Not sure if this is still the case, but I don't believe that mod_jk allows SSL connections between Apache and Tomcat. This is why mod_proxy_httpd is often used. If that bit of security is important to your organization, something to keep in mind. If this is not the case for mod_jk, I would love to know since I would prefer to use mod_jk.
=G= On Tue, Mar 6, 2018 at 2:03 PM, Herb Burnswell <[email protected]> wrote: > Daniel, > > Thanks. I'm reading the docs on sticky sessions. There is a lot of > conflicting "how to's" out there but I'm making progress. > > HB > > On Wed, Feb 28, 2018 at 12:21 PM, Daniel Ferradal <[email protected]> > wrote: > >> > 3: Regarding my inquiry about potential better options, I was more >> referring >> > to the idea of maybe using Tomcat as a proxy to Tomcat backend >> application. >> > I've read it can be done was wondering if the like to like might provide >> > advantages. I am personally not as familiar with Tomcat as I am with >> HTTPD >> > and therefore would prefer using HTTPD if there are no significant >> reasons >> > to use Tomcat --> Tomcat. >> >> IMO it is better to leave the application server to do what it is >> supposed to do, handle dynamic content generation. While leaving >> static content as well as balancing to httpd, which is what it does >> best. >> >> > >> > 4: The sticky sessions need makes sense. >> > >> > I have attempted to set up the sticky sessions configuration in HTTPD >> but >> > unfortunately I must not have it set up properly. It's probably best >> if I >> > create a new thread for that issue and will do so. >> >> Sticky sessions can be very tricky to setup correctly. >> >> In mod_proxy_balancer docs it documents very well that you probably >> need to set all these three elements correctly according to how tomcat >> was setup: >> >> stickysession (the most obvious) >> scolonpathdelim >> route - according to the value jvmroute the tomcats have setup. >> >> >> >> > >> > Thanks again for your guidance. >> > >> > HB >> > >> > On Fri, Feb 23, 2018 at 12:57 AM, Daniel Ferradal <[email protected] >> > >> > wrote: >> >> >> >> Hello, >> >> >> >> I'll try to answer point by point the best I can. >> >> >> >> 1º You can only use one balancer method, so choose the best strategy >> >> for your case. There is plenty on the description for each in the docs >> >> (TL to explain here). >> >> 2º No, it does not, you choose one and use only one that suites you >> >> best for a specific balancer. >> >> 3º Inside httpd the only non-third party choice that I know is >> >> mod_proxy_balancer, so yes, by all means use it. Unless you find a >> >> more suitable product for your needs. >> >> 4º That will precisely mean you need to use sticky sessions and define >> >> how to properly handle them at the balancer level, why? because as >> >> long as nodes are up and running you want to deliver the session to >> >> the specific node dealing with that session or session will be lost. >> >> It is when that backend node is down that httpd should look for other >> >> nodes to deliver the session. Afaik is called session persistence. Or >> >> at least this is the usual way to balance with sessions dealt by a >> >> backend cluster. >> >> >> >> About docs you can also visit: >> >> http://httpd.apache.org/docs/2.4/howto/reverse_proxy.html >> >> and mod_proxy itself: http://httpd.apache.org/docs/2 >> .4/mod/mod_proxy.html >> >> >> >> Cheers! >> >> >> >> 2018-02-23 1:48 GMT+01:00 Herb Burnswell <[email protected] >> >: >> >> > All, >> >> > >> >> > I am looking for some guidance on using HTTPD as a proxy and load >> >> > balancer >> >> > to a backend Tomcat application. Specifically, I'm interested in >> how to >> >> > best handle the balancing of requests. The configuration would be >> very >> >> > much >> >> > like the 'typical implementation' shown in this Reverse Proxy Guide: >> >> > https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html (I'm >> using >> >> > version 2.4.6): >> >> > >> >> > +--------------------- + >> >> > | Firewall Public | >> >> > +--------------------- + >> >> > +-------------------------------------------+ >> >> > | +------+ +-------+ +-------+ | >> >> > | | httpd| | httpd | | httpd | | >> >> > | | 