SlideShare a Scribd company logo

03_clere_Proxing to tomcat with httpd.pdf

Jean-Frederic Clere
Jean-Frederic Clere

the presentation drives you to proxy Apache tomcat using Apache HTTPD.

Software
1 of 26
Download to read offline
Proxing to tomcat with httpd Jean-Frederic Clere Principal Software Engineer / Red Hat
What I will cover ● Proxy what and why. ● Protocols – AJP – HTTP/HTTPS (1.1) – HTTP/2 (H2 and H2C) – Others proxy and Other protocols (web-socket etc) ● Configuration – mod_jk, mod_proxy, http/1.1 basic, h2c, h2 – https /TLS proxying ● Demo ● QUESTIONS? 10/12/22 2
Who I am Jean-Frederic Clere Red Hat Years writing JAVA code and server software Tomcat committer since 2001 Doing OpenSource since 1999 Cyclist/Runner etc Lived 15 years in Spain (Barcelona) Now in Neuchâtel (CH) 10/12/22 3
What is Proxy? ● Something between the application server and the internet. ● Load-balancer ● Failover ● Protocol termination – TLS/SSL – HTTP/2 and (soon) HTTP/3 ● Understands a protocol and possible upgrades. 10/12/22 4
Why a proxy? ● Control the load ● Serve static pages ● Control requests: mod_security / mod_rewrite etc ● Dynamic configuration (mod_balancer/mod_cluster…) ● Protocol translations 10/12/22 5
AJP ● When – Easy TLS/SSL forwarding ● Limitations – No upgrade – Header size – No encryption – Limited “authentication” (secret) ● mod_proxy_ajp and mod_jk 10/12/22 6
HTTP and HTTPS 1.1 ● When: – No SSL forwarding – Using SSLValve ● HTTP/HTTPS: – HTTPS might be needed (Encryption/Authentication) – HTTPS on tomcat (openssl again?) – HTTP if you trust your intranet. (really?) ● Other reasons: – HTTP is more developed than AJP 10/12/22 7
Comparations mod_jk / mod_proxy 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1M iB.bin 0 10000 20000 30000 40000 50000 60000 70000 Concurency 240 mod_jk proxy_ajp proxy_http11 File Size Kbytes / second 8 10/12/22
Comparations mod_jk / mod_proxy 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 20 40 60 80 100 120 Concurency 240 mod_jk proxy_ajp proxy_http11 File Size CPU Usage 9 10/12/22
Conclusion AJP/HTTP ● No big difference mod_proxy_ajp/mod_jk ● AJP more easy (no Valve needed) ● AJP not encrypted ● AJP has no upgrade 10 10/12/22
H2C ● h2c is only for reverse proxy – <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> ● Supported by httpd 11 10/12/22
Demultiplexing h2 in proxy ● Keep the back-end unchanged ● Keep the overhead of h2 in the proxy 12 10/12/22
Other proxies ● HAProxy (in the cloud / openshift for example) ● mod_cluster (httpd dynamic load balancer) ● Undertow proxy (jboss servlet container) ● Ingress (in kubernetes, well Nginx or GCE) ● Traffic Server ● Nginx 10/12/22 13
Other protocols ● Jboss-remoting ● Mix HTTP/1.1 websockets ● mod_proxy_wstunnel ● ProxySet "ws://localhost:8080/" upgrade=jboss-remoting ● LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so 10/12/22 14
So proxy or not proxy ● Fail-over : yes ● H2 and old HTTP/1.1 tomcat : yes? Really? Danger? ● Pure java tomcat + TLS/SSL : yes ● Otherwise: Not needed 10/12/22 15
