IT Architect - Data Architecture Consultant - Expert
Spectraforce
Toronto, Ontario
4 hours ago
Job Description
Position Title: Apache HTTP Server & Tomcat Design + Ansible Automation Standards Engineer
Work Location: Toronto, Ontario
Length of Contract: 8 months with possibility of extension and conversion
Hours of Operation: 8-4, 9-5, flexible
Apache HTTP Server & Tomcat Design + Ansible Automation Engineer
Role Summary
Design resilient, secure, and scalable Apache HTTP Server (httpd) and Apache Tomcat platforms for Java web applications. Build Ansible automation to provision, harden, operate, and upgrade httpd and Tomcat across dev/stage/prod. Partner with SRE, Security, and App teams to deliver high availability, predictable performance, and hands-off operations via GitOps and CI/CD.
Title options:
• Senior Web Platform Engineer (Apache/Tomcat & Ansible)
• Web Middleware Platform Engineer (Ansible)
• Infrastructure Engineer – Apache & Tomcat Automation
Responsibilities
Architecture & Operations (Apache HTTPD + Tomcat)
• Design reverse proxy and app tier topologies:
o Single or dual Apache HTTPD layers (edge and internal), terminating TLS; mod_proxy_http or AJP (with hardening) to Tomcat.
o Active/active Tomcat clusters with load balancing & health checks (at Apache layer or external LB).
o Session management strategy: sticky sessions via cookie, or session replication/Redis-backed sessions when stickiness is not possible.
• Performance engineering:
o Apache MPM tuning (event/prefork), worker counts, KeepAlive, compression, caching (mod_cache), HTTP/2 where feasible.
o Tomcat connector threads, acceptCount, connectionTimeout, JVM sizing (Xms/Xmx), GC tuning (G1/Parallel), and thread pools.
o Connection reuse (HTTP keep-alive), upstream timeouts, and proper buffer sizing.
• High availability & scaling:
o Multi-AZ/region design, zero-downtime rolling deploys, blue/green cutovers.
o Canarying via path/host routing and weighted backends (LB or Apache ProxyPass with status routes).
• Security hardening:
o TLS 1.2+ (ideally 1.3) with strong cipher suites, HSTS, OCSP stapling; cert rotation via ACME/Let’s Encrypt or enterprise PKI.
o Disable insecure HTTP methods; harden headers (CSP, X-Frame-Options, X-Content-Type-Options).
o For AJP, bind to localhost or private subnets, set secretRequired="true" with secret, or disable AJP unless required.
o Tomcat hardening: remove default apps, lock down manager/host-manager, JMX protection, minimal privileges, log sanitization.
• Lifecycle management:
o Patch, upgrade, and config rollouts with Ansible; drift detection & remediation.
o Runbooks for incident handling, failover, and rollbacks.
Ansible Automation
• Develop idempotent Ansible roles and collections-based playbooks for:
o OS hardening, users/groups, limits, sysctl, firewalld/ufw.
o Apache install, vhosts, TLS, reverse proxy config, headers, logrotate.
o Tomcat install (tar or distro), systemd service, server.xml, connectors, JVM/GC flags, keystores, context.xml, logging.
o Application deployment hooks (WAR rollout with pre/post checks), health checks, and rollback.
o Rolling updates (serial strategy), blue/green or canary via inventory groups or variables.
o Integrations: JMX exporter, mod_status, metrics/log shipping agents.
• Safety guards: pre-flight checks (ports, disk, Java version), post-verify (HTTP 200/health, JMX metrics thresholds), and automated backout.
Collaboration & Governance
• Partner with App teams for capacity, route maps, and deployment patterns.
• Define standards, runbooks, and design docs; perform DR tests.
• Align with security frameworks (CIS, SOC2/ISO/PCI as applicable).
Must Have Requirements:
• 5+ years administering Apache HTTP Server and Apache Tomcat in production at scale.
• 3+ years Ansible (roles, collections, Molecule, CI/CD).
• Strong Linux (RHEL), networking, TLS/PKI, and load balancing fundamentals.
• JVM operation basics (heap/GC) and Java web app deployment experience.
Education:
• Post Secondary
Interviews:
• 1 round with HM via MS Teams, 30 minutes
At SPECTRAFORCE, we are committed to maintaining a workplace that ensures fair compensation and wage transparency in adherence with all applicable state and local laws. This position’s starting pay is: $86.20/hr.