Is it necessary to use an nginx server with Tomcat?

Solution 1:

You could use only tomcat if you like. However, be careful!

Tomcat is a servlet container. It uses JSSE to implement TLS, and by default it exposes management services on the network. It also has had a large number of security vulnerabilities (see https://tomcat.apache.org/security-7.html for example). It is somewhat slow and it's extremely complex.

The security practice I recommend to my clients is to run some other web server in front of it, unless they are using client certificate authentication. The other web server can act as a caching proxy and a validating proxy (almost but not quite a web application firewall), can offload SSL, allows you to use openssl instead of JSSE, and sometimes can even do load balancing. These are all good features.

Tomcat's architecture also poses problems. For example, it can only use privileged ports either by running as root (very bad), or by using the authbind mechanism (which doesn't support IPv6 before tomcat 8). It needs continuous access to both its TLS keys and the configuration file containing the password used to encrypt them, which is a minor security risk every major web server mitigates.

What you use as a proxy doesn't really matter; any capable HTTP daemon should suffice. I'd also recommend a web application firewall to filter requests, though.
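The reverse-proxy arrangement this answer recommends, as an added example that is not part of the answer: a shell script that renders an nginx site terminating TLS with OpenSSL and proxying to a Tomcat connector bound to loopback, plus a check that any site file forwards only to loopback and sets the forwarding headers. The hostname example.test, the backend 127.0.0.1:8080 and the certificate paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer: generate an nginx site that fronts
# Tomcat, terminates TLS with OpenSSL and proxies to a loopback connector.
# Assumed names: hostname example.test, backend 127.0.0.1:8080, certificate
# under /etc/ssl. On the Tomcat side the connector should then be bound to
# loopback in server.xml, e.g.
#   <Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1" .../>
# with org.apache.catalina.valves.RemoteIpValve so the application sees the
# real client address and scheme from the X-Forwarded-* headers set below.
set -eu

# render_nginx_proxy_conf SERVER_NAME BACKEND_HOST:PORT  -> config on stdout
render_nginx_proxy_conf() {
    name="$1"
    backend="$2"
    cat <<EOF
# Plain HTTP only redirects; nginx, not Tomcat, owns ports 80 and 443.
server {
    listen 80;
    listen [::]:80;
    server_name ${name};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${name};

    # TLS ends here; Tomcat never holds the private key.
    ssl_certificate     /etc/ssl/certs/${name}.pem;
    ssl_certificate_key /etc/ssl/private/${name}.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Crude request validation in front of the servlet container.
    client_max_body_size  10m;
    client_header_timeout 10s;
    client_body_timeout   10s;

    # Never expose Tomcat's manager apps through the proxy, even if present.
    location ~ ^/(manager|host-manager)(/|\$) {
        return 404;
    }

    location / {
        proxy_pass http://${backend};
        proxy_http_version 1.1;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_read_timeout 60s;
    }
}
EOF
}

# check_proxy_conf FILE: 0 if every proxy_pass targets loopback and the
# forwarding headers are set, 1 otherwise. Run it against any hand-edited
# site before reloading nginx.
check_proxy_conf() {
    f="$1"
    grep -q 'X-Forwarded-For'   "$f" || return 1
    grep -q 'X-Forwarded-Proto' "$f" || return 1
    grep -Eq 'proxy_pass[[:space:]]+http://(127\.0\.0\.1|\[::1\]|localhost):[0-9]+;' "$f" || return 1
    # A proxy_pass to a routable address means Tomcat is also reachable
    # directly, which defeats the point of the proxy.
    if grep -E 'proxy_pass[[:space:]]+http://' "$f" |
       grep -Evq 'http://(127\.0\.0\.1|\[::1\]|localhost):'; then
        return 1
    fi
    return 0
}

# Usage: sh tomcat-proxy.sh example.test 127.0.0.1:8080 > /etc/nginx/conf.d/tomcat.conf
if [ $# -eq 2 ]; then
    render_nginx_proxy_conf "$1" "$2"
fi
```

After writing the site, run `nginx -t` and reload. The check is deliberately strict: if Tomcat also answers on a routable address, the proxy is decoration rather than a control, and the manager-app block in the nginx site is no substitute for removing those apps from Tomcat.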

Solution 2:

It is possible to use Tomcat alone; however, you need to avoid some obvious mistakes. Most important:

  • Run your Tomcat on a separate user account with minimal rights.
  • When not running as root, Tomcat will not be able to bind a privileged port; that is a good security feature, not a problem. These days I usually use xinetd to move the port. I used iptables before; it is more complex but also works fine.
  • Do not forget to update both Tomcat and Java periodically.
  • Block all possible ports with a firewall, especially all kinds of "remote management". Only leave open what you really need and use.

Do not even think about:

  • Running Tomcat as root.
  • Leaving any of the Tomcat web management interfaces installed. Uninstall them immediately. They have never offered anything that you could not do from the command line even faster.
  • Running without a firewall.

I do not see Tomcat as complex to configure and maintain, but this is maybe because I have been using it for many years. Speaking about security issues, every server has them from time to time, and discovered issues are periodically fixed. Just google.
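The checklist above as a script, added here and not part of the answer: a dedicated service user, the management apps removed, iptables rules that redirect 80/443 to the unprivileged connectors and drop everything else, and the xinetd alternative the answer mentions. The user name "tomcat", the install path /opt/tomcat, the port numbers and the rule syntax are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer: the "Tomcat alone" checklist as a
# script. Assumed names: user "tomcat", install dir /opt/tomcat, HTTP and
# HTTPS connectors on 8080/8443, shutdown port 8005, AJP 8009, SSH on 22.
# IPv4 iptables syntax; repeat the same rules with ip6tables for IPv6.
set -eu

TOMCAT_USER="${TOMCAT_USER:-tomcat}"
TOMCAT_HOME="${TOMCAT_HOME:-/opt/tomcat}"

# 1. Dedicated unprivileged account, no login shell, minimal write access,
#    and the web management interfaces removed rather than "secured".
create_tomcat_user() {
    if ! id "$TOMCAT_USER" >/dev/null 2>&1; then
        useradd --system --home-dir "$TOMCAT_HOME" --shell /usr/sbin/nologin "$TOMCAT_USER"
    fi
    chown -R root:"$TOMCAT_USER" "$TOMCAT_HOME"
    chmod -R g-w,o-rwx "$TOMCAT_HOME"
    for d in logs temp work; do
        mkdir -p "$TOMCAT_HOME/$d"
        chown -R "$TOMCAT_USER:$TOMCAT_USER" "$TOMCAT_HOME/$d"
    done
    rm -rf "$TOMCAT_HOME/webapps/manager" "$TOMCAT_HOME/webapps/host-manager" \
           "$TOMCAT_HOME/webapps/docs"    "$TOMCAT_HOME/webapps/examples"
}

# 2. Firewall rules, printed rather than applied so they can be reviewed.
#    80/443 are redirected in the kernel to the unprivileged connectors, so
#    Tomcat never needs root or authbind. Direct connections to 8080/8443
#    are accepted only if they arrived through that redirect (ctstate DNAT);
#    the shutdown and AJP ports are dropped explicitly, and everything else
#    falls to the DROP policy.
firewall_rules() {
    cat <<'EOF'
iptables -t nat -F PREROUTING
iptables -t nat -A PREROUTING -p tcp --dport 80  -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctstate DNAT -j ACCEPT
iptables -A INPUT -p tcp --dport 8443 -m conntrack --ctstate DNAT -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
iptables -A INPUT -p tcp --dport 8443 -j DROP
iptables -A INPUT -p tcp --dport 8005 -j DROP
iptables -A INPUT -p tcp --dport 8009 -j DROP
EOF
}

# 2b. The xinetd variant the answer mentions: xinetd owns port 80 and
#     forwards to the loopback connector. Simpler than NAT, but Tomcat then
#     sees 127.0.0.1 as every client's address.
xinetd_redirect_conf() {
    cat <<'EOF'
service http
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    port        = 80
    user        = nobody
    wait        = no
    redirect    = 127.0.0.1 8080
}
EOF
}

# exposed_ports RULES_FILE: list the TCP ports the rule set accepts
# unconditionally, one per line; anything beyond 22 here is worth a second look.
exposed_ports() {
    grep -E -- '-A INPUT .*--dport [0-9]+ -j ACCEPT' "$1" |
        grep -v 'ctstate DNAT' |
        sed -E 's/.*--dport ([0-9]+).*/\1/'
}

# Usage: sudo sh tomcat-harden.sh apply   (without "apply" it only prints)
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    create_tomcat_user
    firewall_rules | sh -e
else
    firewall_rules
fi
```

The rules are printed by default so that `exposed_ports` can be run over them before anything is applied; the `ctstate DNAT` match is what stops an outsider from simply walking around the redirect and connecting to 8080 directly. Tomcat's shutdown port is bound to loopback by default, so the 8005 rule is belt and braces, which is the right posture for "remote management" ports.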

Tags:

Nginx

Tomcat