Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Apache httpd reverse proxy andApache httpd reverse proxy and
TomcatTomcat
Jean-Frederic ClereJean-Frederic Clere
What I will coverWhat I will cover
●
Proxy what and why.
●
Protocols
– AJP
– HTTP/HTTPS (1.1)
– HTTP/2 (H2 and H2C)
– Othe...
What I will cover (2)What I will cover (2)
Proxies
– httpd
– Ngnix
Questions?
9/19/19 3
Who I amWho I am
Jean-Frederic Clere
Red Hat
Years writing JAVA code and server software
Tomcat committer since 2001
Doing...
What is Proxy?What is Proxy?
●
Something between the application server and the internet.
●
Load-balancer
●
Failover
●
Pro...
Why a proxy?Why a proxy?
●
Control the load
●
Serve static pages
●
Control requests: mod_security / mod_rewrite etc
●
Dyna...
AJPAJP
●
When
– Easy TLS/SSL forwarding
●
Limitations
– No upgrade
– Header size
– No encryption
– Limited “authentication...
HTTP and HTTPS 1.1HTTP and HTTPS 1.1
●
When:
– No SSL forwarding
– Using SSLValve
●
HTTP/HTTPS:
– HTTPS might be need (Enc...
H2C
●
h2c is only for reverse proxy
●
Supported
– httpd
Demultiplexing h2 in proxy
●
Keep the back-end unchanged
●
Keep the overhead of h2 in the proxy
mod_jk configurationmod_jk configuration
●
Httpd.confHttpd.conf
LoadModule jk_module modules/mod_jk.soLoadModule jk_module...
mod_proxy_ajp configurationmod_proxy_ajp configuration
●
Httpd.confHttpd.conf
LoadModule slotmem_shm_module modules/mod_sl...
mod_proxy_httpd configurationmod_proxy_httpd configuration
●
Httpd.confHttpd.conf
LoadModule slotmem_shm_module modules/mo...
Comparations mod_jk / mod_proxyComparations mod_jk / mod_proxy
4KiB.bin
8KiB.bin
16KiB.bin
32KiB.bin
64KiB.bin
128KiB.bin
...
Comparations mod_jk / mod_proxyComparations mod_jk / mod_proxy
4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB
0
20
...
Conclusion AJP/HTTPConclusion AJP/HTTP
●
No big difference mod_proxy_ajp/mod_jkNo big difference mod_proxy_ajp/mod_jk
●
AJ...
H2C configurationH2C configuration
●
Httpd.confHttpd.conf
LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_mod...
H2C configurationH2C configuration
●
server.xmlserver.xml
<Connector port="8888" protocol="HTTP/1.1" redirectPort="8443"><...
NGNIX versus HTTPNGNIX versus HTTP
Is NGNIX better?Is NGNIX better?
NGNIX configurationNGNIX configuration
worker_processes 1;worker_processes 1;
events {events {
worker_connections 1024;wor...
Comparisons ngnix/httpdComparisons ngnix/httpd
4KiB.bin
8KiB.bin
16KiB.bin
32KiB.bin
64KiB.bin
128KiB.bin
256KiB.bin
512Ki...
Comparisons ngnix/httpdComparisons ngnix/httpd
4KiB 8KiB 16KiB 32KiB 64KiB 128KiB256KiB512KiB 1MiB
0
20
40
60
80
100
120
C...
Comparisons HTTP11Comparisons HTTP11
4KiB.bin
8KiB.bin
16KiB.bin
32KiB.bin
64KiB.bin
128KiB.bin
256KiB.bin
512KiB.bin
1M
i...
Comparisons HTTP11Comparisons HTTP11
4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB
0
20
40
60
80
100
120
Concurenc...
And so what ngnix?And so what ngnix?
●
Hard to conclude (try 2 processes in NGNIX)
●
Many process in httpd (try less 5 use...
Other proxiesOther proxies
●
HAProxy (in the cloud / openshift for example)
●
mod_cluster (httpd dynamic load balancer)
●
...
Other protocolsOther protocols
●
Jboss-remoting
●
Mix httpd/1.1 websockets
●
mod_proxy_wstunnel
●
ProxySet "ws://localhost...
So proxy or not proxySo proxy or not proxy
●
Fail-over : yes
●
H2 and old HTTP/1.1 tomcat : yes
●
Pure java tomcat + TLS/S...
Questions?Questions?
Thank you!Thank you!
●
jfclere@gmail.com
●
users@tomcat.apache.org
●
Repo with the scripts for the te...
Jean-Frederic Clere
@jfclere
jfclere@gmail.com
You’ve finished this document.
Download and read it offline.
Upcoming SlideShare
What to Upload to SlideShare
Next
Upcoming SlideShare
What to Upload to SlideShare
Next
Download to read offline and view in fullscreen.

