Multiple load balancers Tomcat is it Viable? - haproxy

Question:
Could HAProxy and Mod_Cluster and Tomcat be used together ?
Either Mod_Cluster+Tomcat or HAProxy+Tomcat, but not HAProxy+Mod_Cluster+Tomcat unless we are setting up multiple load balancers, correct?

You can chain mod_cluster Apache HTTP Server balancer behind HAProxy, both in TCP and HTTP mode, in front of Tomcat. You could also use mod_cluster Apache HTTP Server balancer and HAProxy side-by-side, having them both sending requests to your Tomcats. The latter makes much less sense though.
If you tell me what you would like to achieve and in which environment, I could help you architect the right solution. For instance: Azure, multiple datacentres, VMs, clients are plain HTTP embedded devices or Docker containers on Tutum/Docker Cloud, clients use HTTPS and certificate for authentication. You can / cannot use AJP internally between mod_cluster and Tomcat etc. Help me help you :-) -K-

Related

Gatling with load balanced IP hash Nginx

I'm load testing a Tomcat web application with 4 nodes. Those nodes are configured through Nginx with ip_hash:
ip_hash;
server example:8888 weight=2 max_fails=3 fail_timeout=10s;
server example:8888 weight=4 max_fails=3 fail_timeout=10s;
server example:8888 weight=2 max_fails=3 fail_timeout=10s;
server example:8888 weight=2 max_fails=3 fail_timeout=10s;
Anyway, I use Gatling for load and performance testing, but every time I start a test all traffic is routed to one node. Only when I change the load balance node to least_conn or round robin is the traffic divided. But this application needs a persistent node to do the work.
Is there any way to let Gatling route the traffic to all 4 nodes during a run? Maybe with a setup configuration? I'm using this setUp right now:
setUp(scenario1.inject(
atOnceUsers(50),
rampUsers(300) over (1800 seconds),
).protocols(httpConf)
)
Thank you!
ip_hash;
Specifies that a group should use a load balancing method where requests are distributed between servers based on client IP addresses.
You should use sticky:
Enables session affinity, which causes requests from the same client to be passed to the same server in a group of servers.
Edit:
Right, I didn't see that it's for nginx plus only :(
I found this post (maybe it helps...):
https://serverfault.com/questions/832790/sticky-sessions-with-nginx-proxy
Reference to: https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng
There is also a version of the module for older versions of nginx:
http://dgtool.treitos.com/2013/02/nginx-as-sticky-balancer-for-ha-using.html
Reference to: https://code.google.com/archive/p/nginx-sticky-module/
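Why the test above lands on a single node, as an added example that is not part of the original question or answer: a Python model of how ip_hash picks a server, run against the question's weights. The server names and client addresses are constructed, and the hash constants and first-three-octets key are an assumption modelled on the open-source nginx ip_hash module; max_fails and fail_timeout handling is left out.

```python
import ipaddress

# Constructed upstream: names are placeholders, weights copied from the question.
SERVERS = [("node1", 2), ("node2", 4), ("node3", 2), ("node4", 2)]


def ip_hash_pick(client_ip, servers=SERVERS):
    """Model of ip_hash for IPv4: only the first three octets feed the hash."""
    key = ipaddress.IPv4Address(client_ip).packed[:3]
    h = 89  # assumed seed, modelled on the nginx module
    for byte in key:
        h = (h * 113 + byte) % 6271
    w = h % sum(weight for _, weight in servers)
    # Walk the weighted list until the remainder falls inside a server's share.
    for name, weight in servers:
        if w < weight:
            return name
        w -= weight


def distribution(client_ips):
    """Count how many of the given client addresses map to each server."""
    counts = {name: 0 for name, _ in SERVERS}
    for ip in client_ips:
        counts[ip_hash_pick(ip)] += 1
    return counts


def single_generator(users=350):
    # 50 + 300 virtual users, all sharing the load generator's one source IP.
    return distribution(["192.0.2.10"] * users)


def same_subnet():
    # Spreading the generator over one /24 does not help: same first three octets.
    return distribution(f"192.0.2.{host}" for host in range(1, 255))


def many_subnets():
    # Clients in distinct /24 networks do spread across all four servers.
    return distribution(f"10.0.{net}.1" for net in range(256))


if __name__ == "__main__":
    print("one generator :", single_generator())
    print("one /24       :", same_subnet())
    print("256 x /24     :", many_subnets())
```

Under this model, a load test only exercises every node with ip_hash when its source addresses differ in the first three octets; otherwise stickiness has to be keyed on something per user, such as a session cookie.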

Sip Servlets clustering on wildfly

I have started using Mobicents (aka Restcomm) SIP servlets with Wildfly 10, but I could not find clear answers in the documentation or anywhere else for the questions I have below.
1) Do SIP servlets support the standalone-ha model, such as in a SIP dialog failover scenario? For example, in an established call, if node one fails, will node two accept subsequent invites or return a 404-like response?
2) Is it required to use Mobicents (aka Restcomm) load balancer even if there is a sip load balancer in front of the servers ?
3) Does the SIP application configuration, code, etc. change between standalone and standalone-ha mode? Or is it handled by Wildfly, ActiveMQ, Infinispan?
Thanks
1) Restcomm SIP Servlets on Wildfly 10 doesn't support replication yet. Only Restcomm SIP Servlets on Wildfly 7 supported product from TeleStax supports replication, Wildfly 10 is expected to be supported later this year.
2) Nope but you need to make sure your load balancer can support SIP Session affinity to always route messages from a given dialog to the same node.
3) No changes should be needed to the application. Only be conscious of what you replicate as it adds overhead in terms of network traffic and memory usage.

Deploy application to wildfly on a certain port

By default, applications in wildfly are deployed to localhost:8080/app. How to deploy application on dedicated port, i.e. open it on localhost:8282 without application name ending?
I need to change the port for certain application, not the default port.
I have not tried this, but AFAICT it should be possible to:
run a single Wildfly instance listening on multiple HTTP ports. This is, in theory at least, possible (ref: https://developer.jboss.org/thread/233414?start=0&tstart=0)
Configure undertow subsystem as a reverse proxy, and proxy your app to the other port/location (ref: http://www.mastertheboss.com/jboss-server/wildfly-8/configuring-a-reverse-proxy-with-undertow). That said, I have never used undertow for a reverse proxy and as such cannot speak for whether this really works.
Once you have done this, you have effectively just turned your Wildfly instance into an overly complex application server and reverse proxy in one. Ultimately however, the app in question would still be running on both ports, but you redirect the traffic using the proxy the way you would like.
The same proxy configuration in an Apache (ref: https://httpd.apache.org/docs/current/mod/mod_proxy.html#forwardreverse or https://www.leaseweb.com/labs/2014/12/tutorial-apache-2-4-transparent-reverse-proxy/) or NGINX (ref: https://www.nginx.com/resources/admin-guide/reverse-proxy/) would be IMHO less complex and better tested in countless production scenarios.

Pingfederate SSO on port 9031

Why do SSO providers like Ping Federate run on ports that aren't well-known, like 9031? Does this enhance security? It seems like it just increases connectivity issues in organizations with strict firewall rules.
That's just a default semi-random port so that it doesn't clash with existing services on the same machine and is a high port so that the server can run under a non-privileged user account.
For production usage one would typically change it to 443 and/or run a reverse-proxy/loadbalancer in front of the SSO server (on port 443).
Generally security is managed at the perimeter of a network. For deployments I have been involved in, port 443 is predominately used for SSO (e.g. PingFederate) at the perimeter. For the internal network, I have seen two models, mainly (i) change the HTTPS port in PingFederate to 443, or (ii) utilize load balancer port forwarding from 443 to 9031. I usually see item (i) for Windows deployments and item (ii) for Linux deployments where reserved ports are avoided. There really isn't a true security enhancement for either pattern.
As Hans points out, PingFederate utilizes 9031 as a default so that conflicts with other processes on a server are avoided when first deploying the technology. As the SSO capability matures into an environment, the proper port for the service can be managed. The default port avoids issues when first installing that can be frustrating to folks new to the technology.

Highly available standalone java server built using J2SE

What is the best way to make a standalone Java server built using the J2SE Socket API highly available? Using an HTTP server would have been a good choice, especially for the built-in features e.g. security, clustering, transactions, etc., but the server should be capable of accepting TCP/IP socket connections from Java & non-Java clients (mainly legacy). Tomcat does not accept non-HTTP TCP/IP requests? Moreover, this post points out that using a servlet to implement a socket connection is not a good practice. What would be a good approach?
After exploring online, this is what I have come up with. A standalone Java application can be made highly available by using a combination of the following:
2 VM deployed with HAproxy and keepalived to form the highly available load balancing layer.
Keepalived will keep the load balancers in active-passive mode and the HAproxy will forward the requests to a cluster of backend socket based java server apps
At least 2 VM deployed with the custom socket based java server apps. The HAproxy servers will distribute the requests over these 2 VMs
Use at least 2 terracotta server to share the java server apps. Terracotta will provide the sharing of the memory and help the custom java servers to scale.
Use MySQL NDB Cluster for the database.
Any suggestions?