tomcat-users mailing list archives

From André Warnier (tomcat) ...@ice-sa.com>
Subject Re: Failover not working even after configuration.
Date Wed, 09 Dec 2015 20:53:36 GMT
On 09.12.2015 17:02, Kernel freak wrote:
> Hi,
>
> Thank you for finding out that mistake with port-number. What I fail to
> understand is, where to redirect the AJP request then?

Why would you need to ?

Again :

Your AJP <Connector> (in Tomcat) will *never* receive requests that are HTTPS. It expects
(and in your configuration, receives) only requests in the AJP protocol format (from the
Apache-httpd-side mod_jk or mod_proxy_ajp module).
(And if it received anything else, it would bitterly complain).

Also again:
Your configuration is :

User browser <-- HTTP(S) --> Apache httpd + mod_jk <- AJP -> Tomcat AJP Connector <--> Tomcat webapp

The user's browser talks to Apache httpd using either HTTP or HTTPS.
If it is HTTPS, Apache unencrypts it.
The request is then (partially) processed in Apache httpd (parsing the headers etc.), and
then it is forwarded to (one of the) Tomcat by the mod_jk module, in AJP format (which has
no encrypted version). It is received by the AJP Connector in Tomcat (which understands
AJP, but not HTTP/HTTPS). The AJP Connector in Tomcat makes this into a Tomcat/java HTTP
Request object, that object is passed to the webapp, and that is what the webapp is
dealing with.

The webapp Response object goes the opposite way.
Tomcat outputs this response through the AJP connector, which encodes it as an "AJP
message". This message goes to the Apache mod_jk connector. The mod_jk connector decodes
this back for Apache-httpd, into an "Apache httpd response". Apache httpd then sends this
response back to the browser, in HTTP or HTTPS, depending on how the browser originally
connected to httpd to send that request.

The thing to understand here, is that along with the request in AJP format that mod_jk 
sends to the Tomcat AJP Connector, there will be (optionally) a number of "SSL 
attributes", which allow the recipient webapp to know that the original browser-to-httpd 
connection was HTTPS (or not), even though Tomcat received that request through the AJP 
Connector, in non-SSL AJP format.

See here :
http://tomcat.apache.org/connectors-doc/reference/apache.html
--> JkExtractSSL

I do not know Spring, and I do not know under what conditions it would send back https://
links or not. But this should not be a problem, if the configuration on both Apache-httpd
and Tomcat is correct.

Now, all that I am saying above, and also all your load-balancing setup, is only valid
assuming that *all* browser-to-Tomcat communications always go through Apache httpd.
If you allow browsers to access Tomcat directly, then all this is moot.

A browser cannot talk directly to the Tomcat AJP Connector, they would not understand
each other. But if your Tomcats have active HTTP/HTTPS Connectors, and the browser is able
to connect to them, then forget all the above, it will not work as you expect.
(Such connections would also bypass the load-balancing that you want).

> Can you tell me
> that. I am as of now creating additional mail, as I changed the config and
> added a Cluster in tomcat. I just need to know what's the deal with those
> connectors, as the webapp requires https..
>
> Should I remove that redirectPort in ajp? Kindly let me know. Thank you.
>
> On Wed, Dec 9, 2015 at 4:46 PM, André Warnier (tomcat) <aw@ice-sa.com>
> wrote:
>
>>
>> On 09.12.2015 15:56, Kernel freak wrote:
>>
>>> I am working on Apache and tomcat to setup Load-balancing and fail-over.
>>> Initially I thought that load-balancing would include fail-over, but I was
>>> wrong. I thought that if one instance is not active, then consuming other
>>> instance also becomes a part of load-management.
>>>
>>
>> It should :
>> quote : http://tomcat.apache.org/connectors-doc/reference/workers.html
>>
>>   Load balancer management includes:
>>
>>      Instantiating the workers in the web server.
>>      Using the worker's load-balancing factor, perform weighed-round-robin
>> load balancing where high lbfactor means stronger machine (that is going to
>> handle more requests)
>>      Keeping requests belonging to the same session executing on the same
>> Tomcat worker.
>>      Identifying failed Tomcat workers, suspending requests to them and
>> instead fall-backing on other workers managed by the lb worker.
>>
>> The overall result is that workers managed by the same lb worker are
>> load-balanced (based on their lbfactor and current user session) and also
>> fall-backed so a single Tomcat process death will not "kill" the entire
>> site.
>>
>>
>>> Enough with the terminologies, I setup fail-over, but the ironical part is
>>> fail-over itself is failing.
>>>
>>> As soon as I shut down one instance of tomcat, the entire setup is dead and
>>> I am getting 503. Can someone help me understand what is the problem.
>>>
>>>
>> Maybe the first step would be to remove the irrelevant parts of the
>> configuration below.
>> Also, please make an effort at formatting your email, in plain text.
>> What comes below is almost unreadable as it is.
>> (Even in the original mail to the list, see by yourself)
>>
>> I have reformatted what I could..
>>
>>
>> Added this in apache2.conf :
>>>
>>> JkWorkersFile /etc/apache2/workers.properties
>>> JkMount /* loadbalancer
>>>
>>> workers.properties :
>>>
>>> worker.list=loadbalancer
>>>    worker.server1.port=8010
>>>    worker.server1.host=localhost
>>>    worker.server1.type=ajp13
>>>
>>>    worker.server2.port=8011
>>>    worker.server2.host=localhost
>>>    worker.server2.type=ajp13
>>>
>>>    worker.server1.lbfactor=1
>>>    worker.server2.lbfactor=1
>>>
>>>    worker.loadbalancer.type=lb
>>>    worker.loadbalancer.balance_workers=server1,server2
>>> worker.loadbalancer.method=B
>>> worker.balancer.sticky_session=True
>>>
>>> 000-default in sites-enabled :
>>>
>>>
>>> JkMountCopy On
>>>
>>
>> <Proxy balancer://mycluster>
>>
>>>       BalancerMember ajp://localhost:8010 route=server1
>>> connectiontimeout=10
>>>       BalancerMember ajp://localhost:8011 route=server2
>>> connectiontimeout=10
>>>
>>>      ProxySet stickysession=JSESSIONID|jsessionid
>>>      Order Deny,Allow
>>>      Deny from none
>>>      Allow from all
>>> </Proxy>
>>> <VirtualHost *:80>ProxyRequests off
>>> ProxyPass /balancer-manager !
>>>
>>
>> ProxyPass /  balancer://mycluster/
>> ProxyPassReverse / balancer://mycluster/</VirtualHost>
>> <Location /balancer-manager>
>> SetHandler balancer-manager
>> Order Deny,Allow
>> Deny from none
>> Allow from all
>> </Location>
>>
>>>
>>>
>>> First tomcat's server.xml :
>>>
>>>
>> On your front-end, you are re-directing everything to the tomcats, via AJP.
>> So this Connector is superfluous, and only makes the discussion more
>> confusing :
>>
>> <Connector port="8080" proxyPort="80" protocol="HTTP/1.1"
>>> compression="force" compressionMinSize="1024"
>>>                  connectionTimeout="20000"
>>>                  redirectPort="443" URIEncoding="utf-8"
>>>    compressableMimeType="text/html,text/xml,text/plain,text/css,text/
>>> javascript,application/x-javascript,application/javascript"/>
>>>
>>>
>> Same for this one. You are using AJP, so you are never accessing tomcat
>> directly via HTTPS. Useless :
>>
>> <Connector port="443" enableLookups="false" protocol="HTTP/1.1"
>>> SSLEnabled="true" maxThreads="200" compression="force"
>>>                 compressionMinSize="1024" scheme="https" secure="true"
>>> clientAuth="false"  sslProtocol="TLS"
>>>                   keystoreFile="keystore_file" keystorePass="PASSWORD"
>>> URIEncoding="utf-8"
>>>    compressableMimeType="text/html,text/xml,text/plain,text/css,text/
>>> javascript,application/x-javascript,application/javascript"/>
>>>
>>
>> This one is being used :
>>
>>      <Connector port="8010" protocol="AJP/1.3" redirectPort="443"
>>> URIEncoding="utf-8"
>>>    compressableMimeType="text/html,text/xml,text/plain,text/css,text/
>>> javascript,application/x-javascript,application/javascript"/>
>>>       <Engine name="Catalina" defaultHost="localhost" jvmRoute="server1">
>>>       // No modifications inside</Engine>
>>>
>>> Second Tomcat's server.xml :
>>>
>>>
>>> useless, see above :
>>
>> <Connector port="8081" proxyPort="80" protocol="HTTP/1.1"
>>> compression="force" compressionMinSize="1024"
>>>                  connectionTimeout="20000"
>>>                  redirectPort="443" URIEncoding="utf-8"
>>>    compressableMimeType="text/html,text/xml,text/plain,text/css,text/
>>> javascript,application/x-javascript,application/javascript"/>
>>>
>>> useless, see above :
>>
>>> <Connector port="443" enableLookups="false" protocol="HTTP/1.1"
>>> SSLEnabled="true" maxThreads="200" compression="force"
>>>                 compressionMinSize="1024" scheme="https" secure="true"
>>> clientAuth="false"  sslProtocol="TLS"
>>>                   keystoreFile="keystore_file" keystorePass="PASSWORD"
>>> URIEncoding="utf-8"
>>>    compressableMimeType="text/html,text/xml,text/plain,text/css,text/
>>> javascript,application/x-javascript,application/javascript"/>
>>>
>>
>> Used:
>>
>>>    <Connector port="8011" protocol="AJP/1.3" redirectPort="8443"
>>> URIEncoding="utf-8"
>>>    compressableMimeType="text/html,text/xml,text/plain,text/css,text/
>>> javascript,application/x-javascript,application/javascript"/>
>>>       <Engine name="Catalina" defaultHost="localhost" jvmRoute="server2">
>>>       // No modifications here
>>>       </Engine>
>>>
>>>
>>>
>> Note : your HTTP(S) Connectors are useless, since nothing should in
>> principle ever reach tomcat via HTTP(S). But if you are going to use the
>> redirectPort="8443"
>> attribute, you may at least ensure that the corresponding port is attended
>> to.
>>
>> So, I suggest that you clean up your configuration, and repost it in a
>> more readable format. Then maybe we'll see something.
>>
>>>
>>> I am working on Apache and tomcat to setup Load-balancing and
>>> fail-over. Initially I thought that load-balancing would include
>>> fail-over,
>>>    but I was wrong. I thought that if one instance is not active, then
>>> consuming other instance also becomes a part of load-management. Enough
>>> with the terminologies, I setup fail-over, but the ironical part is
>>> fail-over itself is failing.
>>>
>>> As soon as I shut down one instance of tomcat, the entire setup is
>>> dead and I am getting 503. Can someone help me understand what is the
>>> problem.
>>>
>>> Added this in apache2.conf :
>>>
>>> JkWorkersFile /etc/apache2/workers.properties
>>> JkMount /* loadbalancer
>>>
>>> workers.properties :
>>>
>>> GNU nano 2.2.6 File: workers.properties
>>>
>>>    worker.list=loadbalancer
>>>    worker.server1.port=8010
>>>    worker.server1.host=localhost
>>>    worker.server1.type=ajp13
>>>
>>>    worker.server2.port=8011
>>>    worker.server2.host=localhost
>>>    worker.server2.type=ajp13
>>>
>>>    worker.server1.lbfactor=1
>>>    worker.server2.lbfactor=1
>>>
>>>    worker.loadbalancer.type=lb
>>>    worker.loadbalancer.balance_workers=server1,server2
>>> worker.loadbalancer.method=B
>>> worker.balancer.sticky_session=True
>>>
>>> 000-default in sites-enabled :
>>>
>>> JkMountCopy On<Proxy balancer://mycluster>
>>>       BalancerMember ajp://localhost:8010 route=server1
>>> connectiontimeout=10
>>>       BalancerMember ajp://localhost:8011 route=server2
>>> connectiontimeout=10
>>>
>>>      ProxySet stickysession=JSESSIONID|jsessionid
>>>      Order Deny,Allow
>>>      Deny from none
>>>      Allow from all
>>> </Proxy>
>>> <VirtualHost *:80>ProxyRequests off
>>> ProxyPass /balancer-manager !ProxyPass /
>>> balancer://mycluster/ProxyPassReverse /
>>> balancer://mycluster/</VirtualHost>
>>> <Location /balancer-manager>SetHandler balancer-manager
>>> Order Deny,AllowDeny from noneAllow from all</Location>
>>>
>>>
>>> First tomcat's server.xml :
>>>
>>> <Connector port="8080" proxyPort="80" protocol="HTTP/1.1"
>>> compression="force" compressionMinSize="1024"
>>>                  connectionTimeout="20000"
>>>                  redirectPort="443" URIEncoding="utf-8"
>>>    compressableMimeType="text/html,text/xml,text/plain,text/css,text/
>>> javascript,application/x-javascript,application/javascript"/>
>>>
>>> <Connector port="443" enableLookups="false" protocol="HTTP/1.1"
>>> SSLEnabled="true" maxThreads="200" compression="force"
>>>                 compressionMinSize="1024" scheme="https" secure="true"
>>> clientAuth="false"  sslProtocol="TLS"
>>>                   keystoreFile="keystore_file" keystorePass="PASSWORD"
>>> URIEncoding="utf-8"
>>>    compressableMimeType="text/html,text/xml,text/plain,text/css,text/
>>> javascript,application/x-javascript,application/javascript"/>
>>>      <Connector port="8010" protocol="AJP/1.3" redirectPort="443"
>>> URIEncoding="utf-8"
>>>    compressableMimeType="text/html,text/xml,text/plain,text/css,text/
>>> javascript,application/x-javascript,application/javascript"/>
>>>       <Engine name="Catalina" defaultHost="localhost" jvmRoute="server1">
>>>       // No modifications inside</Engine>
>>>
>>> Second Tomcat's server.xml :
>>>
>>> <Connector port="8081" proxyPort="80" protocol="HTTP/1.1"
>>> compression="force" compressionMinSize="1024"
>>>                  connectionTimeout="20000"
>>>                  redirectPort="443" URIEncoding="utf-8"
>>>    compressableMimeType="text/html,text/xml,text/plain,text/css,text/
>>> javascript,application/x-javascript,application/javascript"/>
>>>
>>> <Connector port="443" enableLookups="false" protocol="HTTP/1.1"
>>> SSLEnabled="true" maxThreads="200" compression="force"
>>>                 compressionMinSize="1024" scheme="https" secure="true"
>>> clientAuth="false"  sslProtocol="TLS"
>>>                   keystoreFile="keystore_file" keystorePass="PASSWORD"
>>> URIEncoding="utf-8"
>>>    compressableMimeType="text/html,text/xml,text/plain,text/css,text/
>>> javascript,application/x-javascript,application/javascript"/>
>>>    <Connector port="8011" protocol="AJP/1.3" redirectPort="8443"
>>> URIEncoding="utf-8"
>>>    compressableMimeType="text/html,text/xml,text/plain,text/css,text/
>>> javascript,application/x-javascript,application/javascript"/>
>>>       <Engine name="Catalina" defaultHost="localhost" jvmRoute="server2">
>>>       // No modifications here
>>>       </Engine>
>>>
>>> What mistake I am making in the config for implementing load-balancing and
>>> fail-over together. Thanks a lot.
>>>
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
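
An added example, not part of the original message and not code from the Tomcat project: a small Python check for the two points made above, that HTTP(S) Connectors left active on a Tomcat behind httpd let clients bypass the front end, and that a redirectPort should point at a port some Connector attends to. The function name audit_connectors, the trimmed sample XML and the choice to skip loopback-bound connectors are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the second Tomcat's connectors from the thread, trimmed to
# the attributes this check reads and wrapped in a minimal <Server>/<Service>.
SERVER2_XML = """
<Server><Service name="Catalina">
  <Connector port="8081" proxyPort="80" protocol="HTTP/1.1" redirectPort="443"/>
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"/>
  <Connector port="8011" protocol="AJP/1.3" redirectPort="8443"/>
  <Engine name="Catalina" defaultHost="localhost" jvmRoute="server2"/>
</Service></Server>
"""

# Assumption of this example: a connector bound to loopback is not reachable
# by browsers, so it is not reported as a bypass path.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_connectors(server_xml):
    """Return findings for a Tomcat that should only be reached via httpd + AJP."""
    connectors = ET.fromstring(server_xml).findall(".//Connector")
    ports = {c.get("port") for c in connectors}
    findings = []
    for c in connectors:
        port = c.get("port")
        # Tomcat treats a Connector without a protocol attribute as HTTP/1.1.
        is_ajp = "ajp" in c.get("protocol", "HTTP/1.1").lower()
        if not is_ajp and c.get("address") not in LOOPBACK:
            kind = "HTTPS" if c.get("SSLEnabled", "").lower() == "true" else "HTTP"
            findings.append(f"{kind} connector on port {port}: clients that can "
                            "reach it bypass httpd and the load balancer")
        redirect = c.get("redirectPort")
        if redirect and redirect not in ports:
            findings.append(f"connector on port {port}: redirectPort {redirect} "
                            "has no Connector attending to it")
    return findings

if __name__ == "__main__":
    for finding in audit_connectors(SERVER2_XML):
        print(finding)
```
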

