The mod_proxy Cookbook: A collection of proxy recipes to suit your discerning palate - Daniel Ruggeri (PowerPoint PPT presentation)


  1. The mod_proxy Cookbook
     A collection of proxy recipes to suit your discerning palate
     Daniel Ruggeri

  2. Who is This Guy?
     ● About Daniel Ruggeri
       – Infrastructure guy with a love for code
       – DRuggeri <at> apache.org
     ● Standard Disclaimer
       – I'm speaking personally and not on behalf of my employer. The examples and comments are my personal opinions and should not be considered the official practices or positions of MasterCard.

  3. Between You and Lunch
     ● About this presentation
       – Not just mod_proxy
       – Know thine application
     ● Warning – eye charts ahead!
       – Examples may be hard to read
       – Included for completeness
     ● Download this presentation!
       – http://people.apache.org/~druggeri/presentations/proxyCookbook.odp

  4. What's New and Hot?
     Embers - Ed Suominen - CC BY-NC 2.0 - https://www.flickr.com/photos/edsuom/

  5. Newness - websockets
     ● WebSocket (RFC6455) support
       – Full duplex socket
       – Upgraded connection via HTTP/1.1
         LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
         ProxyPass /ws2/ ws://echo.websocket.org/
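The slide maps a whole prefix to ws://, which only works when nothing but WebSocket traffic lives under that path. The more common case is an application whose /app/ prefix serves ordinary HTTP and one or more WebSocket endpoints. The following added example (not from the presentation) hands only requests that actually carry an Upgrade: websocket header to mod_proxy_wstunnel and keeps everything else on mod_proxy_http, with both legs over TLS and the backend certificate verified. The hostnames, ports, certificate paths and the /app/ prefix are assumptions.

```apache
LoadModule proxy_module          modules/mod_proxy.so
LoadModule proxy_http_module     modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule rewrite_module        modules/mod_rewrite.so
LoadModule ssl_module            modules/mod_ssl.so

<VirtualHost *:443>
    ServerName www.example.com          # assumed public name
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Client asked for an upgrade: tunnel it as wss:// via mod_proxy_wstunnel.
    # Both headers are checked so a stray "Upgrade:" value on a plain request
    # does not get tunnelled. [P] hands the rewritten URL to mod_proxy.
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade}    =websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade    [NC]
    RewriteRule ^/app/(.*)$ wss://app.internal:8443/app/$1 [P,L]

    # Back-end TLS for both the http and the wstunnel leg: turn the proxy's
    # SSL client on and refuse backends whose certificate does not chain to
    # the internal CA or does not match the name in the URL.
    SSLProxyEngine            on
    SSLProxyVerify            require
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem   # assumed path
    SSLProxyCheckPeerName     on

    # Everything that was not upgraded stays ordinary reverse-proxied HTTP.
    ProxyPass        /app/ https://app.internal:8443/app/
    ProxyPassReverse /app/ https://app.internal:8443/app/
</VirtualHost>
```

Ordering matters: mod_rewrite runs before ProxyPass mapping, so the upgrade rule wins for WebSocket handshakes and ProxyPass handles the rest. Without SSLProxyVerify the wss:// leg would still encrypt but would accept any certificate the backend presents.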

  6. Newness - UDS
     ● Unix Domain Socket
       – Local connection only
       – A socket without all that TCP stuff
       – Pipe separates the socket path from the URL whose scheme and host are used for the request (2.4.7+)
         ProxyPass / unix:/var/run/superApp.sock|http://localhost/

  7. Newness - mod_proxy_express
     ● Express
       – Mass name-based, switch-like proxying
       – Target server selection is driven by a DBM file keyed on the request's Host header
     DBM file:
       www.homeawayfromhome.com    http://10.0.1.25
       login.homeawayfromhome.com  http://10.0.2.15
     Config file:
       ProxyExpressEnable on
       ProxyExpressDBMFile /path/to/mapfile

  8. One done - Daniel Kulinski - CC BY-NC-SA 2.0 - https://www.flickr.com/photos/didmyself/6530389351

  9. How to Be a Good Proxy
     ● Connection Marshaling/Protocol Enforcement
     ● Load Balancing/Session Stickiness
     ● Connection Pooling/TCP and SSL Offload
     ● Failover/Health Monitoring
     ● Dynamic Modification
     ● Traffic shaping/Caching/Compression
     ● Attack Mitigation (Security)

  10. Connection Marshaling/Protocol Enforcement
      Dalian Traffic Cops 06 - SnoShuu - CC BY-NC-ND 2.0 - https://www.flickr.com/photos/snoshuu/

  11. Playing Traffic Cop
     ● Separates clients and servers
     ● The difference between forward and reverse proxy
       – What does the client know? A forward proxy's client names the real origin and asks the proxy to fetch it; a reverse proxy's client sees only the proxy.
     ● Forward proxy
       – mod_proxy_connect for SSL (CONNECT tunnels)
     ● Reverse proxy uses mod_proxy_(ajp|http|ftp|scgi|fcgi|wstunnel)
       – mod_ssl and SSLProxyEngine for SSL to the backend

  12. Forward Proxy Example
     ● WARNING: Do not proceed until you know how to lock this down! With ProxyRequests On, anyone who can reach this listener can relay arbitrary requests (and CONNECT tunnels) through your server.
       LoadModule proxy_connect_module modules/mod_proxy_connect.so
       <VirtualHost 10.1.2.3:8888>
         ProxyRequests On
         <Proxy *>
           Require ip 192.168
         </Proxy>
       </VirtualHost>
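The slide's lock-down is a single IP prefix. An added example (not from the presentation) of what "knowing how to lock this down" looks like in practice: bind only to the internal interface, restrict CONNECT to the HTTPS port so the tunnel cannot be used to reach arbitrary TCP services, refuse destinations that should never be reachable through a proxy, and keep ProxyRequests Off everywhere else. The interface address, port and blocked destinations are assumptions.

```apache
LoadModule proxy_module         modules/mod_proxy.so
LoadModule proxy_http_module    modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

# Listen on the internal address only; a forward proxy on a public
# address is an open relay the moment the ACL is wrong.
Listen 10.1.2.3:8888                      # assumed internal interface

<VirtualHost 10.1.2.3:8888>
    ServerName proxy.internal             # assumed name
    ProxyRequests On
    ProxyVia On                           # record the hop in Via:

    # CONNECT is an opaque TCP tunnel. Without this, clients can tunnel
    # to SMTP, SSH, databases... anything the proxy host can reach.
    AllowCONNECT 443

    # Who may use the proxy. "Require ip 192.168" is a prefix match on
    # 192.168.0.0/16; the CIDR form says the same thing unambiguously.
    <Proxy "*">
        Require ip 192.168.0.0/16
    </Proxy>

    # Destinations that must never be fetched on a client's behalf:
    # the proxy host itself and link-local cloud metadata endpoints.
    # ProxyBlock matches hosts/IPs (names are resolved at startup).
    ProxyBlock 127.0.0.1 169.254.169.254

    ErrorLog  logs/forward-proxy_error.log
    CustomLog logs/forward-proxy_access.log combined
</VirtualHost>

# Every other virtual host on this server is a web server or reverse
# proxy and keeps the default. Never combine the two in one vhost.
<VirtualHost *:80>
    ServerName www.example.com
    ProxyRequests Off
</VirtualHost>
```

The `<Proxy "*">` block applies to proxied requests only; it does not protect any local content the same vhost serves, and it does not stop a client inside 192.168.0.0/16 from using the proxy to reach hosts the proxy machine can see. ProxyBlock is the control for that second problem.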

  13. Reverse Proxy Examples
     ● In a Location block
       <Location /application>
         ProxyPass http://backend.local/application
       </Location>
     ● Standalone ProxyPass directive
       ProxyPass /application http://backend.local/application
       ProxyPassReverse /application http://backend.local/application

  14. Reverse Proxy Examples
     ● As a ProxyPassMatch (with a regex the target is used as written, so the captured path must be carried through as $1)
       ProxyPassMatch ^/application/(.*\.do)$ http://backend.local/application/$1
     ● In the Rewrite engine
       RewriteCond %{HTTP_COOKIE} TOP_SECRET_ACCESS
       RewriteRule ^/admin/(.*) http://backend.local/admin/$1 [P]
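The pieces on slides 13 and 14 put together as one reverse-proxy vhost, added here as an example that is not part of the presentation. It shows the directives a practitioner reaches for around a bare ProxyPass: an explicit ProxyRequests Off, exclusions placed before the broader mapping they carve out of, ProxyPassReverse so backend redirects point at the public name, and an admin path gated on the client's network instead of on the presence of a cookie name, which any client can set. The hostnames, ports, paths and networks are assumptions.

```apache
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so
LoadModule ssl_module        modules/mod_ssl.so

<VirtualHost *:443>
    ServerName www.example.com            # assumed public name
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Reverse proxy only. Off is the default; stating it guards against a
    # copied "ProxyRequests On" turning this vhost into an open proxy.
    ProxyRequests Off
    # Pass the client's Host header through so the backend builds its
    # redirects and cookies for the public name instead of backend.local.
    ProxyPreserveHost On

    # Exclusions must precede any broader ProxyPass that would match them.
    ProxyPass /static/      !
    ProxyPass /.well-known/ !

    ProxyPass        /application/ http://backend.local:8080/application/
    ProxyPassReverse /application/ http://backend.local:8080/application/

    # Admin area. Slide 14 gates this on a cookie named TOP_SECRET_ACCESS;
    # a source-network (or client-certificate) check is the real control.
    # Inside <Location> the ProxyPass path argument is omitted.
    <Location "/admin/">
        Require ip 10.0.0.0/8             # assumed admin network
        ProxyPass        http://backend.local:8080/admin/
        ProxyPassReverse http://backend.local:8080/admin/
    </Location>

    # Drop any X-Forwarded-For the client supplied. mod_headers runs before
    # the proxy handler, which then appends the real client address, so the
    # backend sees exactly one trustworthy value.
    RequestHeader unset X-Forwarded-For
</VirtualHost>
```

The backend should in turn trust X-Forwarded-For only when the connection comes from this proxy's address; stripping the header here is what makes that trust safe.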

  15. Reverse Proxy Examples
     ● As a Balancer (the <Proxy balancer://...> block defines the balancer; each BalancerMember is a worker)
       <Proxy balancer://mycluster>
         BalancerMember http://1.2.3.4:8009 route=Mercury
         BalancerMember http://1.2.3.5:8009 route=Venus
         ProxySet lbmethod=byrequests nonce=None stickysession=JSESSIONID
       </Proxy>
       ProxyPass /myApp/ balancer://mycluster/myApp/
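One parameter on that slide deserves a caveat: nonce=None switches off the per-balancer nonce that balancer-manager demands on every state-changing request (enable/disable/drain a worker, change load factors). With it disabled, any page a logged-in administrator visits can drive the manager with a forged cross-site request. The following added example (not from the presentation) keeps the default nonce, loads the modules a 2.4 balancer needs, and exposes the manager only to an administrative network. Addresses, route names and paths are assumptions.

```apache
LoadModule proxy_module               modules/mod_proxy.so
LoadModule proxy_http_module          modules/mod_proxy_http.so
LoadModule proxy_balancer_module      modules/mod_proxy_balancer.so
# In 2.4 each lbmethod is its own module; 2.2 built them into mod_proxy_balancer.
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
# Shared memory for worker state so balancer-manager changes are seen by all children.
LoadModule slotmem_shm_module         modules/mod_slotmem_shm.so

<Proxy "balancer://mycluster">
    BalancerMember http://10.0.1.11:8080 route=w1    # assumed workers
    BalancerMember http://10.0.1.12:8080 route=w2
    # No nonce=None: the default random nonce is the token the manager
    # requires, and it is what stops cross-site requests from altering state.
    ProxySet lbmethod=byrequests stickysession=JSESSIONID
</Proxy>

# The manager URL must never be forwarded to a backend, so its exclusion
# comes before any ProxyPass that could match it.
ProxyPass /balancer-manager !
ProxyPass        /myApp/ balancer://mycluster/myApp/
ProxyPassReverse /myApp/ balancer://mycluster/myApp/

# Reachable from the admin network only; everyone else gets 403.
<Location "/balancer-manager">
    SetHandler balancer-manager
    Require ip 10.0.0.0/8                            # assumed admin network
</Location>
```

If the manager is not needed at all, omit the `<Location>` block entirely; the balancer works without it.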

  16. Reverse Proxy Examples
     ● As a DB (2.4)
       ProxyExpressEnable on
       ProxyExpressDBMFile /path/to/mapfile
     ● As a Handler (2.4.10+)
       <FilesMatch \.php$>
         # Unix sockets require 2.4.7 or later
         SetHandler "proxy:unix:/path/to/app.sock|fcgi://localhost/"
       </FilesMatch>

  17. Load Balancing/Traffic Distribution
      network - Martin Abegglen - CC BY-SA 2.0 - https://www.flickr.com/photos/twicepix/4333178624

  18. Load Distribution
     ● byrequests – Perform balancing based solely on the number of requests served
     ● bytraffic – Perform balancing by byte count transferred (request and response bodies)
     ● bybusyness – Perform balancing based on how many pending requests exist for a backend
     ● heartbeat – Perform balancing based on what mod_heartbeat tells us
     ● ??? – Some rumblings of what is coming

  19. Load Distribution
     ● Asymmetric distribution
       – loadfactor option for BalancerMember
       – higher number == higher load
     ● +H option for hot-standby
       – Disables worker until others are unavailable
       – Don't forget lbset as another option
     ● Selective proxying using ! and ordering
       – Do not proxy certain paths

  20. Example: Weighting
       <Proxy balancer://mycluster>
         BalancerMember http://1.2.3.4:8009 loadfactor=2
         BalancerMember http://1.2.3.5:8009 smax=10 loadfactor=2
         #Less powerful server – fewer requests
         BalancerMember http://1.2.3.6:8009 smax=1 loadfactor=1
       </Proxy>
       ProxyPass / balancer://mycluster/ stickysession=JSESSIONID

  21. Example: Hot Standby
       <Proxy balancer://hotcluster>
         BalancerMember http://1.2.3.4:8009
         BalancerMember http://1.2.3.5:8009
         #Hot standby
         BalancerMember http://1.2.3.6:8009 status=+H
         ProxySet lbmethod=bytraffic
       </Proxy>
       ProxyPass / balancer://hotcluster/

  22. Example: Selective Proxying
       <Proxy balancer://AppCluster1>
         BalancerMember http://1.2.3.4:8009
         BalancerMember http://1.2.3.5:8009
       </Proxy>
       <Proxy balancer://AppCluster2>
         BalancerMember http://9.8.7.6:8080
         BalancerMember http://9.8.7.5:8080
       </Proxy>
       ProxyPass /static/ !
       ProxyPass /applicationA/ balancer://AppCluster1/
       ProxyPass /applicationB/ balancer://AppCluster2/
       ProxyPass / balancer://hotcluster/

  23. Worker Statuses
     ● Disabled (D) – Worker is disabled and will not accept any requests.
     ● Stopped (S) – Worker is administratively stopped.
     ● Ignore Errors (I) – Will always be considered available.
     ● Hot Standby (H) – Will only be used if no other viable workers are available.
     ● Error (E) – Will not be used due to error.
     ● Drain (N) – Will only accept existing sticky sessions for its route.
     ● Redirect* – Not a status flag but the worker's redirect=<route> parameter: new requests without a session for this worker go to the worker whose route matches.

  24. Sticky Sessions
      Gecko-017 - VinceFL - CC BY-NC-ND 2.0 - https://www.flickr.com/photos/vlopresti1964/9780815161

  25. Session Persistence
     ● Session replication can be expensive
     ● Built-in (as designed)
       – mod_proxy_balancer includes facilities to do this
       – Not always compatible or easy
     ● Roll your own
       – Use the built-in functions but tweak to your liking
     ● Route parameter comes into play

  26. A Sticky Matter
     ● Many different formats for session identifiers based on backend.
       – Cookies, URLs, formats, etc.
     ● You have to know a lot
       – Name of the cookie
       – Values contained
     ● Built-in is not 100% compatible.
       – (2.2) Requires dot or semicolon as a delimiter
       – (2.4) stickysessionsep can be anything

  27. Universal Sticky!!!
       LoadModule headers_module modules/mod_headers.so
       <Proxy balancer://DanielCluster>
         BalancerMember http://1.2.3.4:8009 route=mercury
         BalancerMember http://1.2.3.5:8009 route=venus
         ProxySet stickysession=DanielsApp_STICKY
       </Proxy>
       Header add Set-Cookie "DanielsApp_STICKY=sticky.%{BALANCER_WORKER_ROUTE}e;path=/;" env=BALANCER_ROUTE_CHANGED
       ProxyPass /daniel/ balancer://DanielCluster/daniel/
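The recipe works because mod_proxy_balancer takes the text after the separator (default ".") in the stickysession cookie as the route, so "sticky.mercury" selects the worker with route=mercury. Two things a practitioner would change before shipping it, shown in this added example (not from the presentation): the cookie is set without HttpOnly or Secure, and its value tells every client the name of the backend it landed on, so use opaque route names. Addresses, route names and the cookie path are assumptions.

```apache
LoadModule headers_module        modules/mod_headers.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

<Proxy "balancer://DanielCluster">
    # Opaque routes: the value leaves the server in a cookie, so it should
    # not name the host, rack or role of the backend.
    BalancerMember http://1.2.3.4:8009 route=a3f9       # assumed route ids
    BalancerMember http://1.2.3.5:8009 route=7c21
    ProxySet stickysession=DanielsApp_STICKY
</Proxy>

# BALANCER_ROUTE_CHANGED is set by mod_proxy_balancer only when the request
# had no usable route or was moved to another worker, so the cookie is issued
# once per (re)assignment rather than on every response. The route follows
# the default separator ".", which is all the balancer looks at on the way in.
Header add Set-Cookie "DanielsApp_STICKY=sticky.%{BALANCER_WORKER_ROUTE}e; Path=/daniel/; HttpOnly; Secure; SameSite=Lax" env=BALANCER_ROUTE_CHANGED

ProxyPass        /daniel/ balancer://DanielCluster/daniel/
ProxyPassReverse /daniel/ balancer://DanielCluster/daniel/
```

The attributes do not affect routing: browsers send back only the name=value pair, so the balancer still finds "sticky.a3f9" and strips everything up to and including the dot. Secure presumes the site is served over HTTPS; on a plain-HTTP test instance the browser will never return the cookie and every request will look new.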

  28. Connection Pooling/TCP and SSL Offload
      Quiet Cove pool at night - Ricky Brigante - CC BY-NC-ND 2.0 - https://www.flickr.com/photos/insidethemagic/7021197905

  29. Get in the Pool
     ● So easy it is almost automatic
     ● Parameters
       – max: hard maximum number of connections to the backend
       – smax: soft maximum; idle connections above it are cleaned up aggressively once older than ttl
       – ttl: seconds an idle connection may live before it is retired
     ● Other parameters come into play
       – The pool is kept per httpd child process, so max is a per-process limit, not a server-wide one
     ● Complications...
       – TCP/HTTP Keepalive

  30. Example: Connection Pooling
       <Proxy balancer://myCluster>
         BalancerMember http://1.2.3.4:8009 smax=7 max=10 ttl=10
         BalancerMember http://1.2.3.5:8009 smax=7 max=10 ttl=10
       </Proxy>
       ProxyPass / balancer://myCluster/

  31. Leave the Tough Stuff to Me
     ● Funnel all traffic into the pipeline
       – Many client requests <-> one pooled backend connection
       – keepalive is a beautiful thing
     ● SSL benefits as well
       – HTTPS from clients to HTTPD
       – Can run HTTP or HTTPS to the backend
       ● Either will be more efficient!
     ● Node.js use case

  32. Failover/Health Monitoring
      Doctor Visit - Laura Smith - CC BY-NC-ND 2.0 - https://www.flickr.com/photos/blushingmulberry/4182291013

  33. Failure Detection
     ● Failover capability for connection only
       – Connection errors fail over to the next backend seamlessly.
     ● SSL errors go back to the user.
       – ... and the worker is taken out of service as of 2.2.18.
     ● Hung/slow backend errors go back to the user.
       – ... but the worker can be taken out of service as of 2.2.25/2.4.5 with failontimeout.

  34. I Don't Feel So Well
     ● No health check capability
       – Requires real, live traffic
     ● Must come up with a way to work around it
     ● In the future...
       – Scratch your own itch, Daniel!

  35. Mitigating Controls
     ● connectiontimeout
       – Sets the number of seconds to wait for a TCP connection.
     ● ProxyTimeout and failontimeout
       – Fail faster and mark the backend out of service
       – Warning: this may be bad for you (a slow shared dependency can push every worker into error state at once)
     ● failonstatus
       – Mark a backend out of service if a specific HTTP status code is returned
     ● Monitoring
       – Create external monitoring to force traffic through HTTPD.
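The controls on slides 33 to 35 combined into one balancer, as an added example that is not from the presentation. Per-worker parameters bound how long a connect and a response may take and how long a failed worker stays benched; the balancer-level failonstatus and failontimeout turn application errors and read timeouts into error state so the next request goes elsewhere. The warning on the slide is real: if all workers share the dependency that is slow, this configuration takes them all out together and clients get 503 until retry expires, so the retry value is the upper bound on that outage. Addresses, paths, status codes and timings are assumptions. (Later releases, 2.4.21 and up, added mod_proxy_hcheck for active health checks, which closes the gap slide 34 describes; it is not shown here.)

```apache
LoadModule proxy_module               modules/mod_proxy.so
LoadModule proxy_http_module          modules/mod_proxy_http.so
LoadModule proxy_balancer_module      modules/mod_proxy_balancer.so
LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
LoadModule slotmem_shm_module         modules/mod_slotmem_shm.so

# Server-wide default for waiting on a backend response; the per-worker
# timeout= below overrides it for these members.
ProxyTimeout 60

<Proxy "balancer://appcluster">
    # connectiontimeout: seconds to wait for the TCP connect before failing
    #                    over to the next worker (the slide's "seamless" case)
    # timeout:           seconds to wait for the backend to answer once connected
    # retry:             seconds an errored worker stays out before it is tried again
    BalancerMember http://10.0.1.11:8080 connectiontimeout=2 timeout=30 retry=15   # assumed
    BalancerMember http://10.0.1.12:8080 connectiontimeout=2 timeout=30 retry=15

    # failonstatus:  any of these codes from the backend puts the worker in
    #                error state (2.2.17+/2.4). Choose codes that mean "this
    #                node is broken", not ones a healthy app returns for a
    #                bad request, or one client can bench your whole cluster.
    # failontimeout: a read timeout after the request was sent does the same
    #                (2.2.25/2.4.5+) instead of only returning 502/504 to the user
    ProxySet lbmethod=bybusyness failonstatus=500,502,503 failontimeout=On
</Proxy>

ProxyPass        /app/ balancer://appcluster/app/
ProxyPassReverse /app/ balancer://appcluster/app/
```

With these values a dead backend costs a client at most two seconds (the connect timeout) before failover, while a hung one costs thirty seconds for the first unlucky request and then nothing for the next fifteen.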

  36. Dynamic Modification
      The Pleasant Glow of Good Music - Bob Prosser - CC BY-NC-ND 2.0 - https://www.flickr.com/photos/b-love/9723724344
