Application servers such as Jetty and Tomcat are widely used in today's world. If SSL termination is done on the application server, such as Jetty, it may impact the performance of Jetty. You can also terminate SSL on the load balancer, but load balancers often have a limit on the amount of SSL traffic they can handle. For instance a load balancer might be able to handle 10Gbps, so if your traffic is more than that, it will cause a problem.

Another way of reducing load on Jetty is to offload SSL termination to Apache. Apache will then pass the traffic to Jetty in an unencrypted connection. Let's say you have a load balancer in front of your Jetty servers; you can install Apache on each of the servers running Jetty. Apache will be listening on port 443, and Jetty on port 8080. So the connection would look something like this:

Clients-(SSL)->Load Balancer-(SSL)->Apache-(Unencrypted)->Jetty

Apache will then forward the traffic to port 8080 on the same host. In the logs of Apache you will see the source IP address of the clients. Configure the load balancer to use DSR, or direct server return.

You can find a configuration for Apache here. I will explain some of the configuration settings below.

```
#Load the SSL module that is needed to terminate SSL on Apache
#We don't want to pass Apache server status to the Jetty server
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLRandomSeed startup file:/dev/urandom 256
#Log level, this can be emerg, alert, crit, error, warn, notice, info, or debug
#Don't use SSLv2, instead use SSLv3 and TLSv1
#When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the client's preference is used.
#We want Apache to use the server's preference.
#We want to optimize our SSL cipher by removing some and adding others
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
```
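A fuller virtual host for the Apache-in-front-of-Jetty layout described in this post, written as an added example (it is not the configuration the post links to). The hostname, certificate paths and module paths are placeholders, Jetty is assumed to listen on 127.0.0.1:8080 and Apache 2.4 is assumed; the protocol and cipher lines are a current substitute for the post's SSLv3/TLSv1-era settings, since SSLv3 and TLS 1.0 have since been deprecated.

```apache
# Added example. Placeholders: app.example.com, certificate paths, module paths.
# Global (server config) context.
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so

Listen 443
# Both lines below are taken from the post and must stay outside <VirtualHost>.
SSLRandomSeed startup file:/dev/urandom 256
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)

<VirtualHost *:443>
    ServerName app.example.com
    LogLevel warn

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/app.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/app.example.com.key

    # Cipher string from the post, kept for comparison. It starts from ALL and
    # subtracts, so CBC and non-forward-secret suites remain enabled:
    # SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM

    # Corrected: allow-list of AEAD suites with forward secrecy, TLS 1.2 and later.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # Use the server's cipher preference rather than the client's.
    SSLHonorCipherOrder on

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    # Exclusions must come before the catch-all rule: keep Apache's status
    # page out of the traffic handed to Jetty.
    ProxyPass /server-status !
    # Unencrypted hop stays on the loopback interface (assumed Jetty bind address).
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    # Tell the application the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Check the file with `apachectl configtest` before reloading, and bind Jetty to the loopback address so that port 8080 is not reachable from other hosts.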