-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Edwin,
On 12/19/16 12:22 PM, Edwin Quijada wrote: > I am trying to use SSL with my server Tomcat . I have read > different articles when it recommends that is better use Apache > webserver in front of Tomcat to and apache handles the SSL > conection. My problem is that I cannot use apache in front of > Tomcat because I am using websockets and these doesnt work with > apache in front of. I haven't used it, but httpd does have mod_proxy_wstunnel[1]. I'm not sure if it's production-quality. > I read howto use Tomcat with SSL but I 'd like to know any > comments from you about this. It used to be the conventional wisdom that Tomcat should be fronted by httpd for two reasons: 1. httpd was faster for static content 2. httpd was faster for TLS termination Neither of those are true anymore, so they aren't compelling reasons to use httpd as a reverse-proxy in front of Tomcat. There are *other* compelling reasons to use httpd in front of Tomcat, but static content and TLS performance aren't among them. For the best performance, you are going to want to use either of these configurations for TLS: a. NIO/NIO2 with OpenSSL crypto provider b. APR/tcnative with OpenSSL The APR/tcnative option has a longer history and will likely yield slightly better (but possibly not measurable) performance, but it is more difficult to set-up, requires a native library shim for OpenSSL, et c. The NIO/NIO2 option is much easier to configure but the OpenSSL crypto provider has fewer miles under its treads, so you might want to make sure you test it a lot before you rely on it in production. Then again, Websocket in general is somewhat "new" itself, so I'm not sure if the "newness" of the OpenSSL crypto provider should be particularly worrisome for you. Hope that helps, - -chris [1] https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJYWCH9AAoJEBzwKT+lPKRYDxgQAMdESHpvr081in7FIeJsL7HO j9uIm07lz2ZaL9ruZd/RBeM7goPUfSgAouuSxTut3Ko/6wbINv5PA1I43BqVulHn Hnq7tKCfGuUdfjDKUtxDYImK4FW/JDbRZI4mafpDAHkvcsMC5ac5Mb3jtWIr8Dn3 +wgeeGqnHA+juPGFKkNdk4NxBv/nxyLC8vWGY4nTPnKQ69EtAKFCSwNfbN04Y3qr H4SQ8zon4YMMg/YPyTb3OsL+QnakJPr1bXgN4vpxtKAGGLcUUiPBsVzEX8e4J8b6 ZS41SoteuUa/4YbbKagWgBiTahjxGU4sYoOvVvnCGTpnSQGd2uoK6S5l1OyyWite osPPvmXnnMGolMv4LT/EZTnUKrmYr8/NNC1tIWiGGNXoCoEG7K3fWxsWy1rIDNEe 8xo3GsCTNj8RnQ9Zd7mRkEgJQj49Mbdoepb9IiQCpcaDs2wBFRt7wVrFhXk4NXEy AoEWPuQEHgi8BmupjN3pN2i8Du8WN1xchRfRT+XpXnEOq2Drw4bcEpYjJZ2Kltjj zWJVKCrEJE2afV8acyABGRCkhM5sOTVkupZhAZqz0rfjtZlnOACPfo8o8qbALxb0 z5LQDmDF6CNtP5M+lJAqHA2lRyMkAQkLcPyABu/CDjscvpWcgifds0zbJB7K+WMp RTL714GE+JxO+Z1JzRqx =uJlB -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org