Re: Configuring IIS to use the JK ISAPI redirector plugin when URL paths are different
Hi Katy, On 24.04.2013 16:38, Beavers, Melinda K (Kay) wrote: Rainer, thank you for that link!! I have put this line in my isapi_redirect.properties file: rewrite_rule_file=C:\Avaya\TomcatFilter\rewrite.properties and put my rewrite.properties file in place with just a single line in it: /apps/cepv/website/=/website/ and reset IIS. It is not working but in the debug log I never see any reference to using the rewrite file. I never see entries like described below: During startup, you should see Using rewrite rule file YOURRULESFILE in the log file, and later Loaded rewrite rule file YOURRULESFILE Between those two, you should also see lines indicating, that the contents of the file got parsed. Do you know if there's some other step I'm missing or if it has to be a certain version in order to recognize the rewrite file? First: which version are you using? Then: I assume we already know that your entries to isapi_redirect.properties work in principle, i.e. that you can confirm that some of the entries did work, just not the rewrite_rule_file entry. Correct? Next I assume you could correctly set a log file using the log_file entry and that you can now set the log level to debug using log_level=debug. When you now start up, you should get a couple of log lines containing the word Using. Post at least them or even better all startup log messages, excluding any confidential stuff. Regards, Rainer -Original Message- From: Rainer Jung [mailto:rainer.j...@kippdata.de] Sent: Wednesday, April 24, 2013 2:03 AM To: users@tomcat.apache.org Subject: Re: Configuring IIS to use the JK ISAPI redirector plugin when URL paths are different On 24.04.2013 06:53, Beavers, Melinda K (Kay) wrote: We have installed the IIS-Tomcat redirector (isapi_redirect.dll) on an IIS 6 server so that http://iis.company.com/website/myfile.jsp will correctly redirect according to our 'isapi_redirect.properties', 'workers.properties', and 'uriworkermap.properties ' and serve the JSP page from http://tomcat.company.com/website/myfile.jsp . That appears to be working just fine. But we actually need to have a different IIS URL. What we are trying to figure out is if we can configure it so that http://iis.company.com/apps/cepv/website/myfile.jsp will redirect and serve the JSP content at http://tomcat.company.com/website/myfile.jsp. The path on the IIS server is has two extra levels (/apps/cepv) in the URL path and does not match the path on the tomcat server where the JSP content is. We have to have those two extra levels in the IIS URL path for other technical reasons and we cannot match or include those two extra levels on the tomcat side. We have tried the following but cannot get it to work. website.worker=website_ajp13 /apps/cepv/website/*.jsp=$(website.worker) Is there anything we can do to map this correctly? Have a look at https://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL%20Rewriting starting from If you are using Microsoft IIS as a web server Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Access-log ordering
On 18.04.2013 23:58, Christopher Schultz wrote: Mark is of course right. Adding some info here concerning your log format: We are using the following format string: %a %t quot;%rquot; %s %D The value of %t is the interesting one, of course, but it's resolution is only in seconds, and we are seeing an access log file like this: 127.0.0.1 [18/Apr/2013:16:19:08 -0400] POST /request/B HTTP/1.1 200 108 127.0.0.1 [18/Apr/2013:16:19:08 -0400] POST /request/A HTTP/1.1 200 263 In TC 7 you can log start time and end time and also milliseconds: %{begin}t %{begin:msec_frac}t %{end}t %{end:msec_frac}t or (maybe a bit slower but formatted more nicely) %{begin:dd/MMM/:HH:mm:ss.SSS Z}t %{end:dd/MMM/:HH:mm:ss.SSS Z}t The %{begin:msec}t and %{end:msec}t can also be useful. They are milliseconds since the epoch, so not nicely readable for humans, but nice for doing calculations. AFAIR times are consistent if you use multiple formatting tokens, to te time for begin and end is only taken once and then the various formats use those two time values consistently. The end: prefix is the default, so it can be ommitted. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache Accessing Tomcat Issue
On 30.03.2013 21:53, Chris Arnold wrote: See above and ended up having to comment this out as it is not supported in the version of mod_jk i am using. Apache finally started after commenting those out and changing the port. And i can now access http://share.domain.com Ranier, thank you for your time and instruction. Shall i send you some paypal monies? No, thanks for the offer. Have fun! Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache Accessing Tomcat Issue
On 30.03.2013 12:43, Chris Arnold wrote: Here is the modified virtualhost file: VirtualHost *:80 ServerName share.domain.com #RewriteEngine On #RewriteCond %{REQUEST_URI} !^/share/ #RewriteCond %{HTTPS} on #RewriteRule ^/. http://share.domain.com/share/ [P] JkMount /share|/* worker1 As mentioned I suggest to use balancer instead of worker1 here. RedirectMatch ^/$ http://share.domain.com/share/ ErrorLog /var/log/apache2/domain.com-error_log CustomLog /var/log/apache2/domain.com-access_log combined /VirtualHost OK, one thing I forgot, sorry: this config uses a load balancer worker which even if there's only one Tomcat instance involved allows a bit more of control. For this to work you need to replace the name worker1 in the above JkMount with balancer: JkMount /share|/* balancer See above. Give it a try (with! I dont understand the With! part. Is that part of the apache restart command to force? Me neither, somehow part f the text got deleted. Probably just wanted to say with the above adjustments). If it doesn't work, increase the JkLogLevel to debug and post the JK log file contents (and the Apache error log and access log entries for your test requests). Well, now apache does not start. Gives this error: error in reading worker properties from /opt/path to/worker.properties Is the path in the error the correct one? Configuration failed Seems it doesn't like something about the worker.properties file. Due to that i will post the complete workers.properties file (it is writeable): What's in the JK log? The following param doesn't exist in your old version: # error_escalation_time: seconds, default = recover_time/2 (=30) # Determines, how fast a detected error should switch from # local error state to global error state # Since: 1.2.28 worker.balancer.error_escalation_time=0 That following port likely is wrong. you need to configure the AJP port of Tomcat, something like 8009 or whataver you have chosen in server.xml. Make sure the AJP port in server.xml is not commented out. worker.worker1.port=8080 The following param doesn't exist in your old version: # - socket_connect_timeout: milliseconds, default=0 # Since: 1.2.27 worker.template.socket_connect_timeout=5000 The following params don't exist in your old version: # - ping_mode: Character, default=none # When should we use cping/cpong connection probing? # C = directly after establishing a new connection # P = directly before sending each request # I = in regular intervals for idle connections # using the watchdog thread # A = all of the above # Since: 1.2.27 worker.template.ping_mode=A # - ping_timeout: milliseconds, default=1 # Wait timeout for cpong after cping # Can be overwritten for modes C and P # Using connect_timeout and prepost_timeout. # Since: 1.2.27 worker.template.ping_timeout=1 The following param doesn't exist in your old version: # - reply_timeout: milliseconds, default=0 # Any pause longer than this timeout during waiting # for a part of the reply will abort handling the request # in mod_jk. The request will proceed running in # Tomcat, but the web server resources will be freed # and an error is send to the client. # For individual requests, the timeout can be overwritten # by the Apache environment variable JK_REPLY_TIMEOUT. # JK_REPLY_TIMEOUT since: 1.2.27 worker.template.reply_timeout=30 Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache Accessing Tomcat Issue
On 29.03.2013 00:24, Chris Arnold wrote: Apache Tomcat/7.0.30 on SLES11 SP2. I am trying to configure access to a webapp using http://share.domain.com. This webapp uses port 8080 and works fine from inside the LAN. However, we have an apache2 server acting as a proxy and we want users to not have to type in a port number. Now when accessing http://share.domain.com, the result is directories and files are listed, the jsp files are not running. Here is my complete setup: jk.conf- # simple configuration for apache (for AJP connector, modul mod_jk.so) IfModule mod_jk.c JkWorkersFile /opt/alfresco/tomcat/workers.properties JkLogFile /var/log/alfresco/mod_jk.log JkShmFile /var/log/alfresco/shm # Log level to be used by mod_jk JkLogLevel error # The following line mounts all JSP files and the /servlet/ uri to tomcat #JkMount /servlets-examples/servlet/* ajp13 JkMount /share/*.jsp ajp13 Note that you only forward JSP-Requests here. might be OK, depending on the application. /IfModule virtualhost- VirtualHost *:80 ServerName share.domain.com #RewriteEngine On #RewriteCond %{REQUEST_URI} !^/share/ #RewriteCond %{HTTPS} on #RewriteRule ^/. http://share.paradixent.com/share/ [P] #JkMount /share/* worker1 Although the proxy rewrite rules are commented out here, later down the log indicates you are still somewhere using mod_proxy instead of mod_jk. IfModule mod_jk.c # The following line makes apache aware of the location of # the /jsp-examples context Alias /share /opt/alfresco/tomcat/webapps/share Directory /opt/alfresco/tomcat/webapps/share Options Indexes FollowSymLinks allow from all /Directory You can let Apache serve static content directly from an exploded webapp, but it is generally not recommended, because you then also open up stuff that's not expected to be made public to requests from outside. If below share there's anything that's not meant to be served by Apache, then it would be beter to copy the stuff that Apache should serve to a separate directory, which would then be the one to put into the Alias. # The following line mounts all JSP files and the /servlet/ uri to tomcat #JkMount /servlets-examples/servlet/* ajp13 JkMount /share/*.jsp ajp13 # The following line prohibits users from directly accessing WEB-INF Location /share/WEB-INF/ #AllowOverride None deny from all /Location That's one exampe for stuff you don't want to be served, META-INF as well (if existing), there could be other stuff as well. # if not specified, the global error log is used ErrorLog /var/log/apache2domain.com-error_log CustomLog /var/log/apache2/domain.com-access_log combined /IfModule /VirtualHost httpd.conf- # mod_jk Include /opt/alfresco/tomcat/conf/jk.conf Mod_jk is loaded: web:~ # /usr/sbin/httpd2 -M Loaded Modules: ... jk_module (shared) perl_module (shared) php5_module (shared) Syntax OK Here is the log from apache: [Thu Mar 28 18:40:14 2013] [error] [client pub ip] proxy: Error reading from remote server returned by /error/HTTP_INTERNAL_SERVER_ERROR.html.var [Thu Mar 28 18:40:28 2013] [error] [client pub ip] (70007)The timeout specified has expired: proxy: error reading status line from remote server share.paradixent.com [Thu Mar 28 18:40:28 2013] [error] [client pub ip] proxy: Error reading from remote server returned by /error/HTTP_INTERNAL_SERVER_ERROR.html.var What's the request you send? What's the expected response and what's the actual response? The above log snippet tells us that somewhere in your config you have mod_proxy active, which is an alternative way to connect to a backend. You should get your idea straight, for which URLs you are using mod_proxy and for which mod_jk. I would suggest to stick with one. You didn't show us your worker.properties file. You didn't show us your mod_jk log file. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache Accessing Tomcat Issue
