Successfully reported this slideshow.
Your SlideShare is downloading. ×

Apache httpd reverse proxy and Tomcat

Ad

Apache httpd reverse proxy andApache httpd reverse proxy and
TomcatTomcat
Jean-Frederic ClereJean-Frederic Clere

Ad

What I will coverWhat I will cover
●
Proxy what and why.
●
Protocols
– AJP
– HTTP/HTTPS (1.1)
– HTTP/2 (H2 and H2C)
– Othe...

Ad

What I will cover (2)What I will cover (2)
Proxies
– httpd
– Ngnix
Questions?
9/19/19 3

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Loading in …3
×

Check these out next

1 of 30 Ad
1 of 30 Ad

More Related Content

Apache httpd reverse proxy and Tomcat

  1. 1. Apache httpd reverse proxy andApache httpd reverse proxy and TomcatTomcat Jean-Frederic ClereJean-Frederic Clere
  2. 2. What I will coverWhat I will cover ● Proxy what and why. ● Protocols – AJP – HTTP/HTTPS (1.1) – HTTP/2 (H2 and H2C) – Others (web-socket etc) ● Proxies – Httpd / Traffic Server / ngix / untertow proxy /mod_cluster 9/19/19 2
  3. 3. What I will cover (2)What I will cover (2) Proxies – httpd – Ngnix Questions? 9/19/19 3
  4. 4. Who I amWho I am Jean-Frederic Clere Red Hat Years writing JAVA code and server software Tomcat committer since 2001 Doing OpenSource since 1999 Cyclist/Runner etc Lived 15 years in Spain (Barcelona) Now in Neuchâtel (CH) 9/19/19 4
  5. 5. What is Proxy?What is Proxy? ● Something between the application server and the internet. ● Load-balancer ● Failover ● Protocol termination – TLS/SSL – HTTP/2 and soon HTTP/3 ● Understands a protocol and possible upgrades. 9/19/19 5
  6. 6. Why a proxy?Why a proxy? ● Control the load ● Serve static pages ● Control requests: mod_security / mod_rewrite etc ● Dynamic configuration (mod_balancer/mod_cluster…) ● Protocol translations 9/19/19 6
  7. 7. AJPAJP ● When – Easy TLS/SSL forwarding ● Limitations – No upgrade – Header size – No encryption – Limited “authentication” (secret) ● mod_proxy_ajp and mod_jk 9/19/19 7
  8. 8. HTTP and HTTPS 1.1HTTP and HTTPS 1.1 ● When: – No SSL forwarding – Using SSLValve ● HTTP/HTTPS: – HTTPS might be need (Encryption/Authentication) – HTTPS on tomcat (openssl again?) – HTTP if you trust your intranet. (really?) ● Other reasons: – HTTP is more developed than AJP 9/19/19 8
  9. 9. H2C ● h2c is only for reverse proxy ● Supported – httpd
  10. 10. Demultiplexing h2 in proxy ● Keep the back-end unchanged ● Keep the overhead of h2 in the proxy
  11. 11. mod_jk configurationmod_jk configuration ● Httpd.confHttpd.conf LoadModule jk_module modules/mod_jk.soLoadModule jk_module modules/mod_jk.so JkMount /jkaj/* worker1JkMount /jkaj/* worker1 JkWorkersFile conf/workers.propertiesJkWorkersFile conf/workers.properties ● propertiesproperties # Define 1 real worker using ajp13# Define 1 real worker using ajp13 worker.list=worker1worker.list=worker1 worker.worker1.type=lbworker.worker1.type=lb worker.worker1.balance_workers=clusterdev03,clusterdev04worker.worker1.balance_workers=clusterdev03,clusterdev04
  12. 12. mod_proxy_ajp configurationmod_proxy_ajp configuration ● Httpd.confHttpd.conf LoadModule slotmem_shm_module modules/mod_slotmem_shm.soLoadModule slotmem_shm_module modules/mod_slotmem_shm.so LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_module modules/mod_proxy.so LoadModule proxy_ajp_module modules/mod_proxy_ajp.soLoadModule proxy_ajp_module modules/mod_proxy_ajp.so LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.soLoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.soLoadModule proxy_balancer_module modules/mod_proxy_balancer.so <Proxy balancer://ajp><Proxy balancer://ajp> #192.168.0.140 192.168.0.130 clusterdev04 / 03#192.168.0.140 192.168.0.130 clusterdev04 / 03 BalancerMember ajp://192.168.0.130:8009BalancerMember ajp://192.168.0.130:8009 BalancerMember ajp://192.168.0.140:8009BalancerMember ajp://192.168.0.140:8009 </Proxy></Proxy> ProxyPass /tcaj balancer://ajp/tcajProxyPass /tcaj balancer://ajp/tcaj
  13. 13. mod_proxy_httpd configurationmod_proxy_httpd configuration ● Httpd.confHttpd.conf LoadModule slotmem_shm_module modules/mod_slotmem_shm.soLoadModule slotmem_shm_module modules/mod_slotmem_shm.so LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.soLoadModule proxy_http_module modules/mod_proxy_http.so LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.soLoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.soLoadModule proxy_balancer_module modules/mod_proxy_balancer.so <Proxy balancer://http><Proxy balancer://http> BalancerMember http://192.168.0.130:8080BalancerMember http://192.168.0.130:8080 BalancerMember http://192.168.0.140:8080BalancerMember http://192.168.0.140:8080 </Proxy></Proxy> ProxyPass /tchp balancer://http/tchpProxyPass /tchp balancer://http/tchp
