[OWASP-LEADERS] Filters / dyn vs. static

Mark Curphey mark at curphey.com
Sun Nov 10 10:49:55 EST 2002

I replied to owasp-portal to move this thread to the right list

On Sat, 2002-11-09 at 06:08, Ingo Struck wrote:
> Hi...
> > Q for Ingo:  What is the reason to combine HTTPD (apache) and AS
> > (tomcat)?  And have the DB standalone? Why not vice versa?
> The answer is really simple:
> - the part which will produce / serve the lion's share of the load will be
>   the web server. Most DoS attacks (overload) will hit the web server
>   and not the app server (if config is well done)
> - the part which is most sensitive is the db. 
> - the task of data administration is complex enough to need a dedicated
>   machine.
> So, if you think of an advanced setup, you should have this one:
> FW --- WS/AS1, WS/AS2, WS/AS3 -- DB1, DB2
> Another reason for that is that webserver/appserver are rather close-knit.
> If you want to benefit from the full power of load balancing that a good
> WS-AS setup may provide (e.g. http with mod_jk), then you just can't run
> them on separate machines. In general the WS-AS breakup is really only
> for performance reasons. In a better world the AS (tomcat) would be secure
> and powerful enough to be run standalone.  :o)
> Kind regards
> Ingo
