Using Proxies with Tomcat
Jean-Frederic Clere
What I will cover
● Who I am.
● Proxy what and why.
● Protocols
– AJP
– HTTP/HTTPS (1.1)
– HTTP/2 (H2 and H2C)
– Others (web-socket etc)
● Proxies
– httpd
– Traffic Server
– nginx
– Undertow proxy
– mod_cluster
● Performance tests
– h2load as client load generator.
● Questions?
5/15/17 2
What I will cover (2)
● Proxies
– httpd
– Traffic Server
– nginx
– Undertow proxy / mod_cluster
● Performance tests
– h2load as client load generator.
● Questions?
Who I am
Jean-Frederic Clere
Red Hat
Years writing JAVA code and server software
Tomcat committer since 2001
Doing OpenSource since 1999
Cyclist/Runner etc
Lived 15 years in Spain (Barcelona)
Now in Neuchâtel (CH)
What is a Proxy?
● Something between the application server and the internet.
● Load-balancer
● Failover
● Protocol termination
– SSL
– HTTP/2
● Understands a protocol and possible upgrades.
Why a proxy?
● Control the load
● Serve static pages
● Control requests: mod_security / mod_rewrite etc
● Dynamic configuration (mod_balancer/mod_cluster…)
● Protocol translations
AJP
● When
– Easy SSL forwarding
● Limitations
– No upgrade
– Header size
– No encryption
– Limited “authentication” (secret)
● mod_proxy_ajp and mod_jk
● Others (Undertow, nginx, more?)
HTTP and HTTPS 1.1
● When:
– No SSL forwarding
– SSLValve
● HTTP/HTTPS:
– HTTPS might be needed (encryption/authentication)
– HTTPS on Tomcat (OpenSSL again?)
– HTTP if you trust your intranet.
● Other reasons:
– HTTP is more developed than AJP
H2C
● h2c is only for reverse proxy
● Supported
– httpd
– Undertow
Demultiplexing h2 in proxy
● Keep the back-end unchanged
● Keep the overhead for h2 in the proxy
Tomcat / Performances
[Chart: throughput in KBytes/second by file size (4KiB.bin to 1MiB.bin), concurrency 240; series: coyote_nio_jsse_h1_https, coyote_nio_jsse_h2_https]
Tomcat / Performances
[Chart: CPU usage by file size (4KiB to 1MiB), concurrency 240; series: coyote_nio_jsse_h1_https, coyote_nio_jsse_h2_https]
mod_jk configuration
● httpd.conf
LoadModule jk_module modules/mod_jk.so
JkMount /jkaj/* worker1
JkWorkersFile conf/workers.properties
● workers.properties
# Define 1 real worker using ajp13
worker.list=worker1
worker.worker1.type=lb
worker.worker1.balance_workers=clusterdev03,clusterdev04
# Set properties for workers (ajp13)
worker.clusterdev03.type=ajp13
worker.clusterdev03.host=192.168.0.130
worker.clusterdev03.port=8009
worker.clusterdev04.type=ajp13
worker.clusterdev04.host=192.168.0.140
worker.clusterdev04.port=8009
mod_proxy_ajp configuration
● httpd.conf
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
<Proxy balancer://ajp>
  #192.168.0.140 192.168.0.130 clusterdev04 / 03
  BalancerMember ajp://192.168.0.130:8009
  BalancerMember ajp://192.168.0.140:8009
</Proxy>
ProxyPass /tcaj balancer://ajp/tcaj
mod_proxy_http configuration
● httpd.conf
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
<Proxy balancer://http>
  BalancerMember http://192.168.0.130:8080
  BalancerMember http://192.168.0.140:8080
</Proxy>
ProxyPass /tchp balancer://http/tchp
Comparisons mod_jk / mod_proxy
[Chart: throughput in KBytes/second by file size (4KiB.bin to 1MiB.bin), concurrency 240; series: mod_jk, proxy_ajp, proxy_http]
Comparisons mod_jk / mod_proxy
[Chart: CPU usage by file size (4KiB to 1MiB), concurrency 240; series: mod_jk, proxy_ajp, proxy_http]
Conclusion AJP/HTTP
● No big difference between mod_proxy_ajp and mod_jk
● AJP is easier (no Valve needed)
● AJP is not encrypted
● AJP has no upgrade
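Added example, not from the slides or the speaker's test scripts: a small Python audit of httpd proxy directives like the ones shown above, reporting for each back-end hop what the AJP and HTTP slides state (AJP, plain HTTP and h2c are cleartext; AJP authentication is limited to a shared secret). The `audit` function, the sample text and the `CHANGE_ME` value are constructed for illustration; `secret=` is the mod_proxy_ajp worker parameter available in httpd 2.4.42 and later.

```python
import ipaddress

# Back-end schemes httpd can proxy to -> is the proxy-to-Tomcat hop TLS-protected?
ENCRYPTED = {"ajp": False, "http": False, "h2c": False, "https": True, "h2": True}

# Constructed sample: one member as on the slides, the rest added for contrast.
SAMPLE = """\
<Proxy balancer://ajp>
  # clusterdev03, as on the slide
  BalancerMember ajp://192.168.0.130:8009
  # constructed: same kind of member with a shared secret
  BalancerMember ajp://192.168.0.140:8009 secret=CHANGE_ME
</Proxy>
ProxyPass /tcaj balancer://ajp/tcaj
ProxyPass "/tch2" "h2c://192.168.100.215:8888/tch2"
ProxyPass /app https://192.168.0.130:8443/app
"""

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # a DNS name: assume the traffic leaves the machine

def audit(conf_text):
    """Return (line_no, scheme, host, issues) for every back-end URL found."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.replace('"', "").split()
        if not words or words[0].lower() not in ("balancermember", "proxypass"):
            continue  # comments, LoadModule, <Proxy> containers, ...
        url = next((w for w in words[1:] if "://" in w), None)
        if url is None:
            continue
        scheme, rest = url.split("://", 1)
        scheme = scheme.lower()
        if scheme not in ENCRYPTED:  # e.g. balancer://, judged via its members
            continue
        host = rest.split("/", 1)[0].rsplit(":", 1)[0]
        params = dict(w.split("=", 1) for w in words[1:] if "=" in w and "://" not in w)
        issues = []
        if not ENCRYPTED[scheme] and not is_loopback(host):
            issues.append("cleartext hop")  # a secret does not encrypt anything
        if scheme == "ajp" and not params.get("secret"):
            issues.append("no AJP secret")
        findings.append((n, scheme, host, issues))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A secret set on the httpd side only helps if the Tomcat AJP connector is configured with the same value, and the hop stays cleartext either way.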
H2C configuration
● httpd.conf
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule http2_module modules/mod_http2.so
Protocols h2 h2c http/1.1
LoadModule proxy_http2_module modules/mod_proxy_http2.so
ProxyPass "/tch2" "h2c://192.168.100.215:8888/tch2"
H2C configuration
● server.xml
<Connector port="8888" protocol="HTTP/1.1" redirectPort="8443">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>
NGINX versus HTTP
Is NGINX better?
NGINX configuration
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    upstream myapp1 {
        server 192.168.100.215:8080;
        server 192.168.100.191:8080;
    }
    server {
        listen 8097 ssl http2;
        server_name localhost;
        ssl_certificate newcert.pem;
        ssl_certificate_key newkey.txt.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass http://myapp1;
        }
    }
}
Comparisons nginx/httpd
[Chart: throughput in KBytes/second by file size (4KiB.bin to 1MiB.bin), concurrency 240; series: ngnix_h2_http11, proxy_h2_http11]
Comparisons nginx/httpd
[Chart: CPU usage by file size (4KiB to 1MiB), concurrency 240; series: ngnix_h2_http11, proxy_h2_http11]
Comparisons HTTP11
[Chart: throughput in KBytes/second by file size (4KiB.bin to 1MiB.bin), concurrency 240; series: ngnix_http11, proxy_http11]
Comparisons HTTP11
[Chart: CPU usage by file size (4KiB to 1MiB), concurrency 240; series labelled "Column B" and "Column C"]
And so what, nginx?
● Hard to conclude (try 2 processes in nginx)
● Many processes in httpd (try less, 5 used)
● nginx also rebuilds OpenSSL
Comparisons HTTP11
[Chart: throughput in KBytes/second by file size (4KiB.bin to 1MiB.bin), concurrency 240; series: ngnix_http11, proxy_http11]
[Chart: CPU usage by file size (4KiB to 1MiB), concurrency 240; series: ngnix_http11, proxy_http11]
Other proxies
● HAProxy (in the cloud / OpenShift for example)
● mod_cluster (httpd dynamic load balancer)
● Undertow proxy (JBoss's new servlet container)
So proxy or not proxy
● Fail-over: yes
● H2 and old HTTP/1.1 Tomcat: yes
● Pure Java Tomcat + SSL: yes
● Otherwise: no
● Which proxy: httpd, but nginx too...
Questions?
Thank you!
● Repo with the scripts for the tests:
– https://github.com/jfclere/AC2014scripts
Jean-Frederic Clere