Load Balancing with Mod_Proxy_HTTP

Load balancing with mod_proxy_http is quite similar to using a hardware load balancer that lacks AJP support. HTTP/S traffic is sent through Apache to the Tomcat cluster – no additional protocol is involved.

Prerequisites

Installed Software

Apache should already be installed and tested. Installation is beyond the scope of this document, but instructions are easy to find if needed. The application servers should be configured and tested as well. This is crucial to avoid wasting time, as the many configuration changes involved are prone to human error.

Certificates

Certificates can be challenging to set up for clusters. A certificate signed by a trusted Certificate Authority goes a long way toward avoiding confusion for users. This certificate should be installed in Apache. Configure and test it before proceeding: a user should be able to access Apache over HTTPS without issue.

Apache should be able to use a self-signed certificate to access the Tomcats.

Network

Connectivity needs to be verified. In many enterprise networks, security is critical, and network administrators and server administrators implement firewalls of varying strictness. With differing ownership, getting all the firewalls modified to allow the traffic can be daunting at certain institutions. Below is a table of firewall rules for a typical installation.

Connection            Source IP    Source Port   Target IP      Target Port
Open HTTP (80)        Any          Any           Apache IP      80
Open HTTPS (443)      Any          Any           Apache IP      443
Apache to Tomcat 1    Apache IP    Any           Tomcat 1 IP    8443
Apache to Tomcat 2    Apache IP    Any           Tomcat 2 IP    8443
Apache to Tomcat 3    Apache IP    Any           Tomcat 3 IP    8443
Etc.

Allowing all traffic from Apache to the Tomcat servers on the network firewall is usually secure enough.

Once the firewall updates are completed, verify that requests from Apache to port 8443 on the Tomcat servers are working. Tomcat may already be configured to listen on this port, so make sure to stop Tomcat on the servers while testing! I recommend using NetCat to test. NetCat can listen on a port and can send a message to a port, so to test whether a connection can be made, NetCat needs to run on both sides. On the Tomcat server, run NetCat listening on port 8443 -- `nc -l 8443`. The terminal should not return a prompt until NetCat receives a request. Then, from the Apache server, run NetCat with the following parameters -- `nc -zw 2 <Tomcat IP> 8443`, substituting "<Tomcat IP>" with the actual value (`-z` sends no data and `-w 2` gives up after two seconds). This should return a success message if the connection can be made.

The prerequisites are the hard part.

Tomcat Configuration

Server.xml Connector Addition

Tomcats will need to have a new connector configured in server.xml. Start with the 8443 HTTPS connector and add/update the following:

    <Connector port="8443" ...
        scheme="https"
        secure="true"
        SSLEnabled="true"
        proxyPort="443"
        proxyName="your_company_domain_name"
    />

Most of those are standard. (See the Tomcat documentation for help optimizing connector settings.) The proxy settings are simply values that are passed to your code in the request, replacing the actual values. For example, if your code queries the server name, Tomcat will reply with the proxyName value. Likewise, scheme and secure are simply values to be queried by application code.

Server.xml jvmRoute Addition

To enable sticky sessions, the jvmRoute attribute needs to be set on the Engine stanza.

    <Engine name="Catalina" defaultHost="localhost" jvmRoute="tomcat1">

The value for jvmRoute needs to match the identifier for the Tomcat server defined in Apache. (See below.)

Apache Configuration

Install Mod_Proxy*

Most Linux distributions install Mod_Proxy* plugins by default. This is one of the main advantages of using these modules. If you do not see proxy*.load files in your Apache installation, check with the distribution on how to download and install these common modules.

Load Plugins

The plugins need to be loaded and configured. This can be done directly in httpd.conf or included from another file. First check whether the modules listed below were already loaded in another file during installation by searching the Apache config files. If not, load them manually by adding the following lines:

LoadModule proxy_module <path-to-modules>/mod_proxy.so
LoadModule proxy_balancer_module <path-to-modules>/mod_proxy_balancer.so
LoadModule proxy_http_module <path-to-modules>/mod_proxy_http.so

Where "<path-to-modules>" is the directory containing the module files, usually one named modules.

Note that some distributions, like Debian and Ubuntu, provide the a2enmod command, which updates the Apache configuration to load the modules:

$ sudo a2enmod proxy proxy_http proxy_balancer && sudo service apache2 restart

Configure Proxy Load Balancer

Next, the proxy modules need to be configured. In this case, the route names will be matched against the jvmRoute values from the Tomcat server.xml files.

<IfModule proxy_module>
    ProxyRequests Off
    # The Tomcat connector on 8443 is SSLEnabled, so Apache must proxy over HTTPS (requires mod_ssl)
    SSLProxyEngine On
    ProxyPass /uPortal balancer://mycluster stickysession=JSESSIONID
    ProxyPassReverse /uPortal balancer://mycluster
    <Proxy balancer://mycluster>
        BalancerMember https://<tomcat 1 IP or servername>:8443/uPortal route=tomcat1
        BalancerMember https://<tomcat 2 IP or servername>:8443/uPortal route=tomcat2
        ...
    </Proxy>
</IfModule>

Here, only the /uPortal context is being proxied. This can be changed to / to proxy all requests, or specific contexts can be added as needed (e.g. portlet API endpoints).
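The jvmRoute/route matching described in the Server.xml jvmRoute section and the balancer block above, as an added example that is not part of this page or of uPortal: it parses the BalancerMember route= values and the Engine jvmRoute values, reports mismatches, and shows how the suffix Tomcat appends to JSESSIONID selects the sticky member. The host names are constructed placeholders, and the round-robin fallback is a simplification of mod_proxy_balancer's lbmethod.

```python
"""Added illustration of jvmRoute / route= agreement and JSESSIONID sticky routing.
Not uPortal or Apache code; the config samples below are constructed."""
import re
from typing import Optional

# Constructed sample of the <Proxy balancer://mycluster> block; hosts are placeholders.
APACHE_BALANCER = """
<Proxy balancer://mycluster>
    BalancerMember https://tomcat1.example.internal:8443/uPortal route=tomcat1
    BalancerMember https://tomcat2.example.internal:8443/uPortal route=tomcat2
</Proxy>
"""
# Constructed sample Engine lines, one per Tomcat server.xml.
SERVER_XML_ENGINES = [
    '<Engine name="Catalina" defaultHost="localhost" jvmRoute="tomcat1">',
    '<Engine name="Catalina" defaultHost="localhost" jvmRoute="tomcat2">',
]

MEMBER_RE = re.compile(r'BalancerMember\s+(\S+)\s+route=(\S+)')
JVMROUTE_RE = re.compile(r'jvmRoute="([^"]+)"')


def balancer_members(conf: str) -> dict:
    """Map route name -> backend URL from the balancer block."""
    return {route: url for url, route in MEMBER_RE.findall(conf)}


def jvm_routes(engine_lines) -> set:
    """Collect every jvmRoute value found in the Engine elements."""
    return {m.group(1) for m in map(JVMROUTE_RE.search, engine_lines) if m}


def route_mismatches(conf: str, engine_lines):
    """(jvmRoutes Apache does not know, routes no Tomcat uses); both empty when correct."""
    apache, tomcat = set(balancer_members(conf)), jvm_routes(engine_lines)
    return sorted(tomcat - apache), sorted(apache - tomcat)


def session_route(cookie_header: str) -> Optional[str]:
    """Tomcat appends '.' + jvmRoute to the session id; return the part after the first dot."""
    m = re.search(r'(?:^|;\s*)JSESSIONID=([^;]+)', cookie_header)
    if not m or '.' not in m.group(1):
        return None
    return m.group(1).split('.', 1)[1]


def pick_member(cookie_header: str, conf: str, rr_state: list) -> str:
    """Sticky when the cookie's route names a member; otherwise a simplified round-robin."""
    members = balancer_members(conf)
    route = session_route(cookie_header)
    if route in members:
        return members[route]
    order = list(members)  # new or unroutable session: rotate through the members
    url = members[order[rr_state[0] % len(order)]]
    rr_state[0] += 1
    return url
```

A jvmRoute that appears in a Tomcat server.xml but in no BalancerMember route= shows up in the first list returned by route_mismatches, which is exactly the misconfiguration that silently breaks sticky sessions.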

Redirecting HTTP to HTTPS

An option to consider is redirecting all HTTP traffic on port 80 to HTTPS on port 443. See the Apache documentation on mod_rewrite.

Test Configuration

Restart Apache and test that the configuration is working. Open a browser and point it to https://<apache_server>/uPortal/ .


Having problems with these instructions?

Please send us feedback at uportal-user@lists.ja-sig.org