This document discusses Apache httpd reverse proxies and Tomcat. It covers why to use a proxy, common proxy protocols like AJP, HTTP/HTTPS, and HTTP/2. It also provides configuration examples for mod_jk, mod_proxy_ajp, and mod_proxy_http when using Apache httpd as a reverse proxy for Tomcat. Performance comparisons are shown between mod_jk, mod_proxy, and Nginx. The document concludes that a proxy is useful for load balancing, protocol upgrades, and SSL termination between the application server and internet.

1. Apache httpd reverse proxy andApache httpd reverse proxy and
TomcatTomcat
Jean-Frederic ClereJean-Frederic Clere

2. What I will coverWhat I will cover
●
Proxy what and why.
●
Protocols
– AJP
– HTTP/HTTPS (1.1)
– HTTP/2 (H2 and H2C)
– Others (web-socket etc)
●
Proxies
– Httpd / Traffic Server / ngix / untertow proxy /mod_cluster
9/19/19 2

3. What I will cover (2)What I will cover (2)
Proxies
– httpd
– Ngnix
Questions?
9/19/19 3

4. Who I amWho I am
Jean-Frederic Clere
Red Hat
Years writing JAVA code and server software
Tomcat committer since 2001
Doing OpenSource since 1999
Cyclist/Runner etc
Lived 15 years in Spain (Barcelona)
Now in Neuchâtel (CH)
9/19/19 4

5. What is Proxy?What is Proxy?
●
Something between the application server and the internet.
●
Load-balancer
●
Failover
●
Protocol termination
– TLS/SSL
– HTTP/2 and soon HTTP/3
●
Understands a protocol and possible upgrades.
9/19/19 5

6. Why a proxy?Why a proxy?
●
Control the load
●
Serve static pages
●
Control requests: mod_security / mod_rewrite etc
●
Dynamic configuration (mod_balancer/mod_cluster…)
●
Protocol translations
9/19/19 6

7. AJPAJP
●
When
– Easy TLS/SSL forwarding
●
Limitations
– No upgrade
– Header size
– No encryption
– Limited “authentication” (secret)
●
mod_proxy_ajp and mod_jk
9/19/19 7

8. HTTP and HTTPS 1.1HTTP and HTTPS 1.1
●
When:
– No SSL forwarding
– Using SSLValve
●
HTTP/HTTPS:
– HTTPS might be need (Encryption/Authentication)
– HTTPS on tomcat (openssl again?)
– HTTP if you trust your intranet. (really?)
●
Other reasons:
– HTTP is more developed than AJP
9/19/19 8

9. H2C
●
h2c is only for reverse proxy
●
Supported
– httpd

10. Demultiplexing h2 in proxy
●
Keep the back-end unchanged
●
Keep the overhead of h2 in the proxy

11. mod_jk configurationmod_jk configuration
●
Httpd.confHttpd.conf
LoadModule jk_module modules/mod_jk.soLoadModule jk_module modules/mod_jk.so
JkMount /jkaj/* worker1JkMount /jkaj/* worker1
JkWorkersFile conf/workers.propertiesJkWorkersFile conf/workers.properties
●
propertiesproperties
# Define 1 real worker using ajp13# Define 1 real worker using ajp13
worker.list=worker1worker.list=worker1
worker.worker1.type=lbworker.worker1.type=lb
worker.worker1.balance_workers=clusterdev03,clusterdev04worker.worker1.balance_workers=clusterdev03,clusterdev04

12. mod_proxy_ajp configurationmod_proxy_ajp configuration
●
Httpd.confHttpd.conf
LoadModule slotmem_shm_module modules/mod_slotmem_shm.soLoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.soLoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.soLoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.soLoadModule proxy_balancer_module modules/mod_proxy_balancer.so
<Proxy balancer://ajp><Proxy balancer://ajp>
#192.168.0.140 192.168.0.130 clusterdev04 / 03#192.168.0.140 192.168.0.130 clusterdev04 / 03
BalancerMember ajp://192.168.0.130:8009BalancerMember ajp://192.168.0.130:8009
BalancerMember ajp://192.168.0.140:8009BalancerMember ajp://192.168.0.140:8009
</Proxy></Proxy>
ProxyPass /tcaj balancer://ajp/tcajProxyPass /tcaj balancer://ajp/tcaj

13. mod_proxy_httpd configurationmod_proxy_httpd configuration
●
Httpd.confHttpd.conf
LoadModule slotmem_shm_module modules/mod_slotmem_shm.soLoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.soLoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.soLoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.soLoadModule proxy_balancer_module modules/mod_proxy_balancer.so
<Proxy balancer://http><Proxy balancer://http>
BalancerMember http://192.168.0.130:8080BalancerMember http://192.168.0.130:8080
BalancerMember http://192.168.0.140:8080BalancerMember http://192.168.0.140:8080
</Proxy></Proxy>
ProxyPass /tchp balancer://http/tchpProxyPass /tchp balancer://http/tchp

14. Comparations mod_jk / mod_proxyComparations mod_jk / mod_proxy
4KiB.bin
8KiB.bin
16KiB.bin
32KiB.bin
64KiB.bin
128KiB.bin
256KiB.bin
512KiB.bin
1M
iB.bin
0
10000
20000
30000
40000
50000
60000
70000
Concurency 240
mod_jk
proxy_ajp
proxy_http11
File Size
Kbytes/second

