tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: VERY HIGH TRAFFIC TUNING
Date Fri, 11 Jul 2014 16:59:26 GMT

André,

On 7/10/14, 5:40 PM, André Warnier wrote:
> Christopher Schultz wrote: ...
> 
>> 
>> Interesting... load average is a crude measure of activity; I
>> suppose that having those timeouts means that there is activity
>> on a thread even when there is no real "work" to be done. I do
>> recommend leaving the timeouts set to their defaults (-1 =
>> infinite).
> 
> In general terms, I would definitely not put the connectionTimeout
> nor the keepAliveTimeout to infinite, if that is what you meant
> here.

In fact, it is exactly what I meant.

> ConnectionTimeout infinite seems like a perfect setup for a DOS
> attack. Keep-alive timeout infinite seems like the perfect way to
> block a lot of threads doing nothing (and opening yourself to
> another kind of DOS attack).

Anyone allowing outsiders to make AJP connections to their Tomcat
backends deserves to be DOS'd.

> However, in this case, we are talking about the AJP Connector,
> which processes requests coming in via Apache httpd and mod_jk, so
> I guess that one can rely on the Apache front-end not to relay
> anything nasty to Tomcat.

Right.

> Presumably, the Apache httpd configuration does not have infinite 
> connection timeout nor keep-alive timeout.

I certainly wouldn't set things up this way.

> Which in a way, raises the question of why these parameters are
> even available for setting on the AJP Connector.  Should these not
> better be left to the discretion of Apache httpd and mod_jk in the
> first place?

These configuration directives help deal with firewalls that close
connections without either party knowing that the connection is no
longer valid. If you could not set a timeout, then the Tomcat side
could have a thread waiting forever on a connection that would never
have any data arrive ever again.

-chris
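
The exchange above turns on two things: whether the AJP connector is reachable by anyone other than the httpd front-end, and whether its timeouts are left at the infinite default. As an added example (not part of the original message and not Tomcat project code), this Python audit reads a server.xml and reports both for each AJP connector. The sample XML and the verdict strings are constructed, and a connector with no address attribute is assumed to be not restricted to loopback, which depends on the Tomcat version.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not taken from the thread).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"/>
    <Connector port="8011" protocol="AJP/1.3" address="10.0.0.5"
               connectionTimeout="600000" keepAliveTimeout="60000"/>
  </Service>
</Server>
"""

def is_loopback(address):
    """True only when the connector is explicitly bound to a loopback address."""
    if address is None:
        return False  # assumption: no address attribute means not restricted
    if address == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # a hostname we cannot classify offline

def audit_ajp(server_xml):
    """Return (port, connectionTimeout, keepAliveTimeout, verdict) per AJP connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are out of scope for this check
        # AJP default is -1 (infinite), as stated in the thread.
        ct = int(conn.get("connectionTimeout", "-1"))
        # keepAliveTimeout falls back to connectionTimeout when unset.
        ka = int(conn.get("keepAliveTimeout", str(ct)))
        infinite = ct < 0 or ka < 0
        if infinite and not is_loopback(conn.get("address")):
            verdict = "REVIEW: infinite timeout, reachable beyond loopback"
        elif infinite:
            verdict = "OK: infinite timeout, loopback only"
        else:
            verdict = "OK: finite timeouts"
        findings.append((int(conn.get("port")), ct, ka, verdict))
    return findings
```

A REVIEW verdict is a prompt to confirm that a firewall or bind address limits the port to the front-end, not a finding by itself.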