Apache httpd reverse proxy and Tomcat

Jean-Frederic Clere
Jean-Frederic ClereSoftware Developer at Red Hat
Apache httpd reverse proxy andApache httpd reverse proxy and TomcatTomcat Jean-Frederic ClereJean-Frederic Clere
What I will coverWhat I will cover ● Proxy what and why. ● Protocols – AJP – HTTP/HTTPS (1.1) – HTTP/2 (H2 and H2C) – Others (web-socket etc) ● Proxies – Httpd / Traffic Server / ngix / untertow proxy /mod_cluster 9/19/19 2
What I will cover (2)What I will cover (2) Proxies – httpd – Ngnix Questions? 9/19/19 3
Who I amWho I am Jean-Frederic Clere Red Hat Years writing JAVA code and server software Tomcat committer since 2001 Doing OpenSource since 1999 Cyclist/Runner etc Lived 15 years in Spain (Barcelona) Now in Neuchâtel (CH) 9/19/19 4
What is Proxy?What is Proxy? ● Something between the application server and the internet. ● Load-balancer ● Failover ● Protocol termination – TLS/SSL – HTTP/2 and soon HTTP/3 ● Understands a protocol and possible upgrades. 9/19/19 5
Why a proxy?Why a proxy? ● Control the load ● Serve static pages ● Control requests: mod_security / mod_rewrite etc ● Dynamic configuration (mod_balancer/mod_cluster…) ● Protocol translations 9/19/19 6
AJPAJP ● When – Easy TLS/SSL forwarding ● Limitations – No upgrade – Header size – No encryption – Limited “authentication” (secret) ● mod_proxy_ajp and mod_jk 9/19/19 7
HTTP and HTTPS 1.1HTTP and HTTPS 1.1 ● When: – No SSL forwarding – Using SSLValve ● HTTP/HTTPS: – HTTPS might be need (Encryption/Authentication) – HTTPS on tomcat (openssl again?) – HTTP if you trust your intranet. (really?) ● Other reasons: – HTTP is more developed than AJP 9/19/19 8
H2C ● h2c is only for reverse proxy ● Supported – httpd
Demultiplexing h2 in proxy ● Keep the back-end unchanged ● Keep the overhead of h2 in the proxy
mod_jk configurationmod_jk configuration ● Httpd.confHttpd.conf LoadModule jk_module modules/mod_jk.soLoadModule jk_module modules/mod_jk.so JkMount /jkaj/* worker1JkMount /jkaj/* worker1 JkWorkersFile conf/workers.propertiesJkWorkersFile conf/workers.properties ● propertiesproperties # Define 1 real worker using ajp13# Define 1 real worker using ajp13 worker.list=worker1worker.list=worker1 worker.worker1.type=lbworker.worker1.type=lb worker.worker1.balance_workers=clusterdev03,clusterdev04worker.worker1.balance_workers=clusterdev03,clusterdev04
mod_proxy_ajp configurationmod_proxy_ajp configuration ● Httpd.confHttpd.conf LoadModule slotmem_shm_module modules/mod_slotmem_shm.soLoadModule slotmem_shm_module modules/mod_slotmem_shm.so LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_module modules/mod_proxy.so LoadModule proxy_ajp_module modules/mod_proxy_ajp.soLoadModule proxy_ajp_module modules/mod_proxy_ajp.so LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.soLoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.soLoadModule proxy_balancer_module modules/mod_proxy_balancer.so <Proxy balancer://ajp><Proxy balancer://ajp> #192.168.0.140 192.168.0.130 clusterdev04 / 03#192.168.0.140 192.168.0.130 clusterdev04 / 03 BalancerMember ajp://192.168.0.130:8009BalancerMember ajp://192.168.0.130:8009 BalancerMember ajp://192.168.0.140:8009BalancerMember ajp://192.168.0.140:8009 </Proxy></Proxy> ProxyPass /tcaj balancer://ajp/tcajProxyPass /tcaj balancer://ajp/tcaj
mod_proxy_httpd configurationmod_proxy_httpd configuration ● Httpd.confHttpd.conf LoadModule slotmem_shm_module modules/mod_slotmem_shm.soLoadModule slotmem_shm_module modules/mod_slotmem_shm.so LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.soLoadModule proxy_http_module modules/mod_proxy_http.so LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.soLoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.soLoadModule proxy_balancer_module modules/mod_proxy_balancer.so <Proxy balancer://http><Proxy balancer://http> BalancerMember http://192.168.0.130:8080BalancerMember http://192.168.0.130:8080 BalancerMember http://192.168.0.140:8080BalancerMember http://192.168.0.140:8080 </Proxy></Proxy> ProxyPass /tchp balancer://http/tchpProxyPass /tchp balancer://http/tchp
Comparations mod_jk / mod_proxyComparations mod_jk / mod_proxy 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1M iB.bin 0 10000 20000 30000 40000 50000 60000 70000 Concurency 240 mod_jk proxy_ajp proxy_http11 File Size Kbytes/second
