Apache httpd Reverse Proxy and Tomcat

Jim Jagielski
@jimjag
Apache httpd v2.4
Reverse Proxy
The “Hidden” Gem

About Me
➡ Apache Software Foundation
➡ Co-founder, Director Emeritus, Member and Developer
➡ Director Emeritus
➡ Outercurve, MARSEC-XL, OSSI, OSI (ex)…
➡ Developer
➡ Mega FOSS projects
➡ O’Reilly Open Source Award: 2013
➡ European Commission: Luminary Award
➡ Open Source Chef: ConsenSys
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag

Apache httpd 2.4
➡ Currently at version 2.4.33 (2.4.1 went GA Feb 21, 2012)
➡ Significant Improvements
➡ high-performance
➡ cloud suitability
@jimjag

Apache httpd 2.4 - design drivers
➡ Support for async I/O w/o dropping support for older
systems
➡ Larger selection of usable MPMs: added event, motorz,
etc...
➡ Leverage higher-performant versions of APR
➡ Increase performance
➡ Reduce memory utilization
➡ The Cloud and Reverse Proxy
@jimjag

Cloud and Dynamics
➡ The Cloud is a game changer for web servers
➡ The cloud is a dynamic place
➡ automated reconfiguration
➡ horizontal, not vertical scaling
➡ self-aware environments
@jimjag
OK, maybe not THAT self-aware

Why Dynamic Proxy Matters
➡ Apache httpd still the most frequently used front-end
➡ Proxy capabilities must be cloud friendly
➡ Front-end must be dynamic friendly
@jimjag

Reverse Proxy
Internet
Firewall Firewall
Cloud
Reverse Proxy Server
Transactional
Servers
Browser
➡ Operates at the server end of the transaction
➡ Completely transparent to the Web Browser – thinks the
Reverse Proxy Server is the real server
@jimjag

Features of Reverse Proxy Server
➡ Security
Uniform security policy can be administered
The real transactional servers are behind the firewall
➡ Delegation, Specialization, Load Balancing
➡ Caching
➡ Performance, HA
@jimjag

Proxy Design Drivers
➡ Becoming a robust but generic proxy implementation
➡ Support various protocols
➡ HTTP, HTTPS, HTTP/2, CONNECT, FTP
➡ AJP, FastCGI, SCGI, WSGI, UWSGI, PROXY
➡ Load balancing
➡ Clustering, failover
➡ Performance
@jimjag

Apache httpd 2.4 proxy
➡ Reverse Proxy Improvements
➡ Supports FastCGI, SCGI, Websockets in balancer
➡ Additional load balancing mechanisms
➡ Runtime changing of clusters w/o restarts
➡ Support for dynamic configuration
➡ mod_proxy_express
➡ mod_fcgid and fcgistarter
➡ Brand New: Support for Unix Domain Sockets
➡ Brand New: HTTP/2
@jimjag

Conﬁguring Reverse Proxy
➡ Set ProxyRequests Off
➡ Apply ProxyPass, ProxyPassReverse and possibly
RewriteRule directives
@jimjag

Reverse Proxy Directives: 
ProxyPass
➡ Allows remote server to be mapped into the space of the
local (Reverse Proxy) server
➡ There is also ProxyPassMatch which takes a regex
➡ Example:
➡ ProxyPass /secure/ http://secureserver/ 
➡ Presumably “secureserver” is inaccessible directly from the
internet 
➡ ProxyPassMatch ^/(.*.js)$ http://js-storage.example.com/bar/$1
@jimjag

Reverse Proxy Directives: 
ProxyPassReverse
➡ Used to specify that redirects issued by the remote server
are to be translated to use the proxy before being
returned to the client.
➡ Syntax is identical to ProxyPass; used in conjunction with
it
➡ Example:
➡ProxyPass /secure/ http://secureserver/
➡ProxyPassReverse /secure/ http://secureserver/
@jimjag

Simple Rev Proxy
➡ All requests for /images to a backend server
ProxyPass /images http://images.example.com/
ProxyPass <path> <scheme>://<full url>
➡ Useful, but limited
➡ What if:
images.example.com dies?
traffic for /images increases
@jimjag

Load Balancing
➡ mod_proxy_balancer.so
➡ mod_proxy can do native load balancing
➡ weight by actual requests
➡ weight by traffic
➡ weight by busyness
➡ lbfactors
@jimjag

Create a balancer “cluster”
➡ Create a balancer which contains several host nodes
➡ Apache httpd will then direct to each node as specified
@jimjag
<Proxy balancer://foo>
BalancerMember http://www1.example.com:80/ loadfactor=1
BalancerMember http://www2.example.com:80/ loadfactor=1
BalancerMember http://www3.example.com:80/ loadfactor=4 status=+h
ProxySet lbmethod=bytraffic
</Proxy>

Some conﬁg params
➡ For BalancerMembers:
➡ loadfactor
➡ normalized load for worker [1]
➡ lbset
➡ worker cluster number [0]
➡ retry
➡ retry timeout, in seconds, for non-ready workers [60]
@jimjag

