tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier (tomcat) ...@ice-sa.com>
Subject Re: Why is Tomcat sending "Connection: close?"
Date Wed, 31 Aug 2016 22:24:39 GMT
Hi.
Please do not top-post your responses on this list.
See : http://tomcat.apache.org/lists.html#tomcat-users  # 6)
>
>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:aw@ice-sa.com]
> Sent: Wednesday, August 31, 2016 10:53 AM
> To: users@tomcat.apache.org
> Subject: Re: Why is Tomcat sending "Connection: close?"
>
> On 31.08.2016 17:50, John.E.Gregg@wellsfargo.com wrote:
>> All,
>>
>> I'm using Tomcat 7.0.70 and am having trouble understanding why Tomcat is sending
"Connection: close" in the response header as often as it is.  With almost no load on the
server, I get "Connection: close" pretty much every time.  The client is sending "Connection:
keep-alive" but it doesn't seem to matter.  HTTP protocol is 1.1 and response code is 200.
>>
>> In other cases I've seen Tomcat behave exactly the way the doc says the below config
should behave (100 requests per connection as long as the timeout is not exceeded) but not
this time.
>>
>> Any idea why this is occurring or where to look to debug it?  I've tried setting
breakpoints in AbstractHttp11Processor where "Connection: close" is set, but it's not hit.
>>
>> Thanks
>>
>> John
>>
>> Here is my connector config:
>>
>> <Connector port="7124"
>>           protocol="HTTP/1.1"
>>           SSLEnabled="true"
>>           maxThreads="80"
>>           maxKeepAliveRequests="100"
>>           keepAliveTimeout="10000"
>>           scheme="https"
>>           secure="true"
>>           clientAuth="true"
>>           sslProtocol="TLS"
>>           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello,SSLv3"
>>           keystoreFile="${keystoreFile}"
>>           keystorePass="${keystorePassword}"
>>           keyAlias="test"
>>           truststoreFile="${truststoreFile}"
>>           truststorePass="${truststorePassword}"
>>           allowUnsafeLegacyRenegotiation="false"
>>                   ciphers="SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,
>> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_ CBC_SHA,
>> SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
>> SSL_RSA_WITH_RC4_128_SHA, TLS_DHE_DSS_WITH_AES _128_CBC_SHA,
>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_
>> ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_EC DSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WIT H_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_C BC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH _AES_256_CBC_SHA"
>>           />
>>
>
> Sorry to ask, but are you positive that there is *nothing* between the browser and Tomcat
? (I mean like a firewall, proxy server, etc..)
>
> > No, unfortunately not.  I put "%{Connection}i %{Connection}o" in the log config
and get
"Keep-Alive close."  IOW the client sends Keep-Alive but Tomcat responds with close.
>

There are a number of scenarios in which a webserver - not only Tomcat - would send a 
"Connection: close" header in a response, and close the connection after sending the 
response.  For the gory details, see https://tools.ietf.org/html/rfc7230#section-6.3 etc..
Simplified :

- if a webserver knows in advance the size of the response body, then it would normally 
send a "Content-length: xxx" header, followed by a response body of exactly that length. 
In such a case also, it should normally honor the keep-alive request of the client, and 
not close the connection

- if the server does not know in advance the size of the response body (e.g. it is 
generated dynamically by a script or servlet or such), then it cannot send a 
Content-length header in advance, and it has 2 choices :
   a) use a "Transfer-encoding: chunked" method, whereby the response body is "packaged" 
in successive "chunks", each with a header giving its chunk length, the sequence being 
terminated by a zero-length chunk (which tells the client that this response is finished)
   or
   b) if it cannot use (or is forbidden to use) the above for some reason, then the only 
way is to send the response body as it arrives from whatever generates it, and when that 
body ends, and it has sent the whole body to the client, close the connection.
The closing of the connection then acts for the client as a signal that the response to 
this request is finished (as there would be no way for the client otherwise to know if 
there is more to come or not).
In such a case, if the webserver were to know in advance that this is the case (before 
sending the first chunk of the response body to the client), it would be good practice for

the server to also send a "Connection: close" in the headers of the response.

So, assuming at first that there is no related bug in the Tomcat 7 code, would it be 
conceivable that the webapp would somehow generate its response in such a way that
   a) Tomcat does not know in advance the size of that response
   and
   b) Tomcat is prevented from using the "Content-encoding: chunked" method ?

I found for example this which might be relevant :
http://stackoverflow.com/questions/6299432/how-do-disable-transfer-encoding-in-tomcat-6




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message