Présentation PowerPoint

[Virtual Presenter] . Welcome everyone! We're here today to discuss the Reverse Proxy Profile service and the Apache 2.4 Module. We'll explore how these can be used to handle web traffic and configure parameters to adjust the reverse proxy for capacity and performance. Let's get started!.

Overview. Performance. There are several ways to optimize performance of your web application: Timeout Compression Caching Reverse Proxy Profile First three parameters can be implemented separately on each tunnel, but you can edit and modify the configuration of your Reverse Proxy to adjust his Apache configuration and timeout..

Reverse Proxy Profile.

[Audio] Ubika WAAP Gateway provides Reverse Proxy Profile service which is managed through Apache 2.4 module. This feature enables users to create tunnel for their web applications and adjust the reverse proxy for better speed and performance. To add a reverse proxy you need to select Reverse Proxy Profile which holds network configuration as well as Apache configuration available in Advanced tab. With this feature users are able to ensure their web applications work stably and securely..

[Audio] Apache is a robust web-server technology for effective and secure traffic routing. At Ubika WAAP Gateway it is set up with the multi-processing module or Worker MPM. It assists with web traffic direction and the Apache root process activates a specific quantity of child processes. This module consists of its own set of server threads along with a distinct listener thread. Administrators are able to modify the number of children through two variables: the initial number of child processes running in the Apache reverse proxy and the highest number of processes. Each child process is held responsible for supervising a particular quantity of threads and each thread looks after a single connection at one time..

[Audio] Reverse Proxy Profiles can influence the performance and capacity of a reverse proxy. A Reverse Proxy Profile is a profile that can be applied to a Reverse Proxy which can customize the capacity and performance settings. When no Reverse Proxy Profile is set for the Reverse Proxy the default '01K Connections' profile will be used which is usually appropriate in most cases. This service provides you with the ability to adjust the reverse proxy settings to your own demands..

[Audio] Apache 2.4 module provides the capability to customize the Reverse Proxy Profile service to optimize web traffic performance and capacity. When adding a new Reverse Proxy Profile certain essential options need to be configured such as Server Limit and Min/Max spare threads. Server Limit controls the maximum amount of clients Apache will handle while Min/Max spare threads is used to set the minimum and total number of idle threads on the server which helps maintain steady performance..

[Audio] '01K Connections' reverse proxy profile is an ideal solution to manage web traffic starting with 1 child process with a maximum of 100 threads each. By adjusting the 'Server Limit' parameter the maximum number of child processes can be increased up to 10. Thus it makes it possible to handle up to 1000 concurrent connections..

[Audio] "Max Clients" cannot be set directly it must be calculated by multiplying "Server Limit" and "Thread per Child". To increase the number of maximum client connections increase one or both of these two parameters. Different reverse proxy profiles are available on the system and if you need to optimize the performance of your reverse proxy switch to a different default profile or customize one. Whenever you change the reverse proxy profile configuration remember to restart the server..

[Audio] When planning to launch your service it is important to have the optimal combination of Apache's child and thread per child to handle web traffic. Our default profile is created to effectively manage traffic however for webmail websockets web applications with persistent connections a custom reverse proxy profile may be necessary. In order to adjust the Server Limit and Thread values to accommodate your application you can configure your reverse proxy to its highest potential capacity and performance..

[Audio] ubika Appliance Monitoring dashboard provides real-time insight into memory utilization and number of active children on reverse proxy so that you can quickly identify when proxy is under strain and ensure service is running at its peak..

[Audio] Mod_status module provides administrators detailed insight into server performance like tracking the number of active workers idle workers and requests being processed. Specific information like number of requests served total bytes transferred average requests per second average bytes per request and C-P-U usage are also provided. This allows administrators to monitor how server is responding to traffic to make any necessary adjustments for capacity and performance..

