tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aurélien Terrestris <>
Subject Re: Client using VIP ----> protocol HTTPS--> F5 ---->protocol HTTP ----> TOMCAT - Does not work
Date Fri, 31 Jul 2015 09:44:32 GMT
You're wellcome Lewis.

Chris, it looks like you had another understanding of the question, which was :
"So my first question is:  Why do I not see the VIP driven requests in the log?"

The requests were in the log, but with another client IP. At least
Tomcat provides this valve when most of other software don't.


2015-07-30 19:00 GMT+02:00 Kramer, Lewis <>:
> Sorry.  I mean thanks Aurelien.
> Hi,
> in your server.xml, add this before your acces log valve :
> <Valve className="org.apache.catalina.valves.RemoteIpValve" />
> It's working for our hosting behind F5
> 2015-07-30 18:09 GMT+02:00 Christopher Schultz <>:
>> Hash: SHA256
>> Lew,
>> On 7/29/15 4:50 PM, Kramer, Lewis wrote:
>>> I am new to Tomcat.
>> Welcome to the community.
>>> I'm still struggling with many of the concepts. That said here we
>>> go:
>>> Tomcat Version 8.0.14 Mainly out of the box configuration.
>> If possible, upgrade to 8.0.latest.
>>> Client is using VIP to connect to an F5 via HTTPS  (port 443)
>> Sorry... what's "VIP"?
>>> The F5 connects to the Tomcat host via HTTP (port 8080)
>>> Our F5 team indicates that they are sure they have configured the
>>> F5 properly (they do it all the time for HTTP Server and Jboss
>>> Application Server installations. They have not done this with Tomcat
>>> before)
>> If everyone is speaking HTTP, it should be the same.
>>> I have created an access log valve at the engine level to see what
>>> the request looks like. <Valve
>>> className="org.apache.catalina.valves.AccessLogValve"
>>> directory="logs" prefix="catalina_access_log" suffix=".txt"
>>> pattern="%h %H %l %u %t &quot;%r&quot; %s %b" />
>>> I see requests that are direct connected to the Tomcat host directly,
>>> either from a client accessing the web application hosted on the
>>> tomcat server (via HTTP) or from the F5 for healthcheck purposes in
>>> the log (also via HTTP). I do not see any client requests that use
>>> the VIP showing up in the log.
>> So the F5 can get to you (healthcheck) but client requests don't make
>> it through? Sounds like a problem mapping the actual incoming requests
>> to Tomcat.
>>> So my first question is: Why do I not see the VIP driven requests in
>>> the log? Am I not logging correctly? Does not seeing the requests in
>>> the log mean they are not making it to the Tomcat server?
>> The log looks properly configured. If they aren't in the log, they
>> probably aren't reaching Tomcat. It wouldn't hurt to watch the NIC to
>> see if any traffic is coming over. Try something like tcpdump or
>> Wireshark to see if anything is coming in.
>>> Thinking that this might be a proxy problem I tried this which didn't
>>> work
>>> <Connector port="8080" protocol="HTTP/1.1"
>>> connectionTimeout="20000" redirectPort="8443" proxyName="VIP name"
>>> proxyPort="443" scheme="HTTPS" disableUploadTimeout="true" />
>>> I've recently begun reading about the proxy support valve but am
>>> still digesting the information. At this point I am not even sure how
>>> I might use it.
>> Tomcat treats proxies just like any other HTTP client, so it shouldn't
>> require much study (until you want to get the client's REAL ip
>> address, for instance).
>> How is the F5 set up to route requests to Tomcat? Is it done by URL
>> pattern or something? Or anything that comes-in for a specific IP goes
>> to Tomcat?
>> Can you confirm if the F5 is even getting the requests?
>> - -chris
>> Comment: GPGTools -
>> bM0ao6s0SpUZNgBPhrFj9a53PC4FbWPa0SjqLeKQJ4fmuc2kgbnUSOVOEQefbNMO
>> wZC2Fvv6Ry8Vr4UnE5XoldJFV98NwRWW6T684fCQPZWEPeD1OEQMapG9jAzpC4eT
>> rCape0UoZ6OyNzJuMdQ3yTit5iOQdx5BLUzKao+Tejk/DZHqXZoW/4+xyatoOPIo
>> wi58vmmaX56aspA/f1CybZ5HJDvvn4zNqPjLWivaWr2j2l1zJT1BMOgeWbBF+Mzx
>> 66ARRovYoJjRY6n6SfysCnUL1IqoaphYzUWrg5HCn5EhyhzysshzKNLk1GtXFdry
>> 5M0XW+sIuNd0PanHHRyN1u4LChsi80X0UhwyfxqIHTZ/FZH0oCGV0ZQ32BXtlioe
>> vBbOq5Dig+jKpxbek0/iXOuIst8snrlAYqHlYImxnxQnD0tRhzIVyJjy2aXzm2+T
>> pxaKzoke1weZjvmfdg4qhO4nEIJvyFtlh44o34Us5IWGayUErq7RK57ECr1uhXDb
>> PCGvuIBN6WbHWE44BJKLCEq/XhcUDvRjrII0vWbf3Cwo5upeCDUd5o0Py/6meJKv
>> rHT6P/DUjhJcIT6DTRjc
>> =PNJY
>> -----END PGP SIGNATURE-----
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:
> This e-mail, including attachments, may include confidential and/or
> proprietary information, and may be used only by the person or entity
> to which it is addressed. If the reader of this e-mail is not the intended
> recipient or his or her authorized agent, the reader is hereby notified
> that any dissemination, distribution or copying of this e-mail is
> prohibited. If you have received this e-mail in error, please notify the
> sender by replying to this message and delete this e-mail immediately.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message