Posted to dev@httpd.apache.org by Bill Stoddard <bi...@wstoddard.com> on 2007/06/14 15:27:50 UTC

mod_proxy_ajp or mod_proxy_http?

I'm trying to understand why mod_proxy_ajp exists and what it provides 
that mod_proxy_http doesn't.

ajp13 is a binary protocol which should make the ajp13 tomcat connector 
a bit more efficient than the http11 connector; an incremental 
performance improvement, obtained at the expense of added complexity. 
Does mod_proxy_ajp provide any other function not available in 
mod_proxy_http? I'm trying to decide which horse to put my chips on :-)

Thanks,
Bill

Re: mod_proxy_ajp or mod_proxy_http?

Posted by Graham Leggett <mi...@sharp.fm>.
On Thu, June 14, 2007 3:27 pm, Bill Stoddard wrote:

> I'm trying to understand why mod_proxy_ajp exists and what it provides
> that mod_proxy_http doesn't.
>
> ajp13 is a binary protocol which should make the ajp13 tomcat connector
> a bit more efficient than the http11 connector; an incremental
> performance improvement, obtained at the expense of added complexity.
> Does mod_proxy_ajp provide any other function not available in
> mod_proxy_http? I'm trying to decide which horse to put my chips on :-)

I found the one feature that AJP had on the tomcat side was seamless
integration with SSL on the httpd. Within the webapp, all the isSecure()
methods Just Worked(TM).

Apart from that, I usually deploy mod_proxy_http where I can, because
myself and my trusty telnet client can speak HTTP.

Regards,
Graham
--



Re: mod_proxy_ajp or mod_proxy_http?

Posted by Bill Barker <wb...@wilshire.com>.
"Bill Stoddard" <bi...@wstoddard.com> wrote in message 
news:46783A95.2010806@wstoddard.com...
> William A. Rowe, Jr. wrote:
>> Bill Stoddard wrote:
>>
>>> I'm trying to understand why mod_proxy_ajp exists and what it provides
>>> that mod_proxy_http doesn't.
>>>
>>> ajp13 is a binary protocol which should make the ajp13 tomcat connector
>>> a bit more efficient than the http11 connector; an incremental
>>> performance improvement, obtained at the expense of added complexity.
>>> Does mod_proxy_ajp provide any other function not available in
>>> mod_proxy_http? I'm trying to decide which horse to put my chips on :-)
>>>
>>
>> If it works, mod_proxy_ajp - efficient, fast and slightly easier to 
>> secure.
>>
> Thanks for the info everyone!
>
> Bill,
> mod_proxy_ajp is easier to secure?  Does mod_proxy_ajp support SSL?
>


There are way too many Bills on this thread :).

At the moment, mod_proxy_ajp (as well as mod_jk) doesn't support encryption 
between httpd and Tomcat/Geronimo/GlassFish.  For most people, this isn't a 
big deal, since the connection is going over an internal network (or even 
localhost), so if the black hats can set up a man-in-the-middle, you have 
way bigger problems on your hands :).  Most people that need encryption 
(e.g. going over a WAN) use SSH tunneling to solve the problem.

Mostly, the 'easier to secure' is that since you can pick your port, you can 
configure firewall rules for that port accordingly.  It looks like 
mod_proxy_ajp supports the 'secret' feature, where Tomcat (properly 
configured) will only respond if mod_proxy_ajp sends the correct 'secret' 
string with the request.  Basically a password auth (somewhat like BASIC), 
that is marginally useful if the port is exposed to the internet, but pretty 
much useless against a man-in-the-middle attack since it is sent in the 
clear.

> Bill
> 




Re: mod_proxy_ajp or mod_proxy_http?

Posted by Bill Stoddard <bi...@wstoddard.com>.
William A. Rowe, Jr. wrote:
> Bill Stoddard wrote:
>   
>> I'm trying to understand why mod_proxy_ajp exists and what it provides
>> that mod_proxy_http doesn't.
>>
>> ajp13 is a binary protocol which should make the ajp13 tomcat connector
>> a bit more efficient than the http11 connector; an incremental
>> performance improvement, obtained at the expense of added complexity.
>> Does mod_proxy_ajp provide any other function not available in
>> mod_proxy_http? I'm trying to decide which horse to put my chips on :-)
>>     
>
> If it works, mod_proxy_ajp - efficient, fast and slightly easier to secure.
>   
Thanks for the info everyone!

Bill,
mod_proxy_ajp is easier to secure?  Does mod_proxy_ajp support SSL?

Bill

Re: mod_proxy_ajp or mod_proxy_http?

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Bill Stoddard wrote:
> I'm trying to understand why mod_proxy_ajp exists and what it provides
> that mod_proxy_http doesn't.
> 
> ajp13 is a binary protocol which should make the ajp13 tomcat connector
> a bit more efficient than the http11 connector; an incremental
> performance improvement, obtained at the expense of added complexity.
> Does mod_proxy_ajp provide any other function not available in
> mod_proxy_http? I'm trying to decide which horse to put my chips on :-)

If it works, mod_proxy_ajp - efficient, fast and slightly easier to secure.

When it doesn't, hands down, mod_proxy_http.  Awfully hard to decipher ajp13
when diagnosing issues through ethereal or similar.

Re: Re: mod_proxy_ajp or mod_proxy_http?

Posted by Plüm, Rüdiger, VF-Group <ru...@vodafone.com>.

> -----Original Message-----
> From: news  On Behalf Of Bill Barker
> Sent: Friday, 15 June 2007 05:07
> To: dev@httpd.apache.org
> Subject: Re: mod_proxy_ajp or mod_proxy_http?
> 
> 
> 
> 
> Not strictly true, it's just that it's never graduated from 
> "experimental" 
> due to lack of user interest.  Unfortunately, it got dropped 
> from the build 
> (I've just fixed that), so you need to apply R547503 to get 
> it.  If you do 
> (w/o the APR  native binary installed):
>    <Connector protocol="AJP/1.3" port="0"
>          channelNioSocket.port="8009"
>          channelNioSocket.bufferSize="16384"
>          channelNioSocket.maxThreads="125"
>          channelNioSocket.minSpareThreads="10"
>          channelNioSocket.maxSpareThreads="50"
>          />
> 
> you will get the experimental NIO/AJP Connector.  Of course, 
> most of the 
> attributes are optional (but if you can spare the memory, the 
> bufferSize 
> improves performance a lot if you have a lot of POST requests).

Thanks for the hints Bill.

Regards

Rüdiger


Re: mod_proxy_ajp or mod_proxy_http?

Posted by Bill Barker <wb...@wilshire.com>.
"Plüm, Rüdiger, VF-Group" <ru...@vodafone.com> wrote in message 
news:3B21A253728EA247A10A692547A271538DCB96@EITO-MBX03.internal.vodafone.com...


>> -----Original Message-----
>> From: Bill Stoddard
>> Sent: Thursday, 14 June 2007 15:28
>> To: dev@httpd.apache.org
>> Subject: mod_proxy_ajp or mod_proxy_http?
>>
>>
>> I'm trying to understand why mod_proxy_ajp exists and what it
>> provides
>> that mod_proxy_http doesn't.
>>
>> ajp13 is a binary protocol which should make the ajp13 tomcat
>> connector
>> a bit more efficient than the http11 connector; an incremental
>> performance improvement, obtained at the expense of added complexity.
>> Does mod_proxy_ajp provide any other function not available in
>> mod_proxy_http? I'm trying to decide which horse to put my
>> chips on :-)
>
>I personally prefer mod_proxy_ajp in this case, because
>
>- It avoids the need to parse the request in Tomcat again. This also
>  increases the bar for proxy attacks like HTTP smuggling.
>
>- The persistent connection handling currently seems to be better compared
>  to keepalive connections with HTTP. There are still some nasty race 
> conditions
>  when the backend closes the connection just as we send our request to it.
>
>- There is a basic health check for the backend *before* sending the 
>request
>  (CPING/CPONG).
>
>AFAIK the following drawbacks on Tomcat side:
>
>- No NIO AJP connector (but you can use the APR version of the connector).

Not strictly true, it's just that it's never graduated from "experimental" 
due to lack of user interest.  Unfortunately, it got dropped from the build 
(I've just fixed that), so you need to apply R547503 to get it.  If you do 
(w/o the APR native binary installed):
   <Connector protocol="AJP/1.3" port="0"
         channelNioSocket.port="8009"
         channelNioSocket.bufferSize="16384"
         channelNioSocket.maxThreads="125"
         channelNioSocket.minSpareThreads="10"
         channelNioSocket.maxSpareThreads="50"
         />

you will get the experimental NIO/AJP Connector.  Of course, most of the 
attributes are optional (but if you can spare the memory, the bufferSize 
improves performance a lot if you have a lot of POST requests).


>- No usage of sendfile with the AJP connector.
>
>Regards
>
>Rüdiger





Re: mod_proxy_ajp or mod_proxy_http?

Posted by Plüm, Rüdiger, VF-Group <ru...@vodafone.com>.

> -----Original Message-----
> From: Bill Stoddard 
> Sent: Thursday, 14 June 2007 15:28
> To: dev@httpd.apache.org
> Subject: mod_proxy_ajp or mod_proxy_http?
> 
> 
> I'm trying to understand why mod_proxy_ajp exists and what it 
> provides 
> that mod_proxy_http doesn't.
> 
> ajp13 is a binary protocol which should make the ajp13 tomcat 
> connector 
> a bit more efficient than the http11 connector; an incremental 
> performance improvement, obtained at the expense of added complexity. 
> Does mod_proxy_ajp provide any other function not available in 
> mod_proxy_http? I'm trying to decide which horse to put my 
> chips on :-)

I personally prefer mod_proxy_ajp in this case, because

- It avoids the need to parse the request in Tomcat again. This also
  increases the bar for proxy attacks like HTTP smuggling.

- The persistent connection handling currently seems to be better compared
  to keepalive connections with HTTP. There are still some nasty race conditions
  when the backend closes the connection just as we send our request to it.

- There is a basic health check for the backend *before* sending the request
  (CPING/CPONG).

AFAIK the following drawbacks on Tomcat side:

- No NIO AJP connector (but you can use the APR version of the connector).
- No usage of sendfile with the AJP connector.

Regards

Rüdiger
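The CPING/CPONG pre-request health check mentioned above, simulated end to end as an added example (this is not code from the thread, from httpd or from Tomcat): the httpd side frames a CPING, a constructed stand-in for the Tomcat AJP connector answers with CPONG, and a backend that hangs up without answering is reported as unhealthy before any request would be sent to it. Packet framing follows the AJP13 wire format (0x12 0x34 and "AB" magic bytes, 2-byte length, prefix codes 0x0A and 0x09); the socketpair-based harness is an assumption of the example.

```python
import socket
import threading

# AJP13 framing: httpd -> Tomcat packets start with 0x12 0x34, Tomcat -> httpd
# packets start with "AB"; both carry a 2-byte big-endian payload length next.
MAGIC_TO_CONTAINER, MAGIC_TO_SERVER = b"\x12\x34", b"AB"
CPING, CPONG = 0x0A, 0x09  # prefix codes of the ping and of its reply

def ajp_packet(magic: bytes, payload: bytes) -> bytes:
    """Frame a payload as an AJP13 packet."""
    return magic + len(payload).to_bytes(2, "big") + payload

def build_cping() -> bytes:
    return ajp_packet(MAGIC_TO_CONTAINER, bytes([CPING]))

def parse_packet(expected_magic: bytes, data: bytes) -> bytes:
    """Check magic and length strictly; return the payload or raise."""
    if len(data) < 4 or data[:2] != expected_magic:
        raise ValueError("bad or missing AJP magic")
    if len(data) != 4 + int.from_bytes(data[2:4], "big"):
        raise ValueError("AJP length field does not match packet")
    return data[4:]

def health_check(sock: socket.socket, timeout: float = 1.0) -> bool:
    """mod_proxy_ajp side: send CPING and accept only a well-formed CPONG."""
    sock.settimeout(timeout)
    try:
        sock.sendall(build_cping())
        return parse_packet(MAGIC_TO_SERVER, sock.recv(5)) == bytes([CPONG])
    except (OSError, ValueError):  # timeout, reset, EOF or malformed reply
        return False

def fake_tomcat(conn: socket.socket, alive: bool) -> None:
    """Constructed stand-in for the Tomcat AJP connector: a live backend
    answers CPING with CPONG, a dead one hangs up without answering."""
    with conn:
        if alive and parse_packet(MAGIC_TO_CONTAINER, conn.recv(4096)) == b"\x0a":
            conn.sendall(ajp_packet(MAGIC_TO_SERVER, bytes([CPONG])))

def demo(alive: bool = True) -> bool:
    """Run the exchange over an in-process socketpair (no real Tomcat)."""
    httpd_side, tomcat_side = socket.socketpair()
    worker = threading.Thread(target=fake_tomcat, args=(tomcat_side, alive))
    worker.start()
    try:
        return health_check(httpd_side)
    finally:
        worker.join()
        httpd_side.close()
```

The strict length check in parse_packet matters because a truncated or oversized reply is exactly what a half-closed backend produces in the race Rüdiger describes, and it should count as a failed check rather than a passed one.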