Using Proxies With Tomcat

Transcription

Using Proxies with Tomcat
Jean-Frederic Clere

What I will cover
- Who I am.
- Proxy what and why.
- Protocols
  - AJP
  - HTTP/HTTPS (1.1)
  - HTTP/2 (H2 and H2C)
  - Others (web-socket etc)
- Proxies
5/15/17

What I will cover (2)
- Proxies
  - httpd
  - Traffic Server
  - nginx
  - Undertow proxy / mod_cluster
- Performance tests
  - h2load as client load generator.
- Questions?

Who I am
- Jean-Frederic Clere
- Red Hat
- Years writing JAVA code and server software
- Tomcat committer since 2001
- Doing OpenSource since 1999
- Cyclist/Runner etc
- Lived 15 years in Spain (Barcelona)
- Now in Neuchâtel (CH)

What is Proxy?
- Something between the application server and the internet.
- Load-balancer
- Failover
- Protocol termination
  - SSL
  - HTTP/2
- Understands a protocol and possible upgrades.

Why a proxy?
- Control the load
- Serve static pages
- Control requests: mod_security / mod_rewrite etc
- Dynamic configuration (mod_balancer / mod_cluster)
- Protocol translations

AJP
- When
  - Easy SSL forwarding
- Limitations
  - No upgrade
  - Header size
  - No encryption
  - Limited "authentication" (secret)
- mod_proxy_ajp and mod_jk
- Others (Undertow, nginx, more?)

HTTP and HTTPS 1.1
- When:
  - No SSL forwarding
  - SSLValve
- HTTP/HTTPS:
  - HTTPS might be needed (Encryption/Authentication)
  - HTTPS on Tomcat (openssl again?)
  - HTTP if you trust your intranet.
- Other reasons:
  - HTTP is more developed than AJP

H2C
- h2c is only for reverse proxy
- Supported
  - httpd
  - Undertow

Demultiplexing h2 in proxy
- Keep the back-end unchanged
- Keep the overhead for h2 in the proxy

Tomcat / Performances
[Chart, concurrency 240: Kbytes/second by file size (4KiB to 1MiB); series: coyote_nio_jsse_h1_https, coyote_nio_jsse_h2_https]

Tomcat / Performances
[Chart, concurrency 240: CPU usage by file size (4KiB to 1MiB); series: coyote_nio_jsse_h1_https, coyote_nio_jsse_h2_https]

mod_jk configuration

httpd.conf:

    LoadModule jk_module modules/mod_jk.so
    JkMount /jkaj/* worker1
    JkWorkersFile conf/workers.properties

workers.properties:

    # Define 1 real worker using ajp13
    worker.list=worker1
    worker.worker1.type=lb
    worker.worker1.balance_workers=clusterdev03,clusterdev04
    # Set properties for workers (ajp13)
    worker.clusterdev03.type=ajp13
    worker.clusterdev03.host=192.168.0.130
    worker.clusterdev03.port=8009
    worker.clusterdev04.type=ajp13
    worker.clusterdev04.host=192.168.0.140
    worker.clusterdev04.port=8009

mod_proxy_ajp configuration

httpd.conf:

    LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

    <Proxy balancer://ajp>
        # 192.168.0.140 192.168.0.130 clusterdev04 / 03
        BalancerMember ajp://192.168.0.130:8009
        BalancerMember ajp://192.168.0.140:8009
    </Proxy>
    ProxyPass /tcaj balancer://ajp/tcaj

mod_proxy_http configuration

httpd.conf:

    LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

    <Proxy balancer://http>
        BalancerMember http://192.168.0.130:8080
        BalancerMember http://192.168.0.140:8080
    </Proxy>
    ProxyPass /tchp balancer://http/tchp

Comparisons mod_jk / mod_proxy
[Chart, concurrency 240: Kbytes/second by file size; series: mod_jk, proxy ajp, proxy http]

Comparisons mod_jk / mod_proxy
[Chart, concurrency 240: CPU usage by file size (4KiB to 1MiB); series: mod_jk, proxy ajp, proxy http]

Conclusion AJP/HTTP
- No big difference mod_proxy_ajp / mod_jk
- AJP more easy (no Valve needed)
- AJP not encrypted
- AJP no upgrade
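An added example, not from the slides or from the Tomcat or mod_jk projects: a small audit for the two AJP limits named above (no encryption, and a shared secret as the only authentication). It checks the AJP connectors in a Tomcat server.xml and the ajp13 workers in a mod_jk workers.properties. The sample files are constructed, the function names are hypothetical, and the secret value is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, not from the slides. Worker names follow the
# mod_jk slide; the secret value is a placeholder.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0" secretRequired="false"/>
  <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" secret="PLACEHOLDER"/>
</Service></Server>"""
WORKERS_PROPERTIES = """\
worker.list=worker1
worker.worker1.type=lb
worker.worker1.balance_workers=clusterdev03,clusterdev04
worker.clusterdev03.type=ajp13
worker.clusterdev03.host=192.168.0.130
worker.clusterdev03.secret=PLACEHOLDER
worker.clusterdev04.type=ajp13
worker.clusterdev04.host=192.168.0.140
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_tomcat_ajp(server_xml):
    """Return (port, finding) pairs for AJP connectors in a Tomcat server.xml."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue  # HTTP connectors are out of scope for this check
        port = conn.get("port")
        if not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append((port, "no shared secret"))
        if conn.get("secretRequired", "").lower() == "false":
            findings.append((port, "secretRequired disabled"))
        # Unset counts too: older Tomcat releases bind AJP to all interfaces.
        if conn.get("address") not in LOOPBACK:
            findings.append((port, "address unset or non-loopback: AJP is cleartext"))
    return findings

def audit_jk_workers(text):
    """Return names of ajp13 workers that define no worker.<name>.secret."""
    props = dict(tuple(map(str.strip, line.split("=", 1)))
                 for line in text.splitlines()
                 if "=" in line and not line.lstrip().startswith("#"))
    ajp = [k.split(".")[1] for k, v in props.items()
           if k.endswith(".type") and v == "ajp13"]
    return sorted(w for w in ajp if f"worker.{w}.secret" not in props)

if __name__ == "__main__":
    print(audit_tomcat_ajp(SERVER_XML))
    print(audit_jk_workers(WORKERS_PROPERTIES))
```

A secret only authenticates the proxy to Tomcat; the AJP traffic itself stays unencrypted, which is why a non-loopback bind is reported separately.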

H2C configuration

httpd.conf:

    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule http2_module modules/mod_http2.so
    Protocols h2 h2c http/1.1
    LoadModule proxy_http2_module modules/mod_proxy_http2.so
    ProxyPass "/tch2" "h2c://192.168.100.215:8888/tch2"

H2C configuration

server.xml:

    <Connector port="8888" protocol="HTTP/1.1" redirectPort="8443">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>

NGINX versus HTTP
- Is NGINX better?

NGINX configuration

    worker_processes 1;
    events {
        worker_connections 1024;
    }
    http {
        upstream myapp1 {
            server 192.168.100.215:8080;
            server 192.168.100.191:8080;
        }
        server {
            listen 8097 ssl http2;
            server_name localhost;
            ssl_certificate newcert.pem;
            ssl_certificate_key newkey.txt.pem;
            ssl_session_cache shared:SSL:1m;
            ssl_session_timeout 5m;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_prefer_server_ciphers on;
            location / {
                proxy_pass http://myapp1;
            }
        }
    }

Comparisons nginx/httpd
[Chart, concurrency 240: Kbytes/second by file size; series: nginx h2 http11, proxy h2 http11]

Comparisons nginx/httpd
[Chart, concurrency 240: CPU usage by file size (4KiB to 1MiB); series: nginx h2 http11, proxy h2 http11]

Comparisons HTTP11
[Chart, concurrency 240: Kbytes/second by file size; series: nginx http11, proxy http11]

Comparisons HTTP11
[Chart, concurrency 240: CPU usage by file size (4KiB to 1MiB); series labelled Column B and Column C]

And so what nginx?
- Hard to conclude (try 2 processes in nginx)
- Many processes in httpd (try less 5 used)
- nginx also rebuild openssl

Comparisons HTTP11
[Two charts, concurrency 240: Kbytes/second and CPU usage by file size (4KiB to 1MiB); series: nginx http11, proxy http11]

Other proxies
- HAProxy (in the cloud / openshift for example)
- mod_cluster (httpd dynamic load balancer)
- Undertow proxy (jboss new servlet container)

So proxy or not proxy
- Fail-over: yes
- H2 and old HTTP/1.1 tomcat: yes
- Pure java tomcat SSL: yes
- Otherwise: No
- Which proxy: httpd but nginx too.

Questions?
Thank you!
- jfclere@gmail.com
- users@tomcat.apache.org
- Repo with the scripts

Jean-Frederic Clere
@jfclere
jfclere@gmail.com