Comparations mod_jk / mod_proxyComparations mod_jk / mod_proxy 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 20 40 60 80 100 120 Concurency 240 mod_jk proxy_ajp proxy_http11 File Size CPUUsage
Conclusion AJP/HTTPConclusion AJP/HTTP ● No big difference mod_proxy_ajp/mod_jkNo big difference mod_proxy_ajp/mod_jk ● AJP more easy (no Valve needed)AJP more easy (no Valve needed) ● AJP not encryptedAJP not encrypted ● AJP has no upgradeAJP has no upgrade
H2C configurationH2C configuration ● Httpd.confHttpd.conf LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.soLoadModule proxy_http_module modules/mod_proxy_http.so LoadModule http2_module modules/mod_http2.soLoadModule http2_module modules/mod_http2.so – Protocols h2 h2c http/1.1Protocols h2 h2c http/1.1 – LoadModule proxy_http2_module modules/mod_proxy_http2.soLoadModule proxy_http2_module modules/mod_proxy_http2.so – ProxyPass "/tch2" "h2c://192.168.100.215:8888/tch2"ProxyPass "/tch2" "h2c://192.168.100.215:8888/tch2"
H2C configurationH2C configuration ● server.xmlserver.xml <Connector port="8888" protocol="HTTP/1.1" redirectPort="8443"><Connector port="8888" protocol="HTTP/1.1" redirectPort="8443"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /><UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector></Connector>
NGNIX versus HTTPNGNIX versus HTTP Is NGNIX better?Is NGNIX better?
NGNIX configurationNGNIX configuration worker_processes 1;worker_processes 1; events {events { worker_connections 1024;worker_connections 1024; }} http {http { upstream myapp1 {upstream myapp1 { server 192.168.100.215:8080;server 192.168.100.215:8080; server 192.168.100.191:8080;server 192.168.100.191:8080; }} server {server { listen 8097 ssl http2;listen 8097 ssl http2; server_name localhost;server_name localhost; ssl_certificate newcert.pem;ssl_certificate newcert.pem; ssl_certificate_key newkey.txt.pem;ssl_certificate_key newkey.txt.pem; ssl_session_cache shared:SSL:1m;ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m;ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5;ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on;ssl_prefer_server_ciphers on; location / {location / { proxy_pass http://myapp1;proxy_pass http://myapp1; }} }} }}
Comparisons ngnix/httpdComparisons ngnix/httpd 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1M iB.bin 0 10000 20000 30000 40000 50000 60000 Concurency 240 ngnix_h2_http11 proxy_h2_http11 File Size Kbytes/second
Comparisons ngnix/httpdComparisons ngnix/httpd 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB256KiB512KiB 1MiB 0 20 40 60 80 100 120 Concurency 240 ngnix_h2_http11 proxy_h2_http11 File Size CPUUsage
Comparisons HTTP11Comparisons HTTP11 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1M iB.bin 0 10000 20000 30000 40000 50000 60000 70000 Concurency 240 ngnix_http11 proxy_http11 File Size Kbytes/second
Comparisons HTTP11Comparisons HTTP11 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 20 40 60 80 100 120 Concurency 240 ngnix_http11 proxy_http11 File Size CPUusage
And so what ngnix?And so what ngnix? ● Hard to conclude (try 2 processes in NGNIX) ● Many process in httpd (try less 5 used) ● Ngnix also uses openssl 9/19/19 25
Other proxiesOther proxies ● HAProxy (in the cloud / openshift for example) ● mod_cluster (httpd dynamic load balancer) ● Undertow proxy (jboss servlet container) ● Ingress (in kubernetes, well Nginx or GCE) ● Traffic Server 9/19/19 26
Other protocolsOther protocols ● Jboss-remoting ● Mix httpd/1.1 websockets ● mod_proxy_wstunnel ● ProxySet "ws://localhost:8080/" upgrade=jboss-remoting ● LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so 9/19/19 27
So proxy or not proxySo proxy or not proxy ● Fail-over : yes ● H2 and old HTTP/1.1 tomcat : yes ● Pure java tomcat + TLS/SSL : yes ● Otherwise: No ● Which proxy: httpd but ngnix too... 9/19/19 28
Questions?Questions? Thank you!Thank you! ● jfclere@gmail.com ● users@tomcat.apache.org ● Repo with the scripts for the tests: – https://github.com/jfclere/AC2014scripts 9/19/19 29
Jean-Frederic Clere @jfclere jfclere@gmail.com
1 of 30

