From: "Norbert Röstel"
To: tomcat-dev@jakarta.apache.org
List-Id: "Tomcat Developers List"
Date: Tue, 11 Jun 2002 08:49:27 +0200
Subject: Desirable protocol extension between mod_jk and tomcat

Hi,

we would like to make a short proposal about how the communication protocol between mod_jk and the Tomcat application server could be expanded to avoid problems with proxy firewalls between both of them.

We are using the Apache webserver (1.3.23) in conjunction with the Tomcat application server (3.2.3). Because of security issues both are separated by an internal firewall operating as a proxy server. Because of reliability we have configured two machines with the Apache webserver within our DMZ and behind the DMZ two additional machines running the Tomcat application server.
We have also configured the load balancing within the mod_jk, so that both application servers can be referenced from both webservers.

Packet Filter            Apache               Proxy         Tomcat Application
Firewall                 Webserver            Firewall      Server

+-----+                  +------+             +----+        +------+
|     |    Load        / | AP 1 |   -------   |    | ------ | TC 1 |
|     |    Balancer   /  +------+   \     /   |    |        +------+
|     |    +----+    /               \   /    |    |
| FW  | -- | LB |                     X X     | FW |
|     |    +----+    \               /   \    |    |
|     |               \  +------+   /     \   |    |        +------+
|     |                \ | AP 1 |   -------   |    | ------ | TC 1 |
+-----+                  +------+             +----+        +------+

In this setup the proxy firewall causes the problems we have. If mod_jk connects to the firewall the connection will be accepted by the firewall without knowing if the application server behind the firewall is up and running. From mod_jk's point of view everything looks fine after having established a connection to the firewall. So mod_jk starts sending data and is waiting for a reply. The firewall indicates that the requested application server is down and closes the connection to mod_jk. For mod_jk this can only be interpreted as a network or an application error and so an 'Internal Server Error' is raised in the connected browser window.

To avoid the problem with proxy firewalls we think the protocol between mod_jk and tomcat could be expanded with a ping/pong message which indicates to mod_jk that a connection to the Tomcat application server has been established. The successful establishment of a connection to a process is in our scenario not sufficient. mod_jk should be sure to be connected to the Tomcat application server before sending data. If the connection to the first Tomcat application server fails the connection is still in mode 'recoverable' and mod_jk will try to reach the second application server.

Thank you in advance,
best regards

Norbert
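The probe-before-send behaviour proposed in the message above, as an added sketch that is not part of the original post and is not mod_jk or Tomcat code. The `PING`/`PONG` byte strings and the function names are hypothetical, and the proxy is a constructed local stand-in for the firewall that accepts every connection.

```python
import socket
import threading

PING, PONG = b"PING\n", b"PONG\n"   # hypothetical probe bytes, not mod_jk's wire format

def start_proxy(backend_up):
    """Constructed stand-in for the proxy firewall: it always accepts the connection."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                first = conn.recv(64)
                if not backend_up:
                    continue              # close: server behind the proxy is down
                if first == PING:
                    conn.sendall(PONG)    # relayed answer from the live backend
                    conn.recv(1024)       # the real request follows the probe
                conn.sendall(b"200 OK\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def naive_send(addr, request):
    """Current behaviour: connect succeeded, so send; b'' means it was dropped."""
    with socket.create_connection(addr, timeout=2) as s:
        s.sendall(request)
        return s.recv(1024)

def probe(addr):
    """Return a socket confirmed end to end by ping/pong, or None."""
    try:
        s = socket.create_connection(addr, timeout=2)
        s.sendall(PING)
        if s.recv(len(PONG)) == PONG:
            return s
        s.close()
    except OSError:
        pass
    return None

def send_request(workers, request):
    """Fail over between workers; the request is sent only after a pong."""
    for name, addr in workers:
        s = probe(addr)
        if s is not None:                 # else still recoverable: nothing was sent
            with s:
                s.sendall(request)
                return name, s.recv(1024)
    raise ConnectionError("no worker answered the ping")
```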