The mod_proxy Cookbook - Linux Foundation Events

The mod_proxy Cookbook - Linux Foundation Events
The mod_proxy Cookbook
A collection of proxy recipes to
suit your discerning palate
Daniel Ruggeri
Who is This Guy?
●
About Daniel Ruggeri
– Infrastructure
– DRuggeri
●
guy with a love for code
<at> apache.org
Standard Disclaimer
– I'm
speaking personally and not on behalf of my employer. The
examples and comments are my personal opinions and should
not be considered the official practices or positions of
MasterCard.
Between You and Lunch
●
About this presentation
– Not
just mod_proxy
– Know
●
thine application
Warning – eye charts ahead!
– Examples
– Included
●
may be hard to read
for completeness
Download this presentation!
–
http://people.apache.org/~druggeri/presentations/proxyCookbook.odp
What's New and Hot?
Embers - Ed Suominen - CC BY-NC 2.0 - https://www.flickr.com/photos/edsuom/
Newness - websockets
●
WebSocket (RFC6455) support
– Full
duplex socket
– Upgraded
connection via HTTP/1.1
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
ProxyPass /ws2/
ws://echo.websocket.org/
Newness - UDS
●
Unix Domain Socket
– Local
–A
connection only
socket without all that TCP stuff
– Pipe
separator
ProxyPass / unix:/var/run/superApp.sock|http://localhost/
Newness - mod_proxy_express
●
Express
–
Mass name-based, switch-like proxying
–
Target server selection is driven by DBM file
DBM file:
www.homeawayfromhome.com
http://10.0.1.25
login.homeawayfromhome.com
http://10.0.2.15
Config file:
ProxyExpressEnable on
ProxyExpressDBMFile /path/to/mapfile
One done - Daniel Kulinski - CC BY-NC-SA 2.0 - https://www.flickr.com/photos/didmyself/6530389351
How to Be a Good Proxy
●
Connection Marshaling/Protocol Enforcement
●
Load Balancing/Session Stickiness
●
Connection Pooling/TCP and SSL Offload
●
Failover/Health Monitoring
●
Dynamic Modification
●
Traffic shaping/Caching/Compression
●
Attack Mitigation (Security)
Connection Marshaling/Protocol Enforcement
Dalian Traffic Cops 06 - SnoShuu - CC BY-NC-ND 2.0 - https://www.flickr.com/photos/snoshuu/
Playing Traffic Cop
●
Separates clients and servers
●
The difference between forward and reverse proxy
–
●
Forward proxy
–
●
What does the client know?
mod_proxy_connect for SSL
Reverse proxy uses mod_proxy_(ajp|http|ftp|scgi|fcgi|wstunnel)
–
mod_ssl and SSLProxyEngine for SSL
Forward Proxy Example
●
WARNING: Do not proceed until you know how to lock this
down!
LoadModule proxy_connect_module modules/mod_proxy_connect.so
<VirtualHost 10.1.2.3:8888>
ProxyRequests On
<Proxy *>
Require ip 192.168
</Proxy>
</VirtualHost>
Reverse Proxy Examples
●
In a Location block
<Location /application>
ProxyPass http://backend.local/application
</Location>
●
Standalone ProxyPass directive
ProxyPass /application http://backend.local/application
ProxyPassReverse /application http://backend.local/application
Reverse Proxy Examples
●
As a ProxyPassMatch
ProxyPassMatch /application/.*.do http://backend.local/application/
●
In the Rewrite engine
RewriteCond %{HTTP_COOKIE} TOP_SECRET_ACCESS
RewriteRule ^/admin/(.*) http://backend.local/admin/ [P]
Reverse Proxy Examples
●
As a Balancer
<Proxy balancer://mycluster>
Balancer
BalancerMember http://1.2.3.4:8009 route=Mercury
BalancerMember http://1.2.3.5:8009 route=Venus
ProxySet lbmethod=byrequests nonce=None stickysession=JSESSIONID
</Proxy>
Workers
ProxyPass /myApp/ balancer://mycluster/myApp/
Reverse Proxy Examples
●
As a DB (2.4)
ProxyExpressEnable on
ProxyExpressDBMFile /path/to/mapfile
●
As a Handler (2.4.10+)
<FilesMatch \.php$>
# Unix sockets require 2.4.7 or later
SetHandler
</FilesMatch>
"proxy:unix:/path/to/app.sock|fcgi://localhost/"
Load Balancing/Traffic Distribution
network - Martin Abegglen - CC BY-SA 2.0 - https://www.flickr.com/photos/twicepix/4333178624
Load Distribution
●
byrequests
–
●
bytraffic
–
●
Perform balancing based on how many pending requests exist for a backend
heartbeat
–
●
Perform balancing by byte count (in response body) served
bybusyness
–
●
Perform balancing based solely on requests served
Perform balancing based on What mod_heartbeat tells us
???