On 29.03.2013 13:10, Chris Arnold wrote: On 29.03.2013 00:24, Chris Arnold wrote: # The following line mounts all JSP files and the /servlet/ uri to tomcat #JkMount /servlets-examples/servlet/* ajp13 JkMount /share/*.jsp ajp13 Note that you only forward JSP-Requests here. might be OK, depending on the application. The application, just for reference, is alfresco #RewriteEngine On #RewriteCond %{REQUEST_URI} !^/share/ #RewriteCond %{HTTPS} on #RewriteRule ^/. http://share.paradixent.com/share/ [P] #JkMount /share/* worker1 Although the proxy rewrite rules are commented out here, later down the log indicates you are still somewhere using mod_proxy instead of mod_jk. mod_proxy is used on this installation of apache. I am told i need to use mod_jk in this instance. I need users to access this application like so: http://share.domain.com and using mod_jk is the easiest way to do this (thats what i am told) So mod_proxy is loaded but you don't want to use it to access alfresco, instead just mod_jk, right? Then don't use any ReWriteRule with the [P} flag or any Proxy... directive. OK as above, since commented, so not active. IfModule mod_jk.c # The following line makes apache aware of the location of # the /jsp-examples context Alias /share /opt/alfresco/tomcat/webapps/share Directory /opt/alfresco/tomcat/webapps/share Options Indexes FollowSymLinks allow from all /Directory You can let Apache serve static content directly from an exploded webapp, but it is generally not recommended, because you then also open up stuff that's not expected to be made public to requests from outside. I understand this If below share there's anything that's not meant to be served by Apache, then it would be beter to copy the stuff that Apache should serve to a separate directory, which would then be the one to put into the Alias. but wouldn't this still have stuff below /share open? Assume all static images, css, js are in some /path/to/my/folder/static and there's nothing else underneath it, that folder would be a place to publish directly via Alias in Apache. # The following line mounts all JSP files and the /servlet/ uri to tomcat #JkMount /servlets-examples/servlet/* ajp13 JkMount /share/*.jsp ajp13 # The following line prohibits users from directly accessing WEB-INF Location /share/WEB-INF/ #AllowOverride None deny from all /Location That's one exampe for stuff you don't want to be served, META-INF as well (if existing), there could be other stuff as well. # if not specified, the global error log is used ErrorLog /var/log/apache2domain.com-error_log CustomLog /var/log/apache2/domain.com-access_log combined /IfModule /VirtualHost httpd.conf- # mod_jk Include /opt/alfresco/tomcat/conf/jk.conf Mod_jk is loaded: web:~ # /usr/sbin/httpd2 -M Loaded Modules: ... jk_module (shared) perl_module (shared) php5_module (shared) Syntax OK Here is the log from apache: [Thu Mar 28 18:40:14 2013] [error] [client pub ip] proxy: Error reading from remote server returned by /error/HTTP_INTERNAL_SERVER_ERROR.html.var [Thu Mar 28 18:40:28 2013] [error] [client pub ip] (70007)The timeout specified has expired: proxy: error reading status line from remote server share.paradixent.com [Thu Mar 28 18:40:28 2013] [error] [client pub ip] proxy: Error reading from remote server returned by /error/HTTP_INTERNAL_SERVER_ERROR.html.var What's the request you send? i assume you are asking for the link? Which is http://share.domain.com I'm guessing here: what you want is that the request for http://share.domain.com should be forwarded to the Tomcat web application names share. For that I would put the following directives into the Apache VirtualHost that actually serves the request. - Add a redirect for the URI / to /share/ to the Apache config: RedirectMatch ^/$ http://share.domain.com/share/ - Forward all requests that point below /share to Tomcat and let them be served by the webapp: JkMount /share|/* myworker You can choose any name for myworker, but see below for workers.properties. - Remove other JkMount, Alias etc. At this step: - do not try to serve static content from Apache, first get this to work before adding the additional complexity. - do not try to make the webapp /share/ directly available under the top level directory. It is OK to redirect the a request for http://share.domain.com/ to http://share.domain.com/share/ and proceed from there as above, but it is harder to remove the share URI path component from each request. If you really need to do this, then use mod_proxy, not mod_jk. What's the expected response a login page and what's the actual response? depending on whether i have the rewrite rules commented out or not, uncommented is a directory listing. Commented out is
Re: Apache Accessing Tomcat Issue
On 29.03.2013 18:02, Chris Arnold wrote: This thread is getting kinda messy so i am going to snip a bunch of stuff and answer your latest info. Good. So mod_proxy is loaded but you don't want to use it to access alfresco, instead just mod_jk, right? Then don't use any ReWriteRule with the [P} flag or any Proxy... directive. No, if this can be done with mod_proxy, i would prefer to do that. I have been unable to get mod_proxy working so users type http://share.domain.com and get the required results (which is http://share.domain.com/share) Let's stick to mod_jk for the moment. I think you are close. Here is the modified virtualhost file: VirtualHost *:80 ServerName share.domain.com #RewriteEngine On #RewriteCond %{REQUEST_URI} !^/share/ #RewriteCond %{HTTPS} on #RewriteRule ^/. http://share.domain.com/share/ [P] JkMount /share|/* worker1 RedirectMatch ^/$ http://share.domain.com/share/ IfModule mod_jk.c # The following line makes apache aware of the location of # the /jsp-examples context #Alias /share /opt/alfresco/tomcat/webapps/share #Directory /opt/alfresco/tomcat/webapps/share #Options Indexes FollowSymLinks #allow from all #/Directory # The following line mounts all JSP files and the /servlet/ uri to tomcat #JkMount /servlets-examples/servlet/* ajp13 #JkMount /share/*.jsp ajp13 # The following line prohibits users from directly accessing WEB-INF #Location /share/WEB-INF/ #AllowOverride None #deny from all #/Location # if not specified, the global error log is used ErrorLog /var/log/apache2/domain.com-error_log CustomLog /var/log/apache2/domain.com-access_log combined /IfModule /VirtualHost Looks good to me, you can remove the IfModule tags. They don't contain anything mod_jk specific any more and in fact if mod_jk is not loaded you'd want the whole thing to bomb at startup and not just ignore mod_jk config. You've chosen the worker name worker1. Fine. At this step: - do not try to serve static content from Apache, first get this to work before adding the additional complexity. - do not try to make the webapp /share/ directly available under the top level directory. It is OK to redirect the a request for http://share.domain.com/ to http://share.domain.com/share/ and proceed from there as above, but it is harder to remove the share URI path component from each request. If you really need to do this, then use mod_proxy, not mod_jk. Doing the above, does that take care of what you stated here? Looks good to me. Here is the new workers.properties file: .. # the final value for y will be value\something # Define two status worker: # - jk-status for read-only use # - jk-manager for read/write use worker.list=jk-status worker.jk-status.type=status worker.jk-status.read_only=true worker.list=jk-manager worker.jk-manager.type=status # We define a load balancer worker # with name balancer worker.list=balancer worker.balancer.type=lb # error_escalation_time: seconds, default = recover_time/2 (=30) # Determines, how fast a detected error should switch from # local error state to global error state # Since: 1.2.28 worker.balancer.error_escalation_time=0 # - max_reply_timeouts: number, default=0 # If there are to many reply timeouts, a worker # is put into the error state, i.e. it will become # unavailable for all sessions residing on the respective # Tomcat. The number of tolerated reply timeouts is # configured with max_reply_timeouts. The number of # timeouts occuring is divided by 2 once a minute and the # resulting counter is compared against max_reply_timeouts. # If you set max_reply_timeouts to N and the errors are # occuring equally distributed over time, you will # tolerate N/2 errors per minute. If they occur in a burst # you will tolerate N errors. # Since: 1.2.24 worker.balancer.max_reply_timeouts=10 # Now we add members to the load balancer # First member is node1, most # attributes are inherited from the # template worker.template. worker.balancer.balance_workers=worker1 worker.worker1.reference=worker.template worker.worker1.host=localhost worker.worker1.port=8080 # Activation allows to configure # whether this node should actually be used # A: active (use node fully) # D: disabled (only use, if sticky session needs this node) # S: stopped (do not use) # Since: 1.2.19 worker.worker1.activation=A # Second member is node2, most # attributes are inherited from the # template worker.template. #worker.balancer.balance_workers=node2 #worker.node2.reference=worker.template #worker.node2.host=localhost #worker.node2.port=8209 # Activation allows to configure # whether this node should actually be used # A: active (use node fully) # D: disabled (only use, if sticky session needs this node) # S: stopped (do not
Re: [tomcat 5.5.26] why are not all log4j.properties files parsed
On 26.03.2013 18:42, Mark Eggers wrote: 1. Put the right information in your subject 2. Upgrade 3. Don't post attachments - add the information inline 4. No, context loading order is not guaranteed or enforced 5. Check your applications' log files to see what format is used 6. Try using XML for your application's log4j configuration (should not make a difference) 7. Post your Tomcat's log4j.properties file inline if the above doesn't resolve your issues 8. Tell the list if / when your issues are resolved (and how) ... and check that you are not setting the system property log4j.configuration, because that will overwrite trying to find the config file via the class loader. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Where does Tomcat log the logAbandoned information?
