httpd-users mailing list archives

From "George Mashini" <geo...@mashini.org>
Subject Re: [users@httpd] Very nasty ajp error when using ssl, client certificates, mod_proxy_ajp and jetty 6
Date Fri, 03 Oct 2008 22:51:05 GMT
Dennis,

I get the same type of behavior connecting to Tomcat via AJP.  This happens
to me without SSL.  I posted a note about it but I have not gotten any
feedback yet.  Please keep us updated on your progress, I will do the same.

George

On Fri, Oct 3, 2008 at 10:41 AM, Denis McCarthy
<dmccarthy@annadaletech.com> wrote:

> Hi,
> We have a java application that, as part of its authentication
> process, needs to examine the contents of an X509 certificate from the
> client. The application is also a financial-based one and therefore
> needs to be run entirely over SSL. Our architecture consists of an
> httpd 2.2.3 front end and a jetty 6 app server. Jetty and apache talk
> using AJP (mod_proxy_ajp on the apache side). For most requests this
> seems to work fine. However, occasionally we get some *extremely*
> nasty behaviour from apache (it may be caused by jetty, but I'm not
> sure as yet). Anyway, we get the following type of messages in our apache
> log:
>
> [Fri Oct 03 14:26:43 2008] [error] (120006)APR does not understand
> this error code: proxy: read response failed from 172.17.102.156:8009
> (172.17.102.156)
> [Fri Oct 03 14:26:43 2008] [error] (70007)The timeout specified has
> expired: ajp_ilink_receive() can't receive header
> [Fri Oct 03 14:26:43 2008] [error] ajp_read_header: ajp_ilink_receive
> failed
> [Fri Oct 03 14:26:43 2008] [error] (120006)APR does not understand
> this error code: proxy: read response failed from 172.17.102.156:8009
> (172.17.102.156)
> [Fri Oct 03 14:29:52 2008] [error] ajp_check_msg_header() got bad signature
> 4854
> [Fri Oct 03 14:29:52 2008] [error] ajp_ilink_receive() received bad header
> [Fri Oct 03 14:29:52 2008] [error] ajp_read_header: ajp_ilink_receive
> failed
> [Fri Oct 03 14:29:52 2008] [error] (120007)APR does not understand
> this error code: proxy: read response failed from (null)
> (172.17.102.156)
>
> Now, this seems to occur only for certain connection types: For
> example, it seems to often occur for connections from MSIE browsers,
> as well as on occasions when our java application server times out on
> requests (e.g. when our back end takes a very long time to come back
> with a response). I suspect these may be related, as I've read that
> MSIE browsers don't terminate SSL connections correctly.
>
> Anyway, when this occurs, the entire apache server seems to freeze up
> for several minutes.
>
> Here's the relevant apache config:
>
>
> Basic ssl config:
>
> LoadModule ssl_module modules/mod_ssl.so
>
> Listen 443
>
> #   Some MIME-types for downloading Certificates and CRLs
> #
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl    .crl
>
> #   Pass Phrase Dialog:
> #   Configure the pass phrase gathering process.
> #   The filtering dialog program (`builtin' is an internal
> #   terminal dialog) has to provide the pass phrase on stdout.
> SSLPassPhraseDialog  builtin
>
> SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
> SSLSessionCacheTimeout  600
>
>
> SSLMutex pthread
>
> SSLRandomSeed startup file:/dev/urandom  256
> SSLRandomSeed connect builtin
>
>
> ServerAdmin root@localhost
>
> ServerName www.ourapp.com:443
>
> ProxyPreserveHost   On
> ProxyPass           /our-app ajp://172.17.102.156:8009/our-app
> ProxyPassReverse        /our-app ajp://172.17.102.156:8009/our-app
>
>
> SSLEngine on
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> SSLCertificateFile /etc/httpd/certs/server.crt
>
> SSLCertificateKeyFile /etc/httpd/certs/server.key
>
> SSLCACertificateFile /etc/httpd/certs/ca.crt
>
> SSLVerifyClient require
>
> SSLVerifyDepth  1
>
> SSLOptions +StdEnvVars +ExportCertData +StrictRequire
>
> <IfModule setenvif_module>
>        BrowserMatch ".*MSIE.*" \
>                nokeepalive ssl-unclean-shutdown \
>                downgrade-1.0 force-response-1.0
> </IfModule>
>
>
> LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
>
>
> In case there's anyone familiar with jetty out there, my jetty AJP
> config is very simple:
> <Configure id="Server" class="org.mortbay.jetty.Server">
>
>  <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
>  <!-- Add a AJP listener on port 8009                           -->
>  <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
>  <Call name="addConnector">
>    <Arg>
>       <New class="org.mortbay.jetty.ajp.Ajp13SocketConnector">
>         <Set name="port">8009</Set>
>       </New>
>    </Arg>
>  </Call>
>
> </Configure>
>
> (The IP addresses etc. have been changed to protect the innocent)
>
> If anyone could give any pointers for a solution to this it'd be
> great, as the app in question is due to go live shortly, and we'll
> have to delay go-live until this issue is resolved.
> Thanks
> Denis
>

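As an added illustration, not part of either message above: httpd logs the rejected AJP signature in hex, and 0x4854 is the ASCII pair "HT", i.e. the first two bytes of an HTTP response line rather than the "AB" magic an AJP13 reply from the container must start with. The script below (constructed sample log line copied from the post; the function names are my own) decodes such signature values and classifies the first bytes read back on a connection.

```python
import re
import struct

# AJP13 messages from the servlet container to httpd start with the two
# bytes "AB" (0x41 0x42), followed by a 2-byte big-endian payload length.
AJP_RESPONSE_MAGIC = b"AB"
LOG_RE = re.compile(r"ajp_check_msg_header\(\) got bad signature ([0-9a-fA-F]{1,4})")


def classify_ajp_header(buf: bytes) -> dict:
    """Classify the first bytes httpd reads back on an AJP connection.

    Returns a dict whose 'kind' is 'ajp' for a well-formed AJP13 response
    header (with its payload length), 'http' when the bytes are the start
    of a plain HTTP response line, otherwise 'bad'.
    """
    if len(buf) < 4:
        return {"kind": "bad", "reason": "short read"}
    if buf[:2] == AJP_RESPONSE_MAGIC:
        (length,) = struct.unpack(">H", buf[2:4])
        return {"kind": "ajp", "length": length}
    if buf[:4] == b"HTTP":
        return {"kind": "http", "signature": buf[:2].hex()}
    return {"kind": "bad", "signature": buf[:2].hex()}


def decode_signature(hex_sig: str) -> str:
    """Render the hex value from a 'got bad signature' log line as ASCII."""
    raw = int(hex_sig, 16).to_bytes(2, "big")
    return raw.decode("ascii", errors="replace")


def explain_bad_signatures(log_lines) -> list:
    """Return (hex, ascii, looks_like_http) for each bad-signature line."""
    found = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            text = decode_signature(m.group(1))
            found.append((m.group(1), text, text == "HT"))
    return found


# Constructed sample log: the two lines quoted in the original post.
SAMPLE_LOG = [
    "[Fri Oct 03 14:29:52 2008] [error] ajp_check_msg_header() got bad signature 4854",
    "[Fri Oct 03 14:29:52 2008] [error] ajp_ilink_receive() received bad header",
]

if __name__ == "__main__":
    for hex_sig, text, is_http in explain_bad_signatures(SAMPLE_LOG):
        print(f"signature 0x{hex_sig}: ASCII {text!r}, HTTP response start: {is_http}")
```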