Using Proxies with Tomcat
Jean-Frederic Clere

Source: Sched, schd.ws/hosted_files/apachecon2017/38/TomcatProxies.pdf



What I will cover

● Who I am.

● Proxy what and why.

● Protocols

– AJP

– HTTP/HTTPS (1.1)

– HTTP/2 (H2 and H2C)

– Others (web-socket etc)

● Proxies

– httpd

– Traffic Server

– nginx

– undertow proxy

– mod_cluster

● Performance tests

– h2load as client load generator.

● Questions?

5/17/17 2

What I will cover (2)

● Proxies

– httpd

– nginx

– Traffic Server

– undertow proxy / mod_cluster

● Performance tests

– h2load as client load generator.

● Questions?

Who I am

Jean-Frederic Clere

Red Hat

Years writing JAVA code and server software

Tomcat committer since 2001

Doing OpenSource since 1999

Cyclist/Runner etc

Lived 15 years in Spain (Barcelona)

Now in Neuchâtel (CH)

What is a Proxy?

● Something between the application server and the internet.

● Load-balancer

● Failover

● Protocol termination

– SSL

– HTTP/2

● Understands a protocol and possible upgrades.


Why a proxy?

● Control the load

● Serve static pages

● Control requests: mod_security / mod_rewrite etc

● Dynamic configuration (mod_balancer/mod_cluster…)

● Protocol translations


AJP

● When

– Easy SSL forwarding

● Limitations

– No upgrade

– Header size

– No encryption

– Limited “authentication” (secret)

● mod_proxy_ajp and mod_jk

● Others (undertow, nginx, more?)

HTTP and HTTPS 1.1

● When:

– No SSL forwarding

– Using SSLValve

● HTTP/HTTPS:

– HTTPS might be needed (Encryption/Authentication)

– HTTPS on tomcat (openssl again?)

– HTTP if you trust your intranet. (really?)

● Other reasons:

– HTTP is more developed than AJP

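As an added example (not from the deck), one Tomcat server.xml fragment that covers both points made on the AJP slide (no encryption, only a shared secret for authentication) and on the HTTP/1.1 slide (SSL terminated at the proxy, TLS details forwarded to the SSLValve). It assumes httpd sits at 192.168.0.1, Tomcat at 192.168.0.130 (the address used in the deck's worker configs), a placeholder secret, and a Tomcat release that has the AJP secret/secretRequired attributes (8.5.51 / 9.0.31 and later).

```xml
<!-- Added example, not part of the deck. Assumed addresses: proxy 192.168.0.1,
     Tomcat 192.168.0.130. The secret value is a placeholder. -->
<Service name="Catalina">

  <!-- AJP carries no encryption and only a shared secret, so bind the connector
       to the interface the proxy reaches and refuse requests without the secret.
       mod_jk: worker.<name>.secret must carry the same value. -->
  <Connector protocol="AJP/1.3"
             port="8009"
             address="192.168.0.130"
             secretRequired="true"
             secret="CHANGE-ME-placeholder-secret" />

  <!-- HTTP/1.1 from the proxy; TLS has already been terminated at httpd. -->
  <Connector protocol="HTTP/1.1"
             port="8080"
             address="192.168.0.130"
             redirectPort="8443" />

  <Engine name="Catalina" defaultHost="localhost">
    <!-- Trust X-Forwarded-For / X-Forwarded-Proto only when the request comes
         from the proxy, so getRemoteAddr(), getScheme() and isSecure() describe
         the real client instead of the proxy. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="192\.168\.0\.1"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https" />

    <!-- SSLValve rebuilds the TLS request attributes from the headers
         ssl_client_cert, ssl_cipher, ssl_session_id and ssl_cipher_usekeysize.
         httpd must set (overwrite) those headers on every proxied request,
         e.g. RequestHeader set ssl_client_cert "%{SSL_CLIENT_CERT}s";
         the valve itself trusts whatever value arrives. -->
    <Valve className="org.apache.catalina.valves.SSLValve" />

    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```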

H2C

● h2c is only for reverse proxy

● Supported

– httpd

– Undertow

Demultiplexing h2 in proxy

● Keep the back-end unchanged

● Keep the overhead for h2 in the proxy

Tomcat / Performances

[Figure: Kbytes/second against file size (4KiB.bin to 1MiB.bin), concurrency 240; series coyote_nio_jsse_h1_https and coyote_nio_jsse_h2_https; y axis 0 to 400000.]

Tomcat / Performances

[Figure: CPU usage (0 to 90) against file size (4KiB to 1MiB), concurrency 240; series coyote_nio_jsse_h1_https and coyote_nio_jsse_h2_https.]

mod_jk configuration

● httpd.conf

LoadModule jk_module modules/mod_jk.so
JkMount /jkaj/* worker1
JkWorkersFile conf/workers.properties

● workers.properties

# Define 1 real worker using ajp13
worker.list=worker1
worker.worker1.type=lb
worker.worker1.balance_workers=clusterdev03,clusterdev04

# Set properties for workers (ajp13)
worker.clusterdev03.type=ajp13
worker.clusterdev03.host=192.168.0.130
worker.clusterdev03.port=8009

worker.clusterdev04.type=ajp13
worker.clusterdev04.host=192.168.0.140
worker.clusterdev04.port=8009

mod_proxy_ajp configuration

● httpd.conf

LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

<Proxy balancer://ajp>
    # 192.168.0.140 192.168.0.130 clusterdev04 / 03
    BalancerMember ajp://192.168.0.130:8009
    BalancerMember ajp://192.168.0.140:8009
</Proxy>

ProxyPass /tcaj balancer://ajp/tcaj

mod_proxy_http configuration

● httpd.conf

LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

<Proxy balancer://http>
    BalancerMember http://192.168.0.130:8080
    BalancerMember http://192.168.0.140:8080
</Proxy>

ProxyPass /tchp balancer://http/tchp

Comparisons mod_jk / mod_proxy

[Figure: Kbytes/second (0 to 70000) against file size (4KiB.bin to 1MiB.bin), concurrency 240; series mod_jk, proxy_ajp and proxy_http11.]

Comparisons mod_jk / mod_proxy

[Figure: CPU usage (0 to 120) against file size (4KiB to 1MiB), concurrency 240; series mod_jk, proxy_ajp and proxy_http11.]

Conclusion AJP/HTTP

● No big difference mod_proxy_ajp/mod_jk

● AJP easier (no Valve needed)

● AJP not encrypted

● AJP no upgrade

H2C configuration

● httpd.conf

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule http2_module modules/mod_http2.so
Protocols h2 h2c http/1.1
LoadModule proxy_http2_module modules/mod_proxy_http2.so
ProxyPass "/tch2" "h2c://192.168.100.215:8888/tch2"

H2C configuration

● server.xml

<Connector port="8888" protocol="HTTP/1.1" redirectPort="8443">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>

nginx versus HTTP

Is nginx better?

nginx configuration

worker_processes 1;

events {
    worker_connections 1024;
}

http {
    upstream myapp1 {
        server 192.168.100.215:8080;
        server 192.168.100.191:8080;
    }

    server {
        listen 8097 ssl http2;
        server_name localhost;
        ssl_certificate newcert.pem;
        ssl_certificate_key newkey.txt.pem;

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://myapp1;
        }
    }
}

Comparisons nginx/httpd

[Figure: Kbytes/second (0 to 60000) against file size (4KiB.bin to 1MiB.bin), concurrency 240; series ngnix_h2_http11 and proxy_h2_http11.]

Comparisons nginx/httpd

[Figure: CPU usage (0 to 120) against file size (4KiB to 1MiB), concurrency 240; series ngnix_h2_http11 and proxy_h2_http11.]

Comparisons HTTP11

[Figure: Kbytes/second (0 to 70000) against file size (4KiB.bin to 1MiB.bin), concurrency 240; series ngnix_http11 and proxy_http11.]

Comparisons HTTP11

[Figure: CPU usage (0 to 120) against file size (4KiB to 1MiB), concurrency 240; series labelled only "Column B" and "Column C" in the source.]

And so what, nginx?

● Hard to conclude (try 2 processes in nginx)

● Many processes in httpd (try fewer: 5 used)

● nginx also rebuilt with openssl

Comparisons HTTP11 (2 workers)

[Figure: Kbytes/second (0 to 80000) against file size (4KiB.bin to 1MiB.bin), concurrency 240; series ngnix_http11 and proxy_http11.]

[Figure: CPU usage (0 to 120) against file size (4KiB to 1MiB), concurrency 240; series ngnix_http11 and proxy_http11.]

Other proxies

● HAProxy (in the cloud / openshift for example)

● mod_cluster (httpd dynamic load balancer)

● Undertow proxy (jboss new servlet container)


TrafficServer / Configuration

● records.config

– CONFIG proxy.config.ssl.number.threads INT 0

– CONFIG proxy.config.http.server_ports STRING 8888:ssl

– CONFIG proxy.config.url_remap.pristine_host_hdr INT 1

– CONFIG proxy.config.http2.enabled INT 1

– CONFIG proxy.config.ssl.TLSv1_1 INT 1

– CONFIG proxy.config.ssl.TLSv1_2 INT 1

● ssl_multicert.config:

– dest_ip=* ssl_cert_name=newcert.pem ssl_key_name=newkey.txt.pem

● remap.config:

– map / http://127.0.0.1:8080

● ip_allow.config:

– src_ip=192.168.1.38 action=ip_allow method=ALL

– src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow method=ALL


Other protocols

● Jboss-remoting

● Mix HTTP/1.1 and websockets

● mod_proxy_wstunnel

● ProxySet "ws://localhost:8080/" upgrade=jboss-remoting

● LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so


So proxy or not proxy

● Fail-over: yes

● H2 and old HTTP/1.1 tomcat : yes

● Pure java tomcat + SSL : yes

● Otherwise: No

● Which proxy: httpd, but nginx too...


Questions?

Thank you!

[email protected]

[email protected]

● Repo with the scripts for the tests:

– https://github.com/jfclere/AC2014scripts


Jean-Frederic Clere@[email protected]