Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
Frederik,

On 9/28/15 11:13 AM, Frederik Nosi wrote:
> Hi,
>
> On 09/26/2015 02:04 AM, Christopher Schultz wrote:
>> Graham,
>>
>> On 9/25/15 7:23 PM, Graham Leggett wrote:
>>> On 25 Sep 2015, at 10:33 PM, Christopher Schultz wrote:
>>>
>>>> While I obviously agree with the sentiment, I do feel bad
>>>> for the OP who has to fight this battle.
>>>
>>> It is important however to clarify that this isn’t a typical
>>> scenario, lest someone cites this thread as to why they should
>>> be doing the same thing.
>>>
>>>> 1. All the code we currently have in tcnative uses APR for
>>>> everything, and I'm not sure if APR supports AF_UNIX
>>>> sockets, or even if it would have to support them to do
>>>> this.
>>>
>>> The as-yet-unreleased v1.6 of APR does support unix domain
>>> sockets, although the docs for it don’t appear to be very clear.
>>>
>>>> 2. The plumbing required to configure an AF_UNIX socket is
>>>> non-trivial, and it's currently all wired-around using
>>>> AF_INET sockets, so it's got hostname, port, etc. I suppose
>>>> we could stuff the inode's name into the hostname and
>>>> ignore the port number or something like that, but it's
>>>> fairly hacky.
>>>
>>> Currently APR seems to accept the UDS filename where the IP
>>> address would otherwise be provided.
>>>
>>>> So this is a non-trivial amount of work, here.
>>>>
>>>> Srini, is there any chance your employer would pay someone
>>>> to write this code? Patches are always welcome, and Tomcat
>>>> is otherwise completely free…
>>>
>>> If there was a push for unix domain sockets from Tomcat it would
>>> definitely help working out whether the APR_UNIX implementation
>>> does what it needs to do, and gets properly documented and v1.6
>>> released.
>>
>> I don't really see this happening.
>>
>> I'm fairly sure that the widespread use of HTTP/2 is going to kill
>> AJP forever, leaving only mod_proxy_http(2) as a viable long-term
>> connector. Nobody is ever going to bother writing an AF_UNIX
>> connector for HTTP/2, so I think this idea is very likely to die in
>> this thread.
>
> Not sure on this, as AJP is quite handy. Especially load balancing
> Java webapps, and I find mod_jk quite good at this.

Remember, it's not mod_jk doing the load-balancing, it's Apache httpd. mod_jk is simply providing the channel over which the proxying is being done.

In a thread on the dev list, I'm a little more defensive of AJP because of its ability to pass data out-of-band with respect to the tunneled HTTP message. There definitely is utility there.

> Out of curiosity, why do you think so? What does HTTP/2 offer
> that can be handy in a reverse proxy scenario? Compression /
> streams?

It's not that I think HTTP/2 offers a particular advantage over AJP, but HTTP/2 *will* be implemented and it offers a number of advantages over AJP (specifically, encryption as part of the HTTPS protocol).

Currently, AJP doesn't support the connection-oriented web protocols like Websocket, and it just seems like it will be a huge effort to get AJP to be able to tunnel everything that both HTTP and HTTP/2 offer. Since HTTP/2 is going to (eventually) have to support all this, and httpd is going to (eventually) implement HTTP/2 proxying, I'm not sure I see a great benefit to continuing to maintain AJP and mod_jk along with it.

mod_jk was great when proxying was otherwise very complicated with Apache httpd. That's no longer the case, and I think it makes sense to push mod_proxy_http to support all the great features that AJP/mod_jk is currently providing. There is no great need to maintain two components that do pretty much the same thing, when one of those components (mod_jk) has a very narrow use-case and the other (mod_proxy_http) has very wide applicability.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
Hi,