[Audio] To access the reverse proxy statistics you must create an advanced parameter profile for Reverse Proxy. Access this profile by going to the Advanced tab and using the http server-name/server-status hostname of your application via a web browser. To gain access configure the ProxyPass and Location tags with the appropriate IP addresses..

[Audio] Mod_status results offer a great visual understanding of the reverse proxy's performance. It details stats such as its uptime load C-P-U and memory usage thread availability and last requests processed in an easy-to-comprehend format. Through this you can quickly spot any discrepancies that could be affecting performance and take necessary steps to modify the reverse proxy..

Lab.

[Audio] To begin with Lab1 check the local time of your appliance. After that utilize the HTTPerf Lab to generate traffic so that you can study the visuals of the Reverse Proxy Profile. Lastly analyze the Reverse Proxy statistics using Kibana to evaluate the performance and capacity..

[Audio] We are looking at how to make an advanced parameter profile and add a server-status setup. This will enable the opposite proxy to take care of website traffic more proficiently and alter the parameters to elevate capacity and performance. The process entails using the HTTPerf lab to make web traffic and then utilizing /server-status to examine the outcomes..

Timeout.

[Audio] The Apache 2.4 Reverse Proxy Profile's Timeout parameter is essential for ensuring efficient performance. It guarantees that faulty T-C-P connections regardless of cause such as timeout can be quickly restored enabling higher traffic to be steered through the Reverse Proxy. This grants swiftness and scalability for web traffic..

[Audio] In many web configurations a reverse proxy acts as a middleman between the user’s computer and the web server. When a user connects to your web server two T-C-P connections are formed. The first connection is between the user’s computer and the reverse proxy. The second connection is between the reverse proxy and your web server and is created only after the first connection is established. This second connection allows the reverse proxy to manage the two-way communication between the user and the web server. The two-way communication is managed by sending and receiving data packets through the second T-C-P connection. This way the traffic between the user and the web server is optimized and managed for the best possible performance..

[Audio] In this slide we discuss the importance of knowing when a T-C-P connection can be closed. A TCP connection is established when a client sends a request to a server and remains active until one of the sides asks to close it. The initiator of the closing connection can either be the client or the reverse proxy and similarly between the reverse proxy and the backend server. The closing of a T-C-P connection can happen because there is no more data to be sent or because the timeout for the connection has expired. In some cases the closing process can be carried out with TCP FIN/ACK/RST/ACK. Knowing these scenarios is key in order to optimize the Reverse Proxy Profile service provided by our company..

[Audio] The Apache 2.4 module provides a variety of timeout managing solutions. To improve performance and capacity for the reverse proxy some protections are in place to limit the number of T-C-P connections generated. These include a timeout between the client and reverse proxy a timeout between the reverse proxy and the web server and a request timeout. All these protections come with a standard value but they can be adjusted by using a reverse proxy profile or by configuring a tunnel separately. This allows you to tailor your settings to meet the specific needs of your environment..

[Audio] When setting up the reverse proxy it is important to understand the “Timeout” option. This allows you to define the amount of time that a T-C-P connection between the client and server remains active before it closes. The default value for this setting is 300 seconds but it can be adjusted depending on the traffic and web application. It is best to set the “Timeout” as low as possible while still allowing most of the regular traffic to operate without issue and to make sure the “Timeout” value is greater than the “Proxy Timeout”. By properly adjusting the “Timeout” value you can ensure that your reverse proxy service is working optimally..

[Audio] Proxy Timeout is a critical parameter as it allows you to decide the span of time between the Ubika WAAP Gateway device and the web server to remain uninterrupted. By setting this value accurately you can guarantee efficient traffic management and peak performance for your web application. The default value is 60 seconds but you can always alter it depending on your traffic routine. It is essential to determine the ideal timeout setting for your domain so that your web traffic and applications work properly..