On 22.03.2013 16:12, Pid wrote: On 22/03/2013 15:02, Julien Martin wrote: Hi Pid, Is there any other config I need to add (for instance to log4j.properties) in order for the logAbandoned logging to occur? Actually, you're right this is DBCP inside your app - so you might need to look in an app log if there is one. I see nothing in stdout nor in the tomcat logs... Maybe you're not waiting long enough or there's no abandoned connections to be logged. AFAIR DBCP doesn't use a log framework and instead uses writing System.out. So catalina.out is your friend in this case. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AJP suddenly Stopps acting: ajp on 7009 and 9009 : connections keept open
On 12.03.2013 11:58, David Kumar wrote: We got the connection_pool_timeout from here: https://community.jboss.org/wiki/OptimalModjk12Configuration I will have a look on the other recommended options Pick a source download of mod_jk. It contains an example configuration that should work pretty well. Don't choose the minimal example config, just the normal one. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AJP suddenly Stopps acting: ajp on 7009 and 9009 : connections keept open
On 14.03.2013 10:04, David Kumar wrote: Hey, thanks for note.. Attached you can find a new list. So, java is keeping these connections in close_wait. close_wait for an AJP connection seen from Tomcat means the other side - mod_jk - has closed the connection, but not Tomcat. This is often due to a shorter Timeout on the mod_jk side than on the Tomcat side. It is not a problem per se, but it is if it happens for too many connections for a too long time. I vaguely remember that you have a 10 second socket_timeout in your workers.properties. That's typically bad. Look at the example config in the source mod_jk download. It could be, that your requests in Tomcat got stuck and Tomcat still is in the state of working on the requests, therefore keeping the connection open to send back stuff finally, whereas mod_jk has already timed out. To check for that, take a couöple of threa dumps (not: heap dumps) of the running Tomcat process while the close_wait problem is visible. Check what your Tomcat threads are currently doing, e.g. are they mostly sitting idle in the thread pool or executor, or are many of them deep in your application stacks and waiting for database, locks or other stuff. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AJP suddenly Stopps acting: ajp on 7009 and 9009 : connections keept open
On 15.03.2013 11:47, André Warnier wrote: Rainer Jung wrote: On 14.03.2013 10:04, David Kumar wrote: Hey, thanks for note.. Attached you can find a new list. So, java is keeping these connections in close_wait. close_wait for an AJP connection seen from Tomcat means the other side - mod_jk - has closed the connection, but not Tomcat. This is often due to a shorter Timeout on the mod_jk side than on the Tomcat side. It is not a problem per se, but it is if it happens for too many connections for a too long time. I vaguely remember that you have a 10 second socket_timeout in your workers.properties. That's typically bad. Look at the example config in the source mod_jk download. It could be, that your requests in Tomcat got stuck and Tomcat still is in the state of working on the requests, therefore keeping the connection open to send back stuff finally, whereas mod_jk has already timed out. To check for that, take a couöple of threa dumps (not: heap dumps) of the running Tomcat process while the close_wait problem is visible. Check what your Tomcat threads are currently doing, e.g. are they mostly sitting idle in the thread pool or executor, or are many of them deep in your application stacks and waiting for database, locks or other stuff. Hi Rainer, a question to you : In a previous post, David posted the output of netstat -t -pan. In that output, there are about 1900 connections from Apache to Tomcat's AJP connectors, in state TIME_WAIT. As far as I know, this indicates that the connection is closed from the point of view of Apache, and this TIME_WAIT should last only a few sec. maximum, and then should go away. Why does he have so many though ? I can't see anything like that on any of my servers. TIME_WAIT is a state which means the connection is closed by both sides but the TCP stack still blocks the (server port, server ip, client port, client IP) quadruple for reuse to prevent long overdue packets of the old connection to disturb the new connection. It doesn't prevent new connections from being created nor are there still process resources on client or server being used for those connections (threds, buffers). It is just an entry in the OS TCP connection hash. The TIME_WAIT state is only used on the side of the connection that started the connection shutdown, i.e. that first send the FIN. The other side doesn't go into TIME_WAIT. If your clients typically start the connection shutdown you won't see the TIME_WAIT. Connections are kept in TIME_WAIT for seconds to about a minute depending on your OS and TCP tuning. For a service which uses a lot of new connections per second and initiates the shutdown for them itself it is not uncommon to see several hundreds to thousands of TIME_WAIT connections. If the count goes up into the range of 10.000-50.000 you could start running into inefficiencies of the TCP connection hash handling (depending on the OS). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AJP suddenly Stopps acting: ajp on 7009 and 9009 : connections keept open
On 15.03.2013 11:57, David Kumar wrote: It could be, that your requests in Tomcat got stuck and Tomcat still is in the state of working on the requests, therefore keeping the connection open to send back stuff finally, whereas mod_jk has already timed out. To check for that, take a couöple of threa dumps (not: heap dumps) of the running Tomcat process while the close_wait problem is visible. Check what your Tomcat threads are currently doing, e.g. are they mostly sitting idle in the thread pool or executor, or are many of them deep in your application stacks and waiting for database, locks or other stuff. I try to, currently we have a watchdog running, checking every 2 minutes if the tomcats are available at 7009/9009 and http. If one of the tomcats are not responding it will be restarted Please please before restarting take two thread dumps. On Linux/Unix a kill -QUIT will do that (and write the result to STDOUT, which depending on your setup likely goes to catalina.out). The QUIT signal does *not* terminate the JVM, it just quickly writes out the stacks of all threads. The interruption for the running JVM is minimal, so you can already try how this works before the process gets into the critical state. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AJP suddenly Stopps acting: ajp on 7009 and 9009 : connections keept open
On 15.03.2013 15:44, David Kumar wrote: Hey Rainer, attached you can find a Threaddump. Just rename it to .zip. I'm not sure waht all the stuff at the dump means. but I'm sure you know.. :-) It got stripped by the list. Can you post it somewhere and make the URL available? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Is mod_jk's status-worker XML output as intended?