Apache httpd reverse proxy and Tomcat

Download to read offline
Software

presentation given at apacheconna2019

Jean-Frederic Clere
Jean-Frederic ClereSoftware Developer at Red Hat

Recommended

Acus08 Advanced Load Balancing Apache2.2Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Jim Jagielski
180.7K views44 slides
Kubernetes networking - basicsKubernetes networking - basics
Kubernetes networking - basicsJuraj Hantak
125.1K views42 slides
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersJavan Rasokat
104.9K views24 slides
Apache httpd 2.4 Reverse ProxyApache httpd 2.4 Reverse Proxy
Apache httpd 2.4 Reverse ProxyJim Jagielski
193.1K views57 slides
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Philippe Bogaerts
420.1K views35 slides
Docker and FargateDocker and Fargate
Docker and FargateShinji Miyazato
126.3K views9 slides

More Related Content

What's hot

What's hot(19)

Extending functionality in nginx, with modules!Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!
Trygve Vea10.5K views
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Fastly1.3K views
Introduction to HaproxyIntroduction to Haproxy
Introduction to Haproxy
Shaopeng He3.4K views
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
Jxck Jxck14.9K views
Kubernetes internals (Kubernetes 해부하기)Kubernetes internals (Kubernetes 해부하기)
Kubernetes internals (Kubernetes 해부하기)
DongHyeon Kim2.2K views
Apache httpd 2.4: The Cloud Killer AppApache httpd 2.4: The Cloud Killer App
Apache httpd 2.4: The Cloud Killer App
Jim Jagielski5.7K views
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
Source Conference1.4K views
Introduction to QUICIntroduction to QUIC
Introduction to QUIC
Shuya Osaki2.7K views
TomcatCon: from a cluster to the cloudTomcatCon: from a cluster to the cloud
TomcatCon: from a cluster to the cloud
Jean-Frederic Clere2.1K views
nginx: writing your first modulenginx: writing your first module
nginx: writing your first module
redivy2.8K views
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 eraHTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
peychevi4.4K views
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our ServersHTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
Jean-Frederic Clere1.7K views
Technical Overview of QUICTechnical Overview of QUIC
Technical Overview of QUIC
shigeki_ohtsu16.4K views
Google QUICGoogle QUIC
Google QUIC
Felipe Rayel8K views
How and Why Prometheus' New Storage Engine Pushes the Limits of Time Series D...How and Why Prometheus' New Storage Engine Pushes the Limits of Time Series D...
How and Why Prometheus' New Storage Engine Pushes the Limits of Time Series D...
Docker, Inc.571 views
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deployment
Sadique Puthen2.1K views
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - Slides
Severalnines11.3K views
Apache Httpd and TLS certificates validationsApache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validations
Jean-Frederic Clere240 views
QUICQUIC
QUIC
Apache Traffic Server888 views

Similar to Apache httpd reverse proxy and Tomcat

Solving anything in VCLSolving anything in VCL
Solving anything in VCLFastly
13.3K views62 slides

Similar to Apache httpd reverse proxy and Tomcat(20)