[Audio] Enabling the Keep-Alive parameter on the Ubika WAAP Gateway provides access to two additional options: Keep-Alive timeout and Keep-Alive max requests. When this feature is turned on web traffic is handled more effectively as the same connection is reused for multiple requests over a short period of time. This can decrease latency by up to 50% resulting in an improved application performance. Keep-Alive is an efficient tool and in most cases should be enabled..

[Audio] A full T-C-P exchange for a simple request from a client is illustrated in the slide. The client first sends a S-Y-N packet to the server and the server follows up with a SYNACK packet. After the connection is established the client sends an H-T-T-P request. The server responds with the requested data which the client acknowledges to close the connection. This is a simplified version of how the Apache 2.4 Reverse Proxy Profile service deals with web traffic..

[Audio] The Apache 2.4 module is used to handle web traffic and configure parameters an important one being the "disablereuse" option. It is set to off by default but turning it on can help improve performance. To do so an advanced parameter profile must be created and the lines of code provided be added. This will ensure that the T-C-P connection between the reverse proxy and the backend server is closed when all requests are served. Activating "disablereuse" can boost the performance and capacity of the reverse proxy thus making it more effective..

[Audio] The full T-C-P exchange for a client with disablereuse=On for a simple request consists of the client sending a TCP SYN packet to the server then the server sending a SYN/ACK packet in response and the client sending an A-C-K packet to complete the three-way T-C-P handshake. After this the client sends an H-T-T-P request to the server which sends the appropriate H-T-T-P response. Lastly the client sends a TCP FIN packet to close the connection establishing a secure and reliable connection between the client and the server..

[Audio] Configuring the Request Timeouts on the Reverse Proxy Profile service is important. Request Timeouts are parameters that decide how long the Reverse Proxy Profile Service will wait for a response from the client before it sends an error message. The Apache 2.4 module is pre-set with values to avoid potential attacks to the system. Nevertheless a Request Timeout profile can be created to modify these values depending on the needs of the tunnel or the Reverse Proxy Profile Service. Adjusting the Request Timeout parameters is necessary to keep the system functioning securely and efficiently..

[Audio] The Apache 2.4 module's Request Timeout Profile feature enables you to customize web traffic and optimize the reverse proxy capacity and performance. This can be done by accessing either Setup > Tunnels > Request Timeout Profiles or Setup > Reverse Proxies > Request Timeout Profiles both of which feature the same profile settings. Adding deleting and modifying existing profiles is possible by clicking the 'Add' button. Parameters you can customize when creating a new profile include Header Timeout (in seconds) Header Rate (in bytes) Body Timeout (in seconds) and Body Rate (in bytes). A maximum timeout can be defined for both header and body by specifying an initial timeout and a limit. By tweaking these settings you can guarantee your web traffic is optimized and functioning properly..

[Audio] In order to have a successful reverse proxy configuration the timeouts must be adjusted appropriately. This process should take into account the applications’ requirements and the speed of the network connection. For applications with high I/O or requiring frequent connections timeouts should be set to smaller values. Alternatively larger timeouts may be necessary for networks with slower internet connection speeds. Additionally all equipment throughout the network should also be configured with the appropriate timeout. With careful consideration of these guidelines the reverse proxy configuration can be set to handle web traffic in an efficient manner..

Lab.

[Audio] A slow loris attack against a web application that is protected by a W-A-F can be launched by sending a request to the web application which is never completed and each request is then refreshed every 10 seconds. Awareness of this type of attack is important as it can cause harm to the web application..

[Audio] Our request timeout profile has been designed to maximize both performance and reliability. The SlowLoris attack has highlighted the benefit of the timeout profile with the performance improvement being immediately visible. Thanks to our Apache 2.4 module we are able to dynamically adjust parameters in order to ensure the best performance in any given situation..

Compression.

[Audio] Compression can be utilized to improve the data that is sent from the web server to the client. Typically web browsers inform the server what data-handling protocol they support through the Accept-Encoding header; such as gzip compress deflate br identity or *. In accordance with this the web server will use the corresponding compression protocol to reduce the data size and notify the client through the Content-Encoding header. If the web server does not have the capability to compress the data the WAAP Gateway can do it for you..