mod_jk configuration ● Httpd.conf LoadModule jk_module modules/mod_jk.so JkMount /jkaj/* worker1 JkWorkersFile conf/workers.properties ● properties # Define 1 real worker using ajp13 worker.list=worker1 worker.worker1.type=lb worker.worker1.balance_workers=clusterdev03,clusterdev04 # Set properties for workers (ajp13) worker.clusterdev03.type=ajp13 worker.clusterdev03.host=192.168.0.130 worker.clusterdev03.port=8009 worker.clusterdev04.type=ajp13 worker.clusterdev04.host=192.168.0.140 worker.clusterdev04.port=8009 16 10/12/22
mod_proxy_ajp configuration ● Httpd.conf LoadModule slotmem_shm_module modules/mod_slotmem_shm.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_ajp_module modules/mod_proxy_ajp.so LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.so <Proxy balancer://ajp> #192.168.0.140 192.168.0.130 clusterdev04 / 03 BalancerMember ajp://192.168.0.130:8009 BalancerMember ajp://192.168.0.140:8009 </Proxy> ProxyPass /tcaj balancer://ajp/tcaj 10/12/22 10/12/22 17
mod_proxy_httpd configuration ● Httpd.conf LoadModule slotmem_shm_module modules/mod_slotmem_shm.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.so <Proxy balancer://http> BalancerMember http://192.168.0.130:8080 BalancerMember http://192.168.0.140:8080 </Proxy> ProxyPass /tchp balancer://http/tchp 18 10/12/22
H2C configuration ● Httpd.conf LoadModule http2_module modules/mod_http2.so Protocols h2 http/1.1 LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule proxy_http2_module modules/mod_proxy_http2.so ProxyPass "/tch2" "h2c://192.168.100.215:8888/tch2" 10/12/22 19
H2C configuration ● server.xml <Connector port="8888" protocol="HTTP/1.1" redirectPort="8443"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector> 10/12/22 10/12/22 10/12/22 20
Using TLS (1 tomcat) server.xml <Connector port="4433" protocol="org.apache.coyote.http11.Http11NioProtocol" address="localhost" maxThreads="150" SSLEnabled="true"> <SSLHostConfig> <Certificate certificateFile="/home/jfclere/CERTS/localhost/newcert.pem" certificateKeyFile="/home/jfclere/CERTS/localhost/newkey.txt.pem"/> </SSLHostConfig> </Connector> 10/12/22 10/12/22 10/12/22 21
Using TLS (1 httpd) httpd.conf SSLProxyEngine on SSLProxyCACertificateFile "/etc/pki/CA/cacert.pem" ProxyPass "/examples" "https://localhost:8443/examples" ProxyPassReverse "/examples" "https://localhost:8443/examples" 10/12/22 10/12/22 10/12/22 22
Using TLS (2 tomcat) server.xml <Valve className="org.apache.catalina.valves.SSLValve" /> 10/12/22 10/12/22 10/12/22 23
Using TLS (2 httpd) Httpd.conf add headers for Valve # export the ssl variables SSLOptions +StdEnvVars +ExportCertData # Use mod_headers to add them as headers. RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s" RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s" RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s" 10/12/22 10/12/22 10/12/22 24
Demo 8007: just encrypt httpd-tomcat (makes no sense!!!). 8000: encrypt both. (makes sense) 8888: encrypt both. (makes sense) and get client certificates. (remember PEM vs pem) 9999: h2c proxy 9998: h2 proxy See: https://github.com/jfclere/AC2022/blob/main/proxy/tomcat-proxy.conf Remember: LogLevel proxy_module:debug (or ssl_module:debug) will help! 10/12/22 10/12/22 10/12/22 25
Questions? Thank you! ● jfclere@gmail.com ● users@tomcat.apache.org ● Repo with the examples for the demo: – https://github.com/jfclere/AC2022 10/12/22 26

