On Sat, Aug 10, 2019, at 5:54 AM, Mark Gowdy via Webobjects-dev wrote:
> Hi.
> 
> Is anyone aware of any security issues (or other considerations) with 
> Direct Connect mode for a live deployment?
> 
> This will be using Amazon’s Application Load Balancer.
> And it _might_ mean that I can ditch Apache once and for all :-)
> 
> Thanks, 
> 
> Mark


Hi Mark,

If you are applying a cert to your ALB, then SSL effectively terminates at that 
point and the request is forwarded on to your direct connect EC2 instances.
I'm not sure what kind of security issues you are envisioning. You should hold 
your EC2 instances' security considerations to the same standard whether using 
Apache over 443 or your app on, say, 55555.
To that end, there should be no accessibility outside the above-mentioned ALB 
connectivity and some administration bastion host for your terminal access.

Having said all that, if your application is completely session-less, then 
you're good to go.

If you have sessions in your app you still have some problems to overcome.
You can use session affinity (sticky sessions) in ALB/ELB (but not Network LB), 
but be aware they require cookies on the client.
So, you have the sticky sessions working, great! As your load balancer 
horizontally scales out, it's creating EC2 instances running your Java app. But 
when your ALB decides to scale _in_, it'll wipe one or more of your EC2 
instances, which could still have active sessions.
So, unless you de-/serialise your Sessions at the start and end of the R-R loop 
and store that somewhere else (db/redis/etc) which your EC2 instances would 
have access to, it may annoy some users. 
Because of proprietary classes in WO, Session serialisation is unsolved and 
inflexible.


Regards,


-- 
Matt
http://logicsquad.net
https://www.linkedin.com/company/logic-squad/
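
The access restriction described in the reply above (instances reachable only from the ALB and an administration bastion host), as an added example that is not part of the original message: a Python check over a security-group description in the shape that `aws ec2 describe-security-groups` returns. The group IDs, the sample rules, and the use of 55555 as the app port are constructed assumptions.

```python
# Constructed sample data; every ID below is a hypothetical placeholder.
ALB_SG = "sg-0aaaaaaaaaaaaaaaa"      # assumed: security group attached to the ALB
BASTION_SG = "sg-0bbbbbbbbbbbbbbbb"  # assumed: security group of the bastion host
APP_PORT, SSH_PORT = 55555, 22       # 55555 is the "say, 55555" from the reply

# Policy: which source security groups may reach which port on the instances.
EXPECTED = {APP_PORT: {ALB_SG}, SSH_PORT: {BASTION_SG}}

SAMPLE_GROUP = {
    "GroupId": "sg-0cccccccccccccccc",
    "IpPermissions": [
        # Correct: app port reachable only from the ALB's security group.
        {"IpProtocol": "tcp", "FromPort": 55555, "ToPort": 55555,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
        # Weak: SSH open to the world instead of the bastion only.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # Weak: a port range that happens to include the app port.
        {"IpProtocol": "tcp", "FromPort": 50000, "ToPort": 60000,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

def audit(group, allowed):
    """Return one finding per ingress rule or source that breaks the policy.

    Strict by design: only single-port TCP rules on an expected port pass, and
    every source must be an allowed security group (any CIDR is reported).
    """
    findings = []
    for rule in group["IpPermissions"]:
        lo, hi = rule.get("FromPort"), rule.get("ToPort")  # absent when protocol is "-1"
        label = f'{rule["IpProtocol"]}/{lo}-{hi}'
        if rule["IpProtocol"] != "tcp" or lo != hi or lo not in allowed:
            findings.append(f"{label}: not a single-port TCP rule for an expected port")
            continue
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        sources += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
        for src in sources:
            if src not in allowed[lo]:
                findings.append(f"{label}: reachable from {src}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_GROUP, EXPECTED):
        print(line)
```

To run it against a real group, load the JSON from `aws ec2 describe-security-groups` and pass each element of its `SecurityGroups` list to `audit`.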