is it really necessary to run Apache as a front-end to Glassfish/JBoss/Tomcat?

Most people are going to say you need something in-front because of static files.

This is somewhat dumb because:

• You can configure Tomcat to use the same IO as apache with APR
• You should be using a CDN (Content delivery network) anyways.

The real reason you need something in-front of tomcat/jetty/jboss to load balance and handle failover.

I recommend you do not listen to "...The Tomcat engine is the Achilles heel of the entire ecosphere..." as we all know that is not true... your database and its connection pooling will be that.

It depends on the ecosystem around your app. In an intranet environment - you probably do not need anything in front of Tomcat.

If alone on the internet as a public facing service, it depends. Apache is nice to because of the modules it provides like mod_security. But if you are not knowledgeable with the configuration of apache(or ngix) - then you could expose yourself to even MORE attacks or points of failure due to misconfiguration.

Apache in front comes in handy for serving outage pages in cases where you need to upgrade the webapp and wait for a restart. But if the restarts are rare or they are timed correctly - then its another reason to go Tomcat standalone.

The Tomcat FAQ does also talk about this too which addresses some additional points: http://wiki.apache.org/tomcat/FAQ/Connectors#Q3

Amazing, some of these answers - do any of you folks actually run high performance multi-tiered and mutli-server Tomcat backed websites? OP, your original supposition that Tomcat is not "slow"... wow. The Tomcat engine is the Achilles heel of the entire ecosphere.

Yes, you want Apache in front - it provides first and foremost mod_rewrite (have you already implemented UrlRewriteFilter in your Tomcat?) as well as the htaccess files that make protecting a webserver so important. Apache can enable you to load balance Tomcat nodes behind it, serve your static content much quicker and get better performance out of Tomcat because you're not overloading it's request pipe with non-Java (js/css/html/jpg/etc.) things. You can offload your SSL at Apache (if not offloading at a hardware LB) with ease and not even have to deal with that travesty called the Java Keystore. There are just so many wins - you can tune mod_jk to your backend nodes to keep from overrunning Java's poor little brain because it typically can't handle massive traffic with the average Java coder's classes.

Beware anyone who tells you that Apache (or nginx, etc - but Apache's performance will outshine Tomcat anyways so it doesn't matter) is not a good idea in front of Tomcat.

Apache is not a good candidate to serve static content due to its multi-process nature. Nginx suits better since it uses asynchronous I/O to process requests. Modern Tomcats can use asynchronous I/O (NIO in Java terminology) too. For example, you should install tomcat-native package in Fedora to make Tomcat use async I/O.

If it's just a matter of binding privileges port without being root when using Tomcat, you don't need to front it with Apache httpd. Tomcat by default ships with jsvc that you need to compile.

jsvc is a java service wrapper to launch Tomcat as a service. This service starts as root but start Tomcat as a normal user. So you can bind your Tomcat to privileged ports.

I don't know about Glassfish, but be sure that solutions exists and if not you can surely use port forwarding techniques (iptables, etc...)

I think the choice of fronting an application server with a web server (Apache httpd for instance) is for load balancing, clustering or serve static resources only with a web server and dynamic resources with an application server.