On 09/26/2015 02:04 AM, Christopher Schultz wrote:
> Graham,
>
> On 9/25/15 7:23 PM, Graham Leggett wrote:
>> On 25 Sep 2015, at 10:33 PM, Christopher Schultz wrote:
>>
>>> While I obviously agree with the sentiment, I do feel bad for
>>> the OP who has to fight this battle.
>>
>> It is important however to clarify that this isn’t a typical
>> scenario, lest someone cites this thread as to why they should be
>> doing the same thing.
>>
>>> 1. All the code we currently have in tcnative uses APR for
>>> everything, and I'm not sure if APR supports AF_UNIX sockets, or
>>> even if it would have to support them to do this.
>>
>> The as-yet-unreleased v1.6 of APR does support unix domain
>> sockets, although the docs for it don’t appear to be very clear.
>>
>>> 2. The plumbing required to configure an AF_UNIX socket is
>>> non-trivial, and it's currently all wired-around using AF_INET
>>> sockets, so it's got hostname, port, etc. I suppose we could
>>> stuff the inode's name into the hostname and ignore the port
>>> number or something like that, but it's fairly hacky.
>>
>> Currently APR seems to accept the UDS filename where the IP
>> address would otherwise be provided.
>>
>>> So this is a non-trivial amount of work, here.
>>>
>>> Srini, is there any chance your employer would pay someone to
>>> write this code? Patches are always welcome, and Tomcat is
>>> otherwise completely free…
>>
>> If there was a push for unix domain sockets from Tomcat it would
>> definitely help working out whether the APR_UNIX implementation
>> does what it needs to do, and gets properly documented and v1.6
>> released.
>
> I don't really see this happening.
>
> I'm fairly sure that the widespread use of HTTP/2 is going to kill
> AJP forever, leaving only mod_proxy_http(2) as a viable long-term
> connector. Nobody is ever going to bother writing an AF_UNIX
> connector for HTTP/2, so I think this idea is very likely to die in
> this thread.

Not sure on this, as AJP is quite handy. Especially load balancing Java webapps, and I find mod_jk quite good at this.

Out of curiosity, why do you think so? What does HTTP/2 offer that can be handy in a reverse proxy scenario? Compression / streams?

> -chris
Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
On 28.09.2015 18:09, Christopher Schultz wrote:
...
>> Not sure on this, as AJP is quite handy. Especially load balancing
>> Java webapps, and I find mod_jk quite good at this.
>
> Remember, it's not mod_jk doing the load-balancing, it's Apache
> httpd. mod_jk is simply providing the channel over which the
> proxying is being done.

I don't think that's true. In the case of mod_proxy_ajp, it is mod_proxy and mod_proxy_balancer who do the load-balancing. But mod_proxy* are not used with mod_jk; it does its own balancing.

> In a thread on the dev list, I'm a little more defensive of AJP
> because of its ability to pass data out-of-band with respect to the
> tunneled HTTP message. There definitely is utility there.

+1. Passing Apache httpd's "environment variables" for instance, becoming "request attributes" in Tomcat.

...
RE: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
Hi Chris,

I did not get much in terms of reference, but here goes:

1. http://tomcat.apache.org/tomcat-7.0-doc/apr.html

   "Tomcat can use the Apache Portable Runtime to provide superior scalability, performance, and better integration with native server technologies. The Apache Portable Runtime is a highly portable library that is at the heart of Apache HTTP Server 2.x. APR has many uses, including access to advanced IO functionality (such as sendfile, epoll and OpenSSL), OS level functionality (random number generation, system status etc), and native process handling (shared memory, NT pipes and Unix sockets)."

   I assumed Unix sockets meant Unix domain sockets, but looks like that might not be the right assumption.

2. https://tomcat.apache.org/connectors-doc-archive/jk2/jk2/configwebex.html

   This page, in the section titled "/example using AF_UNIX socket", there is a sample configuration that appeared like the configuration of a Tomcat instance to enable it to communicate with an Apache instance over Unix domain sockets. However, as this page is an archived page, it is likely this is old functionality that might have been supported earlier, but no longer.

Anyways, I think from your recommendation, and that of the others that too responded to this email thread, it does not appear to be available out of the box.

Thanks a lot for taking the time and trouble to clarify things...

srini_

> Subject: Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
> To: users@tomcat.apache.org
> From: ch...@christopherschultz.net
> Date: Wed, 23 Sep 2015 15:28:04 -0400
>
> Srini,
>
> On 9/23/15 1:03 PM, Srinivasan Raman wrote:
> > Unfortunately, the data needs to be encrypted if the communication
> > is over TCP, even if it is to a process in the same VM. Any
> > alternatives that you can suggest for getting Unix domain sockets
> > to work with Tomcat? I did come across mention of a connector, JK,
> > that mentions Unix Domain sockets - that's what got me interested
> > in this.
>
> Reference?
>
> The only thing I could find was the link I posted earlier where markt
> said "no you can't do that".
>
> -chris
Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
Graham,

On 9/24/15 2:56 PM, Graham Leggett wrote:
> On 23 Sep 2015, at 22:05, André Warnier (tomcat) wrote:
>
>> - you convince whoever wrote that requirement, that an internal
>> TCP connection within the same host, is no less secure than a
>> Unix Domain socket
>
> +1.

