I'm using Weblogic application server and Apache web server in my J2EE environment and planning to implement gzip compression of response.
Not sure, whether to implement compression on the Apache server or on the weblogic.
Unless you have a very good reason to not do so, you want to put the load of compression on the web servers since the app servers are already busy at doing other things. To use mod_weblogic together with mod_deflate, have a look at this post.
Depends whether you want the headers to be handled by apache or by the app server. You need to set the encoding type and content length headers to use gzip compression for http. Apache may be more potentially optimised for it.
Related
I have an app running on nodeJS/express and also using nginx. If I compress the served files on both systems, I suppose that slows the server response time. Therefore, when combining nginx with expressJS, do you use compression in express or compression in nginx? Or it simply doesn't matter!?
I know it may be opinion based, but I really wanted some feedback on this. Thanks in advance
NGINX supports also somewhat superior Brotli compression (aside from gzip), via 3rd party module.
So having all compression done in NGINX makes more sense.
TTFB should not be affected if you keep both (NGINX will figure out that the response is already compressed). But for that same reason (NGINX receiving an already compressed response), you won't be able to add Brotli compression support to it (if you keep it in expressJS), because the Brotli compression module expects an uncompressed response to work with.
I would like to setup mod_security as a stand alone instance protecting Tomcat instances against web application attacks. Would anyone know the pros and cons of doing this via installing mod_security as an Apache module versus installing mod_security on a reverse proxy? Has anyone implemented mod_security in either of these fashions? And if so is one preferred over the other?
There's really no difference in your two options. What non reverse proxy would you install the module on to protect Tomcat?
The question doesn't really make sense as they are both the same to you.
If you already have an Apache server, then you install ModSecurity in one of two ways:
In embedded mode by installing ModSecurity as module in the existing Apache instance you already have. The advantages are that you won't have to set up a separate Apache instance, and that the ModSecurity will have access to the environment that Apache runs under (so can see environment variables for example or log to same log files).
In a reverse proxy mode. This involves setting up a separate Apache instance, with ModSecurity on it only, and funnel all requests through it, before sending on the requests to your normal Apache. The advantages here are a dedicated web server just for ModSecurity, so you will not share resources with your existing version of Apache, if it is already resource hungry. Disadvantages are that it doubles your infrastructure and the complications that brings.
Personally I prefer option 1.
However, as you want to set up a dedicated web server in front of TomCat, the two options are identical for you. The new instance of Apache (or Nginx) that you set up will be running it in embedded mode and will act as a reverse proxy to your Tomcat server.
Personally I always think it's best to run a dedicated web server like Apache in front of any app server like Tomcat - especially on a public facing website. Granted Tomcat does include a pretty good web server (called Coyote), which may serve most of your web server needs, but a dedicated web server like Apache is more geared towards serving static content and contains other features for performance and security which make it a better end point server (including the ability to run ModSecurity for example!).
And just in case there is any confusion, Apache is actually short for Apache HTTP Server, and is sometimes called Apache httpd after the process that it runs. It is Apache's most popular bit of software hence why the name gets shortened, but Apache actually have lots of bits of software (including Apache Tomcat - usually shortened just to Tomcat).
It's the other way around as usual. It's possible to compress the communication between Apache and a J2EE server even though the client might not compressing the message?
Browser <- compressed or not -> Apache <- always compressed -> Jetty
Actually, as far as I know, AJP is always uncompressed. It's assumed that your web and application servers are "close" enough (in terms of network topology) to each other that compression is not useful, and just slows things down from the extra CPU processing.
If you're using HTTP between Apache and Jetty, then you can configure compression, yes, though I've not use Jetty and can't tell you how to configure that.
It seems that nginx buffers requests before passing it to the updstream server,while it is OK for most cases for me it is very bad :)
My case is like this:
I have nginx as a frontend server to proxy 3 different servers:
apache with a typical php app
shaveet(a open source comet server) built by me with python and gevent
a file upload server built again with gevent that proxies the uploads to rackspace cloudfiles
while accepting the upload from the client.
#3 is the problem, right now what I have is that nginx buffers all the request and then sends that to the file upload server which in turn sends it to cloudfiles instead of sending each chunk as it gets it (those making the upload faster as i can push 6-7MB/s to cloudfiles).
The reason I use nginx is to have 3 different domains with one IP if I can't do that I will have to move the fileupload server to another machine.
As soon as this [1] feature is implemented, Nginx is able to act as reverse proxy without buffering for uploads (bug client requests).
It should land in 1.7 which is the current mainline.
[1] http://trac.nginx.org/nginx/ticket/251
Update
This feature is available since 1.7.11 via the flag
proxy_request_buffering on | off;
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_request_buffering
According to Gunicorn, they suggest you use nginx to actually buffer clients and prevent slowloris attacks. So this buffering is likely a good thing. However, I do see an option further down on that link I provided where it talks about removing the proxy buffer, it's not clear if this is within nginx or not, but it looks as though it is. Of course this is under the assumption you have Gunicorn running, which you do not. Perhaps it's still useful to you.
EDIT: I did some research and that buffer disable in nginx is for outbound, long-polling data. Nginx states on their wiki site that inbound requests have to be buffered before being sent upstream.
"Note that when using the HTTP Proxy Module (or even when using FastCGI), the entire client request will be buffered in nginx before being passed on to the backend proxied servers. As a result, upload progress meters will not function correctly if they work by measuring the data received by the backend servers."
Now available in nginx since version nginx-1.7.11.
See documentation
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_request_buffering
To disable buffering the upload specify
proxy_request_buffering off;
I'd look into haproxy to fulfill this need.
Is it possible to use GZip compression on the ouput of files that have been created using server side includes in IIS 6? If so how?
If IIS can't do this internally, you can do it with reverse proxy techniques. Basically, the app runs on the server doing the SSI, but outsiders talk to your proxy server which does compression, and gives you a chance to do other clever things, like caching.