As most people know, Apache is a terrific open source web server. I
recently learned that it can also be configured as an inexpensive SSL
Offloading server, rather than purchasing a costly hardware solution.
In addition, it can perform gzip compression to reduce file sizes and
download times for your web pages.

For those who have read previous posts, you'll know that these are both
capabilities that Tomcat has, so what's the point of offloading? By
offloading these CPU-intensive operations to a different server, you
free up resources that can be used by your application server. On the
flip side, you then have an extra tier to send data through, which may
slow down the overall page delivery. In my opinion, the true benefit is
when you combine these abilities with Apache's load balancing features,
distributing traffic between two or more back-end servers.

This week, I worked to configure a new Apache installation to serve as
an SSL/GZip offloading server. In a future post, I hope to also explore
the load balancing capabilities and describe the setup. So without
further ado, here are the basic steps needed to configure Apache:

Step 1: Install Apache

First, you must install the Apache 2.2 web server. This guide won't go
into the details of the installation, which can be found on Apache's
web site. For Windows environments, you may want to install it as a
service as well. Note that if this is done on the same server as your
application server (i.e. Tomcat), you will need to move the application
server off of port 80/443, since these will be used by the Apache
proxy. (Any other ports should do fine.)

Step 2: Set Up Apache as a Reverse Proxy

A reverse proxy is a server that acts as your web site but, behind the
scenes, passes requests to your application server. First, enable the
proxy modules by uncommenting the following lines in the
conf/httpd.conf file:

    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    Include conf/extra/httpd-vhosts.conf

Then open up conf/extra/httpd-vhosts.conf. This file has some
instructions on how to configure the various elements. You must set up
the list of web site domains you have, and where the reverse proxy will
be pointing to. Here is a sample configuration:

    NameVirtualHost *:80
    <VirtualHost *:80>
        ServerName www.domain.com:80
        <Location />
            # Forward every request to the application server
            ProxyPass http://appserver:8080/
            # Rewrite redirects issued by the back end so they point at this proxy
            ProxyPassReverse http://appserver:8080/
        </Location>
    </VirtualHost>

This will take any requests for www.domain.com, and pull the pages from
appserver (port 8080). At this point, you can boot up Apache and your
application server, and requests should be proxied through Apache.
However, SSL and compression will not be working yet.

Step 3: Enable SSL

Next, uncomment the following lines in httpd.conf:

    LoadModule ssl_module modules/mod_ssl.so
    Include conf/extra/httpd-ssl.conf

Within conf/extra/httpd-ssl.conf, you must then configure a similar
VirtualHost as in step 2. Again, a sample configuration would be:

    <VirtualHost *:443>
        ServerName www.domain.com:443
        SSLEngine on
        # Note: this list keeps SSLv2, EXP (export-grade) and LOW suites;
        # the "+" prefix only moves them to the end of the preference order.
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile "C:/cert.pem"
        SSLCertificateKeyFile "C:/private.pem"
        BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        <Location />
            ProxyPass http://appserver:8080/
            # Rewrite back-end redirects so they point at this proxy
            ProxyPassReverse http://appserver:8080/
        </Location>
    </VirtualHost>

Note that SSLCertificateFile and SSLCertificateKeyFile will need to
point to your own certificate.pem and private_key.pem SSL files, which
we created in a previous post.

At this point, you should be able to connect to your web site via SSL,
even if your application server doesn't support it. Note that the
communication between Apache and your application server will not be
secure: that hop is plain HTTP.
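
A hardened variant of the step 3 virtual host, as an added example that is not part of the original post. It assumes Apache 2.4 with mod_headers loaded and an application that reads the X-Forwarded-Proto header; the host names and file paths are the post's own samples.

```apache
# Added example, not the original post's configuration.
# Assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
<VirtualHost *:443>
    ServerName www.domain.com:443
    SSLEngine on

    # Weak (step 3 as written): SSLv2, EXP and LOW suites stay in the list.
    # SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    # Corrected: drop the legacy protocol versions, allow only strong
    # suites, and let the server's preference order win over the client's.
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite      HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on

    SSLCertificateFile    "C:/cert.pem"
    SSLCertificateKeyFile "C:/private.pem"

    # Reverse proxy only: never act as a forward proxy for arbitrary hosts.
    ProxyRequests Off

    # The back end only ever sees plain HTTP, so tell it the client used
    # HTTPS (assumption: the application honours this header when it builds
    # redirects and sets cookies).
    RequestHeader set X-Forwarded-Proto "https"

    <Location />
        # This hop is unencrypted: keep it on a trusted network segment.
        ProxyPass        http://appserver:8080/
        # Takes the back-end URL, so redirects from appserver are rewritten
        # to the public https:// host.
        ProxyPassReverse http://appserver:8080/
    </Location>
</VirtualHost>
```

Running `httpd -t` checks the syntax before Apache is restarted.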

Step 4: Enable Compression

Again, in conf/httpd.conf, uncomment the following line:

    LoadModule deflate_module modules/mod_deflate.so

Then, add the following lines to the end of your conf/httpd.conf file:

    # Compress text-based responses
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
    # Record input size, output size and ratio for each compressed response
    DeflateFilterNote Input instream
    DeflateFilterNote Output outstream
    DeflateFilterNote Ratio ratio
    LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%)' deflate
    CustomLog logs/deflate.log deflate

These configurations will enable compression for HTML, plain text, XML,
CSS, and JavaScript files, and will also log the compression ratios in
a deflate.log file. This helps ensure that compression is working, and
you can disable these logs if you no longer need them.

Conclusion

At this point, everything should be running! To recap, we've set up
Apache to serve as a reverse proxy, then enabled both SSL and
compression using modules that come with the default installation of
Apache 2.2. Next time, we hope to cover load balancing within Apache.