the mod proxy cookbook
play

The mod_proxy Cookbook A collection of proxy recipes to suit your - PowerPoint PPT Presentation

Dec 16, 2023 •157 likes •608 views

The mod_proxy Cookbook A collection of proxy recipes to suit your discerning palate Daniel Ruggeri Who is This Guy? About Daniel Ruggeri Infrastructure guy with a love for code DRuggeri <at> apache.org Standard Disclaimer

  1. The mod_proxy Cookbook A collection of proxy recipes to suit your discerning palate Daniel Ruggeri

  2. Who is This Guy? ● About Daniel Ruggeri – Infrastructure guy with a love for code – DRuggeri <at> apache.org ● Standard Disclaimer – I'm speaking personally and not on behalf of my employer. The examples and comments are my personal opinions and should not be considered the official practices or positions of MasterCard.

  3. Between You and Lunch ● About this presentation – Not just mod_proxy – Know thine application ● Warning – eye charts ahead! – Examples may be hard to read – Included for completeness ● Download this presentation! – http://people.apache.org/~druggeri/presentations/proxyCookbook.odp

  4. What's New and Hot? Embers - Ed Suominen - CC BY-NC 2.0 - https://www.flickr.com/photos/edsuom/

  5. Newness - websockets ● WebSocket (RFC6455) support – Full duplex socket – Upgraded connection via HTTP/1.1 LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so ProxyPass /ws2/ ws://echo.websocket.org/

  6. Newness - UDS ● Unix Domain Socket – Local connection only – A socket without all that TCP stuff – Pipe separator ProxyPass / unix:/var/run/superApp.sock|http://localhost/

  7. Newness - mod_proxy_express Express ● – Mass name-based, switch-like proxying – Target server selection is driven by DBM file DBM file: www.homeawayfromhome.com http://10.0.1.25 login.homeawayfromhome.com http://10.0.2.15 Config file: ProxyExpressEnable on ProxyExpressDBMFile /path/to/mapfile

  8. One done - Daniel Kulinski - CC BY-NC-SA 2.0 - https://www.flickr.com/photos/didmyself/6530389351

  9. How to Be a Good Proxy ● Connection Marshaling/Protocol Enforcement ● Load Balancing/Session Stickiness ● Connection Pooling/TCP and SSL Offload ● Failover/Health Monitoring ● Dynamic Modification ● Traffic shaping/Caching/Compression ● Attack Mitigation (Security)

  10. Connection Marshaling/Protocol Enforcement Dalian Traffic Cops 06 - SnoShuu - CC BY-NC-ND 2.0 - https://www.flickr.com/photos/snoshuu/

  11. Playing Traffic Cop ● Separates clients and servers ● The difference between forward and reverse proxy – What does the client know? ● Forward proxy – mod_proxy_connect for SSL ● Reverse proxy uses mod_proxy_(ajp|http|ftp|scgi|fcgi|wstunnel) – mod_ssl and SSLProxyEngine for SSL

  12. Forward Proxy Example ● WARNING: Do not proceed until you know how to lock this down! LoadModule proxy_connect_module modules/mod_proxy_connect.so <VirtualHost 10.1.2.3:8888> ProxyRequests On <Proxy *> Require ip 192.168 </Proxy> </VirtualHost>

  13. Reverse Proxy Examples ● In a Location block <Location /application> ProxyPass http://backend.local/application </Location> ● Standalone ProxyPass directive ProxyPass /application http://backend.local/application ProxyPassReverse /application http://backend.local/application

  14. Reverse Proxy Examples ● As a ProxyPassMatch ProxyPassMatch /application/.*.do http://backend.local/application/ ● In the Rewrite engine RewriteCond %{HTTP_COOKIE} TOP_SECRET_ACCESS RewriteRule ^/admin/(.*) http://backend.local/admin/ [P]

  15. Reverse Proxy Examples ● As a Balancer Balancer <Proxy balancer://mycluster> BalancerMember http://1.2.3.4:8009 route=Mercury BalancerMember http://1.2.3.5:8009 route=Venus ProxySet lbmethod=byrequests nonce=None stickysession=JSESSIONID </Proxy> Workers ProxyPass /myApp/ balancer://mycluster/myApp/