–
Some rumblings of what is coming
Load Distribution
●
Asymmetric distribution
– loadfactor
– higher
●
number == higher load
+H option for hot-standby
– Disables
– Don’t
●
option for BalancerMember
worker until others are unavailable
forget lbset as another option
Selective proxying using ! and ordering
– Do
not proxy certain paths
Example: Weighting
<Proxy balancer://mycluster>
BalancerMember http://1.2.3.4:8009 loadfactor=2
BalancerMember http://1.2.3.5:8009 smax=10 loadfactor=2
#Less powerful server – fewer requests
BalancerMember http://1.2.3.6:8009 smax=1 loadfactor=1
</Proxy>
ProxyPass / balancer://mycluster/ stickysession=JSESSIONID
Example: Hot Standby
<Proxy balancer://hotcluster>
BalancerMember http://1.2.3.4:8009
BalancerMember http://1.2.3.5:8009
#Hot standby
BalancerMember http://1.2.3.6:8009 status=+H
ProxySet lbmethod=bytraffic
</Proxy>
ProxyPass / balancer://hotcluster/
Example: Selective Proxying
<Proxy balancer://AppCluster1>
BalancerMember http://1.2.3.4:8009
BalancerMember http://1.2.3.5:8009
</Proxy>
<Proxy balancer://AppCluster2>
BalancerMember http://9.8.7.6:8080
BalancerMember http://9.8.7.5:8080
</Proxy>
ProxyPass /static/ !
ProxyPass /applicationA/ balancer://AppCluster1/
ProxyPass /applicationB/ balancer://AppCluster2/
ProxyPass / balancer://hotcluster/
Worker Statuses
●
Disabled (D)
–
●
Stopped (S)
–
●
Will not be used due to error.
Drain (N)
–
●
Will only be used if no other viable workers are available.
Error (E)
–
●
Will always be considered available.
Hot Standby (H)
–
●
Worker is administratively stopped.
Ignore Errors (I)
–
●
Worker is disabled and will not accept any requests.
Will only accept existing sticky sessions for its route.
Redirect*
–
New requests without sessions will go here.
Sticky Sessions
Gecko-017 - VinceFL - CC BY-NC-ND 2.0 - https://www.flickr.com/photos/vlopresti1964/9780815161
Session Persistence
●
Session replication can be expensive
●
Built-in (as designed)
– mod_proxy_balancer
– Not
●
always compatible or easy
Roll your own
– Use
●
includes facilities to do this
the built-in functions but tweak to your liking
Route parameter comes into play
A Sticky Matter
●
Many different formats for session identifiers based on backend.
–
●
●
Cookies, URLs, formats, etc
You have to know a lot
–
Name of the cookie
–
Values contained
Built-in is not 100% compatible.
–
(2.2) Requires dot or semicolon as a delimiter
–
(2.4) stickysessionsep can be anything
Universal Sticky!!!
LoadModule headers_module modules/mod_headers.so
<Proxy balancer://DanielCluster>
BalancerMember http://1.2.3.4:8009 route=mercury
BalancerMember http://1.2.3.5:8009 route=venus
ProxySet stickysession=DanielsApp_STICKY
</Proxy>
Header add Set-Cookie
"DanielsApp_STICKY=sticky.%{BALANCER_WORKER_ROUTE}e;path=/;"
env=BALANCER_ROUTE_CHANGED
ProxyPass /daniel/ balancer://DanielCluster/daniel/
Connection Pooling/TCP and SSL Offload
Quiet Cove pool at night - Ricky Brigante - CC BY-NC-ND 2.0 - https://www.flickr.com/photos/insidethemagic/7021197905
Get in the Pool
●
So easy it is almost automatic
●
Parameters
– max
– smax
– ttl
hard maximum
soft maximum (aggressive TTL cleanup)
time allowed to be idle
●
Other parameters come into play
●
Complications...
