Posted to users@tomcat.apache.org by Edwin Quijada <li...@hotmail.com> on 2016/12/19 17:22:09 UTC

Tomcat SSL or Apache SSL

Hi!

I am trying to use SSL with my Tomcat server. I have read different articles which recommend that it is better to use Apache webserver in front of Tomcat and have Apache handle the SSL connection. My problem is that I cannot use Apache in front of Tomcat because I am using websockets and these don't work with Apache in front.


I read how to use Tomcat with SSL, but I'd like to know any comments from you about this.

 TIA

Re: Tomcat SSL or Apache SSL

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Edwin,

On 12/19/16 12:22 PM, Edwin Quijada wrote:
> I am trying to use SSL with my Tomcat server. I have read different
> articles which recommend that it is better to use Apache webserver
> in front of Tomcat and have Apache handle the SSL connection. My
> problem is that I cannot use Apache in front of Tomcat because I am
> using websockets and these don't work with Apache in front.

I haven't used it, but httpd does have mod_proxy_wstunnel[1]. I'm not
sure if it's production-quality.

> I read how to use Tomcat with SSL, but I'd like to know any
> comments from you about this.

It used to be the conventional wisdom that Tomcat should be fronted by
httpd for two reasons:

1. httpd was faster for static content
2. httpd was faster for TLS termination

Neither of those is true anymore, so they aren't compelling reasons
to use httpd as a reverse-proxy in front of Tomcat. There are *other*
compelling reasons to use httpd in front of Tomcat, but static content
and TLS performance aren't among them.

For the best performance, you are going to want to use either of these
configurations for TLS:

a. NIO/NIO2 with OpenSSL crypto provider
b. APR/tcnative with OpenSSL

The APR/tcnative option has a longer history and will likely yield
slightly better (but possibly not measurable) performance, but it is
more difficult to set up, requires a native library shim for OpenSSL, etc.

The NIO/NIO2 option is much easier to configure but the OpenSSL crypto
provider has fewer miles under its treads, so you might want to make
sure you test it a lot before you rely on it in production. Then
again, Websocket in general is somewhat "new" itself, so I'm not sure
if the "newness" of the OpenSSL crypto provider should be particularly
worrisome for you.

Hope that helps,
-chris

[1] https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
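The two TLS configurations named in the reply above, (a) and (b), sketched as a `conf/server.xml` fragment. This is an added example, not part of either post and not taken from the Tomcat distribution; it assumes Tomcat 8.5 or 9 attribute names with the Tomcat Native library installed, and the ports and certificate file paths are placeholders.

```xml
<!-- Added example: conf/server.xml fragment, Tomcat 8.5/9 attribute names assumed.
     Ports and certificate paths are placeholders. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Loads the Tomcat Native library (tcnative), which provides the OpenSSL
       bindings used by the connectors below. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" />

  <Service name="Catalina">

    <!-- Option (a): NIO connector with the OpenSSL crypto provider. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeyFile="conf/example-key.pem"
                     certificateFile="conf/example-cert.pem"
                     certificateChainFile="conf/example-chain.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <!-- Option (b): APR/tcnative connector with OpenSSL.
         Shown on a second port only so both variants fit in one file;
         in practice pick one of the two connectors. -->
    <Connector port="8444"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeyFile="conf/example-key.pem"
                     certificateFile="conf/example-cert.pem"
                     certificateChainFile="conf/example-chain.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

With either connector, TLS terminates at Tomcat itself, so WebSocket clients connect with `wss://` directly to the connector port and no reverse proxy sits in the path.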