While I obviously agree with the sentiment, I do feel bad for the OP who has to fight this battle.

It's been a while since I did socket programming in C, but IIRC it's abstract enough that binding to an AF_INET socket and an AF_UNIX socket is roughly equivalent, so it shouldn't be /that/ hard to do this, in theory.

The problems I can think of are as follows:

1. All the code we currently have in tcnative uses APR for everything, and I'm not sure if APR supports AF_UNIX sockets, or even if it would have to support them to do this.

2. The plumbing required to configure an AF_UNIX socket is non-trivial, and it's currently all wired-around using AF_INET sockets, so it's got hostname, port, etc. I suppose we could stuff the inode's name into the hostname and ignore the port number or something like that, but it's fairly hacky.

3. mod_jk would need to be modified in exactly the same way.

So this is a non-trivial amount of work, here.

Srini, is there any chance your employer would pay someone to write this code? Patches are always welcome, and Tomcat is otherwise completely free...

-chris
Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
On 25 Sep 2015, at 10:33 PM, Christopher Schultz wrote:

> While I obviously agree with the sentiment, I do feel bad for the OP
> who has to fight this battle.

It is important however to clarify that this isn’t a typical scenario, lest someone cites this thread as to why they should be doing the same thing.

> 1. All the code we currently have in tcnative uses APR for everything,
> and I'm not sure if APR supports AF_UNIX sockets, or even if it would
> have to support them to do this.

The as-yet-unreleased v1.6 of APR does support unix domain sockets, although the docs for it don’t appear to be very clear.

> 2. The plumbing required to configure an AF_UNIX socket is
> non-trivial, and it's currently all wired-around using AF_INET
> sockets, so it's got hostname, port, etc. I suppose we could stuff the
> inode's name into the hostname and ignore the port number or something
> like that, but it's fairly hacky.

Currently APR seems to accept the UDS filename where the IP address would otherwise be provided.

> So this is a non-trivial amount of work, here.
>
> Srini, is there any chance your employer would pay someone to write
> this code? Patches are always welcome, and Tomcat is otherwise
> completely free…

If there was a push for unix domain sockets from Tomcat it would definitely help working out whether the APR_UNIX implementation does what it needs to do, and gets properly documented and v1.6 released.

Regards,
Graham
—
Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
Graham,

On 9/25/15 7:23 PM, Graham Leggett wrote:
> On 25 Sep 2015, at 10:33 PM, Christopher Schultz wrote:
>
>> While I obviously agree with the sentiment, I do feel bad for
>> the OP who has to fight this battle.
>
> It is important however to clarify that this isn’t a typical
> scenario, lest someone cites this thread as to why they should be
> doing the same thing.
>
>> 1. All the code we currently have in tcnative uses APR for
>> everything, and I'm not sure if APR supports AF_UNIX sockets, or
>> even if it would have to support them to do this.
>
> The as-yet-unreleased v1.6 of APR does support unix domain
> sockets, although the docs for it don’t appear to be very clear.
>
>> 2. The plumbing required to configure an AF_UNIX socket is
>> non-trivial, and it's currently all wired-around using AF_INET
>> sockets, so it's got hostname, port, etc. I suppose we could
>> stuff the inode's name into the hostname and ignore the port
>> number or something like that, but it's fairly hacky.
>
> Currently APR seems to accept the UDS filename where the IP
> address would otherwise be provided.
>
>> So this is a non-trivial amount of work, here.
>>
>> Srini, is there any chance your employer would pay someone to
>> write this code? Patches are always welcome, and Tomcat is
>> otherwise completely free…
>
> If there was a push for unix domain sockets from Tomcat it would
> definitely help working out whether the APR_UNIX implementation
> does what it needs to do, and gets properly documented and v1.6
> released.

I don't really see this happening.

I'm fairly sure that the widespread use of HTTP/2 is going to kill AJP forever, leaving only mod_proxy_http(2) as a viable long-term connector. Nobody is ever going to bother writing an AF_UNIX connector for HTTP/2, so I think this idea is very likely to die in this thread.

-chris
Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
On 23 Sep 2015, at 22:05, André Warnier (tomcat) wrote:

> - you convince whoever wrote that requirement, that an internal TCP
> connection within the same host, is no less secure than a Unix Domain socket

+1.