On 02.03.2013 15:52, Christopher Schultz wrote: All, Motivated by seeing Rainer's presentation at ApacheCon 2013, Monitoring Apache Tomcat and the Apache Web [1], I started looking at mod_jk's status worker - particularly the XML output as I believe it will be the easiest format to parse for monitoring purposes. Each worker has a number of URL mappings, but they are not actually nested within each worker's XML element. What I would have expected (and, indeed, the elements are *indented* in this way): jk:ajp_workers count=4 jk:ajp name=worker01 type=ajp13 host=localhost ... / jk:map id=1 server=www.foo.com [_default_:443] uri=/url-path ... / Note that the jk:ajp element is an unpaired tag: the jk:map elements that belong to it are not actually nested under it. The XML is well-formed: there is no spurious /jk:ajp tag or anything like that. But, it seems that there is no way to tie a jk:map element to its parent jk:ajp element -- there are no identifiers, etc. that link one to the other. Nor is there a parent-child relationship between them. Is that intentional? I would think that having those jk:map elements nested under the jk:ajp elements would be more useful. Probably not. I'll take a look next week. Ping me if no changes pop up. Is anyone using the XML format of the mod_jk status worker? Has it been frustrating to use, or is it just not that useful to inspect the jk:map elements and so nobody cares? IMHO the properties format is easier to parse. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk how to add JK_WORKER_NAME to http-header
On 03.03.2013 15:44, Christopher Schultz wrote: André, On 2/27/13 3:59 AM, André Warnier wrote: If I understand the original post correctly, the whole point would be to know, at the httpd level, which worker (Tomcat) actually processed this request, right ? If so, why not have the desired response header added at the Tomcat level ? The more or less standard workhorsse URLRewriteFilter could be used here for that. One potential irritant is that requires you to (further?) customize each of your backend servers. If you could handle this at the mod_jk level, the app server doesn't have to collude with the web server in order to perform this logging. True, but in the case of load balancing you would have to add an individual jvmRoute to server.xml n any case. So I typically just set a system property e.g. -Droute=node1 and use ${route} in server.xml. That way the file stays consistent. Setting the system property can be done in setenv.sh, where you could use shell logic to determine on what node you are running. Now: the same trick can be used when running without a load balancer. If the shell script has a way to set the target name you want to be shown, then just set a dummy system property like -Dworker=node1 and refer to the system property worker in the filter. Instead of node! etc. you could e.g. use the result of uname -n on Linux/Unix. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk how to add JK_WORKER_NAME to http-header
On 27.02.2013 09:59, André Warnier wrote: And from Schwaben too... I feel a bit naive after all the sophisticated technical stuff above, in suggesting the following, but how about : If I understand the original post correctly, the whole point would be to know, at the httpd level, which worker (Tomcat) actually processed this request, right ? If so, why not have the desired response header added at the Tomcat level ? The more or less standard workhorsse URLRewriteFilter could be used here for that. rule from.*/from set type=response-header name=TC-workername of this tomcat/set /rule and then check this on the way back in Apache.. That would also overcome Rainer's note about load-balancing above. As a matter of fact, I am quite sure that Tomcat itself already adds some kind of response header to indicate that it was involved in this, so it might just be a matter of proper Tomcat configuration. Much better :) Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk how to add JK_WORKER_NAME to http-header
On 27.02.2013 12:16, André Warnier wrote: Hi. Before you do that, you may want to have another look at this page : http://tomcat.apache.org/connectors-doc/reference/apache.html and in particular the section at the end labeled : Using SetHandler and Environment Variables I use this way of configuring the proxy-ing of requests via mod_jk, rather than the JkMount and uriworkermap style, for some (purely personal) reasons : - it keeps things in one place (the httpd config file) - I believe that it fits better in the Apache httpd configuration style, allowing you to use the classical Apache Location, LocationMatch etc.. to decide which URLs are being proxied - I find it easier that way, to mentally see where and when what happens at the Apache level when you use mod_jk + Tomcat, as in fact an Apache response handler. For example, in your case, you could set up the following section in Apache, to replace your external uri map : LocationMatch ^\/(c|group|html|image|language|layouttpl|...)\/ # in principle, for all those, pass them on to Tomcat.. SetHandler jakarta-servlet SetEnv JK_WORKER_NAME liferay-1 # but for some subset, do not pass them on, and let Apache itself handle them SetEnvIf REQUEST_URI (some condition) no-jk ... (set other filters, variables, headers, whatever) ... /LocationMatch Just so that you would know about it. Thanks Andre, in my second recipe I forgot the SetHandler jakarta-servlet. Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk how to add JK_WORKER_NAME to http-header
On 26.02.2013 19:41, Jochen Wißmann wrote: Hello, i am trying to find an easy way to determine from the http-client side, which AJP13-worker handled my request. So my basic idea is to use mod_header to add mod_jk`s env-variable JK_WORKER_NAME to the Header of the http-response. I tried to get something like this working: httpd.conf: ... Header add TC-Server %{JK_WORKER_NAME}e ... All my previous attempts resulted in http-responses looking like this: HTTP/1.1 200 OK Set-Cookie: ARPT=LRWQXVS110.160.11.26CKMLQ; path=/ Date: Tue, 26 Feb 2013 18:25:31 GMT Server: Apache/2.2.22 (Unix) mod_jk/1.2.36 mod_ssl/2.2.22 OpenSSL/0.9.8x DAV/2 Set-Cookie: JSESSIONID=A4052BF60BA2007F0B0F47E2699AFDE.liferay0; Path=/ Set-Cookie: GUEST_LANGUAGE_ID=en_US; Expires=Wed, 26-Feb-2014 18:25:31 GMT; Path=/ Set-Cookie: COOKIE_SUPPORT=true; Expires=Wed, 26-Feb-2014 18:25:31 GMT; Path=/ Liferay-Portal: Liferay Portal Community Edition 6.0.6 CE (Bunyan / Build 6006 / February 17, 2011) ETag: 838b4ae2 Content-Length: 8043 X-Server-Ip: 110.160.11.26 TC-Server: (null) Content-Type: text/html;charset=utf-8 Why do i get TC-Server: (null) ? Using the Variable JK_WORKER_NAME to log the worker's name via mod_log_config works fine. Am i missing something? Is it even possible to access the env-variable JK_WORKER_NAME with module mod_header? Could anyone please help? Thanks! mod_jk respects the environment variable JK_WORKER_NAME when choosing a target worker, but it does not set it. mod_jk only sets a note with name JK_WORKER_NAME, which is different from an env var. The n in your log format means note. Unfortunately most variable use supported in Apache config is for env vars, not for notes, so you can't directly set the header from a note. There are two things you can experiment with: a) using an undocumented mod_rewrite feature to try to copy the note into an env var and then using that env var to set the header or b) not using the normal JkMount or uriworkermap.properties way of defining the workers responsible for handling the URIs, but instead using mod_rewrite via setting the env var JK:WORKER_NAME Ad a) Works roughly like that (untested): RewriteCond %{ENV:JK_WORKER_NAME} (.*) RewriteRule . - [ENV=WORKER:%1] Note 1: the undocumented feature of mod_rewrite is, that %{ENV:JK_WORKER_NAME} first looks for a note named JK_WORKER_NAME and only if it doesn't find it for an env var. Note 2: The RewriteRule now sets a new env var WORKER to the captured value of the note. lease choose a new variable name here, not JK_WORER_NAME. Now we add Header add TC-Server-Ip %{WORKER}e If you choose another name as WORKER for the new env var in the RewriteRule, please adjust here as well. Finally: if it doesn't work, try again by placing the Rewrite lines in a Directory/Directory block. Don't forget to switch RewriteEngine On Ad b) You can use mod_rewrite to set the env var JK_WORKER_NAME (now it is important to use that name). mod_jk will then route the request to that worker and since you had set the env var yourself, you can also copy it to a header. RewriteRule ^/c - [ENV=JK_WORKER_NAME:liferay] RewriteRule ^/c/.* - [ENV=JK_WORKER_NAME:liferay] RewriteRule ^/group - [ENV=JK_WORKER_NAME:liferay] RewriteRule ^/group/.* - [ENV=JK_WORKER_NAME:liferay] etc. and then Header add TC-Server-Ip %{JK_WORKER_NAME}e Final remarks: Your config does not really warrant this effort: you only have one worker name, so what do you expect in the header? I'm asking, because if you are using a load balancer worker (assumed name lb) in your real config, and it has sub workers for example node1 and node2 then JK_WORKER_NAME will always be lb. To actually get the chosen sub worker, only recipe 1 has a chance to work. You would there replace JK_WORJER_NAME in the RewriteCond by JK_WORKER_ROUTE. Unfortunately I think that the route note is not set before the request actually gets forwarded and that is to late for mod_rewrite to be able to copy it in an env var. In that case (load balancer and you want to know the chosen lb sub worker) we would either need to add something to mod_jk, or allow mod_headers to also support notes, or write a special small module. Having written all that, I think the following patch to mod_headers would be best. It simply adds support for notes to mod_headers (%{xxx}n notation): Index: modules/metadata/mod_headers.c === --- modules/metadata/mod_headers.c (revision 1449529) +++ modules/metadata/mod_headers.c (working copy) @@ -200,6 +200,16 @@ return (null); } +static const char *header_request_note(request_rec *r, char *a) +{ +const char *s = apr_table_get(r-notes,a); + +if (s) +return unwrap_header(r-pool, s); +else +return (null); +} + static const char *header_request_ssl_var(request_rec *r, char *name) { if (header_ssl_lookup) { @@ -853,6 +863,7