03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
Jean-Frederic Clere7 views
03_clere_Proxing to tomcat with httpd.pdf03_clere_Proxing to tomcat with httpd.pdf
03_clere_Proxing to tomcat with httpd.pdf
Jean-Frederic Clere6 views
Container Orchestration from Theory to PracticeContainer Orchestration from Theory to Practice
Container Orchestration from Theory to Practice
Docker, Inc.1.6K views
Container orchestration from theory to practiceContainer orchestration from theory to practice
Container orchestration from theory to practice
Docker, Inc.343 views
Ob1k presentation at Java.ILOb1k presentation at Java.IL
Ob1k presentation at Java.IL
Eran Harel1.6K views
Solving anything in VCLSolving anything in VCL
Solving anything in VCL
Fastly13.3K views
Apache Web ServicesApache Web Services
Apache Web Services
lkurriger1.2K views
The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019
The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019
Viktor Todorov587 views
Socket programming, and openrestySocket programming, and openresty
Socket programming, and openresty
Tavish Naruka1.2K views
202107 - Orion introduction - COSCUP202107 - Orion introduction - COSCUP
202107 - Orion introduction - COSCUP
Ronald Hsu119 views
Docker Monitoring WebinarDocker Monitoring Webinar
Docker Monitoring Webinar
Sematext Group, Inc. 6K views
Session: A Reference Architecture for Running Modern APIs with NGINX Unit and...Session: A Reference Architecture for Running Modern APIs with NGINX Unit and...
Session: A Reference Architecture for Running Modern APIs with NGINX Unit and...
NGINX, Inc.336 views
Tomcat nextTomcat next
Tomcat next
Jean-Frederic Clere437 views
NGINX: HTTP/2 Server Push and gRPCNGINX: HTTP/2 Server Push and gRPC
NGINX: HTTP/2 Server Push and gRPC
NGINX, Inc.4.6K views
WebTalk - Implementing Web Services with a dedicated Java daemonWebTalk - Implementing Web Services with a dedicated Java daemon
WebTalk - Implementing Web Services with a dedicated Java daemon
Geert Van Pamel6.9K views
Docker for mac & local developer environment optimizationDocker for mac & local developer environment optimization
Docker for mac & local developer environment optimization
Radek Baczynski2.5K views
HTTP2HTTP2
HTTP2
Mateus Prado524 views
Tornado Web Server InternalsTornado Web Server Internals
Tornado Web Server Internals
Praveen Gollakota12.4K views
NGINX: HTTP/2 Server Push and gRPC – EMEANGINX: HTTP/2 Server Push and gRPC – EMEA
NGINX: HTTP/2 Server Push and gRPC – EMEA
NGINX, Inc.378 views
Start tracking your ruby infrastructureStart tracking your ruby infrastructure
Start tracking your ruby infrastructure
Sergiy Kukunin95 views

More from Jean-Frederic Clere

Panama.pdfPanama.pdf
Panama.pdfJean-Frederic Clere
14 views51 slides
Juggva cloudJuggva cloud
Juggva cloudJean-Frederic Clere
251 views37 slides

More from Jean-Frederic Clere(14)

Panama.pdfPanama.pdf
Panama.pdf
Jean-Frederic Clere14 views
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
Jean-Frederic Clere8 views
Cloud RPI4 tomcat ARM64Cloud RPI4 tomcat ARM64
Cloud RPI4 tomcat ARM64
Jean-Frederic Clere161 views
From a cluster to the CloudFrom a cluster to the Cloud
From a cluster to the Cloud
Jean-Frederic Clere909 views
Apache httpd and TLS/SSL certificates validationApache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validation
Jean-Frederic Clere156 views
Juggva cloudJuggva cloud
Juggva cloud
Jean-Frederic Clere251 views
Tomcat from a cluster to the cloud on RP3Tomcat from a cluster to the cloud on RP3
Tomcat from a cluster to the cloud on RP3
Jean-Frederic Clere588 views
Having fun with Raspberry(s) and Apache projectsHaving fun with Raspberry(s) and Apache projects
Having fun with Raspberry(s) and Apache projects
Jean-Frederic Clere445 views
Tomcat opensslTomcat openssl
Tomcat openssl
Jean-Frederic Clere410 views
Having fun with Raspberry and Apache projectsHaving fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projects
Jean-Frederic Clere527 views
HTTP/2 and SSL/TLS state of art in ASF serversHTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF servers
Jean-Frederic Clere394 views
Tomcat nextTomcat next
Tomcat next
Jean-Frederic Clere3.3K views
Native 1.2.8Native 1.2.8
Native 1.2.8
Jean-Frederic Clere189 views
Tomcat opensslTomcat openssl
Tomcat openssl
Jean-Frederic Clere404 views

Recently uploaded

Tridens DevOpsTridens DevOps
Tridens DevOpsTridens
9 views28 slides
El Arte de lo PossibleEl Arte de lo Possible
El Arte de lo PossibleNeo4j
28 views35 slides

