Not sure if this is still the case, but I don't believe that mod_jk allows
SSL connections between Apache and Tomcat.  This is why mod_proxy_httpd is
often used.  If that bit of security is important to your organization,
something to keep in mind.  If this is not the case for mod_jk, I would
love to know since I would prefer to use mod_jk.

=G=

On Tue, Mar 6, 2018 at 2:03 PM, Herb Burnswell <herbert.burnsw...@gmail.com>
wrote:

> Daniel,
>
> Thanks.  I'm reading the docs on sticky sessions.  There is a lot of
> conflicting "how to's" out there but I'm making progress.
>
> HB
>
> On Wed, Feb 28, 2018 at 12:21 PM, Daniel Ferradal <dferra...@apache.org>
> wrote:
>
>> > 3: Regarding my inquiry about potential better options, I was more
>> referring
>> > to the idea of maybe using Tomcat as a proxy to Tomcat backend
>> application.
>> > I've read it can be done was wondering if the like to like might provide
>> > advantages.  I am personally not as familiar with Tomcat as I am with
>> HTTPD
>> > and therefore would prefer using HTTPD if there are no significant
>> reasons
>> > to use Tomcat --> Tomcat.
>>
>> IMO it is better to leave the application server to do what it is
>> supposed to do, handle dynamic content generation. While leaving
>> static content as well as balancing to httpd, which is what it does
>> best.
>>
>> >
>> > 4:  The sticky sessions need makes sense.
>> >
>> > I have attempted to set up the sticky sessions configuration in HTTPD
>> but
>> > unfortunately I must not have it set up properly.  It's probably best
>> if I
>> > create a new thread for that issue and will do so.
>>
>> Sticky sessions can be very tricky to setup correctly.
>>
>> In mod_proxy_balancer docs it documents very well that you probably
>> need to set all these three elements correctly according to how tomcat
>> was setup:
>>
>> stickysession (the most obvious)
>> scolonpathdelim
>> route - according to the value jvmroute the tomcats have setup.
>>
>>
>>
>> >
>> > Thanks again for your guidance.
>> >
>> > HB
>> >
>> > On Fri, Feb 23, 2018 at 12:57 AM, Daniel Ferradal <dferra...@apache.org
>> >
>> > wrote:
>> >>
>> >> Hello,
>> >>
>> >> I'll try to answer point by point the best I can.
>> >>
>> >> 1º You can only use one balancer method, so choose the best strategy
>> >> for your case. There is plenty on the description for each in the docs
>> >> (TL to explain here).
>> >> 2º No, it does not, you choose one and use only one that suites you
>> >> best for a specific balancer.
>> >> 3º Inside httpd the only non-third party choice that I know is
>> >> mod_proxy_balancer, so yes, by all means use it. Unless you find a
>> >> more suitable product for your needs.
>> >> 4º That will precisely mean you need to use sticky sessions and define
>> >> how to properly handle them at the balancer level, why? because as
>> >> long as nodes are up and running you  want to deliver the session to
>> >> the specific node dealing with that session or session will be lost.
>> >> It is when that backend node is down that httpd should look for other
>> >> nodes to deliver the session. Afaik is called session persistence. Or
>> >> at least this is the usual way to balance with sessions dealt by a
>> >> backend cluster.
>> >>
>> >> About docs you can also visit:
>> >> http://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
>> >> and mod_proxy itself: http://httpd.apache.org/docs/2
>> .4/mod/mod_proxy.html
>> >>
>> >> Cheers!
>> >>
>> >> 2018-02-23 1:48 GMT+01:00 Herb Burnswell <herbert.burnsw...@gmail.com
>> >:
>> >> > All,
>> >> >
>> >> > I am looking for some guidance on using HTTPD as a proxy and load
>> >> > balancer
>> >> > to a backend Tomcat application.  Specifically, I'm interested in
>> how to
>> >> > best handle the balancing of requests.  The configuration would be
>> very
>> >> > much
>> >> > like the 'typical implementation' shown in this Reverse Proxy Guide:
>> >> > https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html  (I'm
>> using
>> >> > version 2.4.6):
>> >> >
>> >> > +---------------------  +
>> >> > |     Firewall Public |
>> >> > +---------------------  +
>> >> > +-------------------------------------------+
>> >> > |      +------+   +-------+  +-------+      |
>> >> > |      | httpd|   | httpd  |   | httpd |      |