Re: Problem with nsapi_redirect.so (1.2.37) on iPlanet 7.0.15 and Solaris 11
On 19.02.2013 16:36, Andy Wang wrote: On 02/19/2013 12:11 AM, Mladen Turk wrote: On 02/18/2013 10:47 PM, Andy Wang wrote: If I execute startserv as the non-privileged user rather than root or do this on Solaris 10, no problems. Any ideas why systhread_start (this is an iPlanet NSAPI function) would fail here as root? Did you tried to check the ulimit. Seems like webservd once when switched to non privileged user cannot create threads either because of some security settings or lack of resources. Yeah, sorry, I should have mentioned it. -u is 29995 -n is 1024 both are identical for the root role or the webservd user. I'm not that familiar with Solaris 11 and what they did to the root as a role instead of a regular user so I wasn't sure what other resource configuration to look at. What does confuse me though is the thread pool stuff in the webserver itself (as well as the built-in servlet engine) seem fully functional so this issue seems specific to the jk_init call to systhread_start. It will be tedious, but if we want to check whether the OS disallows some syscalls when running as suid under root, then truss should provide insight. So run iPlanet (the iPlanet start script) under truss -f -o /some/path/tr.out once in the working config and once in the non-working one and try to find differences w.r.t. to syscalls that return an error. Once you know what you are looking after, the additional truss flags -v all -w all -r all will provide aditional insight (and a huge volume of output). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: getRequestURI() in relation to Connector.URIEncoding
On 17.02.2013 23:00, Mike Wilson wrote: Mark Thomas wrote: On 17/02/2013 16:54, André Warnier wrote: Mike Wilson wrote: snip/ Example 2: path /ä in binary Unicode GET /.. [0xC3,0xA4] request.getRequestURI() - /.. [0xC3,0xA4] request.getPathInfo() - /ä snip/ I believe that your example #2 above is simply illegal. One is not supposed to send such bytes in a URL without URL-encoding them. That's per the HTTP RFC itself : RFC 2616 3.2.2 3.2.3 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.2) - RFC 2396 part 2. URI Characters and Escape Sequences (http://www.ietf.org/rfc/rfc2396.txt) And I believe that the fact that Tomcat is returning the correct translation in the corresponding request.getPathInfo() is purely accidental, and it could be argued that this is a bug in Tomcat : the request should probably have been rejected, because the requested URL was invalid. +1. It is on my list of things to do to check why this wasn't rejected with a 400 response. Mark Explicitly making this invalid is probably fine, although it might be looked upon as breaking working systems. Note that we have apparently been running with a setup sending these binary URLs for years, where mod_jk is the source of the invalid URLs. Ie, the browser sends a nice URL-encoded URL which is decoded by mod_jk before sending to Tomcat. So might be appropriate to hold off this change to a release where back compat isn't crucial? Now you throw in another component in the mix. mod_jk is not using HTTP as a protocol to talk to Tomcat and the protocol decoding is not identical with the HTTP one. Before saying such binary URLs are invalid someone would need to check the AJP protocol and the protocol parser in Tomcat about this. I doubt that such URLs are invalid - not based on any code inspection, but simply on the fact that mod_jk decoded percent encoding before forwarding for a long time (5.5 years, from Oct. 2001 to May 2007, version 1.2.0 to 1.2.22). Since version 1.2.24 any bytes in the URI expected to be unsafe are percent encoded before forwarding. At least that's the default. If you use an non-default ForwardURIxxx option via JkOptions, then that behavior depend on the chosen setting. Nevertheless it makes sense to check and clarify. Which mod_jk version and JkOptions are you using? Can you give a real example of the original URI, the URI that mod_jk forwards (JkLogLevel debug will show it, but that's not meant for production) and how that forwarded URL should look like instead? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: getRequestURI() in relation to Connector.URIEncoding
On 17.02.2013 23:57, André Warnier wrote: Mike Wilson wrote: Mark Thomas wrote: On 17/02/2013 16:54, André Warnier wrote: Mike Wilson wrote: snip/ Example 2: path /ä in binary Unicode GET /.. [0xC3,0xA4] request.getRequestURI() - /.. [0xC3,0xA4] request.getPathInfo() - /ä snip/ I believe that your example #2 above is simply illegal. One is not supposed to send such bytes in a URL without URL-encoding them. That's per the HTTP RFC itself : RFC 2616 3.2.2 3.2.3 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.2) - RFC 2396 part 2. URI Characters and Escape Sequences (http://www.ietf.org/rfc/rfc2396.txt) And I believe that the fact that Tomcat is returning the correct translation in the corresponding request.getPathInfo() is purely accidental, and it could be argued that this is a bug in Tomcat : the request should probably have been rejected, because the requested URL was invalid. +1. It is on my list of things to do to check why this wasn't rejected with a 400 response. Mark Explicitly making this invalid is probably fine, although it might be looked upon as breaking working systems. Note that we have apparently been running with a setup sending these binary URLs for years, where mod_jk is the source of the invalid URLs. Ie, the browser sends a nice URL-encoded URL which is decoded by mod_jk before sending to Tomcat. So might be appropriate to hold off this change to a release where back compat isn't crucial? Mmmm. It stretches the imagination a bit to imagine that mod_jk by default takes a valid URL and makes it invalid before forwarding it to Tomcat. The web server will first decode the URL to be able to do whatever it is configured to do. When mod_jk needs to forward the request, there's a decision needed: - using the original undecoded URL: that seems to be safe, but means it will be incompatible with any URL rewritng configured in Apache, e.g. using mod_rewrite - using the final decoded and maybe rewritten URL: this is insecure, because it can be used for double-encoding attacks. - using the final decoded and maybe rewritten URL, but re-encoding any bytes that doe not seem to be safe: that's what mod_jk currently does by default. As far as I recall, there are several options in mod_jk (ForwardURI* family) which allow to do things there, some of them unsafe. Right, see above. The default should be safe. So it raises the question : are you doing something until now which is considered as unsafe, and therefore are having that problem ? (And a linked question is whether by changing this mod_jk option you could restore operability with a Tomcat rejecting the invalid URLs). Otherwise, my feeling is that it will cost you quite a number of beers to stop Mark from fixing what could potentially be a security issue, now that he's sniffed it. :) Not sure whether Mark's sniffing changes based on the fact that we are now talking about the AJP part of the connectors. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat does not accept connections from Safari on iPad vs an SSL connector with JSSE ciphers
On 18.02.2013 22:59, Giuseppe Sacco wrote: A side note: is it possibile to put tomcat behind a web server and make the latter encrypt in SSL? This would imply that communication between the web server and tomcat would be in clear, but how do I create the connector proxy* information? I may specify proxyName and proxyPort, but I cannot specify proxyProtocol. Is this right? Look for scheme and for secure in https://tomcat.apache.org/tomcat-7.0-doc/config/http.html Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk errors errno=110 and errno=115
On 14.02.2013 14:17, Philippe Bossu wrote: We have a mod_jk in version 1.2.28 with Apache 2.16 fronting a Tomcat server in version 6 on JDK6. We are facing long response times and timeouts from time to time. Mod_jk log files show the following errors: [][X] [error] ajp_connect_to_endpoint::jk_ajp_common.c (1035): (nodeXX) cping/cpong after connecting to the backend server failed (errno=110) [][X] [error] ajp_send_request::jk_ajp_common.c (1630): (nodeXX) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=110) [][X] [error] ajp_connect_to_endpoint::jk_ajp_common.c (1035): (nodeXX) cping/cpong after connecting to the backend server failed (errno=110) [][X] [error] ajp_send_request::jk_ajp_common.c (1630): (nodeXX) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=110) [][X] [error] ajp_service::jk_ajp_common.c (2626): (nodeXX) connecting to tomcat failed. [][X] [error] ajp_send_request::jk_ajp_common.c (1630): (nodeYY) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=115) [][X] ] [error] ajp_send_request::jk_ajp_common.c (1630): (nodeYY) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=115) [][X] [error] ajp_service::jk_ajp_common.c (2626): (nodeYY) connecting to tomcat failed. What could be the explanations except for Tomcat Thread pool not having threads available anymore ? Thing we checked. Was there fixes in new mod_jk versions (1.2.37) regarding issues like these ? System errno numbers are platform dependent and you didn't tell us your OS. See e.g. http://www.ioplex.com/~miallen/errcmpp.html I guess oyu are on Linux and then those are expected errnos. The reason is not expected on the jk side of things. As you said, it can be your Tomcat got stuck - take Thread Dumps when this is happening to investigate, or there's a network problem including possibly firewalls in between mod_jk and Tomcat. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Using comments.apache.org for our live docs
