On 09/01/2007, at 5:20 PM, Christopher Schultz wrote:

> Leon Rosenberg wrote:
>> Also by using apache in front of tomcat you rather loose[sic]
>> security than gain it. At least this is my personal opinion :-)
>
> Would you care to defend that argument? Security in layers is
> typically
> an advantage.
>
> One could argue that more moving parts equals more complexity, and
> that
> complexity is an enemy of security (and I agree). However, there
> must be
> a balance. If good security requires layers, and each layer adds more
> complexity, then there is a paradox.

With Apache HTTPD you have the advantage of being able to do fine
grained
url/ IP access control.

It also brings with it however all the bugs that are in Apache HTTPD.

What are your trying to protect by adding in Apache HTTPD?
 The IP Stack ? - Nope kernel issue - have this problem with both...
 Tomcats connection handling ? Nope - not protected as mod_proxy
and mod_jk
    blindly forward all traffic towards the backend tomcat.

So unless you want protect certain paths, hiding tomcat behind an apache
will not bring any security benefits.

Regards

Andrew




---------------------------------------------------------------------
To start a new topic, e-mail: users@(protected)
To unsubscribe, e-mail: users-unsubscribe@(protected)
For additional commands, e-mail: users-help@(protected)