
We are currently using the "standard" architecture created by AWS OpsWorks. We have set up AWS ELB in front of multiple machines, which sends each request to one machine using a round-robin algorithm (we have a stateless application without any cookies). Apache httpd + Apache Tomcat are installed on every machine (everything set up and configured by AWS OpsWorks). So Apache httpd handles the connection and then sends it to Tomcat via an AJP connection.

I would like to get rid of Apache httpd. A few reasons for that:

  • Easier architecture, easier configuration
  • Maybe slight gain in performance
  • Less monitoring (need to monitor only Tomcat, not Apache httpd)

I have checked the following thread: Why use Apache Web Server in front of Glassfish or Tomcat?

and haven't found any reasons why I shouldn't remove Apache httpd from my architecture.

However, I know that some applications have nginx in front of Tomcat for the following reasons:

  • Slow client handling (i.e. the Tomcat worker thread is freed, and an asynchronous nginx thread sends the response to the client)
  • DDoS SYN protection (using SYN cookies)

Questions to consider: Does Apache httpd protect from these DDoS techniques? Does AWS ELB protect from these DDoS techniques? Should I remove Apache httpd (given that I don't need anything from the list)? Should I replace it with nginx? Should I replace it with nginx, taking into account that we have DDoS protection with Incapsula?

Any other advice/comment would be highly appreciated! Thank you in advance!

user3489820
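The "slow clients" item above is worth seeing in working code, because it is the one reason on the list that a plain load balancer does not remove. Below is an added example (my own, not code from the question, the answer, AWS, Apache or Tomcat). It is a stand-in, not Tomcat: a minimal HTTP server whose `workers` slots model a bounded worker pool like Tomcat's `maxThreads`, and whose `header_timeout` models what Apache's mod_reqtimeout (`RequestReadTimeout`) or Tomcat's connector `connectionTimeout` enforce, namely that a client which sends part of a request and then goes quiet is dropped instead of holding a worker forever. With no timeout, four slowloris-style connections starve a legitimate request; with a timeout, the slots come back and the request is served. It covers the slow-header case only; a slow reader of the response is the case a buffering reverse proxy addresses. Hostnames, timings and request bytes are constructed for the example.

```python
"""Slow-client (slowloris-style) starvation of a blocking worker pool, and
the header-read-timeout mitigation. Added example; the server is a toy
stand-in for a thread-pooled connector, not Tomcat or Apache httpd."""
import socket
import threading
import time

# Constructed sample traffic for the demonstration.
FULL_REQUEST = b"GET / HTTP/1.1\r\nHost: example\r\nConnection: close\r\n\r\n"
PARTIAL_REQUEST = b"GET / HTTP/1.1\r\nHost: example\r\n"  # no terminating blank line
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"


class PoolServer:
    """Accepts on one thread; each connection is handled by a blocking thread
    that must first obtain one of `workers` slots (models Tomcat maxThreads).
    `header_timeout` caps how long a slot waits for complete request headers
    (None = wait forever, i.e. no mod_reqtimeout / connectionTimeout)."""

    def __init__(self, workers, header_timeout):
        self.header_timeout = header_timeout
        self.slots = threading.Semaphore(workers)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port, read back below
        self.sock.listen(64)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return  # listening socket closed by stop()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with self.slots:  # block here until a worker slot is free
            conn.settimeout(self.header_timeout)
            buf = b""
            try:
                while b"\r\n\r\n" not in buf:  # read until headers complete
                    chunk = conn.recv(4096)
                    if not chunk:
                        return  # peer closed: release the slot
                    buf += chunk
                conn.sendall(RESPONSE)
            except OSError:
                pass  # timed out or reset: drop the client, free the slot
            finally:
                conn.close()

    def stop(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # unblock accept() on Linux
        except OSError:
            pass
        self.sock.close()


def open_slow_clients(port, count):
    """Open `count` connections that send an incomplete request and then go
    quiet, as a slowloris client does. Returns the sockets for later cleanup."""
    socks = []
    for _ in range(count):
        s = socket.create_connection(("127.0.0.1", port))
        s.sendall(PARTIAL_REQUEST)
        socks.append(s)
    return socks


def probe(port, timeout):
    """Send one well-formed request; True if a 200 arrives within `timeout`
    seconds, False if the server never got a free worker for it."""
    s = socket.create_connection(("127.0.0.1", port))
    s.settimeout(timeout)
    try:
        s.sendall(FULL_REQUEST)
        return s.recv(4096).startswith(b"HTTP/1.1 200")
    except OSError:
        return False
    finally:
        s.close()


def run_scenario(header_timeout, workers=4, attackers=4):
    """Occupy every worker slot with a slow client, then check whether a
    legitimate request is still served. Returns True if it was."""
    server = PoolServer(workers, header_timeout)
    slow = open_slow_clients(server.port, attackers)
    time.sleep(0.2)  # let the slow connections take the worker slots
    served = probe(server.port, timeout=3.0)
    for s in slow:
        s.close()
    server.stop()
    return served


if __name__ == "__main__":
    print("no header timeout, legit request served:", run_scenario(None))
    print("0.5s header timeout, legit request served:", run_scenario(0.5))
```

The first scenario is the failure mode the question describes: four idle connections pin four workers and nothing else gets through. The second shows that the fix lives in the component that owns the worker pool (or a proxy in front of it), not in a layer-4 balancer that only forwards TCP connections, which is why round-robin distribution alone does not help against it.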

1 Answer


Does Apache httpd protect from these DDoS techniques?

No, Apache httpd does not automatically protect from DDoS attacks; you have to enable and configure the security modules.

Does AWS ELB protect from these DDoS techniques?

AWS ELB's features are high availability, health checks, security features (by managing associated security groups), SSL offloading for encryption, etc. No, AWS ELB does not protect from DDoS techniques.

Should I remove Apache httpd?

By using Apache httpd as a front end, you can let it act as a front door to your content on multiple Apache Tomcat instances. If one of your Tomcats fails, Apache httpd ignores it and your sysadmin can sleep through the night. This point can be ignored if you use a hardware load balancer and Apache Tomcat's clustering capabilities. This option is for when you are not using AWS ELB.

Should I replace it with nginx?

If you have Incapsula for DDoS, there is no need to complicate the setup by adding nginx.

Piyush Patil

    Using Apache as a load balancer in front of multiple Tomcat instances, when there is already an ELB in front of multiple servers seems needlessly complex, and the reason you give for doing this is already solved by the ELB. Also CloudFront and Incapsula are both CDNs and mixing CDNs is usually a bad thing. Incapsula also has a WAF already, so adding the AWS WAF seems needlessly complex. – Mark B Jun 05 '16 at 17:20
  • Yes, I would like to clarify: apache httpd is installed on every machine with tomcat and it sends the request only to one tomcat instance on the same machine. Load balancing is done using ELB. – user3489820 Jun 05 '16 at 17:32
  • I know that generally AWS ELB doesn't protect from DDoS. The question is: does ELB protect from some of the DDoS techniques, particularly "slow clients"? When a client starts to read a response one byte at a time with a big delay, which results in "all threads are busy"... – user3489820 Jun 05 '16 at 17:34
  • Check edited answer. And no AWS ELB does not provide any protection from "Slow Clients". – Piyush Patil Jun 05 '16 at 17:34
  • What is the benefit you are trying to achieve by putting one httpd in front of each and every Tomcat instance? – Frederic Henri Jun 05 '16 at 19:53