[OWASP-LEADERS] Filters / dyn vs. static

Ingo Struck ingo at ingostruck.de
Sat Nov 9 09:08:45 EST 2002


Hi...

> Q for Ingo:  What is the reason to combine HTTPD (apache) and AS
> (tomcat)?  And
> have the DB standalone? Why not vice versa?

The answer is really simple:
- the part which will produce / serve the lion's share of the load will be
  the web server. Most DoS attacks (overload) will hit the web server
  and not the app server (if config is well done)
- the part which is most sensitive is the db. 
- the task of data administration is complex enough to need a dedicated
  machine.

So, if you think of an advanced setup, you should have this one:

FW --- WS/AS1, WS/AS2, WS/AS3 -- DB1, DB2

Another reason for that is that webserver/appserver are rather close-knit.
If you want to benefit from the full power of load balancing that a good 
WS-AS setup may provide (e.g. http with mod_jk), then you just can't run
them on separate machines. In general the WS-AS breakup is really only
for performance reasons. In a better world the AS (tomcat) would be secure
and powerful enough to be run standalone.  :o)

Kind regards

Ingo





