Al,
On 5/28/12 1:35 AM, al so wrote:
> It would be nice if I can hear from someone who has done such
> familiar setup. Have you seen any performance issues in setting up
> SSL both at Tomcat and Apache?

As Aristedes states: only you know your environment and we can't really answer performance questions for you.

But, in general, if you have lots of small HTTPS requests (and responses) without keepalive, then your performance will be terrible, relative to /not/ using SSL. If you have lots of keepalive requests and/or your requests (or responses, or both) then it won't feel so bad.

The worst-performing part of SSL communication is the setup of the channel. Once the negotiation has happened (at the start of the connection), the stream-encryption is not too bad.

I honestly don't know how mod_proxy_http handles keepalives when communicating with a Tomcat backend... if mod_proxy_http can pipeline disparate incoming requests from random clients into a single keepalive connection to Tomcat, then things might work out well. If not, well then maybe performance will be terrible.

If you use something like ssh tunnel (or stunnel, or anything similar) then your performance shouldn't suffer too much because SSL re-negotiations are going to be very rare events. Again, you'll have to test in your own environment with realistic conditions in order to draw any meaningful conclusions.

Honestly, I think it comes down to your requirements: if you *need* to protect the data between httpd and Tomcat then you don't really have a choice: you must encrypt it... you just have to decide exactly how you will be doing it.

> Do you use same keys/certs at both Tomcat and Apache?

I see no advantage to doing that, and one might consider it to be a security problem to have a backend server's key out on a web server (which is presumably in more danger of being compromised).
-chris