2. What I will coverWhat I will cover
●
Proxy what and why.
●
Protocols
– AJP
– HTTP/HTTPS (1.1)
– HTTP/2 (H2 and H2C)
– Others (web-socket etc)
●
Proxies
– Httpd / Traffic Server / ngix / untertow proxy /mod_cluster
9/19/19 2
3. What I will cover (2)What I will cover (2)
Proxies
– httpd
– Ngnix
Questions?
9/19/19 3
4. Who I amWho I am
Jean-Frederic Clere
Red Hat
Years writing JAVA code and server software
Tomcat committer since 2001
Doing OpenSource since 1999
Cyclist/Runner etc
Lived 15 years in Spain (Barcelona)
Now in Neuchâtel (CH)
9/19/19 4
5. What is Proxy?What is Proxy?
●
Something between the application server and the internet.
●
Load-balancer
●
Failover
●
Protocol termination
– TLS/SSL
– HTTP/2 and soon HTTP/3
●
Understands a protocol and possible upgrades.
9/19/19 5
6. Why a proxy?Why a proxy?
●
Control the load
●
Serve static pages
●
Control requests: mod_security / mod_rewrite etc
●
Dynamic configuration (mod_balancer/mod_cluster…)
●
Protocol translations
9/19/19 6
7. AJPAJP
●
When
– Easy TLS/SSL forwarding
●
Limitations
– No upgrade
– Header size
– No encryption
– Limited “authentication” (secret)
●
mod_proxy_ajp and mod_jk
9/19/19 7
8. HTTP and HTTPS 1.1HTTP and HTTPS 1.1
●
When:
– No SSL forwarding
– Using SSLValve
●
HTTP/HTTPS:
– HTTPS might be need (Encryption/Authentication)
– HTTPS on tomcat (openssl again?)
– HTTP if you trust your intranet. (really?)
●
Other reasons:
– HTTP is more developed than AJP
9/19/19 8
16. Conclusion AJP/HTTPConclusion AJP/HTTP
●
No big difference mod_proxy_ajp/mod_jkNo big difference mod_proxy_ajp/mod_jk
●
AJP more easy (no Valve needed)AJP more easy (no Valve needed)
●
AJP not encryptedAJP not encrypted
●
AJP has no upgradeAJP has no upgrade
25. And so what ngnix?And so what ngnix?
●
Hard to conclude (try 2 processes in NGNIX)
●
Many process in httpd (try less 5 used)
●
Ngnix also uses openssl
9/19/19 25
26. Other proxiesOther proxies
●
HAProxy (in the cloud / openshift for example)
●
mod_cluster (httpd dynamic load balancer)
●
Undertow proxy (jboss servlet container)
●
Ingress (in kubernetes, well Nginx or GCE)
●
Traffic Server
9/19/19 26
28. So proxy or not proxySo proxy or not proxy
●
Fail-over : yes
●
H2 and old HTTP/1.1 tomcat : yes
●
Pure java tomcat + TLS/SSL : yes
●
Otherwise: No
●
Which proxy: httpd but ngnix too...
9/19/19 28