113

What are the advantages and disadvantages of using mod_jk and mod_proxy for fronting a tomcat instance with apache?

I've been using mod_jk in production for years but I've heard that it's "the old way" of fronting tomcat. Should I consider changing? Would there be any benefits?

Boris Brodski
  • 8,425
  • 4
  • 40
  • 55
cherouvim
  • 31,725
  • 15
  • 104
  • 153
  • 1
    We’ve had more trouble with all `mod_proxy_*` variants and use `mod_jk` in production successfully, for both Tomcat (5.5, 6, 7) and JBoss/WildFly. – mirabilos Jan 15 '15 at 14:20

3 Answers3

90

A pros/cons comparison for those modules exists on http://blog.jboss.org/

mod_proxy

* Pros:
      o No need for a separate module compilation and maintenance. mod_proxy,
        mod_proxy_http, mod_proxy_ajp and mod_proxy_balancer comes as part of 
        standard Apache 2.2+ distribution
      o Ability to use http https or AJP protocols, even within the same 
        balancer.
* Cons:
      o mod_proxy_ajp does not support large 8K+ packet sizes.
      o Basic load balancer
      o Does not support Domain model clustering

mod_jk

* Pros:
      o Advanced load balancer
      o Advanced node failure detection
      o Support for large AJP packet sizes
* Cons:
      o Need to build and maintain a separate module
cherouvim
  • 31,725
  • 15
  • 104
  • 153
  • 2
    What if your using Apache 2.0? – blak3r Aug 05 '11 at 22:42
  • 11
    I find this blog entry http://www.tomcatexpert.com/blog/2010/06/16/deciding-between-modjk-modproxyhttp-and-modproxyajp helpful. – CodeReaper Feb 20 '12 at 08:59
  • "Need to build and maintain a separate module" it ships with apache so you don't need to build something... – Yura Mar 14 '16 at 21:31
  • 1
    @yura - That may depend on your OS version. Centos 7.x does not appear to have the module available and it is not available by default in apache 2.4: http://httpd.apache.org/docs/2.4/mod/ – runamok Feb 15 '17 at 02:17
  • 1
    Specifically see https://wiki.apache.org/tomcat/FAQ/Connectors#Q7 who @daniel-serodio referenced... Where can I download a binary distribution of my connector? You cannot: you need to download the source and compile it for your platform. – runamok Feb 15 '17 at 02:23
  • Should it not be 8KB and not 8K? – Rui F Ribeiro Jul 25 '18 at 16:36
  • 1
    In some environments encryption is important. AJP cannot encrypt at all, while mod_proxy can switch to https. – Queeg Oct 09 '20 at 20:07
  • 1
    This answer may be out-of-date by now. `mod_proxy_ajp` does support larger packet sizes using `ProxyIOBufferSize`, and `mod_proxy` capabilities have improved quite a bit over the past decade. – Christopher Schultz Jan 22 '21 at 16:41
29

If you wish to stay in Apache land, you can also try the newer mod_proxy_ajp, which uses the AJP protocol to communicate with Tomcat instead of plain old HTTP, but which leverages mod_proxy to do the work.

Vinko Vrsalovic
  • 330,807
  • 53
  • 334
  • 373
  • Thanks. But do you know what does the proxy_ajp would offer more than jk? – cherouvim Jul 04 '09 at 10:37
  • 2
    Yes, all the controls and (relatively) ease of configuration of mod_proxy, with the speed benefits of the AJP protocol (instead of using HTTP) – Vinko Vrsalovic Jul 04 '09 at 11:19
  • 2
    AJP uses a binary format so in theory, it's suppose to provide better performance. I've never performance tested AJP vs HTTP proxying though. – Taylor Leese Aug 28 '09 at 07:20
4

AJP vs HTTP

When using mod_jk, you are using the AJP. When using mod_proxy you will use HTTP or HTTPS. And this is essentially what makes all the difference.

The Apache JServ Protocol (AJP)

The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server. AJP is a highly trusted protocol and should never be exposed to untrusted clients, which could use it to gain access to sensitive information or execute code on the application server.

Pros

  • Easy to set up as the correct forwarding of HTTP headers is not required.
  • It is less resource intensive because the TCP packets are forwarded in binary format instead of doing a costly HTTP exchange.

Cons

  • Transferred data is not encrypted. It should only be used within trusted networks.

Hypertext Transfer Protocol (HTTP)

HTTP functions as a request–response protocol in the client–server computing model. A web browser, for example, may be the client and an application running on a computer hosting a website may be the server. The client submits an HTTP request message to the server. The server, which provides resources such as HTML files and other content, or performs other functions on behalf of the client, returns a response message to the client. The response contains completion status information about the request and may also contain requested content in its message body.

Pros

  • Can be encrypted with SSL/TLS making it suitable for traffic across untrusted networks.
  • It is flexible as it allows to modify the request before forwarding. For example, setting custom headers.

Cons

  • More overhead as the correct forwarding of the HTTP headers has to be ensured.
  • More resource intensive as the request is fully parsed before forwarding.
The Fool
  • 16,715
  • 5
  • 52
  • 86