>> >> > |      |    1   |   |   2      |   |   3     |      |
>> >> > |      +------+   +-------+  +-------+      |
>> >> > +-------------------------------------------+
>> >> > +----------------------  +
>> >> > |     Firewall Private |
>> >> > +----------------------  +
>> >> > +---------------------------------------------+
>> >> > |    +--------+  +---------+  +--------+      |
>> >> > |    | tomcat|  |tomcat |   |tomcat |       |
>> >> > |    |   1       |  |    2      |   |   3       |      |
>> >> > |    +--------+  +---------+  +--------+      |
>> >> > +---------------------------------------------+
>> >> >
>> >> >
>> >> > We have this working fine with a vanity URL to a VIP on our public
>> >> > firewall
>> >> > --> to the 3 httpd proxy load balancer pool --> to one of the 3
>> backend
>> >> > Tomcat server pool.  We want everything to run over SSL and the
>> >> > currently
>> >> > working config on the httpd servers is basic:
>> >> >
>> >> > <VirtualHost _default_:443>
>> >> >
>> >> >         ServerName example.com
>> >> >
>> >> >         SSLEngine on
>> >> >         SSLProtocol all -SSLv2 -SSLv3
>> >> >         SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
>> >> >
>> >> >         SSLCertificateFile /etc/pki/tls/certs/ssl.crt
>> >> >
>> >> > # ------------------------------------------------
>> >> > # Proxy Load Balancer
>> >> > # ------------------------------------------------
>> >> >
>> >> > <Proxy balancer://mycluster>
>> >> >
>> >> >         BalancerMember https://app1.example.com:9009
>> >> >         BalancerMember https://app2.example.com:9009
>> >> >
>> >> > </Proxy>
>> >> >
>> >> > SSLProxyEngine on
>> >> > SSLProxyVerify none
>> >> > SSLProxyCheckPeerCN off
>> >> > SSLProxyCheckPeerName off
>> >> > SSLProxyCheckPeerExpire off
>> >> >
>> >> > ProxyPass / balancer://mycluster/
>> >> > ProxyPassReverse / balancer://mycluster/
>> >> >
>> >> > </VirtualHost>
>> >> >
>> >> >
>> >> > As mentioned, this works fine.  But now we need to dig into the
>> request
>> >> > management.  I read here:
>> >> > https://httpd.apache.org/docs/2.4/mod/mod_proxy_balancer.html that
>> the
>> >> > scheduler algorithm is provided by 'at least one of':
>> >> >
>> >> > mod_lbmethod_byrequests
>> >> > mod_lbmethod_bytraffic
>> >> > mod_lbmethod_bybusyness
>> >> > mod_lbmethod_heartbeat
>> >> >
>> >> > Questions:
>> >> >
>> >> > 1. Am I correct in reading 'at least one of' that multiple of these
>> >> > algorithms can be used together?  If so, is there a hierarchy between
>> >> > them?
>> >> >
>> >> > 2. Does it make sense to use multiple algorithms?
>> >> >
>> >> > - It sounds like each could be desirable:
>> >> > mod_lbmethod_byrequests -> We do want to have an even distribution of
>> >> > request/sessions.
>> >> >
>> >> > mod_lbmethod_bytraffic -> Some requests/sessions could be more
>> intensive
>> >> > than others.
>> >> >
>> >> > mod_lbmethod_bybusyness -> Sounds similar to byrequests?
>> >> >
>> >> > mod_lbmethod_heartbeat -> Definately need to backend to be listening
>> but
>> >> > would be nice to distribute or overlook a server based upon response
>> >> > time.
>> >> > Is that part of how this works?
>> >> >
>> >> > 3. Is using HTTPD mod_proxy_balancer the best way to handle what we
>> are
>> >> > looking to do?  Or are there better options?
>> >> >
>> >> > 4. On the backend we plan on using Tomcat session clustering for high
>> >> > availability.  That being the case, would that mean that we would NOT
>> >> > want
>> >> > to use sticky sessions at the HTTPD level in case a backend Tomcat
>> node
>> >> > goes
>> >> > offline and the session is picked up on one of the other nodes?
>> >> >
>> >> > Sorry if I've confused anything here, any guidance is greatly
>> >> > appreciated.
>> >> > I'm happy to read any documentation directed to..
>> >> >
>> >> > Thanks in advance,
>> >> >
>> >> > HB
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Daniel Ferradal
>> >> HTTPD Docs. I translate to Spanish.
>> >> #httpd help at Freenode
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> >> For additional commands, e-mail: users-h...@httpd.apache.org
>> >>
>> >
>>
>>
>>
>> --
>> Daniel Ferradal
>> HTTPD is the best!
>> #httpd help at Freenode
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>
>>
>

Reply via email to