Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Received-SPF: pass (athena.apache.org: domain of aw@ice-sa.com designates
 212.85.38.229 as permitted sender)
Message-ID: <52DDAFA4.7000300@ice-sa.com>
Date: Tue, 21 Jan 2014 00:22:12 +0100
From: =?UTF-8?B?QW5kcsOpIFdhcm5pZXI=?= <aw@ice-sa.com>
Reply-To: Tomcat Users List <users@tomcat.apache.org>
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Cannot connect from outside using Tomcat 7/APR/SSL on AWS Windows
 system
References: 
 <7215BA462D00D343B2837F9113F0131F0181A1D53E@POSTOFFICE02.polydyne.com>
 <52DB5CA1.6050603@christopherschultz.net> <52DBECD1.2080200@gmail.com>
 <7215BA462D00D343B2837F9113F0131F0181A1D872@POSTOFFICE02.polydyne.com>
 <52DD4A05.5090507@ice-sa.com>
 <7215BA462D00D343B2837F9113F0131F0181A1D8A4@POSTOFFICE02.polydyne.com>
 <52DD563E.8080402@ice-sa.com>
 <7215BA462D00D343B2837F9113F0131F0181A1D8D8@POSTOFFICE02.polydyne.com>
 <52DD7D39.3020007@ice-sa.com>
 <7215BA462D00D343B2837F9113F0131F0181A1D91B@POSTOFFICE02.polydyne.com>
 <52DD89EF.9000304@ice-sa.com>
 <7215BA462D00D343B2837F9113F0131F0181A1D956@POSTOFFICE02.polydyne.com>
 <52DD9024.1040309@ice-sa.com>
 <7215BA462D00D343B2837F9113F0131F0181A1D983@POSTOFFICE02.polydyne.com>
 <7215BA462D00D343B2837F9113F0131F0181A1D994@POSTOFFICE02.polydyne.com>
In-Reply-To: 
 <7215BA462D00D343B2837F9113F0131F0181A1D994@POSTOFFICE02.polydyne.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Jeffrey Janner wrote:
>> -----Original Message-----
>> From: Jeffrey Janner [mailto:Jeffrey.Janner@PolyDyne.com]
>> Sent: Monday, January 20, 2014 4:11 PM
>> To: 'Tomcat Users List'; 'Tomcat Users List'
>> Subject: RE: Cannot connect from outside using Tomcat 7/APR/SSL on AWS
>> Windows system
>>
>>> -----Original Message-----
>>> From: André Warnier [mailto:aw@ice-sa.com]
>>> Sent: Monday, January 20, 2014 3:08 PM
>>> To: Tomcat Users List
>>> Subject: Re: Cannot connect from outside using Tomcat 7/APR/SSL on
>> AWS
>>> Windows system
>>>
>>> Jeffrey Janner wrote:
>>>>> -----Original Message-----
>>>>> From: André Warnier [mailto:aw@ice-sa.com]
>>>>> Sent: Monday, January 20, 2014 2:41 PM
>>>>> To: Tomcat Users List
>>>>> Subject: Re: Cannot connect from outside using Tomcat 7/APR/SSL on
>>>>> AWS Windows system
>>>>>
>>>>> Jeffrey Janner wrote:
>>>>>>> -----Original Message-----
>>>>>>> From: André Warnier [mailto:aw@ice-sa.com]
>>>>>>> Sent: Monday, January 20, 2014 1:47 PM
>>>>>>> To: Tomcat Users List
>>>>>>> Subject: Re: Cannot connect from outside using Tomcat 7/APR/SSL
>>>>>>> on AWS Windows system
>>>>>>>
>>>>>>> Jeffrey Janner wrote:
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: André Warnier [mailto:aw@ice-sa.com]
>>>>>>>>> Sent: Monday, January 20, 2014 11:01 AM
>>>>>>>>> To: Tomcat Users List
>>>>>>>>> Subject: Re: Cannot connect from outside using Tomcat
>> 7/APR/SSL
>>>>>>>>> on AWS Windows system
>>>>>>>>>
>>>>>>>>> Jeffrey Janner wrote:
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: André Warnier [mailto:aw@ice-sa.com]
>>>>>>>>>>> Sent: Monday, January 20, 2014 10:09 AM
>>>>>>>>>>> To: Tomcat Users List
>>>>>>>>>>> Subject: Re: Cannot connect from outside using Tomcat
>>> 7/APR/SSL
>>>>>>>>>>> on AWS Windows system
>>>>>>>>>>>
>>>>>>>>>>> Jeffrey Janner wrote:
>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>> From: Ognjen Blagojevic
>>>>>>>>>>>>> [mailto:ognjen.d.blagojevic@gmail.com]
>>>>>>>>>>>>> Sent: Sunday, January 19, 2014 9:19 AM
>>>>>>>>>>>>> To: Tomcat Users List
>>>>>>>>>>>>> Subject: Re: Cannot connect from outside using Tomcat
>>>>> 7/APR/SSL
>>>>>>>>>>>>> on AWS Windows system
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jeffrey,
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 19.1.2014 6:03, Christopher Schultz wrote:
>>>>>>>>>>>>>>> <Connector address="10.4.1.20" port="443"
>>>>>>>>> maxHttpHeaderSize="8192"
>>>>>>>>>>>>>> Could it be as simple as having set the "address"
>>> attribute?