Share

Apache httpd reverse proxy and Tomcat

Download to read offline

presentation given at apacheconna2019

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Apache httpd reverse proxy and Tomcat

  1. 1. Apache httpd reverse proxy andApache httpd reverse proxy and TomcatTomcat Jean-Frederic ClereJean-Frederic Clere
  2. 2. What I will coverWhat I will cover ● Proxy what and why. ● Protocols – AJP – HTTP/HTTPS (1.1) – HTTP/2 (H2 and H2C) – Others (web-socket etc) ● Proxies – Httpd / Traffic Server / ngix / untertow proxy /mod_cluster 9/19/19 2
  3. 3. What I will cover (2)What I will cover (2) Proxies – httpd – Ngnix Questions? 9/19/19 3
  4. 4. Who I amWho I am Jean-Frederic Clere Red Hat Years writing JAVA code and server software Tomcat committer since 2001 Doing OpenSource since 1999 Cyclist/Runner etc Lived 15 years in Spain (Barcelona) Now in Neuchâtel (CH) 9/19/19 4
  5. 5. What is Proxy?What is Proxy? ● Something between the application server and the internet. ● Load-balancer ● Failover ● Protocol termination – TLS/SSL – HTTP/2 and soon HTTP/3 ● Understands a protocol and possible upgrades. 9/19/19 5
  6. 6. Why a proxy?Why a proxy? ● Control the load ● Serve static pages ● Control requests: mod_security / mod_rewrite etc ● Dynamic configuration (mod_balancer/mod_cluster…) ● Protocol translations 9/19/19 6
  7. 7. AJPAJP ● When – Easy TLS/SSL forwarding ● Limitations – No upgrade – Header size – No encryption – Limited “authentication” (secret) ● mod_proxy_ajp and mod_jk 9/19/19 7
  8. 8. HTTP and HTTPS 1.1HTTP and HTTPS 1.1 ● When: – No SSL forwarding – Using SSLValve ● HTTP/HTTPS: – HTTPS might be need (Encryption/Authentication) – HTTPS on tomcat (openssl again?) – HTTP if you trust your intranet. (really?) ● Other reasons: – HTTP is more developed than AJP 9/19/19 8
  9. 9. H2C ● h2c is only for reverse proxy ● Supported – httpd
  10. 10. Demultiplexing h2 in proxy ● Keep the back-end unchanged ● Keep the overhead of h2 in the proxy
  11. 11. mod_jk configurationmod_jk configuration ● Httpd.confHttpd.conf LoadModule jk_module modules/mod_jk.soLoadModule jk_module modules/mod_jk.so JkMount /jkaj/* worker1JkMount /jkaj/* worker1 JkWorkersFile conf/workers.propertiesJkWorkersFile conf/workers.properties ● propertiesproperties # Define 1 real worker using ajp13# Define 1 real worker using ajp13 worker.list=worker1worker.list=worker1 worker.worker1.type=lbworker.worker1.type=lb worker.worker1.balance_workers=clusterdev03,clusterdev04worker.worker1.balance_workers=clusterdev03,clusterdev04
  12. 12. mod_proxy_ajp configurationmod_proxy_ajp configuration ● Httpd.confHttpd.conf LoadModule slotmem_shm_module modules/mod_slotmem_shm.soLoadModule slotmem_shm_module modules/mod_slotmem_shm.so LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_module modules/mod_proxy.so LoadModule proxy_ajp_module modules/mod_proxy_ajp.soLoadModule proxy_ajp_module modules/mod_proxy_ajp.so LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.soLoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.soLoadModule proxy_balancer_module modules/mod_proxy_balancer.so <Proxy balancer://ajp><Proxy balancer://ajp> #192.168.0.140 192.168.0.130 clusterdev04 / 03#192.168.0.140 192.168.0.130 clusterdev04 / 03 BalancerMember ajp://192.168.0.130:8009BalancerMember ajp://192.168.0.130:8009 BalancerMember ajp://192.168.0.140:8009BalancerMember ajp://192.168.0.140:8009 </Proxy></Proxy> ProxyPass /tcaj balancer://ajp/tcajProxyPass /tcaj balancer://ajp/tcaj
  13. 13. mod_proxy_httpd configurationmod_proxy_httpd configuration ● Httpd.confHttpd.conf LoadModule slotmem_shm_module modules/mod_slotmem_shm.soLoadModule slotmem_shm_module modules/mod_slotmem_shm.so LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.soLoadModule proxy_http_module modules/mod_proxy_http.so LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.soLoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.soLoadModule proxy_balancer_module modules/mod_proxy_balancer.so <Proxy balancer://http><Proxy balancer://http> BalancerMember http://192.168.0.130:8080BalancerMember http://192.168.0.130:8080 BalancerMember http://192.168.0.140:8080BalancerMember http://192.168.0.140:8080 </Proxy></Proxy> ProxyPass /tchp balancer://http/tchpProxyPass /tchp balancer://http/tchp
  14. 14. Comparations mod_jk / mod_proxyComparations mod_jk / mod_proxy 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1M iB.bin 0 10000 20000 30000 40000 50000 60000 70000 Concurency 240 mod_jk proxy_ajp proxy_http11 File Size Kbytes/second
