
Re: DirectConnect and Security


  • Subject: Re: DirectConnect and Security
  • From: Matthew Ness via Webobjects-dev <email@hidden>
  • Date: Mon, 12 Aug 2019 19:03:37 +1000


On Sat, Aug 10, 2019, at 5:54 AM, Mark Gowdy via Webobjects-dev wrote:
> Hi.
>
> Is anyone aware of any security issues (or other considerations) with
> Direct Connect mode for a live deployment?
>
> This will be using Amazon’s Application Load Balancer.
> And it _might_ mean that I can ditch Apache once and for all :-)
>
> Thanks,
>
> Mark


Hi Mark,

If you are applying a cert to your ALB, then SSL effectively terminates at that
point and the request is forwarded on to your direct connect EC2 instances.
I'm not sure what kind of security issues you are envisioning. You should hold
your EC2 instances' security considerations to the same standard whether using
Apache over 443 or your app on, say, 55555.
To that end, there should be no accessibility outside the above-mentioned ALB
connectivity and some administration bastion host for your terminal access.

Having said all that, if your application is completely session-less, then
you're good to go.

If you have sessions in your app you still have some problems to overcome.
You can use session affinity (sticky sessions) in ALB/ELB (but not Network LB),
but be aware they require cookies on the client.
So, you have the sticky sessions working, great! As your load balancer
horizontally scales out, it's creating EC2 instances running your java app. But
when your ALB decides to scale _in_, it'll wipe one or more of your EC2
instances, which could still have active sessions.
So, unless you de-/serialise your Sessions at the start and end of the R-R loop
and store that somewhere else (db/redis/etc) which your EC2 instances would
have access to, it may annoy some users.
Because of proprietary classes in WO, Session serialisation is unsolved and
inflexible.


Regards,


--
Matt
http://logicsquad.net
https://www.linkedin.com/company/logic-squad/
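The reply's advice on instance exposure (reachable only from the ALB and an administration bastion host, whatever port the Direct Connect app listens on) can be turned into a repeatable check. The following is an added example, not code from the thread or from WebObjects: it audits an EC2 security group, in the JSON shape returned by `aws ec2 describe-security-groups`, and flags any ingress rule that is not "app port from the ALB's group" or "SSH from the bastion's group". All group IDs, CIDRs and the app port 55555 are constructed, illustrative values.

```python
"""Audit a security group against the "ALB and bastion only" rule from the reply.

Added example (not part of the original thread). Input is a security group
dict in the shape `aws ec2 describe-security-groups` returns. Group IDs,
CIDRs and the port number are constructed values.
"""
from typing import Dict, List, Set

# Constructed IDs for the only two sources allowed to reach the app instances.
ALB_SG = "sg-0aaaaaaaaaaaaaaa1"      # security group attached to the ALB
BASTION_SG = "sg-0bbbbbbbbbbbbbbb2"  # security group of the admin bastion host
APP_PORT = 55555                     # the illustrative Direct Connect port from the reply
SSH_PORT = 22

# Which source group may reach which TCP port. Anything else is a finding.
ALLOWED: Dict[str, Set[int]] = {ALB_SG: {APP_PORT}, BASTION_SG: {SSH_PORT}}


def _ports(rule: Dict) -> str:
    """Human-readable port range for a finding message."""
    if rule.get("IpProtocol") == "-1":
        return "all ports"
    return f"{rule.get('FromPort')}-{rule.get('ToPort')}"


def _rule_within(rule: Dict, allowed_ports: Set[int]) -> bool:
    """True if the rule opens only TCP ports that are in allowed_ports."""
    if rule.get("IpProtocol") != "tcp":
        return False  # "-1" (all traffic), UDP, etc. is never what we want here
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return False
    return all(p in allowed_ports for p in range(lo, hi + 1))


def audit_ingress(group: Dict, allowed: Dict[str, Set[int]] = ALLOWED) -> List[str]:
    """Return a list of findings; an empty list means the group matches policy."""
    findings: List[str] = []
    for rule in group.get("IpPermissions", []):
        # Any CIDR-based source means the instance is reachable outside the
        # ALB/bastion path, whatever the range is.
        for r in rule.get("IpRanges", []):
            findings.append(f"{r['CidrIp']} -> {_ports(rule)}: CIDR ingress not allowed")
        for r in rule.get("Ipv6Ranges", []):
            findings.append(f"{r['CidrIpv6']} -> {_ports(rule)}: CIDR ingress not allowed")
        for pair in rule.get("UserIdGroupPairs", []):
            gid = pair.get("GroupId")
            if gid not in allowed:
                findings.append(f"{gid} -> {_ports(rule)}: unknown source security group")
            elif not _rule_within(rule, allowed[gid]):
                findings.append(f"{gid} -> {_ports(rule)}: wider than policy allows")
    return findings


# Constructed sample groups in describe-security-groups shape.
GOOD_GROUP = {
    "GroupId": "sg-0cccccccccccccccc3",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": APP_PORT, "ToPort": APP_PORT,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
        {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG}]},
    ],
}

BAD_GROUP = {
    "GroupId": "sg-0ddddddddddddddd4",
    "IpPermissions": [
        # App port open to the world alongside the ALB rule.
        {"IpProtocol": "tcp", "FromPort": APP_PORT, "ToPort": APP_PORT,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
        # SSH from a CIDR instead of the bastion group.
        {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # ALB group allowed on every TCP port, wider than the app needs.
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
    ],
}

if __name__ == "__main__":
    for g in (GOOD_GROUP, BAD_GROUP):
        print(g["GroupId"], audit_ingress(g) or ["OK"])
```

Run it against real output by loading the `SecurityGroups` list from `aws ec2 describe-security-groups --group-ids <id>` and passing each entry to `audit_ingress`. The check is deliberately strict: it treats any CIDR source as a finding, so an SSH rule from an office range is reported even if it was intentional, which is the point when the goal is to have the bastion be the only terminal path.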