>>>>>>>>>>>>> +1
>>>>>>>>>>>>>
>>>>>>>>>>>>> BTW, setting attribute preverIPv4Stack=true on server side
>>>>>>>>>>>>> doesn't mean anything for the client. The client will try
>>>>>>>>>>>>> to connect with
>>>>>>>>>>> the
>>>>>>>>>>>>> protocol he prefers. The client may also fall back to
>> other
>>>>>>>>>>>>> protocol (e.g. if IPv6 connection fails several times, try
>>>>> with
>>>>>>>>> IPv4).
>>>>>>>>>>>>> I see that access log is not configured. Is there a reason
>>>>>>>>>>>>> for
>>>>>>>>> that?
>>>>>>>>>>>>> Without access log you can't tell if the remote request
>>>>> reaches
>>>>>>>>>>>>> Tomcat or not. So, for start, I suggest you configure
>>>>>>>>>>>>> access log for Tomcat 7 and report back if something is
>>>>>>>>>>>>> logged
>>> after
>>>>>>>>>>>>> you
>>>>>>> try
>>>>>>>>>>>>> to connect from the remote host. Note that Tomcat may
>>>>>>>>>>>>> postpone writes
>>>>>>>>>>> to
>>>>>>>>>>>>> the log files, so make sure you stop Tomcat before you
>>>>>>>>>>>>> check
>>>>>>> your
>>>>>>>>>>> logs.
>>>>>>>>>>>>> If there is no record of remote requests in Tomcat 7
>> access
>>>>>>> logs,
>>>>>>>>> I
>>>>>>>>>>>>> suggest you analyze what is going on with Wireshark or
>> some
>>>>>>> other
>>>>>>>>>>>>> packet analyzer. You can that see if the client:
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1. tries to connect using IPv6 or IPv4, 2. is falling
>> back,
>>> 3.
>>>>>>>>>>>>> which exactly IPv4/v6 adress does it use, 4. is TCP three-
>>> way
>>>>>>>>>>>>> handshake successfull.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Only when you confirm that three-way handshake is
>>> succsessful
>>>>>>> and
>>>>>>>>>>>>> that the destionation IP adress is IPv4 "10.4.1.20", you
>>>>>>>>>>>>> may say
>>>>>>>>>>> that
>>>>>>>>>>>>> the request should have reached Tomcat.
>>>>>>>>>>>>>
>>>>>>>>>>>>> -Ognjen
>>>>>>>>>>>> Added the access log.  Absolutely 0 entries from any
>> address
>>>>>>>>>>>> that
>>>>>>>>> is
>>>>>>>>>>> not the local system.
>>>>>>>>>>> Can you configure your Tomcat-6 to run under your Java-7 ?
>>>>>>>>>>> (in the principle, I think that this should work; I don't
>>>>>>>>>>> know about the practice) This would help determine if the
>>> difference
>>>>>>>>>>> resides in the Java or the Tomcat.
>>>>>>>>>>>
>>>>>>>>>> Tried it a different way.  Since TC7 is supposed to support
>>> Java
>>>>>>>>>> 1.6,
>>>>>>>>> switched my TC7 to use the existing Java6.
>>>>>>>>>> No luck.
>>>>>>>>>> Noticed that 7.0.47 is old now.  Going to try 7.0.50.
>>>>>>>>>>
>>>>>>>>> Did you try a simple :
>>>>>>>>>
>>>>>>>>> telnet 10.4.1.20 <Tomcat listen port>
>>>>>>>>>
>>>>>>>>> (just to see if 'anything' from outside can connect to your
>>>>>>>>> AWS/Tomcat
>>>>>>>>> port)
>>>>>>>>>
>>>>>>>> Nope, just timeouts.
>>>>>>> If the connection is not rejected right away with a "connection
>>>>>>> refused by host", it normally means that a LISTEN port is opened
>>> on
>>>>> that port.
