2. About Me
➡ Apache Software Foundation
➡ Co-founder, Director Emeritus, Member and Developer
➡ Director Emeritus
➡ Outercurve, MARSEC-XL, OSSI, OSI (ex)…
➡ Developer
➡ Mega FOSS projects
➡ O’Reilly Open Source Award: 2013
➡ European Commission: Luminary Award
➡ Open Source Chef: ConsenSys
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
3. Apache httpd 2.4
➡ Currently at version 2.4.33 (2.4.1 went GA Feb 21, 2012)
➡ Significant Improvements
➡ high-performance
➡ cloud suitability
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
4. Apache httpd 2.4 - design drivers
➡ Support for async I/O w/o dropping support for older
systems
➡ Larger selection of usable MPMs: added event, motorz,
etc...
➡ Leverage higher-performant versions of APR
➡ Increase performance
➡ Reduce memory utilization
➡ The Cloud and Reverse Proxy
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
5. Cloud and Dynamics
➡ The Cloud is a game changer for web servers
➡ The cloud is a dynamic place
➡ automated reconfiguration
➡ horizontal, not vertical scaling
➡ self-aware environments
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
OK, maybe not THAT self-aware
6. Why Dynamic Proxy Matters
➡ Apache httpd still the most frequently used front-end
➡ Proxy capabilities must be cloud friendly
➡ Front-end must be dynamic friendly
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
7. Reverse Proxy
Internet
Firewall Firewall
Cloud
Reverse Proxy Server
Transactional
Servers
Browser
➡ Operates at the server end of the transaction
➡ Completely transparent to the Web Browser – thinks the
Reverse Proxy Server is the real server
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
8. Features of Reverse Proxy Server
➡ Security
Uniform security policy can be administered
The real transactional servers are behind the firewall
➡ Delegation, Specialization, Load Balancing
➡ Caching
➡ Performance, HA
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
9. Proxy Design Drivers
➡ Becoming a robust but generic proxy implementation
➡ Support various protocols
➡ HTTP, HTTPS, HTTP/2, CONNECT, FTP
➡ AJP, FastCGI, SCGI, WSGI, UWSGI, PROXY
➡ Load balancing
➡ Clustering, failover
➡ Performance
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
10. Apache httpd 2.4 proxy
➡ Reverse Proxy Improvements
➡ Supports FastCGI, SCGI, Websockets in balancer
➡ Additional load balancing mechanisms
➡ Runtime changing of clusters w/o restarts
➡ Support for dynamic configuration
➡ mod_proxy_express
➡ mod_fcgid and fcgistarter
➡ Brand New: Support for Unix Domain Sockets
➡ Brand New: HTTP/2
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
11. Configuring Reverse Proxy
➡ Set ProxyRequests Off
➡ Apply ProxyPass, ProxyPassReverse and possibly
RewriteRule directives
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
12. Reverse Proxy Directives:
ProxyPass
➡ Allows remote server to be mapped into the space of the
local (Reverse Proxy) server
➡ There is also ProxyPassMatch which takes a regex
➡ Example:
➡ ProxyPass /secure/ http://secureserver/
➡ Presumably “secureserver” is inaccessible directly from the
internet
➡ ProxyPassMatch ^/(.*.js)$ http://js-storage.example.com/bar/$1
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
13. Reverse Proxy Directives:
ProxyPassReverse
➡ Used to specify that redirects issued by the remote server
are to be translated to use the proxy before being
returned to the client.
➡ Syntax is identical to ProxyPass; used in conjunction with
it
➡ Example:
➡ProxyPass /secure/ http://secureserver/
➡ProxyPassReverse /secure/ http://secureserver/
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
14. Simple Rev Proxy
➡ All requests for /images to a backend server
ProxyPass /images http://images.example.com/
ProxyPass <path> <scheme>://<full url>
➡ Useful, but limited
➡ What if:
images.example.com dies?
traffic for /images increases
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
15. Load Balancing
➡ mod_proxy_balancer.so
➡ mod_proxy can do native load balancing
➡ weight by actual requests
➡ weight by traffic
➡ weight by busyness
➡ lbfactors
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
16. Create a balancer “cluster”
➡ Create a balancer which contains several host nodes
➡ Apache httpd will then direct to each node as specified
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
<Proxy balancer://foo>
BalancerMember http://www1.example.com:80/ loadfactor=1
BalancerMember http://www2.example.com:80/ loadfactor=1
BalancerMember http://www3.example.com:80/ loadfactor=4 status=+h
ProxySet lbmethod=bytraffic
</Proxy>
17. Some config params
➡ For BalancerMembers:
➡ loadfactor
➡ normalized load for worker [1]
➡ lbset
➡ worker cluster number [0]
➡ retry
➡ retry timeout, in seconds, for non-ready workers [60]
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
18. Some config params
➡ For BalancerMembers (cont):
➡ connectiontimeout/timout
➡ Connection timeouts on backend [ProxyTimeout]
➡ flushpackets *
➡ Does proxy need to flush data with each chunk of data?