Recently uploaded(20)

Tridens DevOpsTridens DevOps
Tridens DevOps
Tridens9 views
Best Mics For Your Live StreamingBest Mics For Your Live Streaming
Best Mics For Your Live Streaming
ontheflystream6 views
Les nouveautés produit Neo4j Les nouveautés produit Neo4j
Les nouveautés produit Neo4j
Neo4j26 views
El Arte de lo PossibleEl Arte de lo Possible
El Arte de lo Possible
Neo4j28 views
What Can Employee Monitoring Software Do?​What Can Employee Monitoring Software Do?​
What Can Employee Monitoring Software Do?​
wAnywhere17 views
Unleash The MonkeysUnleash The Monkeys
Unleash The Monkeys
Jacob Duijzer7 views
[PHPCon 2023] “Kto to pisał?!... a, to ja.”, czyli sposoby żeby znienawidzić ...[PHPCon 2023] “Kto to pisał?!... a, to ja.”, czyli sposoby żeby znienawidzić ...
[PHPCon 2023] “Kto to pisał?!... a, to ja.”, czyli sposoby żeby znienawidzić ...
Mateusz Zalewski52 views
Mark Simpson - UKOUG23 - Refactoring Monolithic Oracle Database Applications ...Mark Simpson - UKOUG23 - Refactoring Monolithic Oracle Database Applications ...
Mark Simpson - UKOUG23 - Refactoring Monolithic Oracle Database Applications ...
marksimpsongw74 views
How to Make the Most of Regression and Unit Testing.pdfHow to Make the Most of Regression and Unit Testing.pdf
How to Make the Most of Regression and Unit Testing.pdf
Abhay Kumar8 views
Citi TechTalk Session 2: Kafka Deep DiveCiti TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep Dive
confluent16 views
DSD-INT 2023 Delft3D FM Suite 2024.01 2D3D - New features + Improvements - Ge...DSD-INT 2023 Delft3D FM Suite 2024.01 2D3D - New features + Improvements - Ge...
DSD-INT 2023 Delft3D FM Suite 2024.01 2D3D - New features + Improvements - Ge...
Deltares11 views
DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit...DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit...
DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit...
Deltares6 views
Applying Platform Engineering Thinking to Observability.pdfApplying Platform Engineering Thinking to Observability.pdf
Applying Platform Engineering Thinking to Observability.pdf
Natan Yellin11 views
Key Takeaways for Java Developers from the State of the Software Supply Chain...Key Takeaways for Java Developers from the State of the Software Supply Chain...
Key Takeaways for Java Developers from the State of the Software Supply Chain...
Steve Poole6 views
[PHPCon 2023] Blaski i ciebie BDD[PHPCon 2023] Blaski i ciebie BDD
[PHPCon 2023] Blaski i ciebie BDD
Mateusz Zalewski47 views
DSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - GeertsemaDSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - Geertsema
DSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - Geertsema
Deltares9 views
Why Cloud Services.pdfWhy Cloud Services.pdf
Why Cloud Services.pdf
Pi DATACENTERS6 views
DSD-INT 2023 Modelling litter in the Yarra and Maribyrnong Rivers (Australia)...DSD-INT 2023 Modelling litter in the Yarra and Maribyrnong Rivers (Australia)...
DSD-INT 2023 Modelling litter in the Yarra and Maribyrnong Rivers (Australia)...
Deltares8 views
DSD-INT 2023 HydroMT model building and river-coast coupling in Python - Bove...DSD-INT 2023 HydroMT model building and river-coast coupling in Python - Bove...
DSD-INT 2023 HydroMT model building and river-coast coupling in Python - Bove...
Deltares15 views
BSides Lisbon 2023 - AI in Cybersecurity.pdfBSides Lisbon 2023 - AI in Cybersecurity.pdf
BSides Lisbon 2023 - AI in Cybersecurity.pdf
Tiago Henriques70 views

