[GitHub] [tomcat] exabrial commented on pull request #532: Don't perform protection checks in Unix Domain Socket mode

[GitBox <gi...@apache.org>]

exabrial commented on PR #532:
URL: https://github.com/apache/tomcat/pull/532#issuecomment-1189381572

   Just want to say thanks! Our initial testing shows that bypassing the TCP layer and using Unix sockets is _very significant_ performance increase.... like _a lot_ faster. Pretty danged cool! We'd probably terminate TCP/TLS with Haproxy then load balance to Tomcat listening on Unix sockets.
   
   We still have a few more issues to overcome, but those are separate items or perhaps bugs, for another discussion:
   
   * We noticed the the socket file doesn't seem to get cleaned up, despite the documentation indicating it should. As a workaround, we have the systemd unit remove the file after Tomcat stops. We are trying to root cause this in Tomcat code and see if we can figure out whats wrong.
   * We noticed `request.getRemoteAddr()` and `request.getRemoteHost()` are broken (expected). We improvised a Valve to hardcode `127.0.0.1` for each and that seems to do the trick, then use the RemoteAddrValve to set the real values. A better option might be: Haproxy has something akin to AJP called "Proxy Protocol" that can pass a lot of information from the original request. There's a open bug about it that we might look into helping get across the finish line: https://bz.apache.org/bugzilla/show_bug.cgi?id=57830 
   
   Anyway thank you! Very much appreciated!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org