amazon-web-services n-tier-architecture

Architecture suggestion if web server is removed in 3-tier app


We have a Java J2EE web application deployed in AWS in the following manner. Requests come to an external load balancer, which terminates SSL and forwards to a web server, which forwards to an internal load balancer, which forwards the request to a Tomcat app server, which is connected to a database (RDS). Here are a few questions:

  1. The purpose of the Apache web server is just that of a reverse proxy. It does not have static content. All content, including JS and CSS, is served from Tomcat. Apache does have the PageSpeed module for minification. If static content is served from CloudFront, why even have the Apache web server? This will improve network hops and latency.

  2. If content is in fact served from CloudFront, how can we get the functionality of PageSpeed to avoid issues such as caching?

  3. If we remove Apache, we open the front door of the application, but is security really compromised?

Appreciate thoughts and suggestions from experts.


Solution

    1. You don't need both the Apache HTTP web server and the internal load balancer. Generally, web servers are placed before the app server for purposes such as handling network connections efficiently, mitigating slow read attacks, caching static content, etc. Since Tomcat's HTTP connectors have been optimized for the above cases over a period of time, you don't need the HTTP server. Your external load balancer will do the load balancing, so you don't need the internal load balancer either.

    2. Consider serving only the static content, like CSS and JS files, through a CDN.

    3. Your app is not exposed to the internet directly; requests come through the ELB. Apart from the public ELB, both the app and RDS should be booted in a private subnet (instances will have private IPs). Make sure you configure security groups correctly to avoid a security breach.
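
A check for the security-group layout the answer describes, as an added example that is not part of the original answer: it audits data in the shape of `aws ec2 describe-security-groups` output and flags rules that let anything other than the previous tier reach Tomcat or RDS. The group IDs, the ports (8080 for Tomcat, 3306 for RDS) and the `TIERS` mapping are assumptions.

```python
# Added example: audit security groups for the ELB -> Tomcat -> RDS chain.
# Input mirrors the JSON shape of `aws ec2 describe-security-groups`.
# Group IDs, ports and the tier mapping below are constructed assumptions.
TIERS = {  # "source": None means the tier is public (internet CIDRs expected)
    "sg-elb": {"ports": {443}, "source": None},
    "sg-app": {"ports": {8080}, "source": "sg-elb"},
    "sg-rds": {"ports": {3306}, "source": "sg-app"},
}

SAMPLE = [  # constructed sample: sg-app and sg-rds each contain one bad rule
    {"GroupId": "sg-elb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-elb"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-rds", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-elb"}]}]},
]

def audit(groups, tiers=TIERS):
    """Return sorted (group_id, finding) pairs for rules that break the tiering."""
    findings = []
    for sg in groups:
        gid, policy = sg["GroupId"], tiers.get(sg["GroupId"])
        if policy is None:
            continue  # group is not part of the audited chain
        for perm in sg.get("IpPermissions", []):
            all_traffic = perm.get("IpProtocol") == "-1"  # all protocols and ports
            if all_traffic or not set(range(perm["FromPort"], perm["ToPort"] + 1)) <= policy["ports"]:
                findings.append((gid, "unexpected port range"))
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
            if policy["source"] is None:
                continue  # public tier: CIDR sources are expected here
            if cidrs:  # private tiers should reference a security group, not a CIDR
                findings.append((gid, "CIDR source on private tier: " + ",".join(cidrs)))
            if sources - {policy["source"]}:
                findings.append((gid, "unexpected source group"))
    return sorted(findings)

if __name__ == "__main__":
    for group_id, finding in audit(SAMPLE):
        print(group_id, finding)
```

With real data, pass the `SecurityGroups` list from the CLI's JSON output to `audit` and replace `TIERS` with your own group IDs and ports.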