Recommended

Apache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatApache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and Tomcat
Jean-Frederic Clere
 
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
Jean-Frederic Clere
 
Tomcat next
Tomcat nextTomcat next
Tomcat next
Jean-Frederic Clere
 
Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1
GLC Networks
 
Socket programming, and openresty
Socket programming, and openrestySocket programming, and openresty
Socket programming, and openresty
Tavish Naruka
 
What You Should Know About WebLogic Server 12c (12.2.1.2) #oow2015 #otntour2...
What You Should Know About WebLogic Server 12c (12.2.1.2) #oow2015 #otntour2...What You Should Know About WebLogic Server 12c (12.2.1.2) #oow2015 #otntour2...
What You Should Know About WebLogic Server 12c (12.2.1.2) #oow2015 #otntour2...
Frank Munz
 
Building a Multithreaded Web-Based Game Engine Using HTML5/CSS3 and JavaScrip...
Building a Multithreaded Web-Based Game Engine Using HTML5/CSS3 and JavaScrip...Building a Multithreaded Web-Based Game Engine Using HTML5/CSS3 and JavaScrip...
Building a Multithreaded Web-Based Game Engine Using HTML5/CSS3 and JavaScrip...
Corey Clark, Ph.D.
 
Sprint 17
Sprint 17Sprint 17
Sprint 17
ManageIQ
 

Recommended

Apache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatApache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and Tomcat
Jean-Frederic Clere
 
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
Jean-Frederic Clere
 
Tomcat next
Tomcat nextTomcat next
Tomcat next
Jean-Frederic Clere
 
Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1
GLC Networks
 
Socket programming, and openresty
Socket programming, and openrestySocket programming, and openresty
Socket programming, and openresty
Tavish Naruka
 
What You Should Know About WebLogic Server 12c (12.2.1.2) #oow2015 #otntour2...
What You Should Know About WebLogic Server 12c (12.2.1.2) #oow2015 #otntour2...What You Should Know About WebLogic Server 12c (12.2.1.2) #oow2015 #otntour2...
What You Should Know About WebLogic Server 12c (12.2.1.2) #oow2015 #otntour2...
Frank Munz
 
Building a Multithreaded Web-Based Game Engine Using HTML5/CSS3 and JavaScrip...
Building a Multithreaded Web-Based Game Engine Using HTML5/CSS3 and JavaScrip...Building a Multithreaded Web-Based Game Engine Using HTML5/CSS3 and JavaScrip...
Building a Multithreaded Web-Based Game Engine Using HTML5/CSS3 and JavaScrip...
Corey Clark, Ph.D.
 
Sprint 17
Sprint 17Sprint 17
Sprint 17
ManageIQ
 
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
Ericom Software
 
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure WebLinux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
All Things Open
 
19. Cloud Native Computing - Kubernetes - Bratislava - Databases in K8s world
19. Cloud Native Computing - Kubernetes - Bratislava - Databases in K8s world19. Cloud Native Computing - Kubernetes - Bratislava - Databases in K8s world
19. Cloud Native Computing - Kubernetes - Bratislava - Databases in K8s world
Dávid Kőszeghy
 
Mikrotik Hotspot
Mikrotik HotspotMikrotik Hotspot
Mikrotik Hotspot
GLC Networks
 
Container Orchestration from Theory to Practice
Container Orchestration from Theory to PracticeContainer Orchestration from Theory to Practice
Container Orchestration from Theory to Practice
Docker, Inc.
 
Ob1k presentation at Java.IL
Ob1k presentation at Java.ILOb1k presentation at Java.IL
Ob1k presentation at Java.IL
Eran Harel
 
Percona Xtradb Cluster (pxc) 101 percona university 2019
Percona Xtradb Cluster (pxc) 101 percona university 2019Percona Xtradb Cluster (pxc) 101 percona university 2019
Percona Xtradb Cluster (pxc) 101 percona university 2019
Marcelo Henrique Gonçalves
 
0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri
Adana Klima Servisi Bakım Montaj Taşıma Temizlik Tamir Arıza Teknik Servisleri
 
Shall we play a game
Shall we play a gameShall we play a game
Shall we play a game
jackpot201
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
IngridRivera36
 
