1 / 37

Fronting Tomcat with Apache Httpd Mladen Turk Red Hat, Inc.

Fronting Tomcat with Apache Httpd Mladen Turk Red Hat, Inc. Agenda. Introduction Using mod_jk Using mod_proxy. Typical architecture. Enterprise information systems Heterogeneous environment Multiple data sources (static/dynamic). Typical architecture. Apache Httpd in front

Download Presentation

Fronting Tomcat with Apache Httpd Mladen Turk Red Hat, Inc.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Fronting Tomcat with Apache HttpdMladen TurkRed Hat, Inc.

  2. Agenda • Introduction • Using mod_jk • Using mod_proxy

  3. Typical architecture • Enterprise information systems • Heterogeneous environment • Multiple data sources (static/dynamic)

  4. Typical architecture • Apache Httpd in front • Requests for dynamic information or interaction with back-end data sources go through web server to app server mod_jk or mod_proxy Apache HTTPD Apache TomcatJBoss ASGeronimo

  5. Enterprise IS problems • Applications are time consuming • Process client data, access the database, do some calculations and present the data back to the client. • Within ½ of second to achieve user perception of a working application • High concurrency • The entire family of your manager will participate in testing • Add more CPU power • Buy faster hardware • Add more boxes • Security • Share applications with Intranet • Use Intranet data

  6. Simple configuration • Separate content • Web server delivers static content • Application server delivers dynamic content

  7. Secure generic configuration • Secure your data • Put the web server in DMZ • Handle security with Web server

  8. High availability configuration • Add more application servers • Failover in case of failure • Add more boxes • Handle more clients

  9. Apache HTTPD Architecture • Threaded • Windows, Netware • MaxClients Parent process Listener Socket Child process T1 T2 Tn

  10. Apache HTTPD Architecture • Prefork • Unixes • StartServers • MaxClients Parent process Child process Listener Socket Child process Child process

  11. Apache HTTPD Architecture • Semi-threaded (worker) • Unixes (Apache 2 and up) • ThreadsPerChild • MaxClients Parent process Listener Socket Child process T1 T2 Tn Child process T1 T2 Tn

  12. Tomcat Architecture • maxThreads AJP Connector HTTP Connector SSL Connector Server Service Engine Host Context Context 1 2 3 4

  13. Tomcat architecture • Thread context switch latency • Limits the number of concurrent connections • Limit 250 per CPU – (empirical) • Depends on the OS and JVMvery bad on Windows (kernel limit on 64 event objects) T1 T2 Processing Latency

  14. Getting the most out of integration • Do you need that? • Additional configuration • Additional maintenance • Need to build the connector on your own • Additional point of failure • Define your needs • Application response time • Number of concurrent users • Network throughput

  15. Getting the most out of integration • Define your topology • Application servers • Web servers • Static content delivery • Clustering • Sessions • Caching • Failover • Load balancing

  16. Getting the most out of Integration • Separate content • Do not mix application and native web server content • Separate applications • Do not mount /* • Do not mount /*.jsp • Use native SSL • Much faster then JSSE • Can use hardware accelerators

  17. Getting the most out of Integration • Do you need SSL between web and application server? • Paranoid IT department • Understand the problem • Encryption is done twice Tomcat Apache HTTPD mod_ssl NIC 1 NIC 2 NIC 1 Firewall/443 Firewall/8009

  18. Fronting with mod_jk • Apache Tomcat project • Use current stable (1.2.22) • Supported Apache Httpd servers • Apache 1.33+ • Apache 2.0.47+ • Apache 2.2/2.3 (*)

  19. mod_jk architecture • Uses AJP 1.3 protocol • Binary custom protocol • Constant connection pool • No need to parse HTTP headers twice • All preprocessing is done in Apache httpd • Integrated load balancer • Sticky sessions • Failover • Domain model clustering

  20. MaxClientsThreadsPerChildmaxThreads mod_jk Architecture Tomcat AJP Protocol <Connector … protocol=“AJP/1.3"/> worker.tomcat.type=ajp13

  21. mod_jk Load balancer Architecture jvmRoute=“host1” AJP13 AJP/1.3 worker.host1.type=ajp13 jvmRoute=“host2” AJP13 AJP/1.3 worker.host2.type=ajp13 worker.balancer.type=lbworker.balancer. balance_workers=host1,host2

  22. Using mod_jk • Understand configuration server.xml httpd.conf <Service name=“Catalina”> <!-- A AJP 1.3 Connector on port 8009 --> <Connector port=“8009” address=“100.101.102.103” enableLookups="false" redirectPort=“8443” debug=“0“maxThreads=“150”minSpareThreads=“25” protocol=“AJP/1.3”/> <Engine name=“standalone” defaultHost=“localhost” jvmRoute=“host1”> <IfModule worker.c> StartServers 2 MaxClients150 MinSpareThreads 25 MaxSpareThreads 75 ThreadsPerChild 25 MaxRequestsPerChild 0 </IfModule> workers.properties worker.host1.type=ajp13 worker.host1.port=8009worker.host1.host=100.101.102.103worker.host1.connection_pool_size=25

  23. Clustering with mod_jk • Without sticky sessions • Session replication exists between Tomcat nodes • Sticky sessions • No session replication • Session replication between domains • Force sticky sessions • Domain clustering • Allows buddy replication • Split the nodes into groups • Use with large clusters • Tomcat cluster does only allow session replication to all nodes in the cluster. Once you work with more than 3-4 nodes there is too much overhead and risk in replicating sessions to all nodes.