Apache httpd reverse proxy and Tomcat

  • 1. Apache httpd reverse proxy andApache httpd reverse proxy and TomcatTomcat Jean-Frederic ClereJean-Frederic Clere
  • 2. What I will coverWhat I will cover ● Proxy what and why. ● Protocols – AJP – HTTP/HTTPS (1.1) – HTTP/2 (H2 and H2C) – Others (web-socket etc) ● Proxies – Httpd / Traffic Server / ngix / untertow proxy /mod_cluster 9/19/19 2
  • 3. What I will cover (2)What I will cover (2) Proxies – httpd – Ngnix Questions? 9/19/19 3
  • 4. Who I amWho I am Jean-Frederic Clere Red Hat Years writing JAVA code and server software Tomcat committer since 2001 Doing OpenSource since 1999 Cyclist/Runner etc Lived 15 years in Spain (Barcelona) Now in Neuchâtel (CH) 9/19/19 4
  • 5. What is Proxy?What is Proxy? ● Something between the application server and the internet. ● Load-balancer ● Failover ● Protocol termination – TLS/SSL – HTTP/2 and soon HTTP/3 ● Understands a protocol and possible upgrades. 9/19/19 5
  • 6. Why a proxy?Why a proxy? ● Control the load ● Serve static pages ● Control requests: mod_security / mod_rewrite etc ● Dynamic configuration (mod_balancer/mod_cluster…) ● Protocol translations 9/19/19 6
  • 7. AJPAJP ● When – Easy TLS/SSL forwarding ● Limitations – No upgrade – Header size – No encryption – Limited “authentication” (secret) ● mod_proxy_ajp and mod_jk 9/19/19 7
  • 8. HTTP and HTTPS 1.1HTTP and HTTPS 1.1 ● When: – No SSL forwarding – Using SSLValve ● HTTP/HTTPS: – HTTPS might be need (Encryption/Authentication) – HTTPS on tomcat (openssl again?) – HTTP if you trust your intranet. (really?) ● Other reasons: – HTTP is more developed than AJP 9/19/19 8
  • 9. H2C ● h2c is only for reverse proxy ● Supported – httpd
  • 10. Demultiplexing h2 in proxy ● Keep the back-end unchanged ● Keep the overhead of h2 in the proxy
  • 11. mod_jk configurationmod_jk configuration ● Httpd.confHttpd.conf LoadModule jk_module modules/mod_jk.soLoadModule jk_module modules/mod_jk.so JkMount /jkaj/* worker1JkMount /jkaj/* worker1 JkWorkersFile conf/workers.propertiesJkWorkersFile conf/workers.properties ● propertiesproperties # Define 1 real worker using ajp13# Define 1 real worker using ajp13 worker.list=worker1worker.list=worker1 worker.worker1.type=lbworker.worker1.type=lb worker.worker1.balance_workers=clusterdev03,clusterdev04worker.worker1.balance_workers=clusterdev03,clusterdev04
  • 12. mod_proxy_ajp configurationmod_proxy_ajp configuration ● Httpd.confHttpd.conf LoadModule slotmem_shm_module modules/mod_slotmem_shm.soLoadModule slotmem_shm_module modules/mod_slotmem_shm.so LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_module modules/mod_proxy.so LoadModule proxy_ajp_module modules/mod_proxy_ajp.soLoadModule proxy_ajp_module modules/mod_proxy_ajp.so LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.soLoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.soLoadModule proxy_balancer_module modules/mod_proxy_balancer.so <Proxy balancer://ajp><Proxy balancer://ajp> #192.168.0.140 192.168.0.130 clusterdev04 / 03#192.168.0.140 192.168.0.130 clusterdev04 / 03 BalancerMember ajp://192.168.0.130:8009BalancerMember ajp://192.168.0.130:8009 BalancerMember ajp://192.168.0.140:8009BalancerMember ajp://192.168.0.140:8009 </Proxy></Proxy> ProxyPass /tcaj balancer://ajp/tcajProxyPass /tcaj balancer://ajp/tcaj
  • 13. mod_proxy_httpd configurationmod_proxy_httpd configuration ● Httpd.confHttpd.conf LoadModule slotmem_shm_module modules/mod_slotmem_shm.soLoadModule slotmem_shm_module modules/mod_slotmem_shm.so LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.soLoadModule proxy_http_module modules/mod_proxy_http.so LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.soLoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.soLoadModule proxy_balancer_module modules/mod_proxy_balancer.so <Proxy balancer://http><Proxy balancer://http> BalancerMember http://192.168.0.130:8080BalancerMember http://192.168.0.130:8080 BalancerMember http://192.168.0.140:8080BalancerMember http://192.168.0.140:8080 </Proxy></Proxy> ProxyPass /tchp balancer://http/tchpProxyPass /tchp balancer://http/tchp