1 | | 2 | | 3 | | >> >> > | +------+ +-------+ +-------+ | >> >> > +-------------------------------------------+ >> >> > +---------------------- + >> >> > | Firewall Private | >> >> > +---------------------- + >> >> > +---------------------------------------------+ >> >> > | +--------+ +---------+ +--------+ | >> >> > | | tomcat| |tomcat | |tomcat | | >> >> > | | 1 | | 2 | | 3 | | >> >> > | +--------+ +---------+ +--------+ | >> >> > +---------------------------------------------+ >> >> > >> >> > >> >> > We have this working fine with a vanity URL to a VIP on our public >> >> > firewall >> >> > --> to the 3 httpd proxy load balancer pool --> to one of the 3 >> backend >> >> > Tomcat server pool. We want everything to run over SSL and the >> >> > currently >> >> > working config on the httpd servers is basic: >> >> > >> >> > <VirtualHost _default_:443> >> >> > >> >> > ServerName example.com >> >> > >> >> > SSLEngine on >> >> > SSLProtocol all -SSLv2 -SSLv3 >> >> > SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA >> >> > >> >> > SSLCertificateFile /etc/pki/tls/certs/ssl.crt >> >> > >> >> > # ------------------------------------------------ >> >> > # Proxy Load Balancer >> >> > # ------------------------------------------------ >> >> > >> >> > <Proxy balancer://mycluster> >> >> > >> >> > BalancerMember https://app1.example.com:9009 >> >> > BalancerMember https://app2.example.com:9009 >> >> > >> >> > </Proxy> >> >> > >> >> > SSLProxyEngine on >> >> > SSLProxyVerify none >> >> > SSLProxyCheckPeerCN off >> >> > SSLProxyCheckPeerName off >> >> > SSLProxyCheckPeerExpire off >> >> > >> >> > ProxyPass / balancer://mycluster/ >> >> > ProxyPassReverse / balancer://mycluster/ >> >> > >> >> > </VirtualHost> >> >> > >> >> > >> >> > As mentioned, this works fine. But now we need to dig into the >> request >> >> > management. I read here: >> >> > https://httpd.apache.org/docs/2.4/mod/mod_proxy_balancer.html that >> the >> >> > scheduler algorithm is provided by 'at least one of': >> >> > >> >> > mod_lbmethod_byrequests >> >> > mod_lbmethod_bytraffic >> >> > mod_lbmethod_bybusyness >> >> > mod_lbmethod_heartbeat >> >> > >> >> > Questions: >> >> > >> >> > 1. Am I correct in reading 'at least one of' that multiple of these >> >> > algorithms can be used together? If so, is there a hierarchy between >> >> > them? >> >> > >> >> > 2. Does it make sense to use multiple algorithms? >> >> > >> >> > - It sounds like each could be desirable: >> >> > mod_lbmethod_byrequests -> We do want to have an even distribution of >> >> > request/sessions. >> >> > >> >> > mod_lbmethod_bytraffic -> Some requests/sessions could be more >> intensive >> >> > than others. >> >> > >> >> > mod_lbmethod_bybusyness -> Sounds similar to byrequests? >> >> > >> >> > mod_lbmethod_heartbeat -> Definately need to backend to be listening >> but >> >> > would be nice to distribute or overlook a server based upon response >> >> > time. >> >> > Is that part of how this works? >> >> > >> >> > 3. Is using HTTPD mod_proxy_balancer the best way to handle what we >> are >> >> > looking to do? Or are there better options? >> >> > >> >> > 4. On the backend we plan on using Tomcat session clustering for high >> >> > availability. That being the case, would that mean that we would NOT >> >> > want >> >> > to use sticky sessions at the HTTPD level in case a backend Tomcat >> node >> >> > goes >> >> > offline and the session is picked up on one of the other nodes? >> >> > >> >> > Sorry if I've confused anything here, any guidance is greatly >> >> > appreciated. >> >> > I'm happy to read any documentation directed to.. >> >> > >> >> > Thanks in advance, >> >> > >> >> > HB >> >> > >> >> >> >> >> >> >> >> -- >> >> Daniel Ferradal >> >> HTTPD Docs. I translate to Spanish. >> >> #httpd help at Freenode >> >> >> >> --------------------------------------------------------------------- >> >> To unsubscribe, e-mail: [email protected] >> >> For additional commands, e-mail: [email protected] >> >> >> > >> >> >> >> -- >> Daniel Ferradal >> HTTPD is the best! >> #httpd help at Freenode >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [email protected] >> For additional commands, e-mail: [email protected] >> >> >