>>>>>>> Taken "strictly by the book" and according to your presumed
>>>>>>> accurate description of the symptoms above,
>>>>>>>
>>>>>>> A timeout suggests to me that the connection request packet (SYN
>>> ?)
>>>>>>> is received and accepted by the server, but that the return
>>>>>>> packet which should tell the client so (ACK ?), never makes it
>>>>>>> back to
>>> the
>>>>> client.
>>>>>>> Hence the client waits, until the timeout kicks in.
>>>>>>>
>>>>>>> Are you sure that this server has a route back to the client ?
>>>>>>>
>>>>>>> Or, are you sure that your descriptions so far are really
>>>>>>> accurate
>>> ?
>>>>>>> For example, is it really the same server on which you can make
>>>>>>> this succeed/fail just by switching the Java and/or Tomcat
>>> version,
>>>>>>> no other changes involved ?
>>>>>>> (Also see Konstantin's question about the apparent discrepancy
>>>>>>> between the netstat output and your server.xml).
>>>>>>>
>>>>>> Yep, just stopping one service and starting the other.  It's
>>>>> something weird with the server, since an identical Tomcat 6
>>>>> install wouldn't work with a copied and stripped configuration.
>>>>> I'm double- checking everything, but I think the server's tied the
>>>>> outside IP to the wrong internal IP.  Trying to come up with a way
>> to check that.
>>>>>> Note, the connectors and hosts my original posted server.xml are
>>>>> taken from my original install, but that also has another pair of
>>>>> connectors (different IPv4 address) and some hosts that should
>> only
>>>>> respond on that address, though they are all under one
>>> service/engine
>>>>> combo.  The troublesome address connectors and hosts are commented
>>>>> out in the original and the original restarted before I try to
>>>>> start the newer setups.
>>>>> Suggestion: read Part III of the article which I mentioned earlier
>>>>> (http://www.excelsior-usa.com/articles/tomcat-amazon-ec2-
>>> basic.html),
>>>>> particularly the section "Assigning an Elastic IP Address".
>>>>>
>>>>> It suggests that there is a lot more going on with AWS instances
>>> than
>>>>> merely tying up a socket to an IP address.  I don't know really,
>>>>> but maybe it is something in that area which stymies your
>> attempts..
>>>>> In the meantime, I'll go back to your quoted server.xml (the
>>>>> <Connector> entries), and see if yomething there catches my
>>>>> imagination.
>>>>> What I am thinking of, is some edge case between the AWS IP-
>> binding
>>>>> logic, and APR socket configuration.  After all, it is quite
>>> possible
>>>>> that not all such cases would have been thoroughly tested, and you
>>>>> may have stumbled inadvertently on one such.
>>>>>
>>>> Forgot to mention that I am using EIP for all mappings.  I'm not
>>> depending on "magic" from AWS.
>>>> Also, I'm working under Windows, but the basics are the same.
>>>>
>>> Unfortunately, it looks like I am a bit (much) out of my depth there.
>>> I don't know AWS at all, and the results of the DNS lookups that I'm
>>> doing on the IP and hostnames you quoted are increasing my
>> confusion..
>>> Looks like something you'll have to work out by yourself.
>>> My last suggestion would be to minimise your configuration (single
>> IP,
>>> single HTTP port, single Host, default page) and start from there.
>>>
>> Actually, that is what I was trying to do, minimize the configuration.
>> Let's see if I can do a line drawing:
>> qwdemo.polydyne.com (DNS 96.127.35.106) --> AWS firewall (allow 80/443
>> from anywhere) --> EIP mapping (aka NAT) --> server (10.4.1.20) It
>> really should be that simple of a setup.
>> Is there any way to log the internal IP a request comes in on?  I
>> wonder if the mapping is correct?
> 

I'm still out of my depth (this time for different reasons), but one page you might want 
to at least have a look at, to check if it's applicable here : 
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#Proxy%20Support

But it should not be applicable, as apparently the AWS stuff is what you say, just a NAT 
mechanism.  Tomcat should not even be aware that its real IP is not 10.4.1.20.

I don't get what's wrong.

> More interesting stuff:
> Added an Access Log Valve with the pattern '%A %h %l %u %t "%r" %s %b.
> There are two DNS entries for the <host>, each resolving to different external IPs for the server. Each is mapped to a different internal IP address both on the same network interface. However the access log shows queries to either are hitting the Primary IP for the network interface.  That is, no matter which hostname I use, the first column is always 10.4.1.20.
> Is this some limitation of the access log valve, i.e. it is just reporting the first IP address in the list for the network interface?
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org