Nodejs
NodejsNodejs
Nodejs
Vinod Kumar Marupu
 
MySQL X protocol - Talking to MySQL Directly over the Wire
MySQL X protocol - Talking to MySQL Directly over the WireMySQL X protocol - Talking to MySQL Directly over the Wire
MySQL X protocol - Talking to MySQL Directly over the Wire
Simon J Mudd
 
Rohit Yadav - The future of the CloudStack Virtual Router
Rohit Yadav - The future of the CloudStack Virtual RouterRohit Yadav - The future of the CloudStack Virtual Router
Rohit Yadav - The future of the CloudStack Virtual Router
ShapeBlue
 
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакСтек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Positive Hack Days
 
Building Next Generation Real-Time Web Applications using Websockets
Building Next Generation Real-Time Web Applications using WebsocketsBuilding Next Generation Real-Time Web Applications using Websockets
Building Next Generation Real-Time Web Applications using Websockets
Naresh Chintalcheru
 
TLS - 2016 Velocity Training
TLS - 2016 Velocity TrainingTLS - 2016 Velocity Training
TLS - 2016 Velocity Training
Patrick Meenan
 
Monkey Server
Monkey ServerMonkey Server
Monkey Server
Eduardo Silva Pereira
 
Gluster dev session #6 understanding gluster's network communication layer
Gluster dev session #6 understanding gluster's network communication layerGluster dev session #6 understanding gluster's network communication layer
Gluster dev session #6 understanding gluster's network communication layer
Pranith Karampuri
 
OpenNebulaConf 2014 - ONE BIT to rule them all - Stefan Kooman
OpenNebulaConf 2014 - ONE BIT to rule them all - Stefan KoomanOpenNebulaConf 2014 - ONE BIT to rule them all - Stefan Kooman
OpenNebulaConf 2014 - ONE BIT to rule them all - Stefan Kooman
OpenNebula Project
 
OpenNebula Conf 2014 | ONE BIT to rule them all - Stefan Kooman
OpenNebula Conf 2014 | ONE BIT to rule them all - Stefan KoomanOpenNebula Conf 2014 | ONE BIT to rule them all - Stefan Kooman
OpenNebula Conf 2014 | ONE BIT to rule them all - Stefan Kooman
NETWAYS
 
Panama.pdf
Panama.pdfPanama.pdf
Panama.pdf
Jean-Frederic Clere
 
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
Jean-Frederic Clere
 

More Related Content

Similar to 03_clere_Proxing to tomcat with httpd.pdf

0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri
Adana Klima Servisi Bakım Montaj Taşıma Temizlik Tamir Arıza Teknik Servisleri
 
Rohit Yadav - The future of the CloudStack Virtual Router
Rohit Yadav - The future of the CloudStack Virtual RouterRohit Yadav - The future of the CloudStack Virtual Router
Rohit Yadav - The future of the CloudStack Virtual Router
ShapeBlue
 
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакСтек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Positive Hack Days
 
OpenNebulaConf 2014 - ONE BIT to rule them all - Stefan Kooman
OpenNebulaConf 2014 - ONE BIT to rule them all - Stefan KoomanOpenNebulaConf 2014 - ONE BIT to rule them all - Stefan Kooman
OpenNebulaConf 2014 - ONE BIT to rule them all - Stefan Kooman
OpenNebula Project
 

Similar to 03_clere_Proxing to tomcat with httpd.pdf (20)

WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
 
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure WebLinux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
 
19. Cloud Native Computing - Kubernetes - Bratislava - Databases in K8s world
19. Cloud Native Computing - Kubernetes - Bratislava - Databases in K8s world19. Cloud Native Computing - Kubernetes - Bratislava - Databases in K8s world
19. Cloud Native Computing - Kubernetes - Bratislava - Databases in K8s world
 
Mikrotik Hotspot
Mikrotik HotspotMikrotik Hotspot
Mikrotik Hotspot
 
Container Orchestration from Theory to Practice
Container Orchestration from Theory to PracticeContainer Orchestration from Theory to Practice
Container Orchestration from Theory to Practice
 