Cross posting intentionally, because our long time users list supporters might want to comment as well. A few months ago a new Web Server committer, Daniel Gruno, suggested to use a commenting system as part of the online documentation. He wanted to include the disqus system. Some of his fellow committers were not very glad with using an external system for the users comments and he sat down and wrote an ASF commenting system. It is now running as an ASF service under comments.apache.org. It allows users to add comments to documentation pages. Comments without URLs and HTML tags are going live immediately without moderation, the other ones need moderation first. We are using it in the web server project since a few months and we observe close to no spam. Comment activity isn't to high, about 1 comments per day. Some of those are not actually docs comments and they are responded by referring the users to the users list. Some of them are really useful because they help to clarify and improve documentation. In the meantime, the trafficserver project also uses the feature. The comments are not meant to stay forever. Important content should be integrated into the docs. Technically the commenting is done by adding a few lines of html and inline JavaScript to each page, which then calls comments.apache.org. For the Tomcat docs this can be done by adding those items to the XSL stylesheet used to generate the HTML pages. I prepared a simple demo at: http://people.apache.org/~rjung/tomcat-docs-comments/tomcat-8.0-docs/ It would be nice if you would have a look and we would discuss, whether we find it useful or not. The patch for build.xml and the xsl that I applied to build the comment enabled docs can be found at http://people.apache.org/~rjung/patches/tc-trunk-comments.patch A final version would include a reference to tomcat.apache.org instead of people.apache.org/... The JavaScript checks the host header in order to disable the feature if the docs are running on a different server, e.g. inside a localhost Tomcat etc. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: IIS 7.5 + AJP Connector
On 12.09.2012 01:52, Alex Samad - Yieldbroker wrote: okay.. worked it out. Seems like I had the application pool set to no .net framework... and integrated pipeline NOT classic. But it seem if you don't set a .net it uses the old IIS6 ISAPI reg settings ! So now I have set .net framework to 4 , even though the plugin doesn't use it (I presume) and the thread count is over the 264. oh yeah. the pain of using IIS ! Thanks for sharing the solution. Rainer -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Tuesday, 11 September 2012 7:54 AM To: Tomcat Users List Subject: Re: IIS 7.5 + AJP Connector -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Alex, On 9/9/12 10:35 PM, Alex Samad - Yieldbroker wrote: -Original Message- From: Martin Gainty [mailto:mgai...@hotmail.com] Sent: Monday, 10 September 2012 12:11 PM To: Tomcat Users List Subject: RE: IIS 7.5 + AJP Connector Alex connection_pool_size is usually for pooling algorithms such as DBCP.. Are you following the DBCP configuration doc? http://commons.apache.org/dbcp/configuration.html ? so I am looking at the AJP Connector used in IIS on Windows. I believe this is the relevant page http://tomcat.apache.org/connectors-doc/reference/workers.html I believe the connection_pool_size is an indication of how many (max) worker threads are used to connect from IIS+AJP to tomcat ... So I am not sure how the BDCP is going to help me, as there is no ODBC connectivity from my RP's Just ignore Martin: he is posting random bits of information from teh intarwebs. His comments are not relevant to your question and you can pretend they were never offered. - -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: IIS 7.5 + AJP Connector
On 10.09.2012 09:00, Alex Samad - Yieldbroker wrote: [snip] Whatever you are seeing, note that unknown attributes will go through silently. So the fact that there is no complaint about the configuration during startup does not mean the attributes actually make sense. You can check the config also in the status worker. I have looked at that, but it doesn't actually show the number of what it believe is the the connectpool size. It has the time out but not the size limit ! So I have setup the dev env with the new (current plugin) and I am still seeing it limit to 265... How do you measure the 265? What's your original observation? I have checked the manger page and done a dump of the config. worker.maintain=60 worker.list=jbclb,jbclbSC,jkstatus worker.jbclb.type=lb worker.jbclb.balance_workers=worker1, worker2 worker.jbclb.sticky_session=true worker.jbclb.method=Request worker.jbclb.lock=pessimistic worker.worker1.type=ajp13 worker.worker1.port=8009 worker.worker1.ping_mode=A worker.worker1.ping_timeout=3 worker.worker1.connection_pool_size=1000 worker.worker1.connection_pool_minsize=100 worker.worker1.socket_keepalive=true worker.worker1.lock=pessimistic worker.worker1.max_packet_size=65536 worker.worker2.type=ajp13 worker.worker2.port=8009 worker.worker2.ping_mode=A worker.worker2.ping_timeout=3 worker.worker2.connection_pool_size=1000 worker.worker2.connection_pool_minsize=100 worker.worker2.socket_keepalive=true worker.worker2.lock=pessimistic worker.worker2.max_packet_size=65536 Looks good. All seems to be okay ! just can't get it past 265... See above, how do you measure? Could it be limited by threading/connection handling in IIS? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: IIS 7.5 + AJP Connector
On 08.09.2012 23:35, Alex Samad - Yieldbroker wrote: Hi Sorry, I spoke to soon this is my config. I set this in my template worker.template.connection_pool_size=1000 and use the template to create 2 workers and add the 2 workers to a cluster I am guessing from my testing that the cluster needs one defined as well ! Because each worker process was limited to Don't know what is, but connection_pool_size only goes to the ajp13 workers, not to the lb worker. So are all the worker properties valid for the a LB worker ? See: http://tomcat.apache.org/connectors-doc/reference/workers.html All attributes mentioned under the heading Connection Directives only apply to the ajp13 workers, not the lb worker. I'd add a status worker and use it to inspect the situation during the observation of problems. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: IIS 7.5 + AJP Connector
On 09.09.2012 22:16, Alex Samad - Yieldbroker wrote: -Original Message- From: Rainer Jung [mailto:rainer.j...@kippdata.de] Sent: Sunday, 9 September 2012 7:03 PM To: users@tomcat.apache.org Subject: Re: IIS 7.5 + AJP Connector On 08.09.2012 23:35, Alex Samad - Yieldbroker wrote: Hi Sorry, I spoke to soon this is my config. I set this in my template worker.template.connection_pool_size=1000 and use the template to create 2 workers and add the 2 workers to a cluster I am guessing from my testing that the cluster needs one defined as well ! Because each worker process was limited to Don't know what is, but connection_pool_size only goes to the ajp13 workers, not to the lb worker. Well that's is not what I was seeing. Okay I have to setup a new environment, cause my DLL is not the latest Whatever you are seeing, note that unknown attributes will go through silently. So the fact that there is no complaint about the configuration during startup does not mean the attributes actually make sense. You can check the config also in the status worker. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tuning session replication on clusters
On 06.09.2012 15:10, kharp...@oreillyauto.com wrote: ... This actually didn't surprise me after I discovered how large the sessions were. Using JMX (VisualVM) I watched the Heap size on my two servers as I tested 7000 sessions. Heap climbed approximately 1GB. When I restarted node2, I watched node1's heap usage nearly double. This confirmed my suspicion that the replication process is putting a copy of all sessions into a new object (list I suppose?) before transmitting them. After replication finished (109 seconds), node1's heap usage went back to normal. That's a plausible explanation for your observation. You can split replication in several chunks using the config items you already observed. Even in TC 6 the DeltaManager supports: sendAllSessions (Default: true, means all session send in one message, false means split in multiple messages) sendAllSessionsSize (Default: 1000, number of sessions send per message when switch is false) sendAllSessionsWaitTime (Default: 2000; sleep pause between sending consecutive messages) The aggregation of sessions into a new object to be sent (I presume as part of the handleGET_ALL_SESSIONS?) seems to work quickly, though I'm not sure how to test how much of the 109 seconds it took to replicate was Tomcat gathering up all the sessions to send and how much was network traffic. We have a low utilization gigabit ethernet fabric connecting all servers, so transferring 1GB of data shouldn't take more than 10-12 seconds. Does anyone know if there are ways to time the different steps in the replication process? Set log level of org.apache.catalina.ha.session.DeltaManager to DEBUG or FINE depending whether you are using log4j or juli for Tomcat. If it is the network send/receive process that's slow, Try sniffing both ends for network analysis. are there transmit/receive settings for the sender/receiver that could aid in speeding up replication of large data chunks? I see there are rxBufSize and txBufSize settings on the Receiver and Transport elements, and they're set to 25/43kb. If those values represents how data is chunked then larger settings might help (similar to the throughput difference of transferring 100x 10MB files vs. 10,000x 100kb files on a network). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: When will be the tomcat version 7.0.30 released
On 06.09.2012 16:56, Sunny Mittal wrote: I upgraded to tomcat 7.0.29 version and found that it has some Out of Memory issues. So we are planning to wait and upgrade to 7.0.30. Can you tell what is the release date for tomcat 7.0.30? Current expectation is between hours and very few days. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tuning session replication on clusters
