httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Denis McCarthy" <dmccar...@annadaletech.com>
Subject Re: [users@httpd] Very nasty ajp error when using ssl, client certificates, mod_proxy_ajp and jetty 6
Date Tue, 07 Oct 2008 14:31:46 GMT
Hi,
We upgraded Apache from 2.2.3 to 2.2.9 and it seems to have resolved
this problem for us (well, it hasn't recurred today yet, and it was
happening all the time)
Denis

On Fri, Oct 3, 2008 at 11:51 PM, George Mashini <george@mashini.org> wrote:
> Dennis,
>
> I get the same type of behavior connecting to Tomcat via AJP.  This happens
> to me without SSL.  I posted a note about it but I have not gotten any
> feedback yet.  Please keep us updated on your progress, I will do the same.
>
> George
>
> On Fri, Oct 3, 2008 at 10:41 AM, Denis McCarthy <dmccarthy@annadaletech.com>
> wrote:
>>
>> Hi,
>> We have a java application that, as part of its authentication
>> process, needs to examine the contents of a X509 certificate from the
>> client. The application is also a financial based one and therefore
>> needs to be run entirely over SSL. Our architecture consists of an
>> httpd 2.2.3 front end and a jetty 6 app server. Jetty and apache talk
>> using AJP (mod_proxy_ajp on the apache side). For most requests this
>> seems to work fine. However, occasionally we get some *extremely*
>> nasty behaviour from apache (it may be caused by jetty, but I'm not
>> sure as yet). Anyway, we get the following type messages in our apache
>> log:
>>
>> [Fri Oct 03 14:26:43 2008] [error] (120006)APR does not understand
>> this error code: proxy: read response failed from 172.17.102.156:8009
>> (172.17.102.156)
>> [Fri Oct 03 14:26:43 2008] [error] (70007)The timeout specified has
>> expired: ajp_ilink_receive() can't receive header
>> [Fri Oct 03 14:26:43 2008] [error] ajp_read_header: ajp_ilink_receive
>> failed
>> [Fri Oct 03 14:26:43 2008] [error] (120006)APR does not understand
>> this error code: proxy: read response failed from 172.17.102.156:8009
>> (172.17.102.156)
>> [Fri Oct 03 14:29:52 2008] [error] ajp_check_msg_header() got bad
>> signature 4854
>> [Fri Oct 03 14:29:52 2008] [error] ajp_ilink_receive() received bad header
>> [Fri Oct 03 14:29:52 2008] [error] ajp_read_header: ajp_ilink_receive
>> failed
>> [Fri Oct 03 14:29:52 2008] [error] (120007)APR does not understand
>> this error code: proxy: read response failed from (null)
>> (172.17.102.156)
>>
>> Now, this seems to occur only for certain connection types: For
>> example, it seems to often occur for connections from MSIE browsers,
>> as well as on occasions when our java application server times out on
>> requests (e.g. when our back end takes a very long time to come back
>> with a response). I suspect these may be related, as I've read that
>> MSIE browsers don't terminate SSL connections correctly.
>>
>> Anyway, when this occurs, the entire apache server seems to freeze up
>> for several minutes.
>>
>> Here's the relevant apache config:
>>
>>
>> Basic ssl config:
>>
>> LoadModule ssl_module modules/mod_ssl.so
>>
>> Listen 443
>>
>> #   Some MIME-types for downloading Certificates and CRLs
>> #
>> AddType application/x-x509-ca-cert .crt
>> AddType application/x-pkcs7-crl    .crl
>>
>> #   Pass Phrase Dialog:
>> #   Configure the pass phrase gathering process.
>> #   The filtering dialog program (`builtin' is a internal
>> #   terminal dialog) has to provide the pass phrase on stdout.
>> SSLPassPhraseDialog  builtin
>>
>> SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
>> SSLSessionCacheTimeout  600
>>
>>
>> SSLMutex pthread
>>
>> SSLRandomSeed startup file:/dev/urandom  256
>> SSLRandomSeed connect builtin
>>
>>
>> ServerAdmin root@localhost
>>
>> ServerName www.ourapp.com:443
>>
>> ProxyPreserveHost   On
>> ProxyPass           /our-app ajp://172.17.102.156:8009/our-app
>> ProxyPassReverse        /our-app ajp://172.17.102.156:8009/our-app
>>
>>
>> SSLEngine on
>>
>> SSLCipherSuite
>> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>
>> SSLCertificateFile /etc/httpd/certs/server.crt
>>
>> SSLCertificateKeyFile /etc/httpd/certs/server.key
>>
>> SSLCACertificateFile /etc/httpd/certs/ca.crt
>>
>> SSLVerifyClient require
>>
>> SSLVerifyDepth  1
>>
>> SSLOptions +StdEnvVars +ExportCertData +StrictRequire
>>
>> <IfModule setenvif_module>
>>        BrowserMatch ".*MSIE.*" \
>>                nokeepalive ssl-unclean-shutdown \
>>                downgrade-1.0 force-response-1.0
>> </IfModule>
>>
>>
>> LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
>>
>>
>> In case there's anyone familiar with jetty out there, my jetty AJP
>> config is very simple
>> <Configure id="Server" class="org.mortbay.jetty.Server">
>>
>>  <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
>>  <!-- Add a AJP listener on port 8009                           -->
>>  <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
>>  <Call name="addConnector">
>>    <Arg>
>>       <New class="org.mortbay.jetty.ajp.Ajp13SocketConnector">
>>         <Set name="port">8009</Set>
>>       </New>
>>    </Arg>
>>  </Call>
>>
>> </Configure>
>>
>> (The IP addresses etc. have been changed to protect the innocent)
>>
>> If anyone could give any pointers for a solution to this it'd be
>> great, as the app in question is due to go live shortly, and we'll
>> have to delay go-live until this issue is resolved.
>> Thanks
>> Denis
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
>



-- 
Annadale Technologies Limited

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message