Ob1k presentation at Java.IL
Ob1k presentation at Java.ILOb1k presentation at Java.IL
Ob1k presentation at Java.IL
 
Percona Xtradb Cluster (pxc) 101 percona university 2019
Percona Xtradb Cluster (pxc) 101 percona university 2019Percona Xtradb Cluster (pxc) 101 percona university 2019
Percona Xtradb Cluster (pxc) 101 percona university 2019
 
0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri
 
Shall we play a game
Shall we play a gameShall we play a game
Shall we play a game
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
 
Nodejs
NodejsNodejs
Nodejs
 
MySQL X protocol - Talking to MySQL Directly over the Wire
MySQL X protocol - Talking to MySQL Directly over the WireMySQL X protocol - Talking to MySQL Directly over the Wire
MySQL X protocol - Talking to MySQL Directly over the Wire
 
Rohit Yadav - The future of the CloudStack Virtual Router
Rohit Yadav - The future of the CloudStack Virtual RouterRohit Yadav - The future of the CloudStack Virtual Router
Rohit Yadav - The future of the CloudStack Virtual Router
 
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакСтек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
 
Building Next Generation Real-Time Web Applications using Websockets
Building Next Generation Real-Time Web Applications using WebsocketsBuilding Next Generation Real-Time Web Applications using Websockets
Building Next Generation Real-Time Web Applications using Websockets
 
TLS - 2016 Velocity Training
TLS - 2016 Velocity TrainingTLS - 2016 Velocity Training
TLS - 2016 Velocity Training
 
Monkey Server
Monkey ServerMonkey Server
Monkey Server
 
Gluster dev session #6 understanding gluster's network communication layer
Gluster dev session #6 understanding gluster's network communication layerGluster dev session #6 understanding gluster's network communication layer
Gluster dev session #6 understanding gluster's network communication layer
 
OpenNebulaConf 2014 - ONE BIT to rule them all - Stefan Kooman
OpenNebulaConf 2014 - ONE BIT to rule them all - Stefan KoomanOpenNebulaConf 2014 - ONE BIT to rule them all - Stefan Kooman
OpenNebulaConf 2014 - ONE BIT to rule them all - Stefan Kooman
 
OpenNebula Conf 2014 | ONE BIT to rule them all - Stefan Kooman
OpenNebula Conf 2014 | ONE BIT to rule them all - Stefan KoomanOpenNebula Conf 2014 | ONE BIT to rule them all - Stefan Kooman
OpenNebula Conf 2014 | ONE BIT to rule them all - Stefan Kooman
 

More from Jean-Frederic Clere

More from Jean-Frederic Clere (17)

Panama.pdf
Panama.pdfPanama.pdf
Panama.pdf
 
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
 
Apache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validationsApache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validations
 
Cloud RPI4 tomcat ARM64
Cloud RPI4 tomcat ARM64Cloud RPI4 tomcat ARM64
Cloud RPI4 tomcat ARM64
 
From a cluster to the Cloud
From a cluster to the CloudFrom a cluster to the Cloud
From a cluster to the Cloud
 
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our ServersHTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
 
Apache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validationApache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validation
 
Juggva cloud
Juggva cloudJuggva cloud
Juggva cloud
 
TomcatCon: from a cluster to the cloud
TomcatCon: from a cluster to the cloudTomcatCon: from a cluster to the cloud
TomcatCon: from a cluster to the cloud
 
Tomcat from a cluster to the cloud on RP3
Tomcat from a cluster to the cloud on RP3Tomcat from a cluster to the cloud on RP3
Tomcat from a cluster to the cloud on RP3
 
Having fun with Raspberry(s) and Apache projects
Having fun with Raspberry(s) and Apache projectsHaving fun with Raspberry(s) and Apache projects
Having fun with Raspberry(s) and Apache projects
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat openssl
 
Having fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projectsHaving fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projects
 
HTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF serversHTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF servers
 
