IG ClientHandler and ReverseProxyHandler Configuration
The IG ClientHandler and ReverseProxyHandler is configured to communicate as the client to the downstream protected application.
Specific configuration that manages this communication are:
|The number of available connections to the downstream remote application|
|This is the number of IG worker threads allocated to service inbound requests and manage propagation to the downstream application. Of note, IG has an asynchronous threading-model, so a worker thread is not consumed blocking for a response from the downstream server. By default, this value is set to the number of available cores.|
|The connection timeout, or maximum time to connect to a server-side socket, before timing out and abandoning the connection attempt.|
|The socket timeout, or the maximum time a request is expected to take before a response is received, after which the request is deemed to have failed.|
Tomcat IG container and IG configuration should be done with regard to:
- the performance goals and the capabilities and limitations of the downstream system:
- expectation of some increase in response time with IG inserted as a proxy in front of the protected application, due to the extra network hop and processing required.
- IG and its container being constrained by the limitations of the downstream server and the response times of the protected application. This includes the downstream web container configuration, its JVM configuration and tuning, resource types (e.g. compiled resources), etc.
With that in mind, the configuration of IG as a proxy should be conducted as follows:
- Start with the configuration of the downstream server and protected application:
- Ensure that the web container and JVM are tuned and able to achieve performance targets.
- Test and confirm in a pre-production environment under expected load and with common use-cases.
- Ensure that the web container configuration forms the basis of configuring IG and its web container.
- Configure IG and its web container, based on the limitations of the downstream server and protected application:
- Configure the IG
ReverseProxyHandlerbased on the downstream server configuration (see below).
- Configure the IG web container (e.g. Tomcat) to correspond with the downstream server configuration:
- At this stage, IG and its web container should replicate the number of connections and timeouts of the downstream application.
- Test and tune the IG
numberOfThreadsand IG web container threads
maxThreadsto determine the optimum throughput.
- Tune the IG web container JVM to support the desired throughput:
- Ensure there is sufficient memory to accommodate peak-load for the required connections. See Tuning the JVM].
- Ensure IG and its container timeouts support latency in the protected application.
- This phase should involve an incremental optimisation exercise to settle on the best performing memory and garbage collection settings.
- Configure the IG
- Vertical scaling:
- Look to increase hardware resources, as required.
Configuring IG ClientHandler for Tomcat Container
The relationship between the Tomcat container and IG webapp is that Tomcat's
maxThreads is the number of Tomcat HTTP request threads. An IG worker thread -
numberOfWorkers - will pick up from a Tomcat request thread to propagate requests for processing downstream, via the
The Tomcat version and the selection of Tomcat HTTP Connector is very important with regards to configuring IG. Notably, IG should be configured in conjunction with the Tomcat IG container configuration. Notably:
- If using a BIO Connector (Tomcat 3.x to 8.x):
- the Tomcat maxThreads should be aligned to be close to the number of Tomcat configured connections. IG can be configured a lot lower (using an async threading model). The async IG threads are freed up immediately after the request is propagated and can service another blocking Tomcat request thread.
- Assumptions should be ratified in a pre-production performance test environment using real-life use cases.
- If using a NIO Connector:
- Tomcat maxThreads config can be a lot lower than it would be using a BIO Connector. The NIO Connector also uses an async threading model, freeing up request threads once the request is handed over to the IG worker threads.
- Therefore, the config of IG worker threads - numberOfWorkers should be closely aligned with your Tomcat request threads - maxThreads.
- It is still necessary to test the IG worker config throughput/ errors incrementally in this deployment to identify optimum throughput.
Configuring IG ClientHandler for Standalone