tomcat-users mailing list archives

From André Warnier
Subject Re: isapi_redirector.dll Problems - Bad Gateway?
Date Tue, 28 Dec 2010 16:11:46 GMT
oh oh. So it looks like you have been thrown to the wolves, eh ?
The positive side of it, is that if you solve it, you'll be the star.

Time for some ascii-art I think.

Except for firewalls, you have the following schema :

Browser-1 <--->             <--->               - webapp
Browser-2 <--->   IIS + IR  <---> AJP + Tomcat  - webapp
...                         <--->               - webapp
Browser-n <--->             <--->               - webapp

The dotted lines represent TCP/IP connections.
IIS + IR : IIS plus the Isapi_Redirector module
AJP + Tomcat : The Tomcat <Connector protocol="AJP"> module, plus Tomcat itself, and
the applications (webapps) running in Tomcat.

A request starts at the browser, goes to IIS over a connection to port 80 (if simple 
HTTP), or port 443 (if HTTPS).
IIS sees that this request is really for Tomcat, so it passes it to its Isapi_redirector.
The Isapi_redirector module creates another connection to Tomcat's AJP "Connector", this 
time over port 8009, where presumably this AJP connector is listening.
When the AJP connector receives the request, it creates a "thread" in Tomcat to handle 
this request.
A thread is like a sub-process of tomcat; it is created to process one request, and will 
disappear when this request is processed and it has sent the response.
To create the response, the thread "runs" one of the webapps.

Now to clear some side-issues :
- the protocol/format used between the browsers and IIS may be HTTP or HTTPS (SSL),
- but the protocol/format between the "IR" module on the IIS side, and the "AJP" module on 
the Tomcat side, is neither.  It is using a special protocol/format named AJP. (So the 
notion of SSL is not relevant here; the decryption already happens at the IIS level, and 
over the AJP connection the data flows essentially "in clear".)

For this whole scheme to work, there are a few pre-requisites :
- the browsers must be able to establish a TCP/IP connection to the IIS server.  I guess 
that part works.
- the IIS server (and its IR module), must be able to establish a TCP connection to the 
AJP module of Tomcat, which is usually configured to "listen" on port # 8009.
- the number of requests sent at the same time by the sum of all the browsers, needs to 
be more or less matched to the number of connections that the IR module and the AJP module 
can establish between themselves (otherwise some browser requests would never reach Tomcat)
- the number of simultaneous threads that the AJP connector can start inside of Tomcat, 
must also be more or less matched to the number of browser requests.  Otherwise, requests 
would pile up and have to wait, for a thread to become available to take care of them.
In the long term, that is not sustainable.

So the first thing here, would be to make sure that the Tomcat AJP connector is really 
listening on port 8009.  The wish for that is indicated, inside your server.xml, by a tag 
like :
  <Connector port="8009" protocol="AJP/1.3" ... />
Do you have such a tag ?

The second step would be to verify that it is really listening there.
For that, you could use the "netstat" command in a command window on the server, as follows

netstat -aon -p tcp

and look for a line that looks like this :

   TCP               LISTEN         2704

(the important part being that ":8009" part)

Do you see that ?

amythyst wrote:
> Thanks for the reply.
> With that script, how exactly would I execute that script?
> Pardon my ignorance, but I am a database developer that has been thrown into
> networking because our network admin is at a loss to what the problem is and
> doesn't seem keen on fixing it.
> According to him, all the ports that we are using are open on the
> firewall... 8080, 8081, 443, 8443 and 8009.  Tomcat is set to listen on port
> 8009 and I have configured the server.xml file to accept requests from 8009.
> When you ask how many threads I have configured you're talking about worker
> threads right?  I only have the one.
> Michael Ludwig-6 wrote:
>> amythyst schrieb am 27.12.2010 um 06:52 (-0800):
>>> Hi, yes we have a connector configured for port 8009.
>> Configured, okay; but it is not replying to your redirector's requests.
>> You can test AJP connectivity using this Perl script:
>>> Question about the firewall... IIS is set up for port 8081 and 443
>>> for our default website.  The application is running on 8080 and
>>> 8443. And as I said, tomcat is listening on 8009 to route traffic to
>>> the application.  In the firewall, I believe the network guy has set
>>> up port 8081 to allow traffic inside.  Does he also need to do
>>> something for 8009 or 8080 and 8443?
>> He needs to allow Tomcat to listen on 8009, and IIS to connect to
>> tomcat-server:8009. The other two ports your Tomcat is configured to
>> listen on should be irrelevant as far as the ISAPI redirector is
>> concerned; it does AJP, not HTTP or HTTPS.
>>> We are running the app with SSL, so it would be the secure ports I
>>> should be focusing on right?
>> Not for the AJP connection between IIS and Tomcat.
>>> Below are my worker files for the connector:
>>> # - IIS
>>> /jira/*=worker1
>> Okay.
>>> # -
>>> worker.list=worker1
>>> worker.worker1.type=ajp13
>>> worker.worker1.port=8009
>> Also okay. If you don't configure the connection_pool_size, the
>> default applies, which is 250 for IIS.
>> How many threads have you configured for your AJP connector?
>> -- 
>> Michael Ludwig
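
The netstat step above only shows that something is bound to port 8009, and the quoted reply mentions a script for testing AJP connectivity. As an added example (not part of the original messages and not the script referred to there), this Python probe sends the AJP13 CPing packet and checks for the CPong answer; the function name `probe_ajp` and the status strings are this example's own.

```python
import socket
import sys

# AJP13 keep-alive: server sends 0x1234, length 1, type 10; reply is "AB", 1, 9.
CPING = b"\x12\x34\x00\x01\x0a"
CPONG = b"AB\x00\x01\x09"

MEANING = {  # status strings are this example's own, not mod_jk/Tomcat terms
    "cpong": "AJP connector is listening and answering",
    "refused": "host reachable, but nothing listens on that port",
    "filtered": "connect timed out; traffic is probably dropped on the way",
    "unreachable": "no route or name resolution failure",
    "silent": "port accepted the connection but sent no reply in time",
    "not-ajp": "port is open, but the reply is not an AJP CPong",
}

def _read_exact(sock, n):
    """Read n bytes, returning fewer only if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def probe_ajp(host, port=8009, timeout=3.0):
    """Do one CPing/CPong exchange and return a key of MEANING."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    with sock:
        try:
            sock.sendall(CPING)
            reply = _read_exact(sock, len(CPONG))
        except socket.timeout:
            return "silent"
        except OSError:
            return "not-ajp"  # e.g. connection reset instead of a CPong
    return "cpong" if reply == CPONG else "not-ajp"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    status = probe_ajp(host, int(sys.argv[2]) if len(sys.argv) > 2 else 8009)
    print(host, status, MEANING[status])
```

Run it on the IIS machine with the Tomcat host name as argument, since that is the connection the redirector itself has to make.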