On 06.09.2012 16:57, Rainer Jung wrote: On 06.09.2012 15:10, kharp...@oreillyauto.com wrote: ... This actually didn't surprise me after I discovered how large the sessions were. Using JMX (VisualVM) I watched the Heap size on my two servers as I tested 7000 sessions. Heap climbed approximately 1GB. When I restarted node2, I watched node1's heap usage nearly double. This confirmed my suspicion that the replication process is putting a copy of all sessions into a new object (list I suppose?) before transmitting them. After replication finished (109 seconds), node1's heap usage went back to normal. That's a plausible explanation for your observation. You can split replication in several chunks using the config items you already observed. Even in TC 6 the DeltaManager supports: sendAllSessions (Default: true, means all session send in one message, false means split in multiple messages) sendAllSessionsSize (Default: 1000, number of sessions send per message when switch is false) sendAllSessionsWaitTime (Default: 2000; sleep pause between sending consecutive messages) I forgot one more thing: since TC 6.0.34 and 7.0.22 is it possible to decide which session attributes get replicated. So in case you have only few attributes that make up most of the big session memory *and* your application is able to transparently handle the situation, that these attributes are suddenly missing from the session, e.g. by retrieving the data again from some back end system or database, the following might help: Look for sessionAttributeFilter in http://tomcat.apache.org/tomcat-6.0-doc/config/cluster-manager.html I'm not saying it is easy, but if you want to make your application using session replication really efficient, it is a possible way to go. In addition there is a way an application can detect whether there was a node fail over, ie. a request is handled by another node as the previous request for the same session. You can hook filling missing attributes on this detection. The detection uses a feature of the ReplicationValve, which can set a request attribute that can be inspected to decide whether there was a fail over. Look for primaryIndicator in http://tomcat.apache.org/tomcat-6.0-doc/config/cluster-valve.html. If the attribute is false, you just switched nodes (fail over) and are now working on a replicated session. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: When will be the tomcat version 7.0.30 released
On 06.09.2012 17:01, Rainer Jung wrote: On 06.09.2012 16:56, Sunny Mittal wrote: I upgraded to tomcat 7.0.29 version and found that it has some Out of Memory issues. So we are planning to wait and upgrade to 7.0.30. Can you tell what is the release date for tomcat 7.0.30? Current expectation is between hours and very few days. Correct to self: it *was* already released about an hour ago. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to resolve:Recreate aclocal.m4 with macros from libtool during make of tomcat connector
On 04.09.2012 05:37, Ferdie Romero wrote: On Sep 4, 2012 11:25 AM, Ferdie Romero ferdierom...@gmail.com wrote: On Sep 3, 2012 10:43 PM, Ferdie Romero ferdierom...@gmail.com wrote: On Mon, Sep 3, 2012 at 10:07 PM, Rainer Jung rainer.j...@kippdata.de wrote: On 03.09.2012 15:46, Ferdie Romero wrote: The exact step is make and the error is I guess you are running configure first? yes, we use ./configure --with-apache=prefix How does your configure command look like? Does it automatically find your apxs or apxs2 or do you give the path to it as a configure flag? --» we don't have apxs or apxs2, is this really required? Yes. It comes with the web server. Some distribution packs it into a seperate dev package. Whoever provided you with the web server should also be able to give you the right apxs. Without apxs configure will fail with an error. What does apxs -q LIBTOOL (or apxs2 -q LIBTOOL) return? Maybe you need to add the path to apxs before calling it. --we don't have apxs or apxs2, is this really required? When being inside the native directory of the mod_jk sources: What is the result of grep -i libtool config.log after running configure? --result is connectors-1.2.37-src/native # grep -i libtool config.log configure:9934: checking if libtool supports shared libraries configure:10096: creating libtool configure:19290: result: LIBTOOL=$(SHELL) $(top_builddir)/libtool LIBTOOL='$(SHELL) $(top_builddir)/libtool' OK, that's normal. It is looking for libtool in the native directory inside the sources. The same for grep LIBTOOL Makefile? --we don't have Makefile in the src.directory of the connector Are you looking in the native directory, where you issue the make command? If it is not there, then configure did not run successfully. The same for grep macro_version= libtool? -- we don't have libtool in the src.directory of the connector Correct directory? The one where you run configure and make? version mismatch error. This libtool 2.4.2 but the definition of this LT_INIT comes from an older release. You should recreate aclocal.m4 with macros from libtool 2.4.2 and run autoconf again. It seems it tries to use your own libtool instead of the one we provide. We'll see after you respond to the above questions. Based on the guide that we are using we need to perform ./configure, make and make install for the tomcat connector. If you have all the needed auto tools installed you could run ./buildconf.sh before running configure. This will recreate configure from your own auto tools including libtool. But this is not recommended. configure should work without running buildconf and no installed libtool needed. -- we already tried using buildconf but we got the same error during make. Find the right apxs for your platform and try running configure and make again. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Facing Memory leak - 64 bit Tomcat 6.0.35 with windows 2008 R2(64 bit JVM 1.6.0_33)
On 04.09.2012 08:35, Shailendra Singh wrote: Hi, We are using 64 bit Tomcat 6.0.35 with windows 2008 R2 (64 bit JVM 1.6.0_33) and facing memory leak issues(OutOfMemoryError ) after a short interval of time( ~30 minutes). We deploy a web application on this version of tomcat and while working with the GUI part of the application we face memory leak, but same application works fine on this windows server for 32 bit JVM. Please help us if this is an issue with 64 bit Tomcat version or with 64bit JVM or with its combination. kindly let us know a solution or any work around or for this. 64 Bit JVM needs more memory than 32 Bits. The pointers are double the size. Rule of thumb says 30% additional memory, but it can vary a lot depending on the application. Try larger JVM memory settings. It is unlikely that you experience a memory leak with 64 Bit JVM but not 32 Bits running the same application. Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to resolve:Recreate aclocal.m4 with macros from libtool during make of tomcat connector
On 03.09.2012 12:48, Ferdie Romero wrote: We are compiling tomcat connector 1.2.37 over tomcat 7.0.23 and apache 2.2.22 and System is hp ic: B.11.24 ia64. Unfortunately, we are encountering the version mismatch error. This libtool 2.4.2 but the definition of this LT_INIT comes from an older release. You should recreate aclocal.m4 with macros from libtool 2.4.2 and run autoconf again. Which steps are you exactly doing to build? What is the exact error you observe? Why do you want to build with your own version of libtool? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to resolve:Recreate aclocal.m4 with macros from libtool during make of tomcat connector
On 03.09.2012 15:46, Ferdie Romero wrote: The exact step is make and the error is I guess you are running configure first? How does your configure command look like? Does it automatically find your apxs or apxs2 or do you give the path to it as a configure flag? What does apxs -q LIBTOOL (or apxs2 -q LIBTOOL) return? Maybe you need to add the path to apxs before calling it. When being inside the native directory of the mod_jk sources: What is the result of grep -i libtool config.log after running configure? The same for grep LIBTOOL Makefile? The same for grep macro_version= libtool? version mismatch error. This libtool 2.4.2 but the definition of this LT_INIT comes from an older release. You should recreate aclocal.m4 with macros from libtool 2.4.2 and run autoconf again. It seems it tries to use your own libtool instead of the one we provide. We'll see after you respond to the above questions. Based on the guide that we are using we need to perform ./configure, make and make install for the tomcat connector. If you have all the needed auto tools installed you could run ./buildconf.sh before running configure. This will recreate configure from your own auto tools including libtool. But this is not recommended. configure should work without running buildconf and no installed libtool needed. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Custom Header Fields are Missing after SiteMinder Redirect (UNCLASSIFIED)
Hi John, On 28.08.2012 01:25, Lowman, John Mr CTR USA AMC wrote: I hope someone out there has some insight regarding the problem that I'm about to describe. All custom request header fields that are added via the SiteMinder policy server are being stripped (intentionally or accidentally) from the request header after passing through the Apache Tomcat isapi_redirect.dll ISAPI filter. Can you give an example of such a header, i.e. its name and a typical value? You might want to check https://issues.apache.org/bugzilla/show_bug.cgi?id=47679 though it should be fixed in 1.2.32. If you increase the redirector log level to debug, you will get additional output of the form: Forwarding request header HEADER_NAME : HEADER_VALUE for each header. We have a website running on IIS and ColdFusion 10 that is protected using SiteMinder. When a web request comes in, SiteMinder intercepts the request and performs a HTTP 302 redirect to the policy servers for authentication. After successful authentication, the policy server adds some custom fields, such as userid and mail, to the request header and fires it back to our web server. When using an ASP script below, I can see that these custom header fields appear in IIS, so I have proof that they are arriving intact in the header. However, the problem is that the custom request header fields get stripped out when viewing a ColdFusion page, which goes through the Apache Tomcat ISAPI filter. As Chris already asked: we need to understand the communication between Client/Browser, SiteMinder and your IIS/Redirector Client - IIS (HTTP