Fronting Tomcat with Apache Httpd


Nov 17, 2013 (3 years and 9 months ago)



Mladen Turk

Red Hat, Inc.


Agenda




Introduction



Using mod_jk



Using mod_proxy

Typical architecture


Enterprise information systems


Heterogeneous environment


Multiple data sources (static/dynamic)

Typical architecture


Apache Httpd in front


Requests for dynamic information or interaction with back-end data sources go through web server to app server

[Diagram: Apache HTTPD connected through mod_jk or mod_proxy to Apache Tomcat, JBoss AS and Geronimo]

Enterprise IS problems


Applications are time consuming


Process client data, access the database, do some calculations and present the data back to the client.


Within ½ of a second to achieve user perception of a working application


High concurrency


The entire family of your manager will participate in testing


Add more CPU power


Buy faster hardware


Add more boxes


Security


Share applications with Intranet


Use Intranet data


Simple configuration


Separate content


Web server delivers static content


Application server delivers dynamic content

Secure generic configuration


Secure your data


Put the web server in DMZ


Handle security with Web server


High availability configuration


Add more application servers


Failover in case of failure


Add more boxes


Handle more clients

Apache HTTPD Architecture


Threaded


Windows, Netware

[Diagram: parent process with listener socket; child process running threads T1, T2 ... Tn; MaxClients]

Apache HTTPD Architecture


Prefork


Unixes

[Diagram: parent process with listener socket; three child processes; StartServers, MaxClients]


Apache HTTPD Architecture


Semi-threaded (worker)


Unixes (Apache 2 and up)

[Diagram: parent process with listener socket; child processes each running threads T1, T2 ... Tn; ThreadsPerChild, MaxClients]


Tomcat Architecture

[Diagram: Server containing Service, Engine, Host and two Contexts; AJP, SSL and HTTP Connectors; steps numbered 1 to 4; maxThreads]


Tomcat architecture


Thread context switch latency


Limits the number of concurrent connections


Limit 250 per CPU (empirical)


Depends on the OS and JVM

very bad on Windows (kernel limit on 64 event objects)


[Diagram: threads T1 and T2; processing and latency]

Getting the most out of integration


Do you need that?


Additional configuration


Additional maintenance


Need to build the connector on your own


Additional point of failure


Define your needs


Application response time


Number of concurrent users


Network throughput


Getting the most out of integration


Define your topology


Application servers


Web servers


Static content delivery


Clustering


Sessions


Caching


Failover


Load balancing



Getting the most out of Integration


Separate content


Do not mix application and native web server content


Separate applications


Do not mount /*


Do not mount /*.jsp


Use native SSL


Much faster than JSSE


Can use hardware accelerators


Getting the most out of Integration


Do you need SSL between web and application server?


Paranoid IT department


Understand the problem


Encryption is done twice

[Diagram: Apache HTTPD with mod_ssl (NIC 1, NIC 2) behind Firewall/443; Tomcat (NIC 1) behind Firewall/8009]

Fronting with mod_jk


Apache Tomcat project


Use current stable (1.2.22)


Supported Apache Httpd servers


Apache 1.33+


Apache 2.0.47+


Apache 2.2/2.3 (*)


mod_jk architecture


Uses AJP 1.3 protocol


Binary custom protocol


Constant connection pool


No need to parse HTTP headers twice


All preprocessing is done in Apache httpd


Integrated load balancer


Sticky sessions


Failover


Domain model clustering

mod_jk Architecture

[Diagram: Apache HTTPD (MaxClients, ThreadsPerChild) with worker.tomcat.type=ajp13, connected over the AJP protocol to Tomcat (maxThreads) with <Connector … protocol="AJP/1.3"/>]

mod_jk Load balancer Architecture

[Diagram: load balancer worker connected over AJP/1.3 to two Tomcat instances]

worker.balancer.type=lb
worker.balancer.balance_workers=host1,host2

worker.host1.type=ajp13 (Tomcat with jvmRoute="host1")
worker.host2.type=ajp13 (Tomcat with jvmRoute="host2")

Using mod_jk


Understand configuration

server.xml

<Service name="Catalina">

  <!-- An AJP 1.3 Connector on port 8009 -->
  <Connector port="8009" address="100.101.102.103"
             enableLookups="false" redirectPort="8443" debug="0"
             maxThreads="150" minSpareThreads="??"
             protocol="AJP/1.3"/>

  <Engine name="standalone" defaultHost="localhost"
          jvmRoute="host1">

httpd.conf

<IfModule worker.c>
    StartServers 2
    MaxClients 150
    MinSpareThreads 25
    MaxSpareThreads 75
    ThreadsPerChild 25
    MaxRequestsPerChild 0
</IfModule>



workers.properties

worker.host1.type=ajp13
worker.host1.port=8009
worker.host1.host=100.101.102.103
worker.host1.connection_pool_size=25
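
The three files above only work together when the paired values agree (port with port, host with address, MaxClients with maxThreads, ThreadsPerChild with connection_pool_size). The following check is an added example, not part of the original slides or of mod_jk; the sample inputs are constructed from the slide values, and the function names and rule wording are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs that mirror the values on the slides (closed so they parse).
SERVER_XML = """<Service name="Catalina">
  <Connector port="8009" address="100.101.102.103" maxThreads="150"
             protocol="AJP/1.3"/>
  <Engine name="standalone" defaultHost="localhost" jvmRoute="host1"/>
</Service>"""
HTTPD_CONF = "<IfModule worker.c>\nMaxClients 150\nThreadsPerChild 25\n</IfModule>"
WORKERS = """worker.host1.type=ajp13
worker.host1.port=8009
worker.host1.host=100.101.102.103
worker.host1.connection_pool_size=25"""


def parse_workers(text):
    """Return {worker name: {property: value}} from workers.properties text."""
    workers = {}
    for line in text.splitlines():
        m = re.match(r"\s*worker\.([^.=\s]+)\.([^=\s]+)\s*=\s*(.*?)\s*$", line)
        if m:
            workers.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return workers


def directive(conf, name):
    """Return the integer argument of an httpd directive, or 0 if absent."""
    m = re.search(rf"^\s*{name}\s+(\d+)\s*$", conf, re.M)
    return int(m.group(1)) if m else 0


def check(server_xml, httpd_conf, workers_text):
    """List mismatches between the three files (rule wording is hypothetical)."""
    service = ET.fromstring(server_xml)
    ajp = next(c for c in service.iter("Connector")
               if c.get("protocol", "").startswith("AJP"))
    route = service.find("Engine").get("jvmRoute")
    worker = parse_workers(workers_text).get(route)
    if worker is None:
        return [f"no worker named after jvmRoute {route!r}"]
    problems = []
    if worker.get("port") != ajp.get("port"):
        problems.append("worker port != AJP connector port")
    if worker.get("host") != ajp.get("address"):
        problems.append("worker host != AJP connector address")
    if directive(httpd_conf, "MaxClients") > int(ajp.get("maxThreads", 0)):
        problems.append("MaxClients exceeds Tomcat maxThreads")
    if int(worker.get("connection_pool_size", 0)) != directive(httpd_conf, "ThreadsPerChild"):
        problems.append("connection_pool_size != ThreadsPerChild")
    return problems
```
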



Clustering with mod_jk


Without sticky sessions


Session replication exists between Tomcat nodes


Sticky sessions


No session replication


Session replication between domains


Force sticky sessions


Domain clustering


Allows buddy replication


Split the nodes into groups


Use with large clusters


A Tomcat cluster only allows session replication to all nodes in the cluster. Once you work with more than 3-4 nodes there is too much overhead and risk in replicating sessions to all nodes.

mod_jk with Session replication


No need for session affinity


Requests can be served by any node


Tomcat session replication

[Diagram: mod_jk load balancer in front of node1 and node2, with session replication between the nodes]

worker.node1.type=ajp13
worker.node2.type=ajp13
worker.cluster.type=lb

mod_jk Sticky sessions


Session affinity mark


JSESSIONID defined as part of spec.


[Diagram: mod_jk load balancer in front of node1 and node2, with session replication between the nodes]

worker.node1.type=ajp13
worker.node2.type=ajp13
worker.cluster.type=lb

<Engine name="jboss.web" defaultHost="localhost" jvmRoute="node1">

JSESSIONID=XXX.node1

mod_jk Domain clustering


Large number of nodes

[Diagram: mod_jk load balancer in front of two domains containing node1, node2, node3 and node4]

worker.domain1.type=ajp13
worker.domain2.type=ajp13
worker.cluster.type=lb

<Engine name="Standalone" defaultHost="localhost" jvmRoute="domain1">

JSESSIONID=XXX.domain1

mod_jk Hot standby


In case of failure


Takes the load only if all other nodes fail

[Diagram: mod_jk load balancer in front of node1 and node2]

worker.node1.type=ajp13
worker.node2.type=ajp13
worker.cluster.type=lb
worker.node2.disabled=True
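
The sticky session, domain clustering and hot standby slides describe one selection order: follow the route suffix of JSESSIONID, fall back to the same domain, then to any active node, and only then to a disabled (standby) node. The sketch below is an added example that models that order; it is not mod_jk's code, and the worker dictionaries, the `domain` field and the round-robin `turn` argument are assumptions.

```python
# Constructed cluster: two domains of two nodes plus one hot-standby node.
WORKERS = [
    {"name": "node1", "domain": "domain1", "up": True, "disabled": False},
    {"name": "node2", "domain": "domain1", "up": True, "disabled": False},
    {"name": "node3", "domain": "domain2", "up": True, "disabled": False},
    {"name": "node4", "domain": "domain2", "up": True, "disabled": False},
    {"name": "spare", "domain": None, "up": True, "disabled": True},
]


def route_of(session_id):
    """Return the route suffix of 'XXX.route', or None if there is none."""
    _, dot, route = (session_id or "").rpartition(".")
    return route if dot and route else None


def pick_worker(session_id, workers, turn=0):
    """Pick a worker name for a request; `turn` drives round-robin."""
    up = [w for w in workers if w["up"]]
    active = [w for w in up if not w["disabled"]]
    standby = [w for w in up if w["disabled"]]
    route = route_of(session_id)
    # The route arrives in a client-supplied cookie, so it is only compared
    # against configured names; an unknown value selects nothing special.
    named = next((w for w in workers if w["name"] == route), None)
    domain = named["domain"] if named else route
    sticky = ([w for w in active if w["name"] == route]
              or [w for w in active if domain and w["domain"] == domain])
    # Order of preference: sticky match, any active node, hot standby.
    for pool in (sticky, active, standby):
        if pool:
            return pool[turn % len(pool)]["name"]
    return None  # every node is down
```
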


Handle high concurrency


Use connectionTimeout in AJP/1.3 connector


Actually this is KeepAlive timeout


Closes inactive connections


Firewalls not passing FIN packets


Multiple Apache Httpd front ends



Use connect_timeout


Sends a small packet to check Tomcat's availability to serve requests


Can be replaced with socket_timeout



Use prepost_timeout


Needed with connectionTimeout set


Detects closed connections by Tomcat

mod_jk Dynamic Configuration


Web based management


Allows dynamic management


VirtualHost limited

workers.properties

worker.list=jkstatus,...
...
worker.jkstatus.type=status


httpd.conf

<Location /jkstatus/>
    JkMount jkstatus
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>



Using mod_proxy


Part of standard Apache httpd distribution


No need to build additional module


Better integration with other modules (mod_rewrite)


Only way to have SSL communication with Tomcat


Using mod_ssl


Requires custom filter in Tomcat to get the original certificates


Requires additional headers for original client certificates


Uses http protocol


Standard protocol


No connection problems

mod_proxy for Apache Httpd 2.2


Rewritten mod_proxy


Connection pool capabilities


Option to separate MaxThreadsPerChild and connection pool size



More protocols


AJP 1.3 protocol support


mod_proxy_ajp



Integrated load balancer


mod_proxy_balancer


Protocol independent


Session affinity support


Multiple strategies


Shared memory runtime data


Each child is aware of the connection status

mod_proxy Architecture

[Diagram: parent process with listener socket; child processes each holding Worker #1, Worker #2 ... Worker #n; shared scoreboard with one entry per worker (status, elected, read, transferred)]

mod_proxy Load balancing


Virtual proxy


Like any other protocol but prefixed as balancer://


Contains 1 … n protocol workers


LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

<Proxy balancer://cluster>
    BalancerMember http://remote:port
</Proxy>

ProxyPass /examples balancer://cluster/examples


Why Apache Httpd with Tomcat?


Pros


Can serve static content faster compared to standalone Tomcat.


Supports PHP, CGI etc. via modules in addition to the ability to route JSP/Servlet requests to Tomcat.


Can load balance requests between multiple instances of Tomcat. Also provides session stickiness.



Cons


Needs additional effort to set up.


Dynamic content (JSP/Servlets) in a heavy traffic scenario may be a bottleneck, due to the tunnelling that happens between Apache and Tomcat.


Native code tightly coupled to the operating system.

Links


Apache Httpd


http://httpd.apache.org/


Tomcat


http://tomcat.apache.org/


Mod_jk


http://tomcat.apache.org/connectors-docs


Support


Apache Httpd mailing lists

http://httpd.apache.org/lists.html


Tomcat users mailing list

http://tomcat.apache.org/lists.html


Google

Q & A