– TCP/HTTP
Keepalive
Example: Connection Pooling
<Proxy balancer://myCluster>
BalancerMember http://1.2.3.4:8009 smax=7 max=10 ttl=10
BalancerMember http://1.2.3.5:8009 smax=7 max=10 ttl=10
</Proxy>
ProxyPass / balancer://myCluster/
Leave the Tough Stuff to Me
●
●
Funnel all traffic into the pipeline
–
Many requests <-> one backend connection
–
keepalive is a beautiful thing
SSL benefits as well
–
HTTPS to HTTPD
–
Can run HTTP or HTTPS to backend
●
Either will be more efficient!
●
Node.js use case
Failover/Health Monitoring
Doctor Visit - Laura Smith - CC BY-NC-ND 2.0 - https://www.flickr.com/photos/blushingmulberry/4182291013
Failure Detection
●
Failover capability for connection only
– Connection
●
SSL errors go back to user.
– ...
●
errors fail over to next backend seamlessly.
and are taken out of service as of 2.2.18.
Hung/slow backend errors go back to user.
– ...
but can be taken out of service as of 2.2.25/2.4.5 with
failontimeout.
I Don't Feel So Well
●
No heath check capability
– Requires
real, live traffic
●
Must come up with a way to work around it
●
In the future...
– Scratch
your own itch, Daniel!
Mitigating Controls
●
connectiontimeout
–
●
●
ProxyTimeout and failontimeout
–
Fail faster and mark the backend out of service
–
Warning - this may be bad for you
Failonstatus
–
●
Sets the number of seconds to wait for a TCP connection.
Mark a backend out of service if a specific HTTP status code is found
Monitoring
–
Create external monitoring to force traffic through HTTPD.
Dynamic Modification
The Pleasant Glow of Good Music - Bob Prosser - CC BY-NC-ND 2.0 - https://www.flickr.com/photos/b-love/9723724344
Doing the Shuffle
●
BalancerManager is how one modifies members.
–
●
●
●
Good selection of parameters
Balancer
–
sticky identifier, timeout, failover, failover attempts, lbmethod
–
Workers can be added if growth is set
–
Workers can not be removed
Worker
–
loadfactor, lbset, route, redirect
–
ignore errors, draining, disabled, hot standby
Be safe out there
Lay Thine Eyes Upon It!
Balancer Manager Errata
●
Nonce usage
–
●
XML output
–
●
b, w and nonce parameters part of URL
Persistance over restart
–
●
Useful for machines
REST-like (todo)
–
●
Set the nonce or use "None" for scripting
(2.4.4) Will write state before shutdown
Be careful out there
Shaping
Pottery - o.lila - CC BY-NC-SA 2.0 - https://www.flickr.com/photos/o_lila/7905806898
Traffic Tweaking
●
Caching via mod_cache
–
Too much to cover here.
●
Compress via mod_deflate
●
Shape via...
–
mod_proxy_html, mod_headers, mod_rewrite, mod_substitute, mod_sed
–
mod_env/mod_setenvif, mod_expires, mod_*filter
●
Watch with mod_dumpio
●
The sky is the limit!
Example: Traffic Shaping
ProxyPass /app balancer://myCluster/appl
ProxyPassReverse /app balancer://myCluster/app
<Location /app>
AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|http://127.0.0.1:7004|http://mypage|n"
RequestHeader set environment production
AddOutputFilterByType DEFLATE text/html text/xml
</Location>
Security
Learning the hard way - Ludovic Bertron -CC BY 2.0 - https://www.flickr.com/photos/23912576@N05/ -
Not in MY House...
●
Security modules
–
●
●
mod_noloris, mod_security, etc
Separation
–
Tiered approach
–
Standards enforcement
Filtering/Blocking/Restricting
–
Allow from certain hosts
–
Authn/Authz modules
–
The sky is (still) the limit!
Questions?
Scenarios?
Feedback: druggeri <at> apache.org
Download me:
http://people.apache.org/~druggeri/presentations/proxyCookbook.odp
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertising