From: Dmitriy S. <sha...@gm...> - 2010-01-05 17:35:25
On Tue, 2010-01-05 at 14:30 +0000, Adam Retter wrote:
> > Adam - in http://exist-db.org/production_web_proxying.html you
> > explained the reasons behind the 'positive' reasons for adopting the
> > reverse proxy approach (1. Unified web namespace and 2. Virtual
> > Hosting), but could you expand a bit on the 'negative' reason: "eXist
> > like any Web Application Server (Tomcat, WebLogic, GlassFish, etc)
> > should not be directly exposed to the Web." My understanding was that
> > Jetty played the role of 'web server' to eXist's 'web application
> > server', no? Pardon my ignorance!
>
> I generally believe that web application servers are really there for
> deploying your applications into, they tend to be complicated beasts,
> which permit huge amounts of configuration and customisation and as
> such they provide large attack surfaces. As such I prefer to use
> something smaller, lighter and more specifically designed to be web
> facing up-front, Apache or Nginx has had a lot of web exposure and I
> would tend to trust it more in a hostile environment.
>
> In the strictest Java sense, Jetty is a Web Application server and
> eXist is a set of Web Applications.

I disagree, it depends on administrator knowledge & experience. There
was an Apache server that was cracked in seconds & jetty as "Enterprise
scalable" (http://jetty.codehaus.org/jetty/). You should know what you
do & WHY. There are no simple solutions & all good are quite
complicated. jetty(eXist)+firewall can do work.

--
Cheers,

Dmitriy Shabanov