  16. Reverse Proxy Examples ● As a DB (2.4) ProxyExpressEnable on ProxyExpressDBMFile /path/to/mapfile ● As a Handler (2.4.10+) <FilesMatch \.php$> # Unix sockets require 2.4.7 or later SetHandler "proxy:unix:/path/to/app.sock|fcgi://localhost/" </FilesMatch>

  17. Load Balancing/Traffic Distribution network - Martin Abegglen - CC BY-SA 2.0 - https://www.flickr.com/photos/twicepix/4333178624

  18. Load Distribution ● byrequests – Perform balancing based solely on requests served ● bytraffic – Perform balancing by byte count (in response body) served ● bybusyness – Perform balancing based on how many pending requests exist for a backend ● heartbeat – Perform balancing based on What mod_heartbeat tells us ● ??? – Some rumblings of what is coming

  19. Load Distribution ● Asymmetric distribution – loadfactor option for BalancerMember – higher number == higher load ● +H option for hot-standby – Disables worker until others are unavailable – Don’t forget lbset as another option ● Selective proxying using ! and ordering – Do not proxy certain paths

  20. Example: Weighting <Proxy balancer://mycluster> BalancerMember http://1.2.3.4:8009 loadfactor=2 BalancerMember http://1.2.3.5:8009 smax=10 loadfactor=2 #Less powerful server – fewer requests BalancerMember http://1.2.3.6:8009 smax=1 loadfactor=1 </Proxy> ProxyPass / balancer://mycluster/ stickysession=JSESSIONID

  21. Example: Hot Standby <Proxy balancer://hotcluster> BalancerMember http://1.2.3.4:8009 BalancerMember http://1.2.3.5:8009 #Hot standby BalancerMember http://1.2.3.6:8009 status=+H ProxySet lbmethod=bytraffic </Proxy> ProxyPass / balancer://hotcluster/

  22. Example: Selective Proxying <Proxy balancer://AppCluster1> BalancerMember http://1.2.3.4:8009 BalancerMember http://1.2.3.5:8009 </Proxy> <Proxy balancer://AppCluster2> BalancerMember http://9.8.7.6:8080 BalancerMember http://9.8.7.5:8080 </Proxy> ProxyPass /static/ ! ProxyPass /applicationA/ balancer://AppCluster1/ ProxyPass /applicationB/ balancer://AppCluster2/ ProxyPass / balancer://hotcluster/

  23. Worker Statuses Disabled (D) ● Worker is disabled and will not accept any requests. – Stopped (S) ● Worker is administratively stopped. – Ignore Errors (I) ● Will always be considered available. – Hot Standby (H) ● Will only be used if no other viable workers are available. – Error (E) ● Will not be used due to error. – Drain (N) ● Will only accept existing sticky sessions for its route. – Redirect* ● New requests without sessions will go here. –

  24. Sticky Sessions Gecko-017 - VinceFL - CC BY-NC-ND 2.0 - https://www.flickr.com/photos/vlopresti1964/9780815161

  25. Session Persistence ● Session replication can be expensive ● Built-in (as designed) – mod_proxy_balancer includes facilities to do this – Not always compatible or easy ● Roll your own – Use the built-in functions but tweak to your liking ● Route parameter comes into play

  26. A Sticky Matter ● Many different formats for session identifiers based on backend. – Cookies, URLs, formats, etc ● You have to know a lot – Name of the cookie – Values contained ● Built-in is not 100% compatible. – (2.2) Requires dot or semicolon as a delimiter – (2.4) stickysessionsep can be anything

  27. Universal Sticky!!! LoadModule headers_module modules/mod_headers.so <Proxy balancer://DanielCluster> BalancerMember http://1.2.3.4:8009 route=mercury BalancerMember http://1.2.3.5:8009 route=venus ProxySet stickysession=DanielsApp_STICKY </Proxy> Header add Set-Cookie "DanielsApp_STICKY=sticky.%{BALANCER_WORKER_ROUTE}e;path=/;" env=BALANCER_ROUTE_CHANGED ProxyPass /daniel/ balancer://DanielCluster/daniel/

  28. Connection Pooling/TCP and SSL Offload Quiet Cove pool at night - Ricky Brigante - CC BY-NC-ND 2.0 - https://www.flickr.com/photos/insidethemagic/7021197905

  29. Get in the Pool ● So easy it is almost automatic ● Parameters – max hard maximum – smax soft maximum (aggressive TTL cleanup) – ttl time allowed to be idle ● Other parameters come into play ● Complications... – TCP/HTTP Keepalive