Regards,
Graham
--
Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
Srini,

On 9/23/15 7:54 AM, Srinivasan Raman wrote:
> In one use-case, for performance reasons, I would like to explore
> the option of connecting from an in-house software load balancer
> running in a VM running Linux to a Tomcat instance running in the
> same VM using Unix Domain sockets.

Do you have any evidence that there is a performance advantage, here? localhost TCP is quite fast.

http://tomcat.10.x6.nabble.com/Unix-domain-socket-support-for-AJP-connector-td2048906.html

> Googling for this brought up some mention of Unix Domain Sockets
> as part of APR, AJP etc., but I could not locate any concrete
> examples of how this can be done.

AJP certainly does not support UDS. I'm not sure about APR, but I don't see any immediate direct support for it. You'd basically have to write everything on top of basic libc calls.

> Appreciate if anyone that has information on this can point me in
> the right direction.

I don't think anyone is really interested in pursuing this, unfortunately.

-chris
Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
On 23 Sep 2015, at 5:55 PM, Srinivasan Raman wrote:

> Sorry, I should have provided more details while posting the query.
> Due to a security policy that mandates that a certain type of sensitive data
> flowing over a communication channel must be encrypted, we are using SSL. If
> the communication channel were to be Unix Domain sockets, we do not need to
> encrypt the data, based on the data classification for this use-case.

Would it be possible to confirm the need for encrypting traffic over localhost?

Regards,
Graham
—
RE: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
Hi Chris,

Thanks for the speedy response.

> Do you have any evidence that there is a performance advantage, here?
> localhost TCP is quite fast.

Sorry, I should have provided more details while posting the query.

Due to a security policy that mandates that a certain type of sensitive data flowing over a communication channel must be encrypted, we are using SSL. If the communication channel were to be Unix Domain sockets, we do not need to encrypt the data, based on the data classification for this use-case.

Thanks again,
srini_

> Subject: Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
> To: users@tomcat.apache.org
> From: ch...@christopherschultz.net
> Date: Wed, 23 Sep 2015 10:03:07 -0400
>
> Srini,
>
> On 9/23/15 7:54 AM, Srinivasan Raman wrote:
> > In one use-case, for performance reasons, I would like to explore
> > the option of connecting from an in-house software load balancer
> > running in a VM running Linux to a Tomcat instance running in the
> > same VM using Unix Domain sockets.
>
> Do you have any evidence that there is a performance advantage, here?
> localhost TCP is quite fast.
>
> http://tomcat.10.x6.nabble.com/Unix-domain-socket-support-for-AJP-connector-td2048906.html
>
> > Googling for this brought up some mention of Unix Domain Sockets
> > as part of APR, AJP etc., but I could not locate any concrete
> > examples of how this can be done.
>
> AJP certainly does not support UDS. I'm not sure about APR, but I
> don't see any immediate direct support for it. You'd basically have to
> write everything on top of basic libc calls.
>
> > Appreciate if anyone that has information on this can point me in
> > the right direction.
>
> I don't think anyone is really interested in pursuing this,
> unfortunately.
>
> -chris
RE: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
Hi Graham,

Unfortunately, the data needs to be encrypted if the communication is over TCP, even if it is to a process in the same VM. Any alternatives that you can suggest for getting Unix domain sockets to work with Tomcat? I did come across mention of a connector, JK, that mentions Unix Domain sockets - that's what got me interested in this.

Thanks,
srini_

> Subject: Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
> From: minf...@sharp.fm
> Date: Wed, 23 Sep 2015 18:11:06 +0200
> To: users@tomcat.apache.org
>
> On 23 Sep 2015, at 5:55 PM, Srinivasan Raman <srini_b...@hotmail.com> wrote:
>
> > Sorry, I should have provided more details while posting the query.
> > Due to a security policy that mandates that a certain type of sensitive
> > data flowing over a communication channel must be encrypted, we are using
> > SSL. If the communication channel were to be Unix Domain sockets, we do not
> > need to encrypt the data, based on the data classification for this
> > use-case.
>
> Would it be possible to confirm the need for encrypting traffic over
> localhost?
>
> Regards,
> Graham
> —
Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
Srini,

On 9/23/15 11:55 AM, Srinivasan Raman wrote:
> Hi Chris, Thanks for the speedy response.
>
>> Do you have any evidence that there is a performance advantage,
>> here? localhost TCP is quite fast.
>
> Sorry, I should have provided more details while posting the
> query.
>
> Due to a security policy that mandates that a certain type of
> sensitive data flowing over a communication channel must be
> encrypted, we are using SSL. If the communication channel were to
> be Unix Domain sockets, we do not need to encrypt the data, based
> on the data classification for this use-case.

So, localhost/TCP is considered a "communication channel" while a Unix Domain Socket is not?

While I appreciate the idea that a UDS is by definition localhost-only (if you ignore various types of virtualization), localhost/TCP is no less secure. Is the idea that localhost/TCP can be easily changed to non-localhost/TCP and therefore it can never be trusted?

In an environment like that, I'm surprised they are allowing Open Source Software to be used in the first place, or even Java. :(

-chris

>> Subject: Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
>> To: users@tomcat.apache.org
>> From: ch...@christopherschultz.net
>> Date: Wed, 23 Sep 2015 10:03:07 -0400
>>
>> Srini,
>>
>> On 9/23/15 7:54 AM, Srinivasan Raman wrote:
>>> In one use-case, for performance reasons, I would like to
>>> explore the option of connecting from an in-house software
>>> load balancer running in a VM running Linux to a Tomcat
>>> instance running in the same VM using Unix Domain sockets.
>>
>> Do you have any evidence that there is a performance advantage,
>> here? localhost TCP is quite fast.
>>
>> http://tomcat.10.x6.nabble.com/Unix-domain-socket-support-for-AJP-connector-td2048906.html
>>
>>> Googling for this brought up some mention of Unix Domain
>>> Sockets as part of APR, AJP etc., but I could not locate any
>>> concrete examples of how this can be done.
>>
>> AJP certainly does not support UDS. I'm not sure about APR, but I
>> don't see any immediate direct support for it. You'd basically have
>> to write everything on top of basic libc calls.
>>
>>> Appreciate if anyone that has information on this can point me
>>> in the right direction.
>>
>> I don't think anyone is really interested in pursuing this,
>> unfortunately.
>>
>> -chris
Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
Srini,

On 9/23/15 1:03 PM, Srinivasan Raman wrote:
> Unfortunately, the data needs to be encrypted if the communication
> is over TCP, even if it is to a process in the same VM. Any
> alternatives that you can suggest for getting Unix domain sockets
> to work with Tomcat? I did come across mention of a connector, JK,
> that mentions Unix Domain sockets - that's what got me interested
> in this.

Reference?

The only thing I could find was the link I posted earlier where markt said "no you can't do that".

-chris
Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
srini_

On 23.09.2015 19:03, Srinivasan Raman wrote:
> Hi Graham,
>
> Unfortunately, the data needs to be encrypted if the communication is over TCP, even if it is to a process in the same VM. Any alternatives that you can suggest for getting Unix domain sockets to work with Tomcat? I did come across mention of a connector, JK, that mentions Unix Domain sockets - that's what got me interested in this.
>
> Thanks,
> srini_

You already got a response from Christopher, one of the Tomcat Committers. Re-read it. It basically boils down to this: either

- you write this yourself from scratch, both at the Apache httpd (mod_jk/mod_proxy_ajp) and at the Tomcat level (AJP Connector)

or

- you convince whoever wrote that requirement, that an internal TCP connection within the same host, is no less secure than a Unix Domain socket

Your choice.

(Otherwise, look at "socat" : http://www.dest-unreach.org/socat/)
(I am just kidding; you would end up with two local TCP connections instead of one. But it /would/ use a UDS in-between. And internally, it must be doing the kind of things needed to "adapt" TCP to UDS and vice-versa. So maybe looking at the source code may give you an idea of what would be involved).

>> Subject: Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
>> From: minf...@sharp.fm
>> Date: Wed, 23 Sep 2015 18:11:06 +0200
>> To: users@tomcat.apache.org
>>
>> On 23 Sep 2015, at 5:55 PM, Srinivasan Raman <srini_b...@hotmail.com> wrote:
>>
>>> Sorry, I should have provided more details while posting the query.
>>> Due to a security policy that mandates that a certain type of sensitive data flowing over a communication channel must be encrypted, we are using SSL. If the communication channel were to be Unix Domain sockets, we do not need to encrypt the data, based on the data classification for this use-case.
>>
>> Would it be possible to confirm the need for encrypting traffic over localhost?
>>
>> Regards,
>> Graham
>> —