Request) Now ?? SiteMinder ??? (what does intercept mean)? Then ?? Fire Back ?? I suggest a quick check against the debug log first. Here is the showheaders.asp page that I used to view the custom header fields: --- BEGIN showheaders.asp --- ... % ' Iterate through the server variables collection and display each header along with its value for each header in Request.ServerVariables response.write header = Request.ServerVariables(header) brbr next % ... --- END showheaders.asp --- Here is the showheaders.cfm page that I used to view the custom header fields: --- BEGIN showheaders.cfm --- ... cfoutputALL_HTTP = #cgi.ALL_HTTP#/cfoutput See below cfdump var=#cgi# label=cgi expand=yes / cfdump var=#getHTTPRequestData()# / ... --- END showheaders.cfm --- The missing headers problem started after upgrading our server from ColdFusion MX 7 to ColdFusion 10. ColdFusion MX 7 ran on JRun; ColdFusion 10 runs on a modified version of Apache Tomcat. I suspect that the header fields are being stripped out by the ISAPI filter, because the custom fields are missing whether I use ColdFusion's built-in getHTTPRequestData() function, or from a Java equivalent on the ColdFusion page. --- BEGIN GetCredentialsFromHeader() --- ... cfset pageRequest = getPageContext().getRequest() / cfset pageRequestHeaderNames = pageRequest.getHeaderNames() / cfloop condition=#pageRequestHeaderNames.hasMoreElements()# cfset thisName = pageRequestHeaderNames.nextElement() / cfoutput #thisName#='#pageRequest.getHeader(thisName)#'br / /cfoutput /cfloop cfdump var=#pageRequest# label=Java Page Request / !--- This is the ColdFusion way of getting request headers. --- cfdump var=#GetHTTPRequestData()# label=HTTP Request Headers / cfabort / /cffunction --- END GetCredentialsFromHeader() --- Another quirk that I noticed is that the ALL_HTTP CGI field exists after passing through the ISAPI filter, but it's blank. In contrast, the ALL_HTTP field is populated when viewing in IIS via the ASP script. Since CGI does more unwanted things to the HTTP headers (replacing underscores with dashes, lowercasing names etc.) the ISAPI redirector uses ALL_RAW. Now the specs: ColdFusion: version 10,282462 CF-Tomcat: N/A (It's integrated into ColdFusion 10) isapi_direct.dll: version 1.2.32.0 OS: Windows 2003 Java: JDK 1.6.0_33 VM Version: 20.8-b03 IIS:6 I can't think of anything else at the moment. If anyone knows what's causing this, please help me. I'd be very grateful. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Too many connections in keepalive state in jk threadpool
On 23.08.2012 09:50, marcobuc wrote: Hi, we are experiencing a very similar problem with the difference that we are using mod_proxy_ajp instead of mod_jk to connect Apache with tomcat. As for mod_jk, the connection is done to the 8009-jk port opened by a connector configured in tomcat server.xml file. Connector port=8009 enableLookups=false redirectPort=8443 protocol=AJP/1.3 / We tried configuring the timeout parameters for mod_proxy_ajp to tell Apache to drop connection older than 2 minutes, but we see in tomcat manager application that the jk-8009 connector retains Keepalive connections open for millions of milliseconds: K 1783874292 ms ? ? 84.18.132.114 ? ? Can you see the connections in the output of netstat -an? What is there state there? I would like to try configuring the ping_mode parameter but I do not know if this is possible, i.e. if this parameter exists only for mod_jk. Here an example of configuration we added in httpd.conf file for the mod_proxy_ajp configuration. ProxyPass /manager ajp://localhost:8009/manager max=10 retry=10 timeout=30 ttl=120 ProxyPassReverse /manager ajp://localhost:8009/manager Look for ping and ttl on http://httpd.apache.org/docs/2.2/mod/mod_proxy.html if using 2.2 or http://httpd.apache.org/docs/2.4/mod/mod_proxy.html if using httpd 2.4. Note that for 2.4 there was a connection closing bug which was fixed very recently in 2.4.3. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: %{xxx}t not working
On 20.08.2012 21:46, John Byrne wrote: I've tried both 7.0.29 and 7.0.8. The feature wans introduced in 7.0.17. I tried your format string with current 7.0 head which should be identical to 7.0.29 w.r.t. access log and it did work for me. There were no changes in the (self-contained) access log valve code since March. Make sure the versions didn't get mixed up. Check the version given in the log file during startup: Starting Servlet Engine: 2012/8/20 John Byrne john_by...@apple.com: I was wondering if you could help me with a server.xml log question. I'm trying to format the times that go into the logs but not having any success. The output always ends up as : ???. I've read that any time format accepted by Java's SimpleDateFormat will work but this one doesn't seem to be working. The time/date format is: %{-MM-dd'T'HH:mm:ss,SSSZ}t The whole log format line is: Valve className=org.apache.catalina.valves.AccessLogValve directory=${splunk.accesslogs} prefix=${serviceName}_${port.http.nonssl}_access_ suffix=.log pattern=%{-MM-dd'T'HH:mm:ss,SSSZ}t thread=%I client=%a url=quot;%rquot; query=%q status=%s time=%D size=%B agent=quot;%{User-Agent}iquot; resolveHosts=false / Everything works except the %{xxx}t variable. i.e. the output log line is: ??? thread=http-bio-26258-exec-10 client=17.169.48.254 url=GET /iTranslate/index HTTP/1.1 query= status=200 time=449 size=8205 agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.25 (KHTML, like Gecko) Version/6.0 Safari/536.25 (notice the ??? -- that's where the time/date formatted output should go. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: problems with mod_jk 1.2.32 and Jetty 6.1.26
On 21.08.2012 10:34, Veit Guna wrote: Hi. I'm using Atlassian Fisheye 2.7.15 (uses Jetty 6.1.26) under Ubuntu 12.04 with mod_jk 1:1.2.32-1 and Apache 2.2.22-1ubuntu1. After I upgraded mod_jk from 1.2.31 to 1.2.32 Jetty isn't working anymore throwing the exception below. Any ideas why that is happening? What changed through that version? Atlassian recommends to downgrade to 1.2.31 (of course). But that's not an option because of missing security updates through Ubuntu. The Jetty guys say, Atlassian should upgrade to a more recent Jetty version - in the hope that it is fixed there :). Now I would like to hear your opinion/options to solve my problem :). 2012-08-02 18:03:37,644 ERROR - handle failed java.lang.NullPointerException at org.mortbay.jetty.ajp.Ajp13Connection$RequestHandler.parsedRequestAttribute(Ajp13Connection.java:216) at org.mortbay.jetty.ajp.Ajp13Parser.parseNext(Ajp13Parser.java:410) at org.mortbay.jetty.ajp.Ajp13Parser.parseAvailable(Ajp13Parser.java:151) at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404) at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228) at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451) I think it is this Jetty-Bugfix which is missing: http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/commit/jetty-ajp/src/main/java/org/eclipse/jetty/ajp/Ajp13Connection.java?id=9fb6e9b43a4803fff58f3d5d65a526b9c6078be8 i.e. you ran into this problem: https://bugs.eclipse.org/bugs/show_bug.cgi?id=363943 It seems there's no Jetty 6 release with this patch (the patch is not even in the Jetty 6 head sources), you would need to use at least Jetty 7.6.0 or above. There's no known vulnerability in mod_jk 1.2.31 but being restricted to it without being able to do a quick update if needed doesn't sound like a good idea. In case you do the update think about switching directly to 1.2.37. Possible workaround (untested): If you haven't already done so, configure an additional load balancing worker above your ajp13 worker, even if you do not really do load balancing because only one Tomcat is involved. It might fix the problem by setting the attribute that triggers the NPE to some non empty value. If it works, please report back. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AjpNio Invalid message received on header
On 06.08.2012 23:39, Yasser wrote: I am using Tomcat 7.0.29 fronted with Apache 2.2.22 modproxy. Configured Ajp as the protocol in httpd.conf and AjpNioProtocol in server.xml. After the server starts, the logs are filled with the following message: *Severe: Invalid message received with signature 20599 com.apache.coyote.ajp.AjpMessage processHeader* It could be anything trying to talk to your AJP port. 20599 should mean, that the first two bytes of the package are P (=80) and w (=119), because 80*256 + 119 = 20599. It seem syou need to sniff your AJP port and see, from which system the packets come. You could also check netstat -an for connections to your AJP port and check whether there are connections coming from some unexpected system. Sniffing would be more reliable though. There are no requests sent to the web or tomcat server and it still throws that error at an interval of 20 seconds. Access logs in tomcat and apache show that no request is coming in. What is causing the invalid message error ? If even the first packet doesn't make sense, then there will be no access log entry. Here is the configuration : httpd.conf ProxyPass /wl http:// ip : port /wl ProxyPassReverse /wl http:// ip : port /wl server.xml Connector port=port protocol=org.apache.coyote.ajp.AjpNioProtocol connectionTimeout=2 acceptorThreadCount=2 maxThreads=600 redirectPort=8443 / Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Large webapps in 7.0.29 and Annotation Scanning not respecting metadata-complete
On 01.08.2012 09:51, Mark Thomas wrote: On 01/08/2012 02:53, andreas palsson wrote: Good morning. After upgrading to 7.0.29, one of my larger webapps could no longer be deployed due to OutOfMemoryError. As far as I know, this is related to the new feature of annotation scanning which was enabled in v7.0.29 (see the stack trace below). Have anyone else experienced the same issue? There are multiple issues going on here. There have been reported previously and are understood. I'll try and explain the full story. The servlet spec requires (and the expert group (EG) confirmed) that Tomcat always scans for ServletContainerInitializers (SCIs), even if metadata-complete is true. Tomcat was changed to do this in 7.0.29. SCIs can have @HandlesTypes annotations. If one is present, Tomcat