Fronting Tomcat with Apache Httpd
Mladen Turk, Red Hat, Inc.
Agenda • Introduction • Using mod_jk • Using mod_proxy
Typical architecture • Enterprise information systems • Heterogeneous environment • Multiple data sources (static/dynamic)
Typical architecture • Apache Httpd in front • Requests for dynamic information or interaction with back-end data sources go through the web server to the app server [Diagram: Apache HTTPD connected through mod_jk or mod_proxy to Apache Tomcat, JBoss AS, Geronimo]
Enterprise IS problems • Applications are time consuming • Process client data, access the database, do some calculations and present the data back to the client. • Within ½ of a second to achieve user perception of a working application • High concurrency • The entire family of your manager will participate in testing • Add more CPU power • Buy faster hardware • Add more boxes • Security • Share applications with Intranet • Use Intranet data
Simple configuration • Separate content • Web server delivers static content • Application server delivers dynamic content
Secure generic configuration • Secure your data • Put the web server in DMZ • Handle security with Web server
High availability configuration • Add more application servers • Failover in case of failure • Add more boxes • Handle more clients
Apache HTTPD Architecture • Threaded • Windows, Netware • MaxClients [Diagram: parent process, listener socket, one child process with threads T1, T2 … Tn]
Apache HTTPD Architecture • Prefork • Unixes • StartServers • MaxClients [Diagram: parent process, listener socket, several child processes]
Apache HTTPD Architecture • Semi-threaded (worker) • Unixes (Apache 2 and up) • ThreadsPerChild • MaxClients [Diagram: parent process, listener socket, several child processes, each with threads T1, T2 … Tn]
Tomcat Architecture • maxThreads [Diagram: AJP Connector, HTTP Connector and SSL Connector in front of Server, Service, Engine, Host and Contexts]
Tomcat architecture • Thread context switch latency • Limits the number of concurrent connections • Limit 250 per CPU (empirical) • Depends on the OS and JVM; very bad on Windows (kernel limit on 64 event objects) [Diagram: threads T1 and T2, processing versus latency]
Getting the most out of integration • Do you need that? • Additional configuration • Additional maintenance • Need to build the connector on your own • Additional point of failure • Define your needs • Application response time • Number of concurrent users • Network throughput
Getting the most out of integration • Define your topology • Application servers • Web servers • Static content delivery • Clustering • Sessions • Caching • Failover • Load balancing
Getting the most out of Integration • Separate content • Do not mix application and native web server content • Separate applications • Do not mount /* • Do not mount /*.jsp • Use native SSL • Much faster than JSSE • Can use hardware accelerators
Getting the most out of Integration • Do you need SSL between web and application server? • Paranoid IT department • Understand the problem • Encryption is done twice [Diagram: Firewall/443, Apache HTTPD with mod_ssl (NIC 1, NIC 2), Firewall/8009, Tomcat (NIC 1)]
Fronting with mod_jk • Apache Tomcat project • Use current stable (1.2.22) • Supported Apache Httpd servers • Apache 1.33+ • Apache 2.0.47+ • Apache 2.2/2.3 (*)
mod_jk architecture • Uses AJP 1.3 protocol • Binary custom protocol • Constant connection pool • No need to parse HTTP headers twice • All preprocessing is done in Apache httpd • Integrated load balancer • Sticky sessions • Failover • Domain model clustering
mod_jk Architecture [Diagram: Apache httpd (MaxClients, ThreadsPerChild) with mod_jk speaks the AJP protocol to Tomcat (maxThreads)]
    Tomcat: <Connector … protocol="AJP/1.3"/>
    mod_jk: worker.tomcat.type=ajp13
mod_jk Load balancer Architecture
Tomcat nodes (AJP/1.3):
    jvmRoute="host1"
    jvmRoute="host2"
workers.properties:
    worker.host1.type=ajp13
    worker.host2.type=ajp13
    worker.balancer.type=lb
    worker.balancer.balance_workers=host1,host2
Using mod_jk • Understand configuration
server.xml:
    <Service name="Catalina">
      <!-- An AJP 1.3 Connector on port 8009 -->
      <Connector port="8009" address="100.101.102.103" enableLookups="false" redirectPort="8443" debug="0" maxThreads="150" minSpareThreads="25" protocol="AJP/1.3"/>
      <Engine name="standalone" defaultHost="localhost" jvmRoute="host1">
httpd.conf:
    <IfModule worker.c>
    StartServers 2
    MaxClients 150
    MinSpareThreads 25
    MaxSpareThreads 75
    ThreadsPerChild 25
    MaxRequestsPerChild 0
    </IfModule>
workers.properties:
    worker.host1.type=ajp13
    worker.host1.port=8009
    worker.host1.host=100.101.102.103
    worker.host1.connection_pool_size=25
Clustering with mod_jk • Without sticky sessions • Session replication exists between Tomcat nodes • Sticky sessions • No session replication • Session replication between domains • Force sticky sessions • Domain clustering • Allows buddy replication • Split the nodes into groups • Use with large clusters • A Tomcat cluster only allows session replication to all nodes in the cluster. Once you work with more than 3-4 nodes there is too much overhead and risk in replicating sessions to all nodes.
mod_jk with Session replication • No need for session affinity • Requests can be served by any node • Tomcat session replication [Diagram: mod_jk in front of node1 and node2, with session replication between the nodes]
    worker.cluster.type=lb
    worker.node1.type=ajp13
    worker.node2.type=ajp13
mod_jk Sticky sessions • Session affinity mark • JSESSIONID defined as part of spec. [Diagram: mod_jk in front of node1 and node2, labelled "Session replication"; JSESSIONID=XXX.node1 goes to node1]
    <Engine name="jboss.web" defaultHost="localhost" jvmRoute="node1">
    worker.cluster.type=lb
    worker.node1.type=ajp13
    worker.node2.type=ajp13
mod_jk Domain clustering • Large number of nodes [Diagram: mod_jk in front of node1, node2, node3 and node4; JSESSIONID=XXX.domain1]
    <Engine name="Standalone" defaultHost="localhost" jvmRoute="domain1">
    worker.cluster.type=lb
    worker.domain1.type=ajp13
    worker.domain2.type=ajp13
mod_jk Hot standby • In case of failure • Takes the load only if all other nodes fail [Diagram: mod_jk in front of node1 and standby node2]
    worker.cluster.type=lb
    worker.node1.type=ajp13
    worker.node2.type=ajp13
    worker.node2.disabled=True
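The routing decisions on the clustering slides (sticky route suffix, domain fallback, hot standby) can be written out as a simplified model. This is an added example, not mod_jk source code or part of the original slides; the Worker class, pick_worker and the sample nodes are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Worker:
    name: str              # equals jvmRoute on the Tomcat node
    domain: str = ""       # replication group (domain clustering)
    standby: bool = False  # hot standby (disabled=True on the slide)
    alive: bool = True

def route_of(session_id):
    """Return the route suffix of 'XXX.node1', or None if there is none."""
    if not session_id or "." not in session_id:
        return None
    return session_id.rsplit(".", 1)[1] or None

def pick_worker(session_id, workers, rr=0):
    """Choose a worker name for one request; rr is a round-robin counter."""
    alive = [w for w in workers if w.alive]
    route = route_of(session_id)
    if route:
        # 1. Sticky session: the node that owns the session, if it is up.
        for w in alive:
            if w.name == route:
                return w.name
        # 2. Domain clustering: a live peer in the owner's domain, or in
        #    the domain named by the route itself (jvmRoute="domain1").
        owner = next((w for w in workers if w.name == route), None)
        domain = owner.domain if owner and owner.domain else route
        peers = [w for w in alive if w.domain == domain]
        if peers:
            return peers[rr % len(peers)].name
    # 3. No usable route. The suffix is client-supplied, so an unknown value
    #    is ignored and the request is balanced normally. Standby nodes
    #    are used only when no active node is alive.
    pool = [w for w in alive if not w.standby] or alive
    return pool[rr % len(pool)].name if pool else None

# Constructed sample cluster: two domains, node4 is a hot standby.
CLUSTER = [Worker("node1", "d1"), Worker("node2", "d1"),
           Worker("node3", "d2"), Worker("node4", "d2", standby=True)]
```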
Handle high concurrency • Use connectionTimeout in AJP/1.3 connector • Actually this is KeepAlive timeout • Closes inactive connections • Firewalls not passing FIN packets • Multiple Apache Httpd front ends • Use connect_timeout • Sends a small packet to check Tomcat's availability to serve requests • Can be replaced with socket_timeout • Use prepost_timeout • Needed with connectionTimeout set • Detects connections closed by Tomcat
mod_jk Dynamic Configuration • Web based management • Allows dynamic management • VirtualHost limited
workers.properties:
    worker.list=jkstatus,...
    ...
    worker.jkstatus.type=status
httpd.conf:
    <Location /jkstatus/>
        JkMount jkstatus
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>
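A consistency check across the three files from the "Understand configuration" slide and the timeout advice on the "Handle high concurrency" slide. This is an added example, not code from the slides or from mod_jk; the rules are assumptions read off the slides' matching values (maxThreads against MaxClients, connection_pool_size against ThreadsPerChild, a pinned AJP address, prepost_timeout alongside connectionTimeout), and the inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the slide's fragments; connectionTimeout is
# added here as an assumption so the timeout check has something to inspect.
SERVER_XML = """<Service name="Catalina">
  <Connector port="8009" address="100.101.102.103" maxThreads="150"
             connectionTimeout="600000" protocol="AJP/1.3"/>
</Service>"""
HTTPD_CONF = "<IfModule worker.c>\nMaxClients 150\nThreadsPerChild 25\n</IfModule>\n"
WORKERS = """worker.host1.type=ajp13
worker.host1.port=8009
worker.host1.host=100.101.102.103
worker.host1.connection_pool_size=25
"""

def parse_workers(text):
    """workers.properties text -> {worker_name: {directive: value}}."""
    out = {}
    for m in re.finditer(r"^worker\.(\w+)\.(\w+)\s*=\s*(\S+)", text, re.M):
        out.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return out

def httpd_int(conf, directive):
    """Read one integer httpd directive; 0 if it is not set."""
    m = re.search(rf"^\s*{directive}\s+(\d+)", conf, re.M)
    return int(m.group(1)) if m else 0

def audit(server_xml, httpd_conf, workers, front_ends=1):
    """Return findings; front_ends = number of httpd servers sharing Tomcat."""
    findings = []
    ajp = [c for c in ET.fromstring(server_xml).iter("Connector")
           if c.get("protocol", "").startswith("AJP")]
    max_clients = httpd_int(httpd_conf, "MaxClients")
    per_child = httpd_int(httpd_conf, "ThreadsPerChild")
    for c in ajp:
        if not c.get("address"):  # the slide pins AJP to one interface
            findings.append("ajp-no-explicit-address")
        # 200 is Tomcat's default maxThreads when the attribute is absent
        if int(c.get("maxThreads", 200)) < max_clients * front_ends:
            findings.append("maxThreads-below-total-MaxClients")
    for name, w in parse_workers(workers).items():
        if w.get("type") != "ajp13":
            continue
        if int(w.get("connection_pool_size", per_child)) != per_child:
            findings.append(f"{name}:pool-differs-from-ThreadsPerChild")
        if any(c.get("connectionTimeout") for c in ajp) and "prepost_timeout" not in w:
            findings.append(f"{name}:connectionTimeout-without-prepost_timeout")
    return findings
```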
Using mod_proxy • Part of standard Apache httpd distribution • No need to build additional module • Better integration with other modules (mod_rewrite) • Only way to have SSL communication with Tomcat • Using mod_ssl • Requires custom filter in Tomcat to get the original certificates • Requires additional headers for original client certificates • Uses http protocol • Standard protocol • No connection problems
mod_proxy for Apache Httpd 2.2 • Rewritten mod_proxy • Connection pool capabilities • Option to separate MaxThreadsPerChild and connection pool size • More protocols • AJP 1.3 protocol support • mod_proxy_ajp • Integrated load balancer • mod_proxy_balancer • Protocol independent • Session affinity support • Multiple strategies
mod_proxy Architecture • Shared memory runtime data • Each child is aware of the connection status [Diagram: parent process, listener socket and child processes, each with Worker #1, Worker #2 … Worker #n; a shared scoreboard holds per-worker data: status, elected, read, transferred, …]
mod_proxy Load balancing • Virtual proxy • Like any other protocol but prefixed as balancer:// • Contains 1 … n protocol workers
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    <Proxy balancer://cluster>
        BalancerMember http://remote:port
        …
    </Proxy>
    ProxyPass /examples balancer://cluster/examples
Why Apache Httpd with Tomcat? • Pros • Can serve static content faster compared to standalone Tomcat. • Supports PHP, CGI etc. via modules in addition to the ability to route JSP/Servlet requests to Tomcat. • Can load balance requests between multiple instances of Tomcat. Also provides session stickiness. • Cons • Needs additional effort to set up. • Dynamic content (JSP/Servlets) in a heavy traffic scenario may be a bottleneck, due to the tunnelling that happens between Apache and Tomcat. • Native code tightly coupled to the operating system.
Links • Apache Httpd • http://httpd.apache.org/ • Tomcat • http://tomcat.apache.org/ • Mod_jk • http://tomcat.apache.org/connectors-docs • Support • Apache Httpd mailing lists http://httpd.apache.org/lists.html • Tomcat users mailing list http://tomcat.apache.org/lists.html • Google
Fronting Tomcat with Apache Httpd was presented to you by Mladen Turk