Wednesday, April 7, 2010

BlazeDS beginner's notes (Using BlazeDS clients and servers behind a firewall)

BlazeDS architecture / Channels and endpoints / Using BlazeDS clients and servers behind a firewall

Because servlet-based endpoints use standard HTTP requests, communicating with clients inside firewalls usually works, as long as the client-side firewall has the necessary ports open. Using the standard HTTP port 80 and HTTPS port 443 is recommended because many firewalls block outbound traffic over non-standard ports.

In short: when the client sits behind a firewall, in many cases only the HTTP and HTTPS ports are allowed outbound, so use the standard ports 80 and 443.

The protocols that the various client channels use are hard coded. For example, the AMFChannel always uses HTTP, while the SecureAMFChannel always uses HTTPS. One thing to watch for when using a SecureAMFChannel/SecureAMFEndpoint combination is an issue with Internet Explorer related to no-cache response headers and HTTPS. By default, no-cache response headers are enabled on HTTP-based endpoints. This causes problems for Internet Explorer browsers. You can suppress these response headers by adding the following configuration property to your endpoint:
<add-no-cache-headers>false</add-no-cache-headers>

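In short: Internet Explorer does not work properly when no-cache headers are sent over HTTPS, so if you want to use HTTPS together with IE, apply the setting above so that the no-cache headers are not added.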

When you have a firewall/reverse HTTP proxy in your deployment that handles SSL for you, you must mix and match your channel and endpoint. You need the client to use a secure channel and the server to use an insecure endpoint, as the following example shows:
<channel-definition id="secure-amf" class="mx.messaging.channels.SecureAMFChannel">
   <endpoint url="https://[firewall ip:port]/{context.root}/messagebroker/amf" 
   class="flex.messaging.endpoints.AMFEndpoint"/>
   <properties>
   <add-no-cache-headers>false</add-no-cache-headers>
   ...
The channel class uses HTTPS to hit the firewall/proxy, and the endpoint URL must point at the firewall/proxy. Because SSL is handled in the middle, you want the endpoint class used by BlazeDS to be the insecure AMFEndpoint and your firewall/proxy must hand back requests to the HTTP port of the BlazeDS server, not the HTTPS port.

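In short: when the firewall accepts the HTTPS connection, write the endpoint's url setting so that it points at the firewall. And if the firewall accepts HTTPS while the server behind it accepts HTTP, use the endpoint class without "Secure". The key point is that the combination of channel and endpoint classes differs from the usual one.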
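The rules quoted above can be checked mechanically against a channel configuration. The following is an added example, not code from BlazeDS or from the quoted documentation: a small Python audit of `channel-definition` entries that reports a mismatch between channel class and URL scheme, SSL terminated at a proxy, non-standard ports, and no-cache headers left enabled over HTTPS. The sample XML, host names and the function name `audit_channels` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed services-config.xml fragment (hosts and ids are made up).
SAMPLE = """<channels>
  <channel-definition id="secure-amf" class="mx.messaging.channels.SecureAMFChannel">
    <endpoint url="https://proxy.example.com:443/{context.root}/messagebroker/amf"
              class="flex.messaging.endpoints.AMFEndpoint"/>
    <properties><add-no-cache-headers>false</add-no-cache-headers></properties>
  </channel-definition>
  <channel-definition id="bad-amf" class="mx.messaging.channels.AMFChannel">
    <endpoint url="https://app.example.com:8443/{context.root}/messagebroker/amf"
              class="flex.messaging.endpoints.AMFEndpoint"/>
  </channel-definition>
</channels>"""

URL_RE = re.compile(r"^(https?)://[^/:]+(?::([^/]+))?")

def audit_channels(xml_text):
    """Return {channel id: [findings]} for each channel-definition."""
    report = {}
    for ch in ET.fromstring(xml_text).iter("channel-definition"):
        ep = ch.find("endpoint")
        secure_channel = ch.get("class").rsplit(".", 1)[-1].startswith("Secure")
        secure_endpoint = ep.get("class").rsplit(".", 1)[-1].startswith("Secure")
        findings = report[ch.get("id")] = []
        m = URL_RE.match(ep.get("url"))
        if m is None:
            findings.append("endpoint URL is not an absolute http(s) URL")
            continue
        scheme, port = m.groups()
        # The channel's protocol is hard coded, so the URL scheme must agree.
        if secure_channel != (scheme == "https"):
            findings.append("channel class and URL scheme disagree")
        if secure_channel and not secure_endpoint:
            findings.append("SSL terminated upstream; proxy-to-BlazeDS hop is plain HTTP")
        default = "443" if scheme == "https" else "80"
        if port and port.isdigit() and port != default:
            findings.append("non-standard port " + port)
        no_cache = ch.findtext("properties/add-no-cache-headers", "true").strip()
        if scheme == "https" and no_cache != "false":
            findings.append("no-cache headers enabled over HTTPS (Internet Explorer issue)")
    return report

if __name__ == "__main__":
    for cid, findings in audit_channels(SAMPLE).items():
        print(cid, findings or ["ok"])
```

The "SSL terminated upstream" finding is informational: it marks the mix-and-match setup described above, where the link between the proxy and the BlazeDS server carries unencrypted HTTP.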