  14. 14. Comparations mod_jk / mod_proxyComparations mod_jk / mod_proxy 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1M iB.bin 0 10000 20000 30000 40000 50000 60000 70000 Concurency 240 mod_jk proxy_ajp proxy_http11 File Size Kbytes/second
  15. 15. Comparations mod_jk / mod_proxyComparations mod_jk / mod_proxy 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 20 40 60 80 100 120 Concurency 240 mod_jk proxy_ajp proxy_http11 File Size CPUUsage
  16. 16. Conclusion AJP/HTTPConclusion AJP/HTTP ● No big difference mod_proxy_ajp/mod_jkNo big difference mod_proxy_ajp/mod_jk ● AJP more easy (no Valve needed)AJP more easy (no Valve needed) ● AJP not encryptedAJP not encrypted ● AJP has no upgradeAJP has no upgrade
  17. 17. H2C configurationH2C configuration ● Httpd.confHttpd.conf LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.soLoadModule proxy_http_module modules/mod_proxy_http.so LoadModule http2_module modules/mod_http2.soLoadModule http2_module modules/mod_http2.so – Protocols h2 h2c http/1.1Protocols h2 h2c http/1.1 – LoadModule proxy_http2_module modules/mod_proxy_http2.soLoadModule proxy_http2_module modules/mod_proxy_http2.so – ProxyPass "/tch2" "h2c://192.168.100.215:8888/tch2"ProxyPass "/tch2" "h2c://192.168.100.215:8888/tch2"
  18. 18. H2C configurationH2C configuration ● server.xmlserver.xml <Connector port="8888" protocol="HTTP/1.1" redirectPort="8443"><Connector port="8888" protocol="HTTP/1.1" redirectPort="8443"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /><UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector></Connector>
  19. 19. NGNIX versus HTTPNGNIX versus HTTP Is NGNIX better?Is NGNIX better?
  20. 20. NGNIX configurationNGNIX configuration worker_processes 1;worker_processes 1; events {events { worker_connections 1024;worker_connections 1024; }} http {http { upstream myapp1 {upstream myapp1 { server 192.168.100.215:8080;server 192.168.100.215:8080; server 192.168.100.191:8080;server 192.168.100.191:8080; }} server {server { listen 8097 ssl http2;listen 8097 ssl http2; server_name localhost;server_name localhost; ssl_certificate newcert.pem;ssl_certificate newcert.pem; ssl_certificate_key newkey.txt.pem;ssl_certificate_key newkey.txt.pem; ssl_session_cache shared:SSL:1m;ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m;ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5;ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on;ssl_prefer_server_ciphers on; location / {location / { proxy_pass http://myapp1;proxy_pass http://myapp1; }} }} }}
  21. 21. Comparisons ngnix/httpdComparisons ngnix/httpd 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1M iB.bin 0 10000 20000 30000 40000 50000 60000 Concurency 240 ngnix_h2_http11 proxy_h2_http11 File Size Kbytes/second
  22. 22. Comparisons ngnix/httpdComparisons ngnix/httpd 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB256KiB512KiB 1MiB 0 20 40 60 80 100 120 Concurency 240 ngnix_h2_http11 proxy_h2_http11 File Size CPUUsage
  23. 23. Comparisons HTTP11Comparisons HTTP11 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1M iB.bin 0 10000 20000 30000 40000 50000 60000 70000 Concurency 240 ngnix_http11 proxy_http11 File Size Kbytes/second
  24. 24. Comparisons HTTP11Comparisons HTTP11 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 20 40 60 80 100 120 Concurency 240 ngnix_http11 proxy_http11 File Size CPUusage
  25. 25. And so what ngnix?And so what ngnix? ● Hard to conclude (try 2 processes in NGNIX) ● Many process in httpd (try less 5 used) ● Ngnix also uses openssl 9/19/19 25
  26. 26. Other proxiesOther proxies ● HAProxy (in the cloud / openshift for example) ● mod_cluster (httpd dynamic load balancer) ● Undertow proxy (jboss servlet container) ● Ingress (in kubernetes, well Nginx or GCE) ● Traffic Server 9/19/19 26
  27. 27. Other protocolsOther protocols ● Jboss-remoting ● Mix httpd/1.1 websockets ● mod_proxy_wstunnel ● ProxySet "ws://localhost:8080/" upgrade=jboss-remoting ● LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so 9/19/19 27
  28. 28. So proxy or not proxySo proxy or not proxy ● Fail-over : yes ● H2 and old HTTP/1.1 tomcat : yes ● Pure java tomcat + TLS/SSL : yes ● Otherwise: No ● Which proxy: httpd but ngnix too... 9/19/19 28
  29. 29. Questions?Questions? Thank you!Thank you! ● jfclere@gmail.com ● users@tomcat.apache.org ● Repo with the scripts for the tests: – https://github.com/jfclere/AC2014scripts 9/19/19 29
  30. 30. Jean-Frederic Clere @jfclere jfclere@gmail.com

×