  15. 15. Comparations mod_jk / mod_proxyComparations mod_jk / mod_proxy 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 20 40 60 80 100 120 Concurency 240 mod_jk proxy_ajp proxy_http11 File Size CPUUsage
  16. 16. Conclusion AJP/HTTPConclusion AJP/HTTP ● No big difference mod_proxy_ajp/mod_jkNo big difference mod_proxy_ajp/mod_jk ● AJP more easy (no Valve needed)AJP more easy (no Valve needed) ● AJP not encryptedAJP not encrypted ● AJP has no upgradeAJP has no upgrade
  17. 17. H2C configurationH2C configuration ● Httpd.confHttpd.conf LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.soLoadModule proxy_http_module modules/mod_proxy_http.so LoadModule http2_module modules/mod_http2.soLoadModule http2_module modules/mod_http2.so – Protocols h2 h2c http/1.1Protocols h2 h2c http/1.1 – LoadModule proxy_http2_module modules/mod_proxy_http2.soLoadModule proxy_http2_module modules/mod_proxy_http2.so – ProxyPass "/tch2" "h2c://192.168.100.215:8888/tch2"ProxyPass "/tch2" "h2c://192.168.100.215:8888/tch2"
  18. 18. H2C configurationH2C configuration ● server.xmlserver.xml <Connector port="8888" protocol="HTTP/1.1" redirectPort="8443"><Connector port="8888" protocol="HTTP/1.1" redirectPort="8443"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /><UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector></Connector>
  19. 19. NGNIX versus HTTPNGNIX versus HTTP Is NGNIX better?Is NGNIX better?
  20. 20. NGNIX configurationNGNIX configuration worker_processes 1;worker_processes 1; events {events { worker_connections 1024;worker_connections 1024; }} http {http { upstream myapp1 {upstream myapp1 { server 192.168.100.215:8080;server 192.168.100.215:8080; server 192.168.100.191:8080;server 192.168.100.191:8080; }} server {server { listen 8097 ssl http2;listen 8097 ssl http2; server_name localhost;server_name localhost; ssl_certificate newcert.pem;ssl_certificate newcert.pem; ssl_certificate_key newkey.txt.pem;ssl_certificate_key newkey.txt.pem; ssl_session_cache shared:SSL:1m;ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m;ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5;ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on;ssl_prefer_server_ciphers on; location / {location / { proxy_pass http://myapp1;proxy_pass http://myapp1; }} }} }}
  21. 21. Comparisons ngnix/httpdComparisons ngnix/httpd 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1M iB.bin 0 10000 20000 30000 40000 50000 60000 Concurency 240 ngnix_h2_http11 proxy_h2_http11 File Size Kbytes/second
  22. 22. Comparisons ngnix/httpdComparisons ngnix/httpd 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB256KiB512KiB 1MiB 0 20 40 60 80 100 120 Concurency 240 ngnix_h2_http11 proxy_h2_http11 File Size CPUUsage
  23. 23. Comparisons HTTP11Comparisons HTTP11 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1M iB.bin 0 10000 20000 30000 40000 50000 60000 70000 Concurency 240 ngnix_http11 proxy_http11 File Size Kbytes/second
  24. 24. Comparisons HTTP11Comparisons HTTP11 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 20 40 60 80 100 120 Concurency 240 ngnix_http11 proxy_http11 File Size CPUusage
  25. 25. And so what ngnix?And so what ngnix? ● Hard to conclude (try 2 processes in NGNIX) ● Many process in httpd (try less 5 used) ● Ngnix also uses openssl 9/19/19 25
  26. 26. Other proxiesOther proxies ● HAProxy (in the cloud / openshift for example) ● mod_cluster (httpd dynamic load balancer) ● Undertow proxy (jboss servlet container) ● Ingress (in kubernetes, well Nginx or GCE) ● Traffic Server 9/19/19 26
  27. 27. Other protocolsOther protocols ● Jboss-remoting ● Mix httpd/1.1 websockets ● mod_proxy_wstunnel ● ProxySet "ws://localhost:8080/" upgrade=jboss-remoting ● LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so 9/19/19 27
  28. 28. So proxy or not proxySo proxy or not proxy ● Fail-over : yes ● H2 and old HTTP/1.1 tomcat : yes ● Pure java tomcat + TLS/SSL : yes ● Otherwise: No ● Which proxy: httpd but ngnix too... 9/19/19 28
  29. 29. Questions?Questions? Thank you!Thank you! ● jfclere@gmail.com ● users@tomcat.apache.org ● Repo with the scripts for the tests: – https://github.com/jfclere/AC2014scripts 9/19/19 29
  30. 30. Jean-Frederic Clere @jfclere jfclere@gmail.com
  • amine2206

    Jan. 29, 2021

presentation given at apacheconna2019

Views

Total views

1,807

On Slideshare

0

From embeds

0

Number of embeds

7

Actions

Downloads

12

Shares

0

Comments

0

Likes

1

×