
There are many ways to secure an application.

We can secure each component of Datafari individually (Solr, Tomcat), but managing security at the level of every component takes more work: certificate management and application-specific configuration for each one.

Another way of securing the application is to use SSL offloading. We delegate the functions required for SSL/TLS, namely the handshake and the encryption/decryption, to a dedicated component in front of the user. All the servers behind the reverse proxy then communicate as usual.

More precisely, in this case it is called SSL termination:

The proxy server/load balancer we use for the SSL offloading acts as the SSL terminator. When a client attempts to connect to Datafari, the client still has a secure connection with the SSL terminator, which is acting as a pass-through.


The Datafari architecture looks like this for monoserver and multiserver setups:


Architecture Apache reverse proxy monoserver

...


Architecture Apache reverse proxy multiserver


This solution is a good compromise between security and maintenance. The network part between the load balancer and the Datafari servers is secure. It can be made more secure by isolating the Solr servers in their own VLAN or with IPsec tunneling, for example.
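
A minimal Apache httpd configuration for the SSL termination described above, added here as an illustration and not taken from Datafari's own configuration. The hostname `datafari.example.com`, the certificate paths and the backend address `127.0.0.1:8080` are placeholder assumptions; mod_ssl, mod_proxy, mod_proxy_http and mod_headers must be enabled.

```apache
# Added example: TLS termination on the Apache reverse proxy.
# Placeholders (assumptions): datafari.example.com, the certificate
# paths, and the backend address 127.0.0.1:8080.

# Plain HTTP listener: only redirects clients to HTTPS.
<VirtualHost *:80>
    ServerName datafari.example.com
    Redirect permanent / https://datafari.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName datafari.example.com

    # The handshake and the encryption/decryption happen here only.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/datafari.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/datafari.example.com.key
    # Refuse the legacy protocol versions.
    SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1

    # Act as a reverse proxy only, never as an open forward proxy.
    ProxyRequests     Off
    ProxyPreserveHost On

    # Traffic to the backend is plain HTTP ("communicate as usual").
    # Monoserver: loopback. Multiserver: a private address on the
    # isolated segment between the proxy and the Datafari servers.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # Tell the backend the original request was HTTPS so generated
    # links and redirects keep the https scheme.
    RequestHeader set X-Forwarded-Proto "https"

    # Ask browsers to use HTTPS for subsequent visits.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Because the hop behind the proxy is unencrypted, the backend should listen only on the loopback or private interface so that clients cannot reach it without passing through the terminator.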

...