15. Comparations mod_jk / mod_proxyComparations mod_jk / mod_proxy
4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB
0
20
40
60
80
100
120
Concurency 240
mod_jk
proxy_ajp
proxy_http11
File Size
CPUUsage

16. Conclusion AJP/HTTPConclusion AJP/HTTP
●
No big difference mod_proxy_ajp/mod_jkNo big difference mod_proxy_ajp/mod_jk
●
AJP more easy (no Valve needed)AJP more easy (no Valve needed)
●
AJP not encryptedAJP not encrypted
●
AJP has no upgradeAJP has no upgrade

17. H2C configurationH2C configuration
●
Httpd.confHttpd.conf
LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.soLoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule http2_module modules/mod_http2.soLoadModule http2_module modules/mod_http2.so
– Protocols h2 h2c http/1.1Protocols h2 h2c http/1.1
– LoadModule proxy_http2_module modules/mod_proxy_http2.soLoadModule proxy_http2_module modules/mod_proxy_http2.so
– ProxyPass "/tch2" "h2c://192.168.100.215:8888/tch2"ProxyPass "/tch2" "h2c://192.168.100.215:8888/tch2"

18. H2C configurationH2C configuration
●
server.xmlserver.xml
<Connector port="8888" protocol="HTTP/1.1" redirectPort="8443"><Connector port="8888" protocol="HTTP/1.1" redirectPort="8443">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /><UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector></Connector>

19. NGNIX versus HTTPNGNIX versus HTTP
Is NGNIX better?Is NGNIX better?

20. NGNIX configurationNGNIX configuration
worker_processes 1;worker_processes 1;
events {events {
worker_connections 1024;worker_connections 1024;
}}
http {http {
upstream myapp1 {upstream myapp1 {
server 192.168.100.215:8080;server 192.168.100.215:8080;
server 192.168.100.191:8080;server 192.168.100.191:8080;
}}
server {server {
listen 8097 ssl http2;listen 8097 ssl http2;
server_name localhost;server_name localhost;
ssl_certificate newcert.pem;ssl_certificate newcert.pem;
ssl_certificate_key newkey.txt.pem;ssl_certificate_key newkey.txt.pem;
ssl_session_cache shared:SSL:1m;ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;ssl_prefer_server_ciphers on;
location / {location / {
proxy_pass http://myapp1;proxy_pass http://myapp1;
}}
}}
}}

21. Comparisons ngnix/httpdComparisons ngnix/httpd
4KiB.bin
8KiB.bin
16KiB.bin
32KiB.bin
64KiB.bin
128KiB.bin
256KiB.bin
512KiB.bin
1M
iB.bin
0
10000
20000
30000
40000
50000
60000
Concurency 240
ngnix_h2_http11
proxy_h2_http11
File Size
Kbytes/second

22. Comparisons ngnix/httpdComparisons ngnix/httpd
4KiB 8KiB 16KiB 32KiB 64KiB 128KiB256KiB512KiB 1MiB
0
20
40
60
80
100
120
Concurency 240
ngnix_h2_http11
proxy_h2_http11
File Size
CPUUsage

23. Comparisons HTTP11Comparisons HTTP11
4KiB.bin
8KiB.bin
16KiB.bin
32KiB.bin
64KiB.bin
128KiB.bin
256KiB.bin
512KiB.bin
1M
iB.bin
0
10000
20000
30000
40000
50000
60000
70000
Concurency 240
ngnix_http11
proxy_http11
File Size
Kbytes/second

24. Comparisons HTTP11Comparisons HTTP11
4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB
0
20
40
60
80
100
120
Concurency 240
ngnix_http11
proxy_http11
File Size
CPUusage

25. And so what ngnix?And so what ngnix?
●
Hard to conclude (try 2 processes in NGNIX)
●
Many process in httpd (try less 5 used)
●
Ngnix also uses openssl
9/19/19 25

26. Other proxiesOther proxies
●
HAProxy (in the cloud / openshift for example)
●
mod_cluster (httpd dynamic load balancer)
●
Undertow proxy (jboss servlet container)
●
Ingress (in kubernetes, well Nginx or GCE)
●
Traffic Server
9/19/19 26

27. Other protocolsOther protocols
●
Jboss-remoting
●
Mix httpd/1.1 websockets
●
mod_proxy_wstunnel
●
ProxySet "ws://localhost:8080/" upgrade=jboss-remoting
●
LoadModule proxy_wstunnel_module
modules/mod_proxy_wstunnel.so
9/19/19 27

28. So proxy or not proxySo proxy or not proxy
●
Fail-over : yes
●
H2 and old HTTP/1.1 tomcat : yes
●
Pure java tomcat + TLS/SSL : yes
●
Otherwise: No
●
Which proxy: httpd but ngnix too...
9/19/19 28

29. Questions?Questions?
Thank you!Thank you!
●
jfclere@gmail.com
●
users@tomcat.apache.org
●
Repo with the scripts for the tests:
– https://github.com/jfclere/AC2014scripts
9/19/19 29

30. Jean-Frederic Clere
@jfclere
jfclere@gmail.com