  24. mod_jk with Session replication • No need for session affinity • Requests can be served withany node • Tomcat session replication node1 mod_jk worker.cluster.type=lb Session replication worker.node1.type=ajp13 worker.node2.type=ajp13 node2

  25. mod_jk Sticky sessions • Session affinity mark • JSESSIOND defined as part of spec. <Engine name="jboss.web" defaultHost="localhost" jvmRoute="node1"> node1 JSESSIONID=XXX.node1 mod_jk worker.cluster.type=lb Session replication worker.node1.type=ajp13 worker.node2.type=ajp13 node2

  26. mod_jk Domain clustering <Engine name=“Standalone" defaultHost="localhost" jvmRoute="domain1"> • Large number of nodes node1 node2 JSESSIONID=XXX.domain1 mod_jk worker.cluster.type=lb worker.domain1.type=ajp13 node3 node4 worker.domain2.type=ajp13

  27. mod_jk Hot standby • In case of failure • Takes the load only if all othernodes fail node1 mod_jk worker.cluster.type=lb worker.node1.type=ajp13 worker.node2.disabled=True worker.node2.type=ajp13 node2

  28. Handle high concurrency • Use connectionTimeout in AJP/1.3 connector • Actually this is KeepAlive timeout • Closes inactive connections • Firewalls not passing FIN packets • Multiple Apache Httpd front ends • Use connect_timeout • Sends small packet to check the Tomcats availability to serve requests • Can be replaced with socket_timeout • Use prepost_timeout • Needed with connectionTimeout set • Detects closed connections by Tomcat

  29. mod_jk Dynamic Configuration • Web based management • Allows dynamic management • VirtualHost limited workers.properties worker.list=jkstatus,... ... worker.jkstatus.type=status httpd.conf <Location /jkstatus/> JkMount jkstatus Order deny,allow Deny from all Allow from 127.0.0.1 </Location>

  30. Using mod_proxy • Part of standard Apache httpd distribution • No need to build additional module • Better integration with other modules (mod_rewrite) • Only way to have SSL communication with Tomcat • Using mod_ssl • Requires custom filter in Tomcat to get the original certificates • Requires additional headers for original client certificates • Uses http protocol • Standard protocol • No connection problems

  31. mod_proxy for Apache Httpd 2.2 • Rewritten mod_proxy • Connection pool capabilities • Option to separate MaxThreadsPerChild and connection pool size • More protocol • AJP 1.3 protocol support • mod_proxy_ajp • Integrated load balancer • mod_proxy_balancer • Protocol independent • Session affinity support • Multiple strategies

  32. mod_proxy Architecture • Shared memory runtime data • Each child is aware of the connection status Scoreboard Listener Socket Parent process Childprocess Worker #1 • status • elected • read • transferred • … Worker #1 Worker #2 Worker #n Child process Worker #2 Worker #1 Worker #n Worker #2 Worker #n

  33. mod_proxy Load balancing • Virtual proxy • Like any other protocol but prefixed as balancer:// • Contains 1 … n protocol workers LoadModule balancer_module modules/mod_proxy_balancer.so <Proxy balancer://cluster> BalancerMember http://remote:port … </Proxy> ProxyPass /examples balancer://cluster/examples

  34. Why Apache Httpd with Tomcat? • Pros • Can serve static content faster compared to standalone Tomcat. • Supports PHP, CGI etc via modules in addition to the ability to route JSP/Servlet requests to tomcat. • Can load balance requests between multiple instances of tomcat.Also provide session stickiness. • Cons • Needs additional effort to setup. • Dynamic Content (JSP/Servlets) in a heavy traffic scenario may be a bottleneck, due to the tunnelling that happens between apache and tomcat. • Native code tightly coupled to the operating system.

  35. Links • Apache Httpd • http://httpd.apache.org/ • Tomcat • http://tomcat.apache.org/ • Mod_jk • http://tomcat.apache.org/connectors-docs • Support • Apache Httpd mailing listshttp://httpd.apache.org/lists.html • Tomcat users mailing listhttp://tomcat.apache.org/lists.html • Google

  36. Q & A

  37. Mladen Turk Fronting Tomcat with Apache Httpdwas presented to you by

More Related