Some conﬁg params
➡ For BalancerMembers (cont):
➡ connectiontimeout/timout
➡ Connection timeouts on backend [ProxyTimeout]
➡ flushpackets *
➡ Does proxy need to flush data with each chunk of data?
➡ on : Yes | off : No | auto : wait and see
➡ flushwait *
➡ ms to wait for data before flushing
@jimjag

Some conﬁg params
➡ For BalancerMembers (cont):
➡ ping
➡ Ping backend to check for availability; value is time to wait for
response
➡ status (+/-)
➡ D : Disabled
➡ S : Stopped
➡ I : Ignore errors
➡ H : Hot standby
➡ E : Error
➡ N: Drain
➡ C: Dynamic Health Check
@jimjag

Some conﬁg params
➡ For Balancers:
➡ lbmethod
➡ load balancing algo to use [byrequests]
➡ stickysession
➡ sticky session name (eg: JSESSIONID)
➡ maxattempts
➡ # failover tries before we bail
➡ growth
➡ Extra BalancerMember slots to allow for
➡
@jimjag

Some conﬁg params
➡ For Balancers:
➡ nofailover
➡ pretty freakin obvious
➡ For both:
➡ ProxySet
➡ Alternate method to set various params
@jimjag
ProxySet balancer://foo timeout=10
...
ProxyPass / balancer://foo timeout=10

Connection Pooling
➡ Backend connection pooling
➡ Available for named workers:
➡ eg: ProxyPass /foo ajp://bar.example.com
➡ Reusable connection to origin
➡ For threaded MPMs, can adjust size of pool (min, max, smax)
➡ For prefork: singleton
➡ Shared data held in shared memory
@jimjag

Some conﬁg params
➡ For BalancerMembers - connection pool:
➡ min
➡ Initial number of connections [0]
➡ max
➡ Hard maximum number of connections [1|TPC]
➡ smax:
➡ soft max - keep this number available [max]
@jimjag

Some conﬁg params
➡ For BalancerMembers - connection pool:
➡ disablereuser/enablereuse:
➡ bypass/enable the connection pool (firewalls)
➡ ttl
➡ time to live for connections above smax
@jimjag

Sessions
➡ Sticky session support
➡ aka “session affinity”
➡ Cookie based
➡ stickysession=PHPSESSID
➡ stickysession=JSESSIONID
➡ Natively easy with Tomcat
➡ May require more setup for “simple” HTTP proxying
➡ Use of mod_session helps
@jimjag

Failover control
➡ Cluster set with failover
➡ Group backend servers as numbered sets
➡ balancer will try lower-valued sets first
➡ If no workers are available, will try next set
➡ Hot standby
@jimjag

Putting it all together
@jimjag
<Proxy balancer://foo>
BalancerMember http://php1:8080/ loadfactor=1
BalancerMember http://php2:8080/ loadfactor=4
BalancerMember http://phpbkup:8080/ loadfactor=1 status=+h
BalancerMember http://phpexp:8080/ lbset=1
ProxySet lbmethod=bytraffic
</Proxy>
<Proxy balancer://javaapps>
BalancerMember ajp://tc1:8089/ loadfactor=10
BalancerMember ajp://tc2:8089/ loadfactor=40
ProxySet lbmethod=byrequests
</Proxy>
ProxyPass /apps/ balancer://foo/
ProxyPassReverse /apps/ balancer://foo/
ProxyPass /serv/ balancer://javaapps/
ProxyPass /images/ http://images:8080/
ProxyPass /dyno h2c://pappy:80/
ProxyPass /foo unix:/home/www.socket|ajp://localhost/bar/

Mass Reverse Proxy
➡ We front-end a LOT of reverse proxies
➡ What a httpd.conf disaster!
➡ Slow and bloated
➡ mod_rewrite doesn’t help
@jimjag
<VirtualHost www1.example.com>
ProxyPass / http://192.168.002.2:8080
ProxyPassReverse / http://192.168.002.2:8080
</VirtualHost>
 
ProxyPass / http://192.168.002.12:8088 
ProxyPassReverse / http://192.168.002.12:8088
</VirtualHost>
ProxyPass / http://192.168.002.10
ProxyPassReverse / http://192.168.002.10
</VirtualHost>
...
ProxyPass / http://192.168.211.26
ProxyPassReverse / http://192.168.211.26
</VirtualHost>

Mass Reverse Proxy
➡ Use the new mod_proxy_express module
➡ ProxyPass mapping obtained via db file
➡ Fast and efficient
➡ Still dynamic, with no config changes required
➡ micro-services? You betcha!
@jimjag
ProxyExpress map file
## 
##express-map.db: 
## 
 
www1.example.com http://192.168.002.2:8080 
www2.example.com http://192.168.002.12:8088 
www3.example.com http://192.168.002.10
...
www6341.example.com http://192.168.211.26
httpd.conf file
ProxyExpressEnable On
ProxyExpressDBMFile express-map.db

