I'm in the process of configuring Apache and Tomcat to run on separate servers and using mod_jk to connect the 2. The plan is to have the Apache server sit in the DMZ and have any servlet/JSP requests forwarded to Tomcat behind our inner firewall. I've never set up this type of configuration before, but I realize it is a standard security practice. I do, however, have a few questions about how HTTP traffic will flow in this configuration.
My understanding: HTTP requests coming in from clients on the Internet will always hit the Apache Web server and never our application server (i.e. Tomcat). Any requests to Tomcat will be forwarded from Apache on port 8009 using the AJP13 protocol.
My question is, how does the HTTP response get back to the client? Does the client see the response as coming from the Apache server or the Tomcat server? When I browse the Apache Web server and hit a JSP or servlet, the URL location in my browser changes to the Tomcat server. To me, that implies that the response came from Tomcat directly. This would mean we would have to allow traffic from the Tomcat server behind the inner firewall out to clients on the Internet.
Would enabling load balancing in the mod_jk connector help? We only plan on running a single Tomcat instance on the backend, but I could set up load balancing with a single worker.
Your Apache web server is connected with mod_jk2 to the Tomcat application server. When a client asks for a JSP on the Internet, this request goes to the Apache web server. If you configured it well, it sees that it is a JSP (or a servlet) and forwards it to the Tomcat application server. It does the processing and sends the response back to the Apache web server, which returns it to the client, so there is no connection/traffic between the client on the Internet and your application server (e.g. Tomcat).
Eric, as Roel indicated, the mod_jk or mod_jk2 shared library/DLL sits on the Apache side and forwards any requests that it is configured for to Tomcat. This might be something like *.jsp or, perhaps, an entire web application like /mywebapp. Apache simply funnels the response from Tomcat back to the browser. At no time is the browser ever directly connected to Tomcat.
Virtual hosting works basically the same way. You can configure each virtual host in Apache and, optionally, have some of the virtual hosts have a Tomcat component and others not. Indeed, I have Apache forward different web apps for different virtual hosts. Not all of my virtual hosts have a need for Tomcat so I have fewer virtual hosts defined in Tomcat than in Apache.
Java forums using Java software (http://forums.hotjoe.com/forums/list.page) - Come and help get them started.
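The topology described in the replies above, written out as a mod_jk configuration for the DMZ Apache host. This is an added example, not configuration posted by anyone in the thread; the worker name tomcat1, the host names and the log paths are assumptions.

```apache
# httpd.conf on the Apache server in the DMZ (added example).
# Assumed names: worker "tomcat1", hosts www.example.com, static.example.com
# and tomcat.internal.example, and the log file locations.

LoadModule jk_module modules/mod_jk.so

# Worker definition kept inline with JkWorkerProperty; the same key=value
# pairs could live in a workers.properties file referenced by JkWorkersFile.
JkWorkerProperty worker.list=tomcat1
JkWorkerProperty worker.tomcat1.type=ajp13
JkWorkerProperty worker.tomcat1.host=tomcat.internal.example
JkWorkerProperty worker.tomcat1.port=8009

JkLogFile  logs/mod_jk.log
JkLogLevel info
JkShmFile  logs/jk.shm

# Virtual host with a Tomcat component: only the listed URL patterns are
# handed to the worker; everything else is served by Apache itself.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/example"

    JkMount /mywebapp/* tomcat1
    JkMount /*.jsp      tomcat1
</VirtualHost>

# Virtual host without a Tomcat component: no JkMount lines, so nothing
# from this host is ever sent over AJP.
<VirtualHost *:80>
    ServerName static.example.com
    DocumentRoot "/var/www/static"
</VirtualHost>

# Inner firewall, matching the traffic flow described in the replies:
#   allow  DMZ Apache host -> Tomcat host, TCP 8009 (AJP13)
#   no rule is needed from the Tomcat host out to Internet clients,
#   because Apache relays every response back to the browser.
```

A single ajp13 worker is enough for one Tomcat instance; the JkMount lines sit inside each virtual host because global mounts are not inherited by virtual hosts unless JkMountCopy is set.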