I recently read an excellent article in which Randy Shoup of eBay shares his "Scalability Best Practices".
Looks like some of the big websites have evolved in a similar way: they have grown from simple, vertical, three-tier architectures (web, app and persistence layers) to horizontal, service-oriented architectures with partitioned data layers (shards).
Tuesday, June 3, 2008
Saturday, May 17, 2008
Enabling Compression in Tomcat
With Apache I was used to mod_deflate. After switching to just Tomcat I started to look for a gzip servlet filter when I noticed that you can configure gzip in your server.xml per Connector. This means you can have different gzip configurations for port 80 and SSL port 443.
Example configuration:
    <Connector port="80" protocol="HTTP/1.1" enableLookups="false" connectionTimeout="60000" maxThreads="150" compression="on" compressionMinSize="2048" compressableMimeType="text/html,text/xml,text/javascript,application/x-javascript,application/javascript,text/css" redirectPort="443" />

This enables compression for all requests on port 80 where the response is of a certain MIME type and is larger than 2k.
Link to the tomcat documentation regarding this.
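An added example, not from the original post: a small Python audit that reads a server.xml and reports each Connector's effective compression policy, so you can confirm that ports 80 and 443 got the settings you intended. The server.xml text is constructed from the two Connector elements on this page; the function names and the use of the Tomcat 6 default MIME list are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml combining the two Connectors shown on this page.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" enableLookups="false" maxThreads="150"
    connectionTimeout="60000" redirectPort="443" compression="on" compressionMinSize="2048"
    compressableMimeType="text/html,text/xml,text/javascript,application/x-javascript,application/javascript,text/css" />
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
    scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
    keystoreFile="conf/tomcat.keystore" keystorePass="xxxx" />
</Service></Server>"""

KNOWN = ("compression", "compressionMinSize", "compressableMimeType", "SSLEnabled")
DEFAULT_MIME = "text/html,text/xml,text/plain"  # Tomcat 6 default (assumed here)


def connector_policies(xml_text):
    """Return {port: compression policy} for every Connector element."""
    policies = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        a = conn.attrib
        mode = a.get("compression", "off")  # Tomcat's default is off
        min_size = int(a.get("compressionMinSize", "2048"))
        if mode.isdigit():  # a bare number means "on" with that threshold
            mode, min_size = "on", int(mode)
        policies[int(a["port"])] = {
            "tls": a.get("SSLEnabled", "false").lower() == "true",
            "mode": mode,
            "min_size": min_size,
            "mime": {m.strip() for m in a.get("compressableMimeType", DEFAULT_MIME).split(",")},
            # Attribute names are case-sensitive; a mis-cased one is not applied.
            "miscased": sorted(n for n in a for k in KNOWN
                               if n != k and n.lower() == k.lower()),
        }
    return policies


def would_compress(policy, content_type, body_len):
    """Apply one connector's rule to a response (client assumed to accept gzip)."""
    if policy["mode"] == "force":  # documented as compressing in all cases
        return True
    mime = content_type.split(";")[0].strip()  # ignore "; charset=..." parameters
    return (policy["mode"] == "on" and mime in policy["mime"]
            and body_len > policy["min_size"])


if __name__ == "__main__":
    for port, p in sorted(connector_policies(SERVER_XML).items()):
        print(port, "tls" if p["tls"] else "plain", p["mode"], p["miscased"])
```

A non-empty `miscased` list means an attribute such as `compressionminsize` is present but will not take effect, so the connector silently falls back to the default.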
Tuesday, May 13, 2008
Moving SSL certificate from Apache to Tomcat
I finally managed to move our SSL certificates from Apache to Tomcat.
First I just tried to import the existing OpenSSL cert using the keytool. I failed miserably, gave up and went down the reissue road.
Which turned out to be really simple, even though it took Thawte 2 days and a live chat before I received the new cert. And then, the live OpenSSL certificate stopped working! So all of a sudden I had to switch to the pure Tomcat solution a bit ahead of schedule. Luckily I've had that working for a while now with functional and load tests already made.
- Create your Java keystore with a tomcat key entry.
    keytool -genkey -keyalg RSA -alias tomcat -keystore [keystore name]
- Generate a CSR and submit it to Thawte, using the reissue form.
    keytool -certreq -alias tomcat -keyalg RSA -file certreq.csr -keystore [keystorename]
- Wait a couple of days, receive the new cert and save it into a file on your server.
- Import the cert into your tomcat keystore.
    keytool -import -alias tomcat -trustcacerts -file mythawtecert.txt -keystore [keystorename]
- Configure server.xml.
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreFile="conf/tomcat.keystore" keystorePass="xxxx" />
Basically, reissuing is almost like creating a new certificate, except for having to pay for it. For more details, check out Thawte's support page.
Switching to a pure tomcat setup
Today I transferred our website to some new servers. I decided to run a pure Tomcat setup without Apache in front. The problem is that the Apache server did some critical and some less critical stuff that I haven't tried doing with just Tomcat before (I've written the corresponding Apache module in parentheses):
- SSL (mod_ssl)
- URL redirection, critical for URL canonicalization (mod_rewrite)
- Gzip compression (mod_deflate)
- Setting the correct cache-headers (mod_expires, mod_headers)