tomcat-users mailing list archives

From Aurélien Terrestris <aterrest...@gmail.com>
Subject Re: Client using VIP ----> protocol HTTPS--> F5 ---->protocol HTTP ----> TOMCAT - Does not work
Date Thu, 30 Jul 2015 16:13:48 GMT
Hi,

in your server.xml, add this before your access log valve:

<Valve className="org.apache.catalina.valves.RemoteIpValve" />

It's working for our hosting behind F5

2015-07-30 18:09 GMT+02:00 Christopher Schultz <chris@christopherschultz.net>:
> Lew,
>
> On 7/29/15 4:50 PM, Kramer, Lewis wrote:
>> I am new to Tomcat.
>
> Welcome to the community.
>
>> I'm still struggling with many of the concepts. That said here we
>> go:
>>
>> Tomcat Version 8.0.14 Mainly out of the box configuration.
>
> If possible, upgrade to 8.0.latest.
>
>> Client is using VIP to connect to an F5 via HTTPS  (port 443)
>
> Sorry... what's "VIP"?
>
>> The F5 connects to the Tomcat host via HTTP (port 8080)
>>
>> Our F5 team indicates that they are sure they have configured the
>> F5 properly (they do it all the time for HTTP Server and Jboss
>> Application Server installations. They have not done this with
>> Tomcat before)
>
> If everyone is speaking HTTP, it should be the same.
>
>> I have created an access log valve at the engine level to see what
>> the request looks like. <Valve
>> className="org.apache.catalina.valves.AccessLogValve"
>> directory="logs" prefix="catalina_access_log" suffix=".txt"
>> pattern="%h %H %l %u %t &quot;%r&quot; %s %b" />
>>
>> I see requests that are direct connected to the Tomcat host
>> directly, either from a client accessing the web application
>> hosted on the tomcat server (via HTTP) or from the F5 for
>> healthcheck purposes in the log (also via HTTP). I do not see any
>> client requests that use the VIP showing up in the log.
>
> So the F5 can get to you (healthcheck) but client requests don't make
> it through? Sounds like a problem mapping the actual incoming requests
> to Tomcat.
>
>> So my first question is: Why do I not see the VIP driven requests
>> in the log? Am I not logging correctly? Does not seeing the
>> requests in the log mean they are not making it to the Tomcat
>> server?
>
> The log looks properly configured. If they aren't in the log, they
> probably aren't reaching Tomcat. It wouldn't hurt to watch the NIC to
> see if any traffic is coming over. Try something like tcpdump or
> Wireshark to see if anything is coming in.
>
>> Thinking that this might be a proxy problem I tried this which
>> didn't work
>>
>> <Connector port="8080" protocol="HTTP/1.1"
>> connectionTimeout="20000" redirectPort="8443" proxyName="VIP name"
>> proxyPort="443" scheme="HTTPS" disableUploadTimeout="true" />
>>
>> I've recently begun reading about the proxy support valve but am
>> still digesting the information. At this point I am not even sure
>> how I might use it.
>
> Tomcat treats proxies just like any other HTTP client, so it shouldn't
> require much study (until you want to get the client's REAL IP
> address, for instance).
>
> How is the F5 set up to route requests to Tomcat? Is it done by URL
> pattern or something? Or anything that comes in for a specific IP goes
> to Tomcat?
>
> Can you confirm if the F5 is even getting the requests?
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
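
Added example, not part of the thread: a server.xml fragment showing the RemoteIpValve placement suggested above, with the bare form beside one that pins which peer may supply forwarding headers. The address 10.0.0.5 is a constructed placeholder, and it is assumed that the F5 inserts X-Forwarded-For and X-Forwarded-Proto on requests it forwards.

```xml
<!-- Added example, not from the thread. 10.0.0.5 is a constructed
     placeholder for the F5 address that opens connections to Tomcat.
     Assumes the F5 inserts X-Forwarded-For and X-Forwarded-Proto. -->

<!-- Connector left plain: no proxyName/proxyPort/scheme overrides, so
     direct and health-check requests are still described accurately. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" redirectPort="8443" />

<Engine name="Catalina" defaultHost="localhost">

  <!-- Bare form from the reply: with no internalProxies attribute the
       valve accepts X-Forwarded-For from any peer whose address matches
       its built-in default pattern of private and loopback ranges.
  <Valve className="org.apache.catalina.valves.RemoteIpValve" />
  -->

  <!-- Pinned form: only the F5 address may supply forwarding headers.
       protocolHeader is set explicitly rather than relying on a
       version-dependent default, so scheme and isSecure() follow
       what the client actually used towards the F5. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="10\.0\.0\.5"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https" />

  <!-- Declared after RemoteIpValve. requestAttributesEnabled="true"
       makes %h log the client address the valve resolved instead of
       the F5 address. -->
  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="catalina_access_log" suffix=".txt"
         requestAttributesEnabled="true"
         pattern="%h %H %l %u %t &quot;%r&quot; %s %b" />

  <!-- existing Realm and Host elements unchanged -->
</Engine>
```

With the pinned form, a request that reaches port 8080 from any other address keeps its real peer address in the log, whatever X-Forwarded-For value it carries.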