HeartBeat / HeartMonitor
➡ Experimental LB (load balance) method
➡ Uses multicast between gateway and reverse proxies
➡ Provides heartbeat (are you there?) capability
➡ Also provides basic load info
➡ This info stored in shm, and used for balancing
➡ Multicast can be an issue
➡ Use mod_header with %l, %i, %b (loadavg, idle, busy)
➡ but no LBmethod currently uses this :(
➡ We need a universal “load” measure
➡ Can we leverage nanomsg (MIT licensed!)
@jimjag

balancer-manager
➡ Embedded proxy admin web interface
➡ Allows for real-time
➡ Monitoring of stats for each worker
➡ Adjustment of worker params
➡ lbset
➡ load factor
➡ route
➡ enabled / disabled
➡ ...
@jimjag

Embedded Admin
➡ Allows for real-time
➡ Addition of new workers/nodes
➡ Change of LB methods
➡ Can be persistent!
➡ More RESTful
➡ Can be CLI-driven
@jimjag

Easy setup
<Location /balancer-manager>
SetHandler balancer-manager
Require 192.168.2.22
</Location>
@jimjag

@jimjag

server-status aware
@jimjag

Performance
➡ From Bryan Call’s 2014 ApacheCon preso 
(http://www.slideshare.net/bryan_call/choosing-a-proxy-server-apachecon-2014)
@jimjag
•  Squid&used&the&most&
CPU&again&
•  NGiNX&had&latency&
issues&
•  ATS&most&throughput& 0&
500&
1000&
1500&
2000&
2500&
ATS& NGiNX& Squid& Varnish& hBpd&
RPS$/$CPU$Usage$
0&
5000&
10000&
15000&
20000&
25000&
30000&
Requests$Per$Second$
0&
5&
10&
15&
20&
25&
30&
35&
40&
Latency$
Median&
95th&

nginx vs Event (typical)
@jimjag
Apache - Event MPM
0
500
1000
1500
2000
nginx
0
500
1,000
1,500
2,000
Open Write Read Close
Increasing concurrency Increasing concurrency

Apache - Prefork MPM
0
500
1000
1500
2000
nginx vs Prefork (typical)
@jimjag
nginx
0
500
1,000
1,500
2,000
Open Write Read Close
Increasing concurrency Increasing concurrency

Total req/resp time
@jimjag
Comparison - total transaction (close)
0
500
1000
1500
2000
Prefork Worker Event nginx
Increasing concurrency

Resp to Req. Bursts - httperf
@jimjag
100 ---> 20000
0.00
1.75
3.50
5.25
7.00
min avg max dev min avg max dev min avg max dev min avg max dev min avg max dev min avg max dev
prefork worker event nginx
Increasing concurrency

Backend Status
➡ Dynamic Health Checks !
➡ TCP/IP Ping
➡ OPTIONS
➡ HEAD
➡ GET
@jimjag
ProxyHCExpr ok234 {%{REQUEST_STATUS} =~ /^[234]/}
ProxyHCExpr gdown {%{REQUEST_STATUS} =~ /^[5]/}
ProxyHCExpr in_maint {hc('body') !~ /Under maintenance/}
<Proxy balancer://foo/>
BalancerMember http://www.example.com/ hcmethod=GET hcexpr=in_maint hcuri=/status.php
BalancerMember http://www2.example.com/ hcmethod=HEAD hcexpr=ok234 hcinterval=10
BalancerMember http://www3.example.com/ hcmethod=TCP hcinterval=5 hcpasses=2 hcfails=3
BalancerMember http://www4.example.com/
</Proxy>
ProxyPass "/" “balancer://foo/"
ProxyPassReverse "/" “balancer://foo/"

What else is new?
➡ Additional protocols
➡ UWSGI, PROXY (HAproxy)
➡ Improved caching
➡ Redis (coming soon!)
➡ Memcache now mod_status aware
➡ Apache Geode
➡ FPM Improved.
➡ Performance, of course!
@jimjag

What’s on the horizon?
➡ Extend mod_proxy_express
➡ Adding additional protocols
➡ More dynamic configuration
➡ Adding balancers!
➡ Performance, of course!
@jimjag

In conclusion...
➡ For cloud environs and other, the performance and dynamic
control of Apache httpd 2.4 in reverse proxies is just
what the Dr. ordered (and flexibility remains a big
strength)
@jimjag

Thanks
@jimjag
Twitter: @jimjag
Emails: 
jim@jaguNET.com 
jim@apache.org 
jimjag@gmail.com
http://www.slideshare.net/jimjag/

Apache httpd Reverse Proxy and Tomcat

More Related Content

What's hot (20)

Similar to Apache httpd Reverse Proxy and Tomcat (20)

More from Jim Jagielski (20)

Recently uploaded (20)

Apache httpd Reverse Proxy and Tomcat