Apache Middleware Engineering Specialist

Role: Apache /Middleware Engineering Specialist

Location: Toronto ON

Contract

Job Specification:

Apache HTTP Server & Tomcat Design Ansible Automation Engineer

Role Summary

Design resilient secure and scalable Apache HTTP Server (httpd) and Apache Tomcat platforms for Java web applications. Build Ansible automation to provision harden operate and upgrade httpd and Tomcat across dev/stage/prod. Partner with SRE Security and App teams to deliver high availability predictable performance and hands-off operations via GitOps and CI/CD.

Title options:

• Senior Web Platform Engineer (Apache/Tomcat & Ansible)
• Web Middleware Platform Engineer (Ansible)
• Infrastructure Engineer Apache & Tomcat Automation

Responsibilities

Architecture & Operations (Apache HTTPD Tomcat)

• Design reverse proxy and app tier topologies:
  • Single or dual Apache HTTPD layers (edge and internal) terminating TLS; modproxyhttp or AJP (with hardening) to Tomcat.
  • Active/active Tomcat clusters with load balancing & health checks (at Apache layer or external LB).
  • Session management strategy: sticky sessions via cookie or session replication/Redis-backed sessions when stickiness is not possible.
• Performance engineering:
  • Apache MPM tuning (event/prefork) worker counts KeepAlive compression caching (modcache) HTTP/2 where feasible.
  • Tomcat connector threads acceptCount connectionTimeout JVM sizing (Xms/Xmx) GC tuning (G1/Parallel) and thread pools.
  • Connection reuse (HTTP keep-alive) upstream timeouts and proper buffer sizing.
• High availability & scaling:
  • Multi-AZ/region design zero-downtime rolling deploys blue/green cutovers.
  • Canarying via path/host routing and weighted backends (LB or Apache ProxyPass with status routes).
• Security hardening:
  • TLS 1.2 (ideally 1.3) with strong cipher suites HSTS OCSP stapling; cert rotation via ACME/Lets Encrypt or enterprise PKI.
  • Disable insecure HTTP methods; harden headers (CSP X-Frame-Options X-Content-Type-Options).
  • For AJP bind to localhost or private subnets set secretRequiredtrue with secret or disable AJP unless required.
  • Tomcat hardening: remove default apps lock down manager/host-manager JMX protection minimal privileges log sanitization.
• Lifecycle management:
  • Patch upgrade and config rollouts with Ansible; drift detection & remediation.
  • Runbooks for incident handling failover and rollbacks.

Ansible Automation

• Develop idempotent Ansible roles and collections-based playbooks for:
  • OS hardening users/groups limits sysctl firewalld/ufw.
  • Apache install vhosts TLS reverse proxy config headers logrotate.
  • Tomcat install (tar or distro) systemd service connectors JVM/GC flags keystores logging.
  • Application deployment hooks (WAR rollout with pre/post checks) health checks and rollback.
  • Rolling updates (serial strategy) blue/green or canary via inventory groups or variables.
  • Integrations: JMX exporter modstatus metrics/log shipping agents.
• Safety guards: pre-flight checks (ports disk Java version) post-verify (HTTP 200/health JMX metrics thresholds) and automated backout.

Collaboration & Governance

• Partner with App teams for capacity route maps and deployment patterns.
• Define standards runbooks and design docs; perform DR tests.
• Align with security frameworks (CIS SOC2/ISO/PCI as applicable).

Minimum Qualifications

• 5 years administering Apache HTTP Server and Apache Tomcat in production at scale.
• 3 years Ansible (roles collections Molecule CI/CD).
• Strong Linux (RHEL) networking TLS/PKI and load balancing fundamentals.
• JVM operation basics (heap/GC) and Java web app deployment experience.