Tomcat next
Tomcat nextTomcat next
Tomcat next
 
Native 1.2.8
Native 1.2.8Native 1.2.8
Native 1.2.8
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat openssl
 

Recently uploaded

%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
masabamasaba
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
Juha-Pekka Tolvanen
 

Recently uploaded (20)

WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 

03_clere_Proxing to tomcat with httpd.pdf

  • 1. Proxing to tomcat with httpd Jean-Frederic Clere Principal Software Engineer / Red Hat
  • 2. What I will cover ● Proxy what and why. ● Protocols – AJP – HTTP/HTTPS (1.1) – HTTP/2 (H2 and H2C) – Others proxy and Other protocols (web-socket etc) ● Configuration – mod_jk, mod_proxy, http/1.1 basic, h2c, h2 – https /TLS proxying ● Demo ● QUESTIONS? 10/12/22 2
  • 3. Who I am Jean-Frederic Clere Red Hat Years writing JAVA code and server software Tomcat committer since 2001 Doing OpenSource since 1999 Cyclist/Runner etc Lived 15 years in Spain (Barcelona) Now in Neuchâtel (CH) 10/12/22 3
  • 4. What is Proxy? ● Something between the application server and the internet. ● Load-balancer ● Failover ● Protocol termination – TLS/SSL – HTTP/2 and (soon) HTTP/3 ● Understands a protocol and possible upgrades. 10/12/22 4
  • 5. Why a proxy? ● Control the load ● Serve static pages ● Control requests: mod_security / mod_rewrite etc ● Dynamic configuration (mod_balancer/mod_cluster…) ● Protocol translations 10/12/22 5
  • 6. AJP ● When – Easy TLS/SSL forwarding ● Limitations – No upgrade – Header size – No encryption – Limited “authentication” (secret) ● mod_proxy_ajp and mod_jk 10/12/22 6
  • 7. HTTP and HTTPS 1.1 ● When: – No SSL forwarding – Using SSLValve ● HTTP/HTTPS: – HTTPS might be needed (Encryption/Authentication) – HTTPS on tomcat (openssl again?) – HTTP if you trust your intranet. (really?) ● Other reasons: – HTTP is more developed than AJP 10/12/22 7
  • 8. Comparations mod_jk / mod_proxy 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1M iB.bin 0 10000 20000 30000 40000 50000 60000 70000 Concurency 240 mod_jk proxy_ajp proxy_http11 File Size Kbytes / second 8 10/12/22
  • 9. Comparations mod_jk / mod_proxy 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 20 40 60 80 100 120 Concurency 240 mod_jk proxy_ajp proxy_http11 File Size CPU Usage 9 10/12/22
  • 10. Conclusion AJP/HTTP ● No big difference mod_proxy_ajp/mod_jk ● AJP more easy (no Valve needed) ● AJP not encrypted ● AJP has no upgrade 10 10/12/22
  • 11. H2C ● h2c is only for reverse proxy – <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> ● Supported by httpd 11 10/12/22
  • 12. Demultiplexing h2 in proxy ● Keep the back-end unchanged ● Keep the overhead of h2 in the proxy 12 10/12/22
  • 13. Other proxies ● HAProxy (in the cloud / openshift for example) ● mod_cluster (httpd dynamic load balancer) ● Undertow proxy (jboss servlet container) ● Ingress (in kubernetes, well Nginx or GCE) ● Traffic Server ● Nginx 10/12/22 13
  • 14. Other protocols ● Jboss-remoting ● Mix HTTP/1.1 websockets ● mod_proxy_wstunnel ● ProxySet "ws://localhost:8080/" upgrade=jboss-remoting ● LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so 10/12/22 14
  • 15. So proxy or not proxy ● Fail-over : yes ● H2 and old HTTP/1.1 tomcat : yes? Really? Danger? ● Pure java tomcat + TLS/SSL : yes ● Otherwise: Not needed 10/12/22 15
