Fronting Tomcat with Apache Httpd Mladen Turk Red Hat, Inc.


Post on 24-Dec-2015

Agenda

• Introduction

• Using mod_jk

• Using mod_proxy

Typical architecture

• Enterprise information systems
– Heterogeneous environment
– Multiple data sources (static/dynamic)

Typical architecture

• Apache Httpd in front
– Requests for dynamic information or interaction with back-end data sources go through web server to app server

[Diagram: Apache HTTPD connected through mod_jk or mod_proxy to Apache Tomcat, JBoss AS, Geronimo]

Enterprise IS problems

• Applications are time consuming
– Process client data, access the database, do some calculations and present the data back to the client.
– Within ½ of a second to achieve user perception of a working application
• High concurrency
– The entire family of your manager will participate in testing
• Add more CPU power
– Buy faster hardware
– Add more boxes
• Security
– Share applications with Intranet
– Use Intranet data

Simple configuration

• Separate content
– Web server delivers static content
– Application server delivers dynamic content

Secure generic configuration

• Secure your data
– Put the web server in DMZ
– Handle security with Web server

High availability configuration

• Add more application servers
– Failover in case of failure
• Add more boxes
– Handle more clients

Apache HTTPD Architecture

• Threaded
– Windows, Netware
• MaxClients

[Diagram: parent process, listener socket, and one child process with threads T1, T2, Tn]

Apache HTTPD Architecture

• Prefork
– Unixes
• StartServers
• MaxClients

[Diagram: parent process, listener socket, and three child processes]

Apache HTTPD Architecture

• Semi-threaded (worker)
– Unixes (Apache 2 and up)
• ThreadsPerChild
• MaxClients

[Diagram: parent process, listener socket, and two child processes, each with threads T1, T2, Tn]

Tomcat Architecture

• maxThreads

[Diagram: Server containing Service, Engine, Host and two Contexts; the Service has an AJP Connector, an SSL Connector and an HTTP Connector]

Tomcat architecture

• Thread context switch latency
– Limits the number of concurrent connections
– Limit 250 per CPU (empirical)
– Depends on the OS and JVM
  very bad on Windows (kernel limit on 64 event objects)

[Diagram: threads T1 and T2, processing latency]

Getting the most out of integration

• Do you need that?
– Additional configuration
– Additional maintenance
– Need to build the connector on your own
– Additional point of failure
• Define your needs
– Application response time
– Number of concurrent users
– Network throughput

Getting the most out of integration

• Define your topology
– Application servers
– Web servers
– Static content delivery
– Clustering
– Sessions
– Caching
– Failover
– Load balancing

Getting the most out of Integration

• Separate content
– Do not mix application and native web server content
• Separate applications
– Do not mount /*
– Do not mount /*.jsp
• Use native SSL
– Much faster than JSSE
– Can use hardware accelerators

Getting the most out of Integration

• Do you need SSL between web and application server?
– Paranoid IT department
– Understand the problem
– Encryption is done twice

[Diagram: Apache HTTPD (NIC 1, mod_ssl, NIC 2) and Tomcat (NIC 1), with firewalls labelled Firewall/443 and Firewall/8009]

Fronting with mod_jk

• Apache Tomcat project
– Use current stable (1.2.22)
• Supported Apache Httpd servers
– Apache 1.33+
– Apache 2.0.47+
– Apache 2.2/2.3 (*)

mod_jk architecture

• Uses AJP 1.3 protocol
– Binary custom protocol
– Constant connection pool
– No need to parse HTTP headers twice
– All preprocessing is done in Apache httpd
• Integrated load balancer
– Sticky sessions
– Failover
– Domain model clustering

mod_jk Architecture

[Diagram: worker.tomcat.type=ajp13 on the mod_jk side, an AJP protocol link, and <Connector … protocol="AJP/1.3"/> on the Tomcat side; labels: MaxClients, ThreadsPerChild, maxThreads]

mod_jk Load balancer Architecture

    worker.host1.type=ajp13        jvmRoute="host1"
    worker.host2.type=ajp13        jvmRoute="host2"
    worker.balancer.type=lb
    worker.balancer.balance_workers=host1,host2

[Diagram: balancer worker connected over AJP/1.3 (ajp13) to host1 and host2]

Using mod_jk

• Understand configuration

server.xml

    <Service name="Catalina">

      <!-- An AJP 1.3 Connector on port 8009 -->
      <Connector port="8009" address="100.101.102.103"
                 enableLookups="false" redirectPort="8443" debug="0"
                 maxThreads="150" minSpareThreads="25"
                 protocol="AJP/1.3"/>

      <Engine name="standalone" defaultHost="localhost" jvmRoute="host1">

httpd.conf

    <IfModule worker.c>
        StartServers 2
        MaxClients 150
        MinSpareThreads 25
        MaxSpareThreads 75
        ThreadsPerChild 25
        MaxRequestsPerChild 0
    </IfModule>

workers.properties

    worker.host1.type=ajp13
    worker.host1.port=8009
    worker.host1.host=100.101.102.103
    worker.host1.connection_pool_size=25
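The values on this slide have to agree across server.xml, httpd.conf and workers.properties. The check below is an added example, not part of the original slides or of mod_jk; check() and front_ends are names chosen here, and the rules (connection_pool_size equal to ThreadsPerChild, maxThreads covering MaxClients from every front end) are assumptions read off the slide's values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the slide's three fragments, with the XML
# elements closed so that the file parses.
SERVER_XML = """<Service name="Catalina">
  <Connector port="8009" address="100.101.102.103" maxThreads="150"
             minSpareThreads="25" protocol="AJP/1.3"/>
  <Engine name="standalone" defaultHost="localhost" jvmRoute="host1"/>
</Service>"""
HTTPD_CONF = """<IfModule worker.c>
  StartServers 2
  MaxClients 150
  ThreadsPerChild 25
</IfModule>"""
WORKERS = """worker.host1.type=ajp13
worker.host1.port=8009
worker.host1.host=100.101.102.103
worker.host1.connection_pool_size=25"""


def check(server_xml, httpd_conf, workers, name, front_ends=1):
    """Return the mismatches between the three files for worker `name`."""
    ajp = next(c for c in ET.fromstring(server_xml).iter("Connector")
               if c.get("protocol") == "AJP/1.3")
    httpd = dict(re.findall(r"^\s*(\w+)\s+(\d+)\s*$", httpd_conf, re.M))
    props = dict(line.strip().split("=", 1)
                 for line in workers.splitlines() if "=" in line)

    def prop(key):
        return props.get(f"worker.{name}.{key}")

    problems = []
    if (prop("host"), prop("port")) != (ajp.get("address"), ajp.get("port")):
        problems.append("worker host/port does not match the AJP connector")
    if prop("connection_pool_size") != httpd.get("ThreadsPerChild"):
        problems.append("connection_pool_size differs from ThreadsPerChild")
    # Assumption: one Tomcat thread per open AJP connection, and each httpd
    # worker thread may hold one, so demand is front_ends * MaxClients.
    demand = front_ends * int(httpd["MaxClients"])
    if demand > int(ajp.get("maxThreads")):
        problems.append(f"{demand} possible AJP connections exceed maxThreads")
    return problems


if __name__ == "__main__":
    print(check(SERVER_XML, HTTPD_CONF, WORKERS, "host1", front_ends=2))
```

With the slide's values a single front end passes; a second Apache front end with the same MaxClients is reported as exceeding maxThreads.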

Clustering with mod_jk

• Without sticky sessions
– Session replication exists between Tomcat nodes
• Sticky sessions
– No session replication
– Session replication between domains
– Force sticky sessions
• Domain clustering
– Allows buddy replication
– Split the nodes into groups
– Use with large clusters
– Tomcat cluster only allows session replication to all nodes in the cluster. Once you work with more than 3-4 nodes there is too much overhead and risk in replicating sessions to all nodes.

mod_jk with Session replication

• No need for session affinity
– Requests can be served with any node
– Tomcat session replication

    worker.node1.type=ajp13
    worker.node2.type=ajp13
    worker.cluster.type=lb

[Diagram: mod_jk in front of node1 and node2, with session replication between the nodes]

mod_jk Sticky sessions

• Session affinity mark
– JSESSIONID defined as part of spec.

    worker.node1.type=ajp13
    worker.node2.type=ajp13
    worker.cluster.type=lb

    <Engine name="jboss.web" defaultHost="localhost" jvmRoute="node1">

    JSESSIONID=XXX.node1

[Diagram: mod_jk in front of node1 and node2, labelled "Session replication"]

mod_jk Domain clustering

• Large number of nodes

    worker.domain1.type=ajp13
    worker.domain2.type=ajp13
    worker.cluster.type=lb

    <Engine name="Standalone" defaultHost="localhost" jvmRoute="domain1">

    JSESSIONID=XXX.domain1

[Diagram: mod_jk in front of node1, node2, node3 and node4, grouped into domain1 and domain2]

mod_jk Hot standby

• In case of failure
– Takes the load only if all other nodes fail

    worker.node1.type=ajp13
    worker.node2.type=ajp13
    worker.cluster.type=lb
    worker.node2.disabled=True

[Diagram: mod_jk in front of node1 and node2]
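A simplified model of how the balancer on the preceding slides chooses a node from the JSESSIONID route mark, the domain and the disabled flag. It is an added example, not mod_jk code or part of the original slides; the Worker class, pick() and the least-served selection are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Worker:
    name: str               # worker name, equal to its Tomcat's jvmRoute
    domain: str = ""        # replication group (domain clustering)
    disabled: bool = False  # hot standby, as in worker.node2.disabled=True
    alive: bool = True
    served: int = 0


def route_of(jsessionid):
    """'XXX.node1' -> 'node1'; None when the id carries no route mark."""
    _, dot, tail = (jsessionid or "").rpartition(".")
    return tail if dot and tail else None


def pick(workers, jsessionid=None):
    """Choose a worker for one request; None if every node is down."""
    live = [w for w in workers if w.alive]
    route = route_of(jsessionid)
    owner = next((w for w in workers if w.name == route), None)
    if owner and owner.alive:
        chosen = [owner]                    # sticky: same node as before
    else:
        # The mark names a domain, or a dead node whose domain has replicas.
        domain = owner.domain if owner else route
        active = [w for w in live if not w.disabled]
        same_domain = [w for w in active if domain and w.domain == domain]
        chosen = same_domain or active or live   # standby nodes come last
    if not chosen:
        return None
    best = min(chosen, key=lambda w: w.served)   # stand-in for the lb method
    best.served += 1
    return best


def demo():
    """Constructed topology: two domains of two nodes and one standby."""
    ws = [Worker("node1", "domain1"), Worker("node2", "domain1"),
          Worker("node3", "domain2"), Worker("node4", "domain2"),
          Worker("spare", disabled=True)]
    sticky = pick(ws, "XXX.node3").name
    ws[2].alive = False                     # node3 fails
    failover = pick(ws, "XXX.node3").name   # a replica lives in domain2
    for w in ws[:4]:
        w.alive = False                     # every regular node fails
    return sticky, failover, pick(ws, "XXX.node3").name
```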

Handle high concurrency

• Use connectionTimeout in AJP/1.3 connector
– Actually this is KeepAlive timeout
– Closes inactive connections
– Firewalls not passing FIN packets
– Multiple Apache Httpd front ends
• Use connect_timeout
– Sends small packet to check Tomcat's availability to serve requests
– Can be replaced with socket_timeout
• Use prepost_timeout
– Needed with connectionTimeout set
– Detects closed connections by Tomcat

mod_jk Dynamic Configuration

• Web based management
– Allows dynamic management
– VirtualHost limited

workers.properties

    worker.list=jkstatus,......
    worker.jkstatus.type=status

httpd.conf

    <Location /jkstatus/>
        JkMount jkstatus
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>

Using mod_proxy

• Part of standard Apache httpd distribution
– No need to build additional module
– Better integration with other modules (mod_rewrite)
• Only way to have SSL communication with Tomcat
– Using mod_ssl
– Requires custom filter in Tomcat to get the original certificates
– Requires additional headers for original client certificates
• Uses http protocol
– Standard protocol
– No connection problems

mod_proxy for Apache Httpd 2.2

• Rewritten mod_proxy
– Connection pool capabilities
– Option to separate MaxThreadsPerChild and connection pool size
• More protocols
– AJP 1.3 protocol support
– mod_proxy_ajp
• Integrated load balancer
– mod_proxy_balancer
– Protocol independent
– Session affinity support
– Multiple strategies
• Shared memory runtime data
– Each child is aware of the connection status

mod_proxy Architecture

[Diagram: parent process, listener socket, and two child processes, each with Worker #1, Worker #2, Worker #n; a shared Scoreboard holds an entry per worker (status, elected, read, transferred, …)]

mod_proxy Load balancing

• Virtual proxy
– Like any other protocol but prefixed as balancer://
• Contains 1 … n protocol workers

    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

    <Proxy balancer://cluster>
        BalancerMember http://remote:port …
    </Proxy>
    ProxyPass /examples balancer://cluster/examples

Why Apache Httpd with Tomcat?

• Pros
– Can serve static content faster compared to standalone Tomcat.
– Supports PHP, CGI etc. via modules in addition to the ability to route JSP/Servlet requests to Tomcat.
– Can load balance requests between multiple instances of Tomcat. Also provides session stickiness.
• Cons
– Needs additional effort to set up.
– Dynamic content (JSP/Servlets) in a heavy traffic scenario may be a bottleneck, due to the tunnelling that happens between Apache and Tomcat.
– Native code tightly coupled to the operating system.

Links

• Apache Httpd
– http://httpd.apache.org/
• Tomcat
– http://tomcat.apache.org/
• Mod_jk
– http://tomcat.apache.org/connectors-docs
• Support
– Apache Httpd mailing lists: http://httpd.apache.org/lists.html
– Tomcat users mailing list: http://tomcat.apache.org/lists.html
• Google

Q & A

Fronting Tomcat with Apache Httpd was presented to you by Mladen Turk