  30. Example: Connection Pooling <Proxy balancer://myCluster> BalancerMember http://1.2.3.4:8009 smax=7 max=10 ttl=10 BalancerMember http://1.2.3.5:8009 smax=7 max=10 ttl=10 </Proxy> ProxyPass / balancer://myCluster/

  31. Leave the Tough Stuff to Me ● Funnel all traffic into the pipeline – Many requests <-> one backend connection – keepalive is a beautiful thing ● SSL benefits as well – HTTPS to HTTPD – Can run HTTP or HTTPS to backend ● Either will be more efficient! ● Node.js use case

  32. Failover/Health Monitoring Doctor Visit - Laura Smith - CC BY-NC-ND 2.0 - https://www.flickr.com/photos/blushingmulberry/4182291013

  33. Failure Detection ● Failover capability for connection only – Connection errors fail over to next backend seamlessly. ● SSL errors go back to user. – ... and are taken out of service as of 2.2.18. ● Hung/slow backend errors go back to user. – ... but can be taken out of service as of 2.2.25/2.4.5 with failontimeout.

  34. I Don't Feel So Well ● No heath check capability – Requires real, live traffic ● Must come up with a way to work around it ● In the future... – Scratch your own itch, Daniel!

  35. Mitigating Controls ● connectiontimeout – Sets the number of seconds to wait for a TCP connection. ● ProxyTimeout and failontimeout – Fail faster and mark the backend out of service – Warning - this may be bad for you ● Failonstatus – Mark a backend out of service if a specific HTTP status code is found ● Monitoring – Create external monitoring to force traffic through HTTPD.

  36. Dynamic Modification The Pleasant Glow of Good Music - Bob Prosser - CC BY-NC-ND 2.0 - https://www.flickr.com/photos/b-love/9723724344

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Windows Presentation Foundation 4.5 Cookbook Windows Presentation Foundation 4.5 Cookbook

Windows Presentation Foundation 4.5 Cookbook Windows Presentation Foundation 4.5 Cookbook

SNCAK2MJZOH7 &gt; Kindle \ Windows Presentation Foundation 4.5 Cookbook Windows Presentation Foundation 4.5 Cookbook Windows Presentation Foundation 4.5 Cookbook Filesize: 5.41 MB Reviews Reviews These kinds of pdf is every thing and helped me

434 views • 4 slides
I n t e r n s L i g h t n i n g T a l k s Proxy editing PiTiVi Proxy editing

I n t e r n s L i g h t n i n g T a l k s Proxy editing PiTiVi Proxy editing

I n t e r n s L i g h t n i n g T a l k s Proxy editing PiTiVi Proxy editing Anton Belka, antonbelka@gmail.com GUADEC 2013 The TM Conference GUADEC Proxy editing What is proxy editing? Proxy editing is the ability to

1.75k views • 143 slides
MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers forward requests to backends and can transform, handle or block them released under the GPL see http://forge.mysql.com/wiki/MySQL_Proxy

945 views • 27 slides
Windows Presentation Foundation Cookbook (Paperback) Windows Presentation Foundation Cookbook

Windows Presentation Foundation Cookbook (Paperback) Windows Presentation Foundation Cookbook

4XTJ3LRTBGBP \ Kindle # Windows Presentation Foundation Cookbook (Paperback) Windows Presentation Foundation Cookbook (Paperback) Windows Presentation Foundation Cookbook (Paperback) Filesize: 9.73 MB Reviews Reviews Undoubtedly, this is the

353 views • 4 slides
C# Design Patterns: Proxy APPLYING THE PROXY PATTERN Steve Smith FORCE MULTIPLIER FOR DEV TEAMS

C# Design Patterns: Proxy APPLYING THE PROXY PATTERN Steve Smith FORCE MULTIPLIER FOR DEV TEAMS

C# Design Patterns: Proxy APPLYING THE PROXY PATTERN Steve Smith FORCE MULTIPLIER FOR DEV TEAMS @ardalis | ardalis.com | weeklydevtips.com t h s What problems does proxy solve? Objectives How is the proxy pattern structured? Apply the

779 views • 23 slides
The Gearman Cookbook OSCON 2010 Eric Day http://oddments.org/ Senior Software Engineer @

