Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-28 Thread Christopher Schultz

Frederik,

On 9/28/15 11:13 AM, Frederik Nosi wrote:
> Hi,
> On 09/26/2015 02:04 AM, Christopher Schultz wrote:
>> Graham,
>>
>> On 9/25/15 7:23 PM, Graham Leggett wrote:
>>> On 25 Sep 2015, at 10:33 PM, Christopher Schultz wrote:
>>>
>>>> While I obviously agree with the sentiment, I do feel bad
>>>> for the OP who has to fight this battle.
>>>
>>> It is important however to clarify that this isn’t a typical
>>> scenario, lest someone cites this thread as to why they
>>> should be doing the same thing.
>>>
>>>> 1. All the code we currently have in tcnative uses APR for
>>>> everything, and I'm not sure if APR supports AF_UNIX
>>>> sockets, or even if it would have to support them to do
>>>> this.
>>>
>>> The as-yet-unreleased v1.6 of APR does support unix domain
>>> sockets, although the docs for it don’t appear to be very
>>> clear.
>>>
>>>> 2. The plumbing required to configure an AF_UNIX socket is
>>>> non-trivial, and it's currently all wired-around using
>>>> AF_INET sockets, so it's got hostname, port, etc. I suppose
>>>> we could stuff the inode's name into the hostname and
>>>> ignore the port number or something like that, but it's
>>>> fairly hacky.
>>>
>>> Currently APR seems to accept the UDS filename where the IP
>>> address would otherwise be provided.
>>>
>>>> So this is a non-trivial amount of work, here.
>>>>
>>>> Srini, is there any chance your employer would pay someone
>>>> to write this code? Patches are always welcome, and Tomcat
>>>> is otherwise completely free…
>>>
>>> If there was a push for unix domain sockets from Tomcat it
>>> would definitely help working out whether the APR_UNIX
>>> implementation does what it needs to do, and gets properly
>>> documented and v1.6 released.
>>
>> I don't really see this happening.
>>
>> I'm fairly sure that the widespread use of HTTP/2 is going to kill
>> AJP forever, leaving only mod_proxy_http(2) as a viable long-term
>> connector. Nobody is ever going to bother writing an AF_UNIX
>> connector for HTTP/2, so I think this idea is very likely to die in
>> this thread.
>
> Not sure on this, as AJP is quite handy. Especially load balancing
> java webapps and I find mod_jk quite good at this.

Remember, it's not mod_jk doing the load-balancing, it's Apache httpd.
mod_jk is simply providing the channel over which the proxying is
being done. In a thread on the dev list, I'm a little more defensive
of AJP because of its ability to pass data out-of-band with respect to
the tunneled HTTP message. There definitely is utility there.

> Out of curiosity, why do you think so? What does HTTP/2 offer
> that can be handy in a reverse proxy scenario? Compression /
> streams?

It's not that I think HTTP/2 offers a particular advantage over AJP,
but HTTP/2 *will* be implemented and it offers a number of advantages
over AJP (specifically, encryption as part of the HTTPS protocol).
Currently, AJP doesn't support the connection-oriented web protocols
like Websocket, and it just seems like it will be a huge effort to get
AJP to be able to tunnel everything that both HTTP and HTTP/2 offer.

Since HTTP/2 is going to (eventually) have to support all this, and
httpd is going to (eventually) implement HTTP/2 proxying, I'm not sure
I see a great benefit to continuing to maintain AJP and mod_jk along
with it.

mod_jk was great when proxying was otherwise very complicated with
Apache httpd. That's no longer the case, and I think it makes sense to
push mod_proxy_http to support all the great features that AJP/mod_jk
is currently providing. There is no great need to maintain two
components that do pretty much the same thing, when one of those
components (mod_jk) has a very narrow use-case and the other
(mod_proxy_http) has very wide applicability.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-28 Thread Frederik Nosi

Hi,
On 09/26/2015 02:04 AM, Christopher Schultz wrote:
> Graham,
>
> On 9/25/15 7:23 PM, Graham Leggett wrote:
>> On 25 Sep 2015, at 10:33 PM, Christopher Schultz wrote:
>>
>>> While I obviously agree with the sentiment, I do feel bad for
>>> the OP who has to fight this battle.
>>
>> It is important however to clarify that this isn’t a typical
>> scenario, lest someone cites this thread as to why they should be
>> doing the same thing.
>>
>>> 1. All the code we currently have in tcnative uses APR for
>>> everything, and I'm not sure if APR supports AF_UNIX sockets, or
>>> even if it would have to support them to do this.
>>
>> The as-yet-unreleased v1.6 of APR does support unix domain
>> sockets, although the docs for it don’t appear to be very clear.
>>
>>> 2. The plumbing required to configure an AF_UNIX socket is
>>> non-trivial, and it's currently all wired-around using AF_INET
>>> sockets, so it's got hostname, port, etc. I suppose we could
>>> stuff the inode's name into the hostname and ignore the port
>>> number or something like that, but it's fairly hacky.
>>
>> Currently APR seems to accept the UDS filename where the IP
>> address would otherwise be provided.
>>
>>> So this is a non-trivial amount of work, here.
>>>
>>> Srini, is there any chance your employer would pay someone to
>>> write this code? Patches are always welcome, and Tomcat is
>>> otherwise completely free…
>>
>> If there was a push for unix domain sockets from Tomcat it would
>> definitely help working out whether the APR_UNIX implementation
>> does what it needs to do, and gets properly documented and v1.6
>> released.
>
> I don't really see this happening.
>
> I'm fairly sure that the widespread use of HTTP/2 is going to kill AJP
> forever, leaving only mod_proxy_http(2) as a viable long-term
> connector. Nobody is ever going to bother writing an AF_UNIX connector
> for HTTP/2, so I think this idea is very likely to die in this thread.

Not sure on this, as AJP is quite handy. Especially load balancing java
webapps and I find mod_jk quite good at this.
Out of curiosity, why do you think so? What does HTTP/2 offer that can
be handy in a reverse proxy scenario? Compression / streams?








Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-28 Thread tomcat

On 28.09.2015 18:09, Christopher Schultz wrote:
...

>> Not sure on this, as AJP is quite handy. Especially load balancing
>> java webapps and I find mod_jk quite good at this.
>
> Remember, it's not mod_jk doing the load-balancing, it's Apache httpd.
> mod_jk is simply providing the channel over which the proxying is
> being done.

I don't think that's true.

In the case of mod_proxy_ajp, it is mod_proxy and mod_proxy_balancer who do the
load-balancing.

But mod_proxy* are not used with mod_jk; it does its own balancing.

> In a thread on the dev list, I'm a little more defensive
> of AJP because of its ability to pass data out-of-band with respect to
> the tunneled HTTP message. There definitely is utility there.

+1.  Passing Apache httpd's "environment variables" for instance, becoming "request
attributes" in Tomcat.

...






RE: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-25 Thread Srinivasan Raman
Hi Chris,
I did not get much in terms of reference, but here goes:

1. http://tomcat.apache.org/tomcat-7.0-doc/apr.html

Tomcat can use the Apache Portable Runtime to provide superior scalability,
performance, and better integration with native server technologies. The Apache
Portable Runtime is a highly portable library that is at the heart of Apache
HTTP Server 2.x. APR has many uses, including access to advanced IO
functionality (such as sendfile, epoll and OpenSSL), OS level functionality
(random number generation, system status etc), and native process handling
(shared memory, NT pipes and Unix sockets).

I assumed Unix sockets meant Unix domain sockets, but looks like that might not
be the right assumption.

2. https://tomcat.apache.org/connectors-doc-archive/jk2/jk2/configwebex.html

This page, in the section titled "/example using AF_UNIX socket", there is a
sample configuration that appeared like the configuration of a Tomcat instance
to enable it to communicate with an Apache instance over Unix domain sockets.
However, as this page is an archived page, it is likely this is old
functionality that might have been supported earlier, but no longer.

Anyways, I think from your recommendation, and that of the others that too
responded to this email thread, it does not appear to be available out of the
box.
Thanks a lot for taking the time and trouble to clarify things...
srini_

> Subject: Re: Need help understanding support for Unix Domain Sockets in 
> Tomcat 7.0.x
> To: users@tomcat.apache.org
> From: ch...@christopherschultz.net
> Date: Wed, 23 Sep 2015 15:28:04 -0400
> 
> Srini,
> 
> On 9/23/15 1:03 PM, Srinivasan Raman wrote:
> > Unfortunately, the data needs to be encrypted if the communication
> > is over TCP, even if it is to a process in the same VM. Any
> > alternatives that you can suggest for getting Unix domain sockets
> > to work with Tomcat? I did come across mention of a connector, JK,
> > that mentions Unix Domain sockets - that's what got me interested
> > in this.
> 
> Reference?
> 
> The only thing I could find was the link I posted earlier where markt
> said "no you can't do that".
> 
> -chris
  

Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-25 Thread Christopher Schultz

Graham,

On 9/24/15 2:56 PM, Graham Leggett wrote:
> On 23 Sep 2015, at 22:05, André Warnier (tomcat) wrote:
> 
>> - you convince whoever wrote that requirement, that an internal
>> TCP connection within the same host, is no less secure than a
>> Unix Domain socket
> 
> +1.

While I obviously agree with the sentiment, I do feel bad for the OP
who has to fight this battle.

It's been a while since I did socket programming in C, but IIRC it's
abstract enough that binding to an AF_INET socket and an AF_UNIX
socket is roughly equivalent, so it shouldn't be /that/ hard to do
this, in theory.

The problems I can think of are as follows:

1. All the code we currently have in tcnative uses APR for everything,
and I'm not sure if APR supports AF_UNIX sockets, or even if it would
have to support them to do this.

2. The plumbing required to configure an AF_UNIX socket is
non-trivial, and it's currently all wired-around using AF_INET
sockets, so it's got hostname, port, etc. I suppose we could stuff the
inode's name into the hostname and ignore the port number or something
like that, but it's fairly hacky.

3. mod_jk would need to be modified in exactly the same way.

So this is a non-trivial amount of work, here.

Srini, is there any chance your employer would pay someone to write
this code? Patches are always welcome, and Tomcat is otherwise
completely free...

-chris
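
Added example (not code from this thread, tcnative, APR or mod_jk): a Linux C listener using the convention floated in point 2 above, where a host string beginning with '/' is taken as a socket path and the port is ignored. It shows that socket/bind/listen/accept are the same calls for both families, and what differs for access control: the AF_UNIX socket file carries permission bits and the accepted connection reports the peer's uid through SO_PEERCRED, while a loopback TCP connection reports none. The names open_listener, peer_uid and connect_and_identify and the socket path are hypothetical.

```c
#define _GNU_SOURCE                 /* struct ucred, SO_PEERCRED (Linux) */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Assumed convention: a host starting with '/' is a socket path (port is
 * ignored); anything else is an IPv4 literal. Returns a listening fd or -1. */
int open_listener(const char *host, unsigned short port)
{
    struct sockaddr_storage ss;
    struct stat st;
    socklen_t len;
    mode_t old_umask = 0;
    int is_uds = (host[0] == '/'), fd, rc;
    memset(&ss, 0, sizeof(ss));
    if (is_uds) {
        struct sockaddr_un *un = (struct sockaddr_un *)&ss;
        if (strlen(host) >= sizeof(un->sun_path))
            return -1;                  /* refuse to truncate the path */
        un->sun_family = AF_UNIX;
        strcpy(un->sun_path, host);
        len = sizeof(*un);
    } else {
        struct sockaddr_in *in = (struct sockaddr_in *)&ss;
        in->sin_family = AF_INET;
        in->sin_port = htons(port);
        if (inet_pton(AF_INET, host, &in->sin_addr) != 1)
            return -1;
        len = sizeof(*in);
    }
    fd = socket(ss.ss_family, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (is_uds) {
        unlink(host);                   /* stale socket file from an earlier run */
        old_umask = umask(0077);        /* create it without group/other bits */
    }
    rc = bind(fd, (struct sockaddr *)&ss, len);
    if (is_uds) {
        umask(old_umask);
        if (rc == 0 && (stat(host, &st) < 0 || !S_ISSOCK(st.st_mode) ||
                        (st.st_mode & 077) != 0))
            rc = -1;                    /* socket file is not owner-only */
    }
    if (rc < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* uid of the peer process, or -1. Linux records it for AF_UNIX peers only. */
long peer_uid(int conn)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(conn, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0 ||
        cred.uid == (uid_t)-1)
        return -1;
    return (long)cred.uid;
}

/* Listens on host, connects from this same process, and returns what the
 * accepting side learns about its peer (-2 if the sockets cannot be set up). */
long connect_and_identify(const char *host)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    long uid = -2;
    int cli = -1, conn = -1, lfd = open_listener(host, 0);  /* 0: any free port */

    if (lfd >= 0 && getsockname(lfd, (struct sockaddr *)&ss, &len) == 0 &&
        (cli = socket(ss.ss_family, SOCK_STREAM, 0)) >= 0 &&
        connect(cli, (struct sockaddr *)&ss, len) == 0 &&
        (conn = accept(lfd, NULL, NULL)) >= 0)
        uid = peer_uid(conn);
    if (conn >= 0) close(conn);
    if (cli >= 0) close(cli);
    if (lfd >= 0) close(lfd);
    if (host[0] == '/') unlink(host);
    return uid;
}

int main(void)
{
    printf("AF_UNIX peer uid: %ld\n", connect_and_identify("/tmp/uds-example.sock"));
    printf("loopback TCP peer uid: %ld\n", connect_and_identify("127.0.0.1"));
    return 0;
}
```

On Linux, connecting to a path-based socket requires write permission on the socket file, so the umask applied around bind() decides which local users can reach the listener.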



Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-25 Thread Graham Leggett
On 25 Sep 2015, at 10:33 PM, Christopher Schultz wrote:

> While I obviously agree with the sentiment, I do feel bad for the OP
> who has to fight this battle.

It is important however to clarify that this isn’t a typical scenario, lest 
someone cites this thread as to why they should be doing the same thing.

> 1. All the code we currently have in tcnative uses APR for everything,
> and I'm not sure if APR supports AF_UNIX sockets, or even if it would
> have to support them to do this.

The as-yet-unreleased v1.6 of APR does support unix domain sockets, although 
the docs for it don’t appear to be very clear.

> 2. The plumbing required to configure an AF_UNIX socket is
> non-trivial, and it's currently all wired-around using AF_INET
> sockets, so it's got hostname, port, etc. I suppose we could stuff the
> inode's name into the hostname and ignore the port number or something
> like that, but it's fairly hacky.

Currently APR seems to accept the UDS filename where the IP address would 
otherwise be provided.

> So this is a non-trivial amount of work, here.
> 
> Srini, is there any chance your employer would pay someone to write
> this code? Patches are always welcome, and Tomcat is otherwise
> completely free…

If there was a push for unix domain sockets from Tomcat it would definitely 
help working out whether the APR_UNIX implementation does what it needs to do, 
and gets properly documented and v1.6 released.

Regards,
Graham
—





Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-25 Thread Christopher Schultz

Graham,

On 9/25/15 7:23 PM, Graham Leggett wrote:
> On 25 Sep 2015, at 10:33 PM, Christopher Schultz wrote:
> 
>> While I obviously agree with the sentiment, I do feel bad for
>> the OP who has to fight this battle.
> 
> It is important however to clarify that this isn’t a typical 
> scenario, lest someone cites this thread as to why they should be 
> doing the same thing.
> 
>> 1. All the code we currently have in tcnative uses APR for 
>> everything, and I'm not sure if APR supports AF_UNIX sockets, or 
>> even if it would have to support them to do this.
> 
> The as-yet-unreleased v1.6 of APR does support unix domain
> sockets, although the docs for it don’t appear to be very clear.
> 
>> 2. The plumbing required to configure an AF_UNIX socket is 
>> non-trivial, and it's currently all wired-around using AF_INET 
>> sockets, so it's got hostname, port, etc. I suppose we could 
>> stuff the inode's name into the hostname and ignore the port 
>> number or something like that, but it's fairly hacky.
> 
> Currently APR seems to accept the UDS filename where the IP
> address would otherwise be provided.
> 
>> So this is a non-trivial amount of work, here.
>> 
>> Srini, is there any chance your employer would pay someone to 
>> write this code? Patches are always welcome, and Tomcat is 
>> otherwise completely free…
> 
> If there was a push for unix domain sockets from Tomcat it would 
> definitely help working out whether the APR_UNIX implementation 
> does what it needs to do, and gets properly documented and v1.6 
> released.

I don't really see this happening.

I'm fairly sure that the widespread use of HTTP/2 is going to kill AJP
forever, leaving only mod_proxy_http(2) as a viable long-term
connector. Nobody is ever going to bother writing an AF_UNIX connector
for HTTP/2, so I think this idea is very likely to die in this thread.

-chris



Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-24 Thread Graham Leggett
On 23 Sep 2015, at 22:05, André Warnier (tomcat) wrote:

> - you convince whoever wrote that requirement, that an internal TCP 
> connection within the same host, is no less secure than a Unix Domain socket

+1.

Regards,
Graham
--





Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-23 Thread Christopher Schultz

Srini,

On 9/23/15 7:54 AM, Srinivasan Raman wrote:
> In one use-case, for performance reasons, I would like to explore
> the option of connecting from an in-house software load balancer
> running in a VM running Linux to a Tomcat instance running in the
> same VM using Unix Domain sockets.

Do you have any evidence that there is a performance advantage, here?
localhost TCP is quite fast.

http://tomcat.10.x6.nabble.com/Unix-domain-socket-support-for-AJP-connector-td2048906.html

> Googling for this brought up some mention of Unix Domain Sockets
> as part of APR, AJP etc., but I could not locate any concrete
> examples of how this can be done.

AJP certainly does not support UDS. I'm not sure about APR, but I
don't see any immediate direct support for it. You'd basically have to
write everything on top of basic libc calls.

> Appreciate if anyone that has information this can point me in the 
> right direction.

I don't think anyone is really interested in pursuing this, unfortunately.

-chris



Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-23 Thread Graham Leggett
On 23 Sep 2015, at 5:55 PM, Srinivasan Raman wrote:

> Sorry, I should have provided more details while posting the query.
> Due to a security policy that mandates that a certain type of sensitive data 
> flowing over a communication channel must be encrypted, we are using SSL. If 
> the communication channel were to be Unix Domain sockets, we do not need to 
> encrypt the data, based on the data classification for this use-case.

Would it be possible to confirm the need for encrypting traffic over localhost?

Regards,
Graham
—





RE: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-23 Thread Srinivasan Raman



Hi Chris,
Thanks for the speedy response.
> Do you have any evidence that there is a performance advantage, here?
> localhost TCP is quite fast.

Sorry, I should have provided more details while posting the query.
Due to a security policy that mandates that a certain type of sensitive data 
flowing over a communication channel must be encrypted, we are using SSL. If 
the communication channel were to be Unix Domain sockets, we do not need to 
encrypt the data, based on the data classification for this use-case.
Thanks again,
srini_ 
> Subject: Re: Need help understanding support for Unix Domain Sockets in 
> Tomcat 7.0.x
> To: users@tomcat.apache.org
> From: ch...@christopherschultz.net
> Date: Wed, 23 Sep 2015 10:03:07 -0400
> 
> Srini,
> 
> On 9/23/15 7:54 AM, Srinivasan Raman wrote:
> > In one use-case, for performance reasons, I would like to explore
> > the option of connecting from an in-house software load balancer
> > running in a VM running Linux to a Tomcat instance running in the
> > same VM using Unix Domain sockets.
> 
> Do you have any evidence that there is a performance advantage, here?
> localhost TCP is quite fast.
> 
> http://tomcat.10.x6.nabble.com/Unix-domain-socket-support-for-AJP-connector-td2048906.html
> 
> > Googling for this brought up some mention of Unix Domain Sockets
> > as part of APR, AJP etc., but I could not locate any concrete
> > examples of how this can be done.
> 
> AJP certainly does not support UDS. I'm not sure about APR, but I
> don't see any immediate direct support for it. You'd basically have to
> write everything on top of basic libc calls.
> 
> > Appreciate if anyone that has information this can point me in the 
> > right direction.
> 
> I don't think anyone is really interested in pursuing this, unfortunately.
> 
> -chris

  

RE: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-23 Thread Srinivasan Raman
Hi Graham,
Unfortunately, the data needs to be encrypted if the communication is over TCP, 
even if it is to a process in the same VM.
Any alternatives that you can suggest for getting Unix domain sockets to work 
with Tomcat? I did come across mention of a connector, JK, that mentions Unix 
Domain sockets - that's what got me interested in this.
Thanks,
srini_

> Subject: Re: Need help understanding support for Unix Domain Sockets in 
> Tomcat 7.0.x
> From: minf...@sharp.fm
> Date: Wed, 23 Sep 2015 18:11:06 +0200
> To: users@tomcat.apache.org
> 
> On 23 Sep 2015, at 5:55 PM, Srinivasan Raman <srini_b...@hotmail.com> wrote:
> 
> > Sorry, I should have provided more details while posting the query.
> > Due to a security policy that mandates that a certain type of sensitive 
> > data flowing over a communication channel must be encrypted, we are using 
> > SSL. If the communication channel were to be Unix Domain sockets, we do not 
> > need to encrypt the data, based on the data classification for this 
> > use-case.
> 
> Would it be possible to confirm the need for encrypting traffic over 
> localhost?
> 
> Regards,
> Graham
> —
> 
> 
  

Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-23 Thread Christopher Schultz

Srini,

On 9/23/15 11:55 AM, Srinivasan Raman wrote:
> Hi Chris, Thanks for the speedy response.
>> Do you have any evidence that there is a performance advantage,
>> here? localhost TCP is quite fast.
> 
> Sorry, I should have provided more details while posting the
> query.
> 
> Due to a security policy that mandates that a certain type of 
> sensitive data flowing over a communication channel must be 
> encrypted, we are using SSL. If the communication channel were to
> be Unix Domain sockets, we do not need to encrypt the data, based
> on the data classification for this use-case.

So, localhost/TCP is considered a "communication channel" while a Unix
Domain Socket is not? While I appreciate the idea that a UDS is by
definition localhost-only (if you ignore various types of
virtualization), localhost/TCP is no less secure. Is the idea that
localhost/TCP can be easily changed to non-localhost/TCP and therefore
it can never be trusted?

In an environment like that, I'm surprised they are allowing Open
Source Software to be used in the first place, or even Java. :(

-chris

>> Subject: Re: Need help understanding support for Unix Domain
>> Sockets in Tomcat 7.0.x
>> To: users@tomcat.apache.org
>> From: ch...@christopherschultz.net
>> Date: Wed, 23 Sep 2015 10:03:07 -0400
>>
>> Srini,
>>
>> On 9/23/15 7:54 AM, Srinivasan Raman wrote:
>>> In one use-case, for performance reasons, I would like to
>>> explore the option of connecting from an in-house software
>>> load balancer running in a VM running Linux to a Tomcat
>>> instance running in the same VM using Unix Domain sockets.
>>
>> Do you have any evidence that there is a performance advantage,
>> here? localhost TCP is quite fast.
>>
>> http://tomcat.10.x6.nabble.com/Unix-domain-socket-support-for-AJP-connector-td2048906.html
>>
>>> Googling for this brought up some mention of Unix Domain
>>> Sockets as part of APR, AJP etc., but I could not locate any
>>> concrete examples of how this can be done.
>>
>> AJP certainly does not support UDS. I'm not sure about APR, but I
>> don't see any immediate direct support for it. You'd basically have
>> to write everything on top of basic libc calls.
>>
>>> Appreciate if anyone that has information this can point me
>>> in the right direction.
>>
>> I don't think anyone is really interested in pursuing this,
>> unfortunately.
>>
>> -chris



Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-23 Thread Christopher Schultz

Srini,

On 9/23/15 1:03 PM, Srinivasan Raman wrote:
> Unfortunately, the data needs to be encrypted if the communication
> is over TCP, even if it is to a process in the same VM. Any
> alternatives that you can suggest for getting Unix domain sockets
> to work with Tomcat? I did come across mention of a connector, JK,
> that mentions Unix Domain sockets - that's what got me interested
> in this.

Reference?

The only thing I could find was the link I posted earlier where markt
said "no you can't do that".

-chris



Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-23 Thread tomcat

srini_

On 23.09.2015 19:03, Srinivasan Raman wrote:
> Hi Graham,
> Unfortunately, the data needs to be encrypted if the communication is over TCP,
> even if it is to a process in the same VM.
> Any alternatives that you can suggest for getting Unix domain sockets to work
> with Tomcat? I did come across mention of a connector, JK, that mentions Unix
> Domain sockets - that's what got me interested in this.
> Thanks,
> srini_



You already got a response from Christopher, one of the Tomcat Committers.
Re-read it.

It basically boils down to this :
either
- you write this yourself from scratch, both at the Apache httpd (mod_jk/mod_proxy_ajp) 
and at the Tomcat level (AJP Connector)

or
- you convince whoever wrote that requirement, that an internal TCP connection within the 
same host, is no less secure than a Unix Domain socket


Your choice.

(Otherwise, look at "socat" : http://www.dest-unreach.org/socat/)
(I am just kidding; you would end up with two local TCP connections instead of one. But it 
/would/ use a UDS in-between. And internally, it must be doing the kind of things needed 
to "adapt" TCP to UDS and vice-versa. So maybe looking at the source code may give you an 
idea of what would be involved).




>> Subject: Re: Need help understanding support for Unix Domain Sockets in Tomcat
>> 7.0.x
>> From: minf...@sharp.fm
>> Date: Wed, 23 Sep 2015 18:11:06 +0200
>> To: users@tomcat.apache.org
>>
>> On 23 Sep 2015, at 5:55 PM, Srinivasan Raman <srini_b...@hotmail.com> wrote:
>>
>>> Sorry, I should have provided more details while posting the query.
>>> Due to a security policy that mandates that a certain type of sensitive data
>>> flowing over a communication channel must be encrypted, we are using SSL. If
>>> the communication channel were to be Unix Domain sockets, we do not need to
>>> encrypt the data, based on the data classification for this use-case.
>>
>> Would it be possible to confirm the need for encrypting traffic over localhost?
>>
>> Regards,
>> Graham
>> —
