Introducing Apache Tomcat 6 by Mladen Turk Red Hat, Inc.


Fronting Tomcat with Apache Httpd
Mladen Turk
Red Hat, Inc.
Agenda
• Introduction
• Using mod_jk
• Using mod_proxy
Typical architecture
• Enterprise information systems
– Heterogeneous environment
– Multiple data sources (static/dynamic)
Typical architecture
• Apache Httpd in front
– Requests for dynamic information or interaction with back-end data
sources go through web server to app server
[Diagram: Apache HTTPD, mod_jk or mod_proxy, Apache Tomcat, JBoss AS, Geronimo]
Enterprise IS problems
• Applications are time consuming
– Process client data, access the database, do some calculations and
present the data back to the client.
– Within ½ of a second to achieve user perception of a working application
• High concurrency
– The entire family of your manager will participate in testing
• Add more CPU power
– Buy faster hardware
– Add more boxes
• Security
– Share applications with Intranet
– Use Intranet data
Simple configuration
• Separate content
– Web server delivers static content
– Application server delivers dynamic content
Secure generic configuration
• Secure your data
– Put the web server in DMZ
– Handle security with Web server
High availability configuration
• Add more application servers
– Failover in case of failure
• Add more boxes
– Handle more clients
Apache HTTPD Architecture
• Threaded
– Windows, Netware
• MaxClients
[Diagram: parent process, listener socket, child process with threads T1, T2, Tn]
Apache HTTPD Architecture
• Prefork
– Unixes
• StartServers
• MaxClients
[Diagram: parent process, listener socket, child processes]
Apache HTTPD Architecture
• Semi-threaded (worker)
– Unixes (Apache 2 and up)
• ThreadsPerChild
• MaxClients
[Diagram: parent process, listener socket, child processes each with threads T1, T2, Tn]
Tomcat Architecture
• maxThreads
[Diagram: Server, Service, Connectors (AJP, HTTP, SSL), Engine, Host, Contexts]
Tomcat architecture
• Thread context switch latency
– Limits the number of concurrent connections
– Limit 250 per CPU – (empirical)
– Depends on the OS and JVM; very bad on Windows (kernel limit on 64 event objects)
[Diagram: threads T1 and T2, processing, latency]
Getting the most out of integration
• Do you need that?
– Additional configuration
– Additional maintenance
– Need to build the connector on your own
– Additional point of failure
• Define your needs
– Application response time
– Number of concurrent users
– Network throughput
Getting the most out of integration
• Define your topology
– Application servers
– Web servers
– Static content delivery
– Clustering
– Sessions
– Caching
– Failover
– Load balancing
Getting the most out of Integration
• Separate content
– Do not mix application and native web server content
• Separate applications
– Do not mount /*
– Do not mount /*.jsp
• Use native SSL
– Much faster than JSSE
– Can use hardware accelerators
Getting the most out of Integration
• Do you need SSL between web and application server?
– Paranoid IT department
– Understand the problem
– Encryption is done twice
[Diagram: Firewall/443, NIC 1, Apache HTTPD with mod_ssl, NIC 2, Firewall/8009, NIC 1, Tomcat]
Fronting with mod_jk
• Apache Tomcat project
– Use current stable (1.2.22)
• Supported Apache Httpd servers
– Apache 1.33+
– Apache 2.0.47+
– Apache 2.2/2.3 (*)
mod_jk architecture
• Uses AJP 1.3 protocol
– Binary custom protocol
– Constant connection pool
– No need to parse HTTP headers twice
– All preprocessing is done in Apache httpd
• Integrated load balancer
– Sticky sessions
– Failover
– Domain model clustering
mod_jk Architecture
[Diagram: Apache httpd (MaxClients, ThreadsPerChild) connected over the AJP protocol to Tomcat (maxThreads)]
worker.tomcat.type=ajp13
<Connector … protocol="AJP/1.3"/>
mod_jk Load balancer Architecture
[Diagram: two ajp13 workers, each connected over AJP/1.3 to a Tomcat node]
worker.host1.type=ajp13
jvmRoute="host1"
worker.host2.type=ajp13
jvmRoute="host2"
worker.balancer.type=lb
worker.balancer.balance_workers=host1,host2
Using mod_jk
• Understand configuration
httpd.conf
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
server.xml
<Service name="Catalina">
<!-- An AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="100.101.102.103"
enableLookups="false" redirectPort="8443" debug="0"
maxThreads="150" minSpareThreads="25"
protocol="AJP/1.3"/>
<Engine name="standalone" defaultHost="localhost"
jvmRoute="host1">
workers.properties
worker.host1.type=ajp13
worker.host1.port=8009
worker.host1.host=100.101.102.103
worker.host1.connection_pool_size=25
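The three files on this slide have to agree with each other; the following check is an added example, not code from the talk or from the mod_jk project. The function names and the `frontends` parameter are hypothetical, the inputs are constructed from the slide's values, and the rules applied (pool size equals ThreadsPerChild, maxThreads covers MaxClients of all front ends, jvmRoute equals the worker name, the AJP connector is bound to an explicit address) are the usual mod_jk sizing and binding guidance, assumed here with one Tomcat per worker.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs that mirror the three fragments on the slide.
HTTPD_CONF = """<IfModule worker.c>
MaxClients 150
ThreadsPerChild 25
</IfModule>"""
SERVER_XML = """<Service name="Catalina">
  <Connector port="8009" address="100.101.102.103"
             maxThreads="150" protocol="AJP/1.3"/>
  <Engine name="standalone" defaultHost="localhost" jvmRoute="host1"/>
</Service>"""
WORKERS = """worker.host1.type=ajp13
worker.host1.port=8009
worker.host1.host=100.101.102.103
worker.host1.connection_pool_size=25"""

def directive(conf, name):
    """Integer value of an httpd directive, or None if it is absent."""
    m = re.search(rf"^\s*{re.escape(name)}\s+(\d+)\s*$", conf, re.M)
    return int(m.group(1)) if m else None

def audit(httpd_conf, server_xml, workers, name, frontends=1):
    """Return the mismatches between the three files for worker `name`."""
    props = dict(l.strip().split("=", 1) for l in workers.splitlines() if "=" in l)
    w = {k.split(".", 2)[2]: v for k, v in props.items() if k.startswith(f"worker.{name}.")}
    svc = ET.fromstring(server_xml)
    ajp = next((c for c in svc.iter("Connector") if c.get("protocol") == "AJP/1.3"), None)
    if ajp is None:
        return ["no AJP/1.3 connector in server.xml"]
    issues = []
    if w.get("port") != ajp.get("port"):
        issues.append("worker port differs from AJP connector port")
    if ajp.get("address") is None:  # connector not bound to a specific interface
        issues.append("AJP connector has no address attribute")
    elif w.get("host") != ajp.get("address"):
        issues.append("worker host differs from AJP connector address")
    if w.get("connection_pool_size") != str(directive(httpd_conf, "ThreadsPerChild")):
        issues.append("connection_pool_size differs from ThreadsPerChild")
    if int(ajp.get("maxThreads", "0")) < frontends * (directive(httpd_conf, "MaxClients") or 0):
        issues.append("maxThreads below total MaxClients of the front ends")
    engine = svc.find("Engine")
    if engine is None or engine.get("jvmRoute") != name:
        issues.append("jvmRoute differs from worker name (sticky sessions break)")
    return issues

if __name__ == "__main__":
    print(audit(HTTPD_CONF, SERVER_XML, WORKERS, "host1") or "consistent")
```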
Clustering with mod_jk
• Without sticky sessions
– Session replication exists between Tomcat nodes
• Sticky sessions
– No session replication
– Session replication between domains
– Force sticky sessions
• Domain clustering
– Allows buddy replication
– Split the nodes into groups
– Use with large clusters
– Tomcat cluster only allows session replication to all nodes in the cluster. Once you work with more than 3-4 nodes there is too much overhead and risk in replicating sessions to all nodes.
mod_jk with Session replication
• No need for session affinity
– Requests can be served by any node
– Tomcat session replication
worker.cluster.type=lb
worker.node1.type=ajp13
worker.node2.type=ajp13
[Diagram: mod_jk, node1, node2, session replication]
mod_jk Sticky sessions
• Session affinity mark
– JSESSIONID defined as part of spec.
<Engine name="jboss.web" defaultHost="localhost"
jvmRoute="node1">
JSESSIONID=XXX.node1
worker.cluster.type=lb
worker.node1.type=ajp13
worker.node2.type=ajp13
[Diagram: mod_jk, node1, node2, session replication]
mod_jk Domain clustering
• Large number of nodes
<Engine name="Standalone" defaultHost="localhost"
jvmRoute="domain1">
JSESSIONID=XXX.domain1
worker.cluster.type=lb
worker.domain1.type=ajp13
worker.domain2.type=ajp13
[Diagram: mod_jk, node1, node2, node3, node4]
mod_jk Hot standby
• In case of failure
– Takes the load only if all other nodes fail
worker.cluster.type=lb
worker.node1.type=ajp13
worker.node2.type=ajp13
worker.node2.disabled=True
[Diagram: mod_jk, node1, node2]
Handle high concurrency
• Use connectionTimeout in AJP/1.3 connector
– Actually this is KeepAlive timeout
– Closes inactive connections
– Firewalls not passing FIN packets
– Multiple Apache Httpd front ends
• Use connect_timeout
– Sends a small packet to check Tomcat's availability to serve requests
– Can be replaced with socket_timeout
• Use prepost_timeout
– Needed with connectionTimeout set
– Detects closed connections by Tomcat
mod_jk Dynamic Configuration
• Web based management
– Allows dynamic management
– VirtualHost limited
workers.properties
worker.list=jkstatus,...
...
worker.jkstatus.type=status
httpd.conf
<Location /jkstatus/>
JkMount jkstatus
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
Using mod_proxy
• Part of standard Apache httpd distribution
– No need to build additional module
– Better integration with other modules (mod_rewrite)
• Only way to have SSL communication with Tomcat
– Using mod_ssl
– Requires custom filter in Tomcat to get the original certificates
– Requires additional headers for original client certificates
• Uses http protocol
– Standard protocol
– No connection problems
mod_proxy for Apache Httpd 2.2
• Rewritten mod_proxy
– Connection pool capabilities
– Option to separate MaxThreadsPerChild and connection pool size
• More protocols
– AJP 1.3 protocol support
– mod_proxy_ajp
• Integrated load balancer
– mod_proxy_balancer
– Protocol independent
– Session affinity support
– Multiple strategies
mod_proxy Architecture
• Shared memory runtime data
– Each child is aware of the connection status
[Diagram: parent process, listener socket, child processes each holding Worker #1, Worker #2, Worker #n, and a scoreboard with per-worker fields: status, elected, read, transferred, …]
mod_proxy Load balancing
• Virtual proxy
– Like any other protocol but prefixed as balancer://
• Contains 1 … n protocol workers
LoadModule balancer_module modules/mod_proxy_balancer.so
<Proxy balancer://cluster>
BalancerMember http://remote:port
…
</Proxy>
ProxyPass /examples balancer://cluster/examples
Why Apache Httpd with Tomcat?
• Pros
– Can serve static content faster compared to standalone Tomcat.
– Supports PHP, CGI etc via modules in addition to the ability to route
JSP/Servlet requests to tomcat.
– Can load balance requests between multiple instances of tomcat.
Also provide session stickiness.
• Cons
– Needs additional effort to set up.
– Dynamic Content (JSP/Servlets) in a heavy traffic scenario may be a
bottleneck, due to the tunnelling that happens between apache and
tomcat.
– Native code tightly coupled to the operating system.
Links
• Apache Httpd
– http://httpd.apache.org/
• Tomcat
– http://tomcat.apache.org/
• Mod_jk
– http://tomcat.apache.org/connectors-docs
• Support
– Apache Httpd mailing lists
http://httpd.apache.org/lists.html
– Tomcat users mailing list
http://tomcat.apache.org/lists.html
• Google
Q&A
Fronting Tomcat with Apache Httpd
was presented to you by
Mladen Turk