  • 14. Comparations mod_jk / mod_proxyComparations mod_jk / mod_proxy 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1M iB.bin 0 10000 20000 30000 40000 50000 60000 70000 Concurency 240 mod_jk proxy_ajp proxy_http11 File Size Kbytes/second
  • 15. Comparations mod_jk / mod_proxyComparations mod_jk / mod_proxy 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 20 40 60 80 100 120 Concurency 240 mod_jk proxy_ajp proxy_http11 File Size CPUUsage
  • 16. Conclusion AJP/HTTPConclusion AJP/HTTP ● No big difference mod_proxy_ajp/mod_jkNo big difference mod_proxy_ajp/mod_jk ● AJP more easy (no Valve needed)AJP more easy (no Valve needed) ● AJP not encryptedAJP not encrypted ● AJP has no upgradeAJP has no upgrade
  • 17. H2C configurationH2C configuration ● Httpd.confHttpd.conf LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.soLoadModule proxy_http_module modules/mod_proxy_http.so LoadModule http2_module modules/mod_http2.soLoadModule http2_module modules/mod_http2.so – Protocols h2 h2c http/1.1Protocols h2 h2c http/1.1 – LoadModule proxy_http2_module modules/mod_proxy_http2.soLoadModule proxy_http2_module modules/mod_proxy_http2.so – ProxyPass "/tch2" "h2c://192.168.100.215:8888/tch2"ProxyPass "/tch2" "h2c://192.168.100.215:8888/tch2"
  • 18. H2C configurationH2C configuration ● server.xmlserver.xml <Connector port="8888" protocol="HTTP/1.1" redirectPort="8443"><Connector port="8888" protocol="HTTP/1.1" redirectPort="8443"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /><UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector></Connector>
  • 19. NGNIX versus HTTPNGNIX versus HTTP Is NGNIX better?Is NGNIX better?
  • 20. NGNIX configurationNGNIX configuration worker_processes 1;worker_processes 1; events {events { worker_connections 1024;worker_connections 1024; }} http {http { upstream myapp1 {upstream myapp1 { server 192.168.100.215:8080;server 192.168.100.215:8080; server 192.168.100.191:8080;server 192.168.100.191:8080; }} server {server { listen 8097 ssl http2;listen 8097 ssl http2; server_name localhost;server_name localhost; ssl_certificate newcert.pem;ssl_certificate newcert.pem; ssl_certificate_key newkey.txt.pem;ssl_certificate_key newkey.txt.pem; ssl_session_cache shared:SSL:1m;ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m;ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5;ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on;ssl_prefer_server_ciphers on; location / {location / { proxy_pass http://myapp1;proxy_pass http://myapp1; }} }} }}
  • 22. Comparisons ngnix/httpdComparisons ngnix/httpd 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB256KiB512KiB 1MiB 0 20 40 60 80 100 120 Concurency 240 ngnix_h2_http11 proxy_h2_http11 File Size CPUUsage
  • 24. Comparisons HTTP11Comparisons HTTP11 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 20 40 60 80 100 120 Concurency 240 ngnix_http11 proxy_http11 File Size CPUusage
  • 25. And so what ngnix?And so what ngnix? ● Hard to conclude (try 2 processes in NGNIX) ● Many process in httpd (try less 5 used) ● Ngnix also uses openssl 9/19/19 25
  • 26. Other proxiesOther proxies ● HAProxy (in the cloud / openshift for example) ● mod_cluster (httpd dynamic load balancer) ● Undertow proxy (jboss servlet container) ● Ingress (in kubernetes, well Nginx or GCE) ● Traffic Server 9/19/19 26
  • 27. Other protocolsOther protocols ● Jboss-remoting ● Mix httpd/1.1 websockets ● mod_proxy_wstunnel ● ProxySet "ws://localhost:8080/" upgrade=jboss-remoting ● LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so 9/19/19 27
  • 28. So proxy or not proxySo proxy or not proxy ● Fail-over : yes ● H2 and old HTTP/1.1 tomcat : yes ● Pure java tomcat + TLS/SSL : yes ● Otherwise: No ● Which proxy: httpd but ngnix too... 9/19/19 28
  • 29. Questions?Questions? Thank you!Thank you! ● jfclere@gmail.com ● users@tomcat.apache.org ● Repo with the scripts for the tests: – https://github.com/jfclere/AC2014scripts 9/19/19 29