Posted to users@tomcat.apache.org by Larry Prikockis <lp...@vecna.com> on 2008/04/28 17:27:09 UTC
httpd SSL -> Tomcat VS. Tomcat SSL standalone?
I know the latest edition of the O'Reilly Tomcat book by Brittain and
Darwin strongly advocates the use of standalone Tomcat as opposed to the
traditional httpd->Tomcat approach, but this seems to be somewhat of a
paradigm shift for most people. I'm interested in hearing what the
wider community thinks...
Specifically, we have a webapp on a Windows 2003 server that utilizes
Apache 2.2 SSL as a frontend and mod_proxy_ajp to send requests to
Tomcat 5.5.17 (on the same server). By eliminating the Apache frontend
and just using a Tomcat SSL connector directly, we saw performance
increases that absolutely dwarfed (400+%) everything else we were
achieving by tuning various connection parameters of Apache httpd and
Tomcat.
While I would expect hitting Tomcat directly would be a little faster
than going through the Apache proxy setup, we didn't expect such
dramatic differences. In fact, when comparing Apache w/o SSL -> Tomcat,
the performance was only a little worse than hitting Tomcat HTTP directly.
My questions:
1) Any thoughts on why the Apache SSL -> Tomcat combination should be so
much slower?
2) Are there any security downsides to using Tomcat SSL directly as
opposed to fronting it with Apache httpd?
3) anyone else have any similar (or contradictory?) experiences?
thanks-
Larry Prikockis
--
Larry Prikockis
System Administrator
lprikockis@vecna.com
Phone: (240)737-2900
Vecna Technologies, Inc.
5004 Lehigh Rd
College Park, MD 20740-3821
Phone: (301) 864-7253
Fax: (301) 699-3180
240-737-1699 (office)
www.vecna.com
Better Technology, Better World (TM)
The contents of this message may be privileged and confidential.
Therefore, if this message has been received in error, please delete it
without reading it. Your receipt of this message is not intended to
waive any applicable privilege. Please do not disseminate this message
without the permission of the author.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: httpd SSL -> Tomcat VS. Tomcat SSL standalone?
Posted by Larry Prikockis <lp...@vecna.com>.
Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Larry,
>
> Other than Mark's comments...
>
> Larry Prikockis wrote:
> | 1) Any thoughts on why the Apache SSL -> Tomcat combination should be so
> | much slower?
>
> If your transactions are short, it's certainly possible that most of the
> time is taken up by moving bits around. 400% seems like a /very/ high
> number, especially because the SSL handshake itself is probably the most
> expensive bit-moving experience. I second Mark's thoughts about either
> logging configuration or entropy games. Are you using APR with Tomcat,
> or the Java-based SSL?
Since Tomcat is running on Windows and APR is the default config, that's
what we used.
>
> | 2) Are there any security downsides to using Tomcat SSL directly as
> | opposed to fronting it with Apache httpd?
>
> No. In fact, I would argue that fewer moving parts lowers the chances of
> problems. You're simply not going to run across any buffer overflow
> exploits in Tomcat, for instance. I trust Apache httpd pretty well, but
> more complexity always means more opportunities for problems.
>
makes sense... thanks... sounds like the biggest downside is the loss of
some of the flexibility and load-balancing options that the Httpd/Tomcat
combo provides.
Re: httpd SSL -> Tomcat VS. Tomcat SSL standalone?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Larry,
Other than Mark's comments...
Larry Prikockis wrote:
| 1) Any thoughts on why the Apache SSL -> Tomcat combination should be so
| much slower?
If your transactions are short, it's certainly possible that most of the
time is taken up by moving bits around. 400% seems like a /very/ high
number, especially because the SSL handshake itself is probably the most
expensive bit-moving experience. I second Mark's thoughts about either
logging configuration or entropy games. Are you using APR with Tomcat,
or the Java-based SSL?
| 2) Are there any security downsides to using Tomcat SSL directly as
| opposed to fronting it with Apache httpd?
No. In fact, I would argue that fewer moving parts lowers the chances of
problems. You're simply not going to run across any buffer overflow
exploits in Tomcat, for instance. I trust Apache httpd pretty well, but
more complexity always means more opportunities for problems.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkgWF+sACgkQ9CaO5/Lv0PDGlgCguwIuFjVvg/4ZIDwP/59EsVUG
1mUAn0qA48kBzj+ZTG1TYfJgfo58oUwM
=yLpu
-----END PGP SIGNATURE-----
Re: httpd SSL -> Tomcat VS. Tomcat SSL standalone?
Posted by Yuval Perlov <yu...@r-u-on.com>.
I believe (intuition, haven't checked) it is the latency that TCP adds
to the setup which messes with the thread scheduler (I'll
elaborate...)
When you are in Tomcat only, between the http header coming in (IO)
and you sending a response (again IO) you can usually get away with a
single time slice. It is a simple system with IO queueing up and very
little room for "randomness" (used in a loose way but you get my
meaning).
Once the request is divided into two separate workers with IO between
them, there are two things coming into play:
1) You are not taking full advantage of the timeslice so there is more
context switching (twice the threads doing the same work is another
way to look at it).
2) There is more room for randomness in the system. In fact what we
observed in the short time we let it run is that there were times it
worked and then bursts of high CPU usage with very little happening.
Important to note: most of our requests are handled from memory (no IO
in the servlet). I believe this is a big part of it.
What seemed to help (but not enough in our case) was to reduce the
overall number of threads in the system and configure httpd to have
fewer threads than tomcat (strange, I know). I speculate this reduced
context switching and reduced the connection load between them.
However, throughput was still erratic at times with bursts of very
rapid processing followed by periods of "indigestion" (was not a GC
problem).
Hope this helps...
Yuval Perlov
R-U-ON
PS It is Windows.
On Apr 30, 2008, at 4:37 PM, Larry Prikockis wrote:
> Yuval Perlov wrote:
>> Our tomcat servers are handling around 30K SSL hits every 5 minutes
>> with very little effort (10% cpu average on a dual core machine,
>> good response time).
>> We tried to put in httpd in front thinking we can squeeze out better
>> performance and memory consumption.
>> The system just couldn't handle the load and we had to roll back
>> (quickly) to a tomcat only configuration.
> hmmm... that sounds suspiciously similar to what we had happening. I
> just can't see why Apache Httpd wouldn't be able to handle SSL
> connections at least as well as Tomcat, so there's clearly something
> else going on here.
> Is your system on Windows, Linux, something else? And what versions
> of Tomcat/Apache were you using?
Re: httpd SSL -> Tomcat VS. Tomcat SSL standalone?
Posted by Larry Prikockis <lp...@vecna.com>.
Yuval Perlov wrote:
> Our tomcat servers are handling around 30K SSL hits every 5 minutes with
> very little effort (10% cpu average on a dual core machine, good
> response time).
> We tried to put in httpd in front thinking we can squeeze out better
> performance and memory consumption.
> The system just couldn't handle the load and we had to roll back
> (quickly) to a tomcat only configuration.
hmmm... that sounds suspiciously similar to what we had happening. I
just can't see why Apache Httpd wouldn't be able to handle SSL
connections at least as well as Tomcat, so there's clearly something
else going on here.
Is your system on Windows, Linux, something else? And what versions of
Tomcat/Apache were you using?
Re: httpd SSL -> Tomcat VS. Tomcat SSL standalone?
Posted by Yuval Perlov <yu...@r-u-on.com>.
Our tomcat servers are handling around 30K SSL hits every 5 minutes
with very little effort (10% cpu average on a dual core machine, good
response time).
We tried to put in httpd in front thinking we can squeeze out better
performance and memory consumption.
The system just couldn't handle the load and we had to roll back
(quickly) to a tomcat only configuration.
Hope this helps...
Yuval Perlov
www.r-u-on.com
On Apr 28, 2008, at 6:27 PM, Larry Prikockis wrote:
> I know the latest edition of the O'Reilly Tomcat book by Brittain and
> Darwin strongly advocates the use of standalone Tomcat as opposed to
> the traditional httpd->Tomcat approach, but this seems to be somewhat
> of a paradigm shift for most people. I'm interested in hearing what
> the wider community thinks...
> Specifically, we have a webapp on a Windows 2003 server that utilizes
> Apache 2.2 SSL as a frontend and mod_proxy_ajp to send requests to
> Tomcat 5.5.17 (on the same server). By eliminating the Apache
> frontend and just using a Tomcat SSL connector directly, we saw
> performance increases that absolutely dwarfed (400+%) everything else
> we were achieving by tuning various connection parameters of Apache
> httpd and Tomcat.
> While I would expect hitting Tomcat directly would be a little faster
> than going through the Apache proxy setup, we didn't expect such
> dramatic differences. In fact, when comparing Apache w/o SSL ->
> Tomcat, the performance was only a little worse than hitting Tomcat
> HTTP directly.
> My questions:
> 1) Any thoughts on why the Apache SSL -> Tomcat combination should be
> so much slower?
> 2) Are there any security downsides to using Tomcat SSL directly as
> opposed to fronting it with Apache httpd?
> 3) anyone else have any similar (or contradictory?) experiences?
> thanks-
> Larry Prikockis
Re: httpd SSL -> Tomcat VS. Tomcat SSL standalone?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Larry,
Larry Prikockis wrote:
| Mark H. Wood wrote:
|> That's certainly worth thinking about. What exactly do you mean by
|> "performance"?
|
| good point... shoulda been more specific-- we were mainly looking at raw
| connections per second and throughput type metrics. Under heavy load,
| we were seeing simple page requests taking 15-20 seconds to return while
| cpu load, memory usage, free connections (tomcat, apache and database
| pool) all looked good.
Yikes!
I wonder if Apache httpd was accepting and queuing more connections than
Tomcat is doing when Apache httpd is out of the picture. That might
cause more delays and fewer errors in your load test.
Are you eliminating requests that are outright refused (due to a full
server-side request processing queue) from your performance metrics? If
so, you may not be comparing the same Apache httpd configuration versus
Tomcat. Do you have the same size request queue, request processors,
etc. in both configurations?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkgWPdMACgkQ9CaO5/Lv0PBY+wCeI8qJpcBwzBzq7vBkcguCG3m0
79cAn2+ua0vMx5DGsSDjwLGAdVxjRKi5
=Mxq0
-----END PGP SIGNATURE-----
Re: httpd SSL -> Tomcat VS. Tomcat SSL standalone?
Posted by Larry Prikockis <lp...@vecna.com>.
Mark H. Wood wrote:
> On Mon, Apr 28, 2008 at 11:27:09AM -0400, Larry Prikockis wrote:
>
>> Specifically, we have a webapp on a Windows 2003 server that utilizes
>> Apache 2.2 SSL as a frontend and mod_proxy_ajp to send requests to Tomcat
>> 5.5.17 (on the same server). By eliminating the Apache frontend and just
>> using a Tomcat SSL connector directly, we saw performance increases that
>> absolutely dwarfed (400+%) everything else we were achieving by tuning
>> various connection parameters of Apache httpd and Tomcat.
>
> That's certainly worth thinking about. What exactly do you mean by
> "performance"?
good point... shoulda been more specific-- we were mainly looking at raw
connections per second and throughput type metrics. Under heavy load,
we were seeing simple page requests taking 15-20 seconds to return while
cpu load, memory usage, free connections (tomcat, apache and database
pool) all looked good.
>
>> My questions:
>> 1) Any thoughts on why the Apache SSL -> Tomcat combination should be so
>> much slower?
>
> Back-resolving client addresses to names for some reason? (Check your
> logging directives, for example.)
thought of this... but have ruled it out.
>
> Not enough entropy? Check your random-number generator setup.
thanks! this is definitely something I'll investigate.
Re: httpd SSL -> Tomcat VS. Tomcat SSL standalone?
Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
On Mon, Apr 28, 2008 at 11:27:09AM -0400, Larry Prikockis wrote:
> I know the latest edition of the O'Reilly Tomcat book by Brittain and
> Darwin strongly advocates the use of standalone Tomcat as opposed to the
> traditional httpd->Tomcat approach, but this seems to be somewhat of a
> paradigm shift for most people. I'm interested in hearing what the wider
> community thinks...
"Always do this" vs. "never do this" is a little oversimplified. Some
sites will have reasons to run HTTPD anyway, for example, so then you
get to choose between using an odd port for Tomcat and front-ending
with HTTPD. There might be other reasons (like I *loathe* keytool,
for example).
> Specifically, we have a webapp on a Windows 2003 server that utilizes
> Apache 2.2 SSL as a frontend and mod_proxy_ajp to send requests to Tomcat
> 5.5.17 (on the same server). By eliminating the Apache frontend and just
> using a Tomcat SSL connector directly, we saw performance increases that
> absolutely dwarfed (400+%) everything else we were achieving by tuning
> various connection parameters of Apache httpd and Tomcat.
That's certainly worth thinking about. What exactly do you mean by
"performance"?
o round-trip time for a single transaction?
o throughput (pour in transactions as fast as the system will take
them, for (say) an hour, and measure how many you completed per
second)?
o processor utilization under typical load?
o something else?
> My questions:
> 1) Any thoughts on why the Apache SSL -> Tomcat combination should be so
> much slower?
Back-resolving client addresses to names for some reason? (Check your
logging directives, for example.)
Not enough entropy? Check your random-number generator setup. Some
generators will stall until they can gather enough randomness to
provide a good result; others will do the best they can immediately;
some will mix several sources to produce pretty-good results even when
the blocking sources are exhausted. HTTPD is probably using OpenSSL
facilities plus its own "mixer", and I don't know what your JRE uses.
If your processor provides a source of randomness that you trust, be
sure it's being used, since a number of sources (keyboard and mouse
event timing, for example) are of little use on a server.
--
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
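Chris's queuing question earlier in the thread (are refused requests being dropped from the metrics, and do both stacks have the same request queue and processor counts?) and Mark's list of candidate "performance" metrics above can be made concrete. The Python script below is an added example, not code from the thread or from the Tomcat or httpd projects. It reads constructed (made-up) load-test lines, computes throughput and latency percentiles both with and without refused connections, and totals the request capacity of each stack from its settings. The log format and every number in it are assumptions; only the directive names (ThreadsPerChild, ListenBacklog, maxThreads, acceptCount) are the real ones.

```python
"""Fair comparison of an httpd-fronted run against a direct-to-Tomcat run.

Added example; not code from the thread. The log format is constructed for
this illustration: one line per attempted request, "start_s status latency_ms",
where status is "ok" or "refused" (connection refused by a full listen backlog).
"""
import math
from statistics import median

# Constructed sample runs (not real measurements).
# httpd in front: nothing is refused, but requests sit in the queue for seconds.
HTTPD_FRONTED = """\
0.00 ok 120
0.05 ok 15000
0.10 ok 18000
0.15 ok 200
0.20 ok 16500
0.25 ok 150
"""

# Tomcat direct: two attempts are refused outright, the rest complete quickly.
TOMCAT_DIRECT = """\
0.00 ok 110
0.05 refused 0
0.10 ok 130
0.15 refused 0
0.20 ok 120
0.25 ok 140
"""


def parse_log(text):
    """Turn the constructed log into (start_s, status, latency_ms) tuples."""
    records = []
    for line in text.strip().splitlines():
        start, status, latency = line.split()
        records.append((float(start), status, float(latency)))
    return records


def percentile(values, pct):
    """Nearest-rank percentile (p95 of 20 values is the 19th sorted value)."""
    ordered = sorted(values)
    if not ordered:
        return None
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def summarize(records, drop_refused=False):
    """Summarise one run.

    drop_refused=True discards refused attempts before computing anything,
    which is the flattering view the thread warns about: the server that
    refuses work looks fast because only the work it accepted is measured.
    """
    if drop_refused:
        records = [r for r in records if r[1] == "ok"]
    completed = [r for r in records if r[1] == "ok"]
    refused = len(records) - len(completed)
    latencies = [r[2] for r in completed]
    # Wall clock of the run: first attempt to last completion. Queued requests
    # that take seconds to return stretch this, so throughput reflects them.
    if records:
        first = min(r[0] for r in records)
        last = max(r[0] + r[2] / 1000.0 for r in records)
        wall = last - first
    else:
        wall = 0.0
    return {
        "attempts": len(records),
        "completed": len(completed),
        "refused": refused,
        "error_rate": refused / len(records) if records else 0.0,
        "req_per_sec": len(completed) / wall if wall > 0 else 0.0,
        "median_ms": median(latencies) if latencies else None,
        "p95_ms": percentile(latencies, 95),
        "max_ms": max(latencies) if latencies else None,
    }


def request_capacity(processors, backlog):
    """Rough number of requests a listener holds before refusing more:
    in-flight request processors plus the accept backlog. For httpd 2.2 on
    Windows that is ThreadsPerChild + ListenBacklog; for a Tomcat HTTP
    connector it is maxThreads + acceptCount (the OS may clamp the backlog).
    """
    return processors + backlog


def main():
    for name, log in (("httpd -> Tomcat", HTTPD_FRONTED), ("Tomcat direct", TOMCAT_DIRECT)):
        recs = parse_log(log)
        for view, drop in (("all attempts", False), ("refused dropped", True)):
            s = summarize(recs, drop_refused=drop)
            print(f"{name:15} [{view:15}] completed={s['completed']}/{s['attempts']} "
                  f"err={s['error_rate']:.0%} rps={s['req_per_sec']:.2f} "
                  f"median={s['median_ms']}ms p95={s['p95_ms']}ms")
    # Illustrative (made-up) settings: the two stacks are only comparable when
    # these come out equal.
    print("httpd capacity :", request_capacity(processors=150, backlog=100))
    print("Tomcat capacity:", request_capacity(processors=150, backlog=10))


if __name__ == "__main__":
    main()
```

With the constructed data the direct-to-Tomcat run shows a 33% refusal rate and a 125 ms median, while the httpd-fronted run shows no errors but a multi-second median; dropping the refused attempts hides the first fact entirely. Throughput is derived from first attempt to last completion, so the queued requests that return after 15 to 18 seconds pull it down for the fronted run rather than vanishing.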