[Audio] The Apache 2.4 module supports efficient traffic handling by processing H-T-T-P requests of 1 kilobyte and H-T-T-P responses of 100 kilobytes. Compression can further reduce the amount of data sent with each request. To illustrate there is a comparison between an uncompressed and compressed H-T-T-P request. This guarantees optimal performance and capacity decreasing the load on our servers and enhancing the user experience..

[Audio] In the tunnel configuration window on the "Performance" tab the "Compression Profile" parameter can be found. Selecting a profile from the list activates this parameter. The other parameter "Forward gzip encoding" can be checked if required. If checked this will ensure that the response sent by the backend remains compressed unless it has been modified in the workflow..

[Audio] On the Setup Tunnels Compression Profiles page you can configure your Compression Profile settings. Using the Add button you can create a new profile by entering the required information. Once the new profile is created a popup window will appear allowing you to make further adjustments..

[Audio] One of the most important aspects in configuring a new compression profile is choosing the right parameters. With the Apache 2.4 module you can easily adjust the reverse proxy for capacity and performance. By setting the name parameter and configuring the content types exclude browsers buffer size compression level memory level and window size you can optimize the compression for the specific needs you have for your website. With the right parameters you can ensure that your reverse proxy is providing the best performance possible..

[Audio] If you want to gain insights on the ratio of your compression creating a custom access logs profile can give you the information you need. By adding the fields %h %a %u %t "%r" %>s %b "%i" "%i" %b (%n) %b: size of the file %n: rate of compression to the profile you can get an analysis on the rate of compression of your web traffic.”.

[Audio] As you can see on the slide modern web browsers such as Firefox are equipped with tools that allow us to view the compression statistics of a file when surfing the Internet. The two columns provided are “transferred” which shows the size of the file compressed and “Size” which lists the real size of the file. With this information we can easily gain insight into the effectivity of our Reverse Proxy Profile service for adjusting capacity and performance..

Lab.

[Audio] Compression is a key component for optimizing web traffic and improving performance. The Apache 2.4 module can be used to configure and adjust parameters to enable compression. Generating some traffic on your application and analyzing the compression performance will show that the traffic is not compressed. Our Reverse Proxy Profile service allows you to tweak these parameters to obtain the desired result..

[Audio] Create a new compression profile with Apache 2.4 with all standard parameters except for the compression level set to "9". Generate some traffic and analyze the data compressed and the data uncompressed to ensure proper configuration with the new compression profile..

[Audio] To configure a Reverse Proxy Profile with Lab2 you need to enable the Apache proxy mode to act as a reverse proxy for incoming requests adjust peer certificates to establish a secure connection and validate the identity of the clients and set the write-limit to adjust the response size sent back to the client. Following these steps can help users achieve the optimum performance and secure their services..

[Audio] Compressing data is an essential part of improving performance for web traffic. In this lab it was shown that all traffic isn't compressed unless the compression profile is edited to include the content type for any text data desired to be compressed. As an example the compression profile can be modified to handle .js files which have an application/javascript content type. Verifying that javascript files are now compressed after generating some traffic will demonstrate that the profile was edited correctly. Data compression is now in effect and functioning..

[Audio] When setting up a Reverse Proxy Profile as an administrator certain configuration parameters should be taken into account. This includes maximum connection rate maximum request rate and maximum request duration. Additionally for optimal performance it is important to configure the Apache 2.4 module properly such as setting the maximum keep alive duration. With the right configuration the Reverse Proxy Profile should be able to meet capacity and performance objectives..

[Audio] Create a new custom access logs profile with Apache 2.4 module by inputting the required parameters: %h %a %u %t "%r" %>s %b "%i" "%i" %b (%n). To check that everything is working generate some traffic to your web application and verify that the compression information is present in the access logs..

Caching.