I have received little to no information from other forums besides personal opinions about this subject. I am running an Apache server just fine, but I wanted to beef up my webpages. I am a fan of Java and know a little to get started. I can't, however, decide how to configure my server.
I have read that Tomcat can be a stand-alone server or work with Apache. I have been told the following suggestions: - Run Tomcat as a stand-alone - Run Apache with a module for JSP - Run Apache and Tomcat and proxy webpages between them with port numbers (this sounds messy) - ... the list goes on.
Can someone give me some good info on what the best setup would be? I was hoping to run Apache with Tomcat handling JSP requests (like a module).
Thanks in advance, ian
Linux Registered User <a href="http://counter.li.org/" target="_blank" rel="nofollow">#349319</a>
If you are not expecting a super-high volume of hits, or if the majority of your resources are going to be active anyway (servelts/JSPs), stand-alone Tomcat is certainly the easiest route and works pretty well.
If there is going to be a high demand for static resources, then Apache with the Tomcat connector is a common configuration.
Ignoring benchmarks for the moment, and falling back on opinion, I don't believe you can get a more well-informed opinion than from the tomcat developers / commmiters / super-users that hang around tomcat-user. They will all tell you that Tomcat is "ready" for high-volume sites. It doesn't need any help from Apache web server, thanks. Several will tell you that they are personally involved with running 'high traffic' production sites with Tomcat stand-alone.
As for 'personal opinion'. People think 'benchmarks' are the opposite of an 'opinion'. Benchmarks are objective and show you the "real" results, right? In truth though, there's lies, damn lies and benchmarks. There are dozens of different ways to configure Tomcat. There are hundreds of platforms, jvm's, hardware combos, etc, etc. These all have impact. And we haven't even started talking about the *application* that **you** are running.
Application 1: thousands of small requests, with very little processing/business logic. Should be sub-second. Application 2: 'lots' of long-run requests. Perhaps back-end threads are spawned. Results can take minutes.
Should tomcat be configured the same for these two apps? Would app2 run slower or faster under the Tomcat configuration for app1? What impact does gc have? What about jvm heapsize switches? How many connectors should Tomcat be configured with? The list goes on and on.
The best advice (which involves work, so it's frequently unpopular) is to do your own stress-testing and benchmarks. Those people on tomcat-user would say the same thing.
Sorry, that turned into a mini-diatribe. I didn't mean it. I think what set me off was: I have received little to no information from other forums besides personal opinions about this subject.
There's a reason for that. There is no 'one right answer'. It seriously depends on what the app is doing, and what you have already. If you already have a site that does a bit of perl, a little bit of mod_rewrite, and maybe some (gasp) PHP mixed in... then you will *need* to run Tomcat behind Apache. If you have no other *need* for Apache, then many, many people will tell you that Tomcat by itself is fine. Even for "mostly static" sites.
Btw, what I left off my response was that personally I run Tomcat standalone with no difficulties.
Joined: May 12, 2004
Wow! Thanks for the replies. I guess there's nothing wrong with a well supported opinion. I'm going to run my own trials and see which one works best.
As far as my currently running services like Webmin and Webalizer, will those run normally with something like Tomcat? Will Webmin see Tomcat in its menu of servers? Will I be able to use Webalizer to get reports like I do with Apache? My guess would be that since both are from the same organization (http://apache.org/) they would work in a very similar way.
Answering for William, I think he meant 'settings'. Tomcat is an implementation of the servlet spec, which provides for such things as declarative security, transport guarantees, etc, etc.
As for "does it have exploits?"...
The two I've heard about so far have been regarding the invoker servlet (which is off by default in recent versions), and another where the JSP source code is displayed to the browser. That last one resulted, ironically enough, by misconfiguring the jk connector between Apache and Tomcat.
I'm quite confident that if there ever was an actual security vulnerability, that there would be a hotfix available *at least* as soon as similar fixes for apache web server, or IIS.
Joined: May 02, 2002
as Mr William Brogden is asking, just conclude some point. based on J2EE blueprint & my experience , Apache + Tomcat is better approach. there's a strong voice in my mind, Apache is Web server[\B], Tomcat is [B]Application Server. :roll:
1. Web server usually deployed before DMZ, and application server is deployed within private network.
2. unless your application is not critical, means that it does cost you much if it die.
3. the most simple & available internet attack is DoS. I don't know how Tomcat is going to handle this, but I know Apache can do some thing.
4. beside the security reason, I don't know how the application cluster could be configured if no web server set up.
5. anyway, it is your own choice. Tomcat alone can handle the job, and everyone feel comfortable with this, specially your customer. then tomcat alone is alright. There's also a rule, just keep it simple if the simple solution can handle the job. as complex solution also introduce more failure points.
[ May 21, 2004: Message edited by: Lipman Li ]
Author and all-around good cowpoke