➡ on : Yes | off : No | auto : wait and see
➡ flushwait *
➡ ms to wait for data before flushing
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
19. Some config params
➡ For BalancerMembers (cont):
➡ ping
➡ Ping backend to check for availability; value is time to wait for
response
➡ status (+/-)
➡ D : Disabled
➡ S : Stopped
➡ I : Ignore errors
➡ H : Hot standby
➡ E : Error
➡ N: Drain
➡ C: Dynamic Health Check
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
20. Some config params
➡ For Balancers:
➡ lbmethod
➡ load balancing algo to use [byrequests]
➡ stickysession
➡ sticky session name (eg: JSESSIONID)
➡ maxattempts
➡ # failover tries before we bail
➡ growth
➡ Extra BalancerMember slots to allow for
➡
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
21. Some config params
➡ For Balancers:
➡ nofailover
➡ pretty freakin obvious
➡ For both:
➡ ProxySet
➡ Alternate method to set various params
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
ProxySet balancer://foo timeout=10
...
ProxyPass / balancer://foo timeout=10
22. Connection Pooling
➡ Backend connection pooling
➡ Available for named workers:
➡ eg: ProxyPass /foo ajp://bar.example.com
➡ Reusable connection to origin
➡ For threaded MPMs, can adjust size of pool (min, max, smax)
➡ For prefork: singleton
➡ Shared data held in shared memory
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
23. Some config params
➡ For BalancerMembers - connection pool:
➡ min
➡ Initial number of connections [0]
➡ max
➡ Hard maximum number of connections [1|TPC]
➡ smax:
➡ soft max - keep this number available [max]
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
24. Some config params
➡ For BalancerMembers - connection pool:
➡ disablereuser/enablereuse:
➡ bypass/enable the connection pool (firewalls)
➡ ttl
➡ time to live for connections above smax
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
25. Sessions
➡ Sticky session support
➡ aka “session affinity”
➡ Cookie based
➡ stickysession=PHPSESSID
➡ stickysession=JSESSIONID
➡ Natively easy with Tomcat
➡ May require more setup for “simple” HTTP proxying
➡ Use of mod_session helps
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
26. Failover control
➡ Cluster set with failover
➡ Group backend servers as numbered sets
➡ balancer will try lower-valued sets first
➡ If no workers are available, will try next set
➡ Hot standby
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
27. Putting it all together
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
<Proxy balancer://foo>
BalancerMember http://php1:8080/ loadfactor=1
BalancerMember http://php2:8080/ loadfactor=4
BalancerMember http://phpbkup:8080/ loadfactor=1 status=+h
BalancerMember http://phpexp:8080/ lbset=1
ProxySet lbmethod=bytraffic
</Proxy>
<Proxy balancer://javaapps>
BalancerMember ajp://tc1:8089/ loadfactor=10
BalancerMember ajp://tc2:8089/ loadfactor=40
ProxySet lbmethod=byrequests
</Proxy>
ProxyPass /apps/ balancer://foo/
ProxyPassReverse /apps/ balancer://foo/
ProxyPass /serv/ balancer://javaapps/
ProxyPass /images/ http://images:8080/
ProxyPass /dyno h2c://pappy:80/
ProxyPass /foo unix:/home/www.socket|ajp://localhost/bar/
28. Mass Reverse Proxy
➡ We front-end a LOT of reverse proxies
➡ What a httpd.conf disaster!
➡ Slow and bloated
➡ mod_rewrite doesn’t help
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
<VirtualHost www1.example.com>
ProxyPass / http://192.168.002.2:8080
ProxyPassReverse / http://192.168.002.2:8080
</VirtualHost>
<VirtualHost www2.example.com>
ProxyPass / http://192.168.002.12:8088
ProxyPassReverse / http://192.168.002.12:8088
</VirtualHost>
<VirtualHost www3.example.com>
ProxyPass / http://192.168.002.10
ProxyPassReverse / http://192.168.002.10
</VirtualHost>
...
<VirtualHost www6341.example.com>
ProxyPass / http://192.168.211.26
ProxyPassReverse / http://192.168.211.26
</VirtualHost>
29. Mass Reverse Proxy
➡ Use the new mod_proxy_express module
➡ ProxyPass mapping obtained via db file
➡ Fast and efficient
➡ Still dynamic, with no config changes required
➡ micro-services? You betcha!