The Gearman Cookbook OSCON 2010 Eric Day http://oddments.org/ Senior Software Engineer @

The Gearman Cookbook OSCON 2010 Eric Day http://oddments.org/ Senior Software Engineer @ Rackspace Thanks for being here! OSCON 2010 The Gearman Cookbook 2 Ask questions! Grab a mic for long questions. OSCON 2010 The Gearman Cookbook 3

894 views • 53 slides
Web Application Proxy (WAP) Remote Access Gateway Proxy for Web Applications 1 If youre

Web Application Proxy (WAP) Remote Access Gateway Proxy for Web Applications 1 If youre

Web Application Proxy (WAP) Remote Access Gateway Proxy for Web Applications 1 If youre WAPpy and you know it. UAG ? WAP ? eGov ? 2 Topics This Why the County invested in WAP presentation will share: Capabilities

427 views • 20 slides
January 29, 2018 Proxy Statements under Maryland Law 2018 The 2018 proxy season is here.

January 29, 2018 Proxy Statements under Maryland Law 2018 The 2018 proxy season is here.

January 29, 2018 Proxy Statements under Maryland Law 2018 The 2018 proxy season is here. Based on our experience reviewing proxy statements for Maryland public companies, we would like to call your attention to certain matters of Maryland

272 views • 12 slides
Entwurfsmuster und Frameworks Proxy Oliver Haase Oliver Haase Emfra Proxy 1/14

Entwurfsmuster und Frameworks Proxy Oliver Haase Oliver Haase Emfra Proxy 1/14

Entwurfsmuster und Frameworks Proxy Oliver Haase Oliver Haase Emfra Proxy 1/14 Description I Classification : Object-based structural pattern Also known as : Surrogate Purpose : Control access to a subject through

435 views • 14 slides
The Squid caching proxy Chris Wichura caw@cawtech.com What is Squid? A caching proxy for

The Squid caching proxy Chris Wichura caw@cawtech.com What is Squid? A caching proxy for

The Squid caching proxy Chris Wichura caw@cawtech.com What is Squid? A caching proxy for HTTP, HTTPS (tunnel only) FTP Gopher WAIS (requires additional software) WHOIS (Squid version 2 only) Supports transparent

592 views • 35 slides
MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is

MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is

MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is MySQL Proxy Started Feb 2007 Current: MySQL Proxy 0.7.0 Source available on launchpad.net $ bzr branch lp:mysql-proxy Foundation of

308 views • 17 slides
GLM Proxy Data Monte Bateman Proxy Data Creator Introduction GLM is an optical instrument

GLM Proxy Data Monte Bateman Proxy Data Creator Introduction GLM is an optical instrument

GLM Proxy Data Monte Bateman Proxy Data Creator Introduction GLM is an optical instrument Closest analog is LIS LIS is LEO; has a limited time on station for a particular storm Have several ground-based, 24x7 networks;

133 views • 10 slides
September 29, 2010 Maryland Law Implications of the SEC's Proxy Access Rules The proxy access

September 29, 2010 Maryland Law Implications of the SEC's Proxy Access Rules The proxy access

September 29, 2010 Maryland Law Implications of the SEC's Proxy Access Rules The proxy access rules recently adopted by the Securities and Exchange Commission have many implications for the nomination, election and service of directors under

179 views • 5 slides
DRM Proxy Architecture draft-zhipeng-pkix-drm-proxy-architecture Zhipeng Zhou (via Barry Leiba)

DRM Proxy Architecture draft-zhipeng-pkix-drm-proxy-architecture Zhipeng Zhou (via Barry Leiba)

DRM Proxy Architecture draft-zhipeng-pkix-drm-proxy-architecture Zhipeng Zhou (via Barry Leiba) Huawei Technologies Why? Digital Rights Management is something service providers have to deal with. Standard mechanisms for managing

273 views • 9 slides
Fitting B/C cosmic-ray data in the AMS-02 era: a cookbook L. Derome, D. Maurin, P. Salati, M.

Fitting B/C cosmic-ray data in the AMS-02 era: a cookbook L. Derome, D. Maurin, P. Salati, M.