  • 16. mod_jk configuration ● Httpd.conf LoadModule jk_module modules/mod_jk.so JkMount /jkaj/* worker1 JkWorkersFile conf/workers.properties ● properties # Define 1 real worker using ajp13 worker.list=worker1 worker.worker1.type=lb worker.worker1.balance_workers=clusterdev03,clusterdev04 # Set properties for workers (ajp13) worker.clusterdev03.type=ajp13 worker.clusterdev03.host=192.168.0.130 worker.clusterdev03.port=8009 worker.clusterdev04.type=ajp13 worker.clusterdev04.host=192.168.0.140 worker.clusterdev04.port=8009 16 10/12/22
  • 17. mod_proxy_ajp configuration ● Httpd.conf LoadModule slotmem_shm_module modules/mod_slotmem_shm.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_ajp_module modules/mod_proxy_ajp.so LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.so <Proxy balancer://ajp> #192.168.0.140 192.168.0.130 clusterdev04 / 03 BalancerMember ajp://192.168.0.130:8009 BalancerMember ajp://192.168.0.140:8009 </Proxy> ProxyPass /tcaj balancer://ajp/tcaj 10/12/22 10/12/22 17
  • 18. mod_proxy_httpd configuration ● Httpd.conf LoadModule slotmem_shm_module modules/mod_slotmem_shm.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.so <Proxy balancer://http> BalancerMember http://192.168.0.130:8080 BalancerMember http://192.168.0.140:8080 </Proxy> ProxyPass /tchp balancer://http/tchp 18 10/12/22
  • 19. H2C configuration ● Httpd.conf LoadModule http2_module modules/mod_http2.so Protocols h2 http/1.1 LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule proxy_http2_module modules/mod_proxy_http2.so ProxyPass "/tch2" "h2c://192.168.100.215:8888/tch2" 10/12/22 19
  • 20. H2C configuration ● server.xml <Connector port="8888" protocol="HTTP/1.1" redirectPort="8443"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector> 10/12/22 10/12/22 10/12/22 20
  • 21. Using TLS (1 tomcat) server.xml <Connector port="4433" protocol="org.apache.coyote.http11.Http11NioProtocol" address="localhost" maxThreads="150" SSLEnabled="true"> <SSLHostConfig> <Certificate certificateFile="/home/jfclere/CERTS/localhost/newcert.pem" certificateKeyFile="/home/jfclere/CERTS/localhost/newkey.txt.pem"/> </SSLHostConfig> </Connector> 10/12/22 10/12/22 10/12/22 21
  • 22. Using TLS (1 httpd) httpd.conf SSLProxyEngine on SSLProxyCACertificateFile "/etc/pki/CA/cacert.pem" ProxyPass "/examples" "https://localhost:8443/examples" ProxyPassReverse "/examples" "https://localhost:8443/examples" 10/12/22 10/12/22 10/12/22 22
  • 23. Using TLS (2 tomcat) server.xml <Valve className="org.apache.catalina.valves.SSLValve" /> 10/12/22 10/12/22 10/12/22 23
  • 24. Using TLS (2 httpd) Httpd.conf add headers for Valve # export the ssl variables SSLOptions +StdEnvVars +ExportCertData # Use mod_headers to add them as headers. RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s" RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s" RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s" 10/12/22 10/12/22 10/12/22 24
  • 25. Demo 8007: just encrypt httpd-tomcat (makes no sense!!!). 8000: encrypt both. (makes sense) 8888: encrypt both. (makes sense) and get client certificates. (remember PEM vs pem) 9999: h2c proxy 9998: h2 proxy See: https://github.com/jfclere/AC2022/blob/main/proxy/tomcat-proxy.conf Remember: LogLevel proxy_module:debug (or ssl_module:debug) will help! 10/12/22 10/12/22 10/12/22 25
  • 26. Questions? Thank you! ● jfclere@gmail.com ● users@tomcat.apache.org ● Repo with the examples for the demo: – https://github.com/jfclere/AC2022 10/12/22 26