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
ProxyExpress map file
##
##express-map.db:
##
www1.example.com http://192.168.002.2:8080
www2.example.com http://192.168.002.12:8088
www3.example.com http://192.168.002.10
...
www6341.example.com http://192.168.211.26
httpd.conf file
ProxyExpressEnable On
ProxyExpressDBMFile express-map.db
30. HeartBeat / HeartMonitor
➡ Experimental LB (load balance) method
➡ Uses multicast between gateway and reverse proxies
➡ Provides heartbeat (are you there?) capability
➡ Also provides basic load info
➡ This info stored in shm, and used for balancing
➡ Multicast can be an issue
➡ Use mod_header with %l, %i, %b (loadavg, idle, busy)
➡ but no LBmethod currently uses this :(
➡ We need a universal “load” measure
➡ Can we leverage nanomsg (MIT licensed!)
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
31. balancer-manager
➡ Embedded proxy admin web interface
➡ Allows for real-time
➡ Monitoring of stats for each worker
➡ Adjustment of worker params
➡ lbset
➡ load factor
➡ route
➡ enabled / disabled
➡ ...
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
32. Embedded Admin
➡ Allows for real-time
➡ Addition of new workers/nodes
➡ Change of LB methods
➡ Can be persistent!
➡ More RESTful
➡ Can be CLI-driven
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
33. Easy setup
<Location /balancer-manager>
SetHandler balancer-manager
Require 192.168.2.22
</Location>
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
34. @jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
36. Performance
➡ From Bryan Call’s 2014 ApacheCon preso
(http://www.slideshare.net/bryan_call/choosing-a-proxy-server-apachecon-2014)
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
• Squid&used&the&most&
CPU&again&
• NGiNX&had&latency&
issues&
• ATS&most&throughput& 0&
500&
1000&
1500&
2000&
2500&
ATS& NGiNX& Squid& Varnish& hBpd&
RPS$/$CPU$Usage$
0&
5000&
10000&
15000&
20000&
25000&
30000&
ATS& NGiNX& Squid& Varnish& hBpd&
Requests$Per$Second$
0&
5&
10&
15&
20&
25&
30&
35&
40&
ATS& NGiNX& Squid& Varnish& hBpd&
Latency$
Median&
95th&
37. nginx vs Event (typical)
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
Apache - Event MPM
0
500
1000
1500
2000
nginx
0
500
1,000
1,500
2,000
Open Write Read Close
Increasing concurrency Increasing concurrency
38. Apache - Prefork MPM
0
500
1000
1500
2000
nginx vs Prefork (typical)
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
nginx
0
500
1,000
1,500
2,000
Open Write Read Close
Increasing concurrency Increasing concurrency
39. Total req/resp time
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
Comparison - total transaction (close)
0
500
1000
1500
2000
Prefork Worker Event nginx
Increasing concurrency
40. Resp to Req. Bursts - httperf
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
100 ---> 20000
0.00
1.75
3.50
5.25
7.00
min avg max dev min avg max dev min avg max dev min avg max dev min avg max dev min avg max dev
prefork worker event nginx
Increasing concurrency
41. Backend Status
➡ Dynamic Health Checks !
➡ TCP/IP Ping
➡ OPTIONS
➡ HEAD
➡ GET
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
ProxyHCExpr ok234 {%{REQUEST_STATUS} =~ /^[234]/}
ProxyHCExpr gdown {%{REQUEST_STATUS} =~ /^[5]/}
ProxyHCExpr in_maint {hc('body') !~ /Under maintenance/}
<Proxy balancer://foo/>
BalancerMember http://www.example.com/ hcmethod=GET hcexpr=in_maint hcuri=/status.php
BalancerMember http://www2.example.com/ hcmethod=HEAD hcexpr=ok234 hcinterval=10
BalancerMember http://www3.example.com/ hcmethod=TCP hcinterval=5 hcpasses=2 hcfails=3
BalancerMember http://www4.example.com/
</Proxy>
ProxyPass "/" “balancer://foo/"
ProxyPassReverse "/" “balancer://foo/"
42. What else is new?
➡ Additional protocols
➡ UWSGI, PROXY (HAproxy)
➡ Improved caching
➡ Redis (coming soon!)
➡ Memcache now mod_status aware
➡ Apache Geode
➡ FPM Improved.
➡ Performance, of course!
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
43. What’s on the horizon?
➡ Extend mod_proxy_express
➡ Adding additional protocols
➡ More dynamic configuration
➡ Adding balancers!
➡ Performance, of course!
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
44. In conclusion...
➡ For cloud environs and other, the performance and dynamic
control of Apache httpd 2.4 in reverse proxies is just
what the Dr. ordered (and flexibility remains a big
strength)
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
45. Thanks
@jimjag
This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
Twitter: @jimjag
Emails:
jim@jaguNET.com
jim@apache.org
jimjag@gmail.com
http://www.slideshare.net/jimjag/