Fitting B/C cosmic-ray data in the AMS-02 era: a cookbook L. Derome, D. Maurin, P. Salati, M. Boudaud, Y. Gnolini, and P. Kunz Motivation High quality AMS-02 data (systematics &gt; statistical errors) Need to re-evaluate how analyses

397 views • 10 slides
Connecting to Citrix MetaFrame Presentation Server through Proxy Servers Web Interface and Proxy

Connecting to Citrix MetaFrame Presentation Server through Proxy Servers Web Interface and Proxy

Connecting to Citrix MetaFrame Presentation Server through Proxy Servers Web Interface and Proxy Servers When a user logs into Web Interface and clicks an application icon, Web Interface dynamically renders an ICA file containing the instructions

490 views • 3 slides
Meaning Internalism and Natural History Paul M. Pietroski University of Maryland Dept. of

Meaning Internalism and Natural History Paul M. Pietroski University of Maryland Dept. of

Meaning Internalism and Natural History Paul M. Pietroski University of Maryland Dept. of Linguis=cs Dept. of Philosophy Outline for the Talk Opening Act: Proper Nouns and a Wonder Dog Human Language Capacity: a seemingly miraculous

459 views • 42 slides
You build it, you run it Matthias Rampke, SoundCloud You build it, you run it Operating

You build it, you run it Matthias Rampke, SoundCloud You build it, you run it Operating

You build it, you run it Matthias Rampke, SoundCloud You build it, you run it Operating SoundCloud's microservice architecture GOTO Berlin 2016 Intro: me Who I am and where I work Engineer in Production Engineering (platform, monitoring,

583 views • 32 slides
N A TIO N A L FO RUM F O R HEA RT D ISEA SE &amp; STRO KE PREV EN TIO N O c t o b e r 1 9 , 2 0

N A TIO N A L FO RUM F O R HEA RT D ISEA SE &amp; STRO KE PREV EN TIO N O c t o b e r 1 9 , 2 0

N A TIO N A L FO RUM F O R HEA RT D ISEA SE &amp; STRO KE PREV EN TIO N O c t o b e r 1 9 , 2 0 1 6 W a s h i n g t o n , D C Wa rre n A. Jone s, MD, F AAF P NIH E ndowe d Cha ir in He a lth Dispa ritie s Re se a rc h Close your Eyes A

704 views • 15 slides
Effec)ve Structured Query Formula)on for Session Search Dongyi

Effec)ve Structured Query Formula)on for Session Search Dongyi

11/12/12 Effec)ve Structured Query Formula)on for Session Search Dongyi Guan, Grace Hui Yang, Nazli Goharian Speaker: Grace Hui Yang Department of

341 views • 11 slides
TIF 101 Legislator Meeting September 5, 2019 franczek.com How a TIF district works franczek.com

TIF 101 Legislator Meeting September 5, 2019 franczek.com How a TIF district works franczek.com

TIF 101 Legislator Meeting September 5, 2019 franczek.com How a TIF district works franczek.com How many TIF districts? Cook County 461 City of Chicago: 144 Suburbs: 317 DuPage County 56 Lake County 44 Rest

601 views • 10 slides
Career speech In 8th grade I valued... I wanted to be an artist so I read about Aliza. Aliza is an

Career speech In 8th grade I valued... I wanted to be an artist so I read about Aliza. Aliza is an

Career speech In 8th grade I valued... I wanted to be an artist so I read about Aliza. Aliza is an artist and jeweler At palatine high school I participated in the... Esports club- top left Art club- top right Gamers club- bottom NOT ACTUAL

133 views • 12 slides
Generating Paths through Cultural Heritage Collections Samuel Fernando, Paula Goodale, Paul

Generating Paths through Cultural Heritage Collections Samuel Fernando, Paula Goodale, Paul

Generating Paths through Cultural Heritage Collections Samuel Fernando, Paula Goodale, Paul Clough, Mark Stevenson, Mark Hall, Eneko Agirre LaTeCH 2013, ACL Workshop, Sofia, Bulgaria. Outline Paths through cultural heritage collections

314 views • 28 slides
WELCOME ILLINOIS! Its our THIRD webinar together! Have you participated via chat or phone?

WELCOME ILLINOIS! Its our THIRD webinar together! Have you participated via chat or phone?

6/8/2016 WELCOME ILLINOIS! Its our THIRD webinar together! Have you participated via chat or phone? Lets go, everyone! Your Youth Worker Webinar will start soon 1 Youth Worker Certification Program Session #3 1 6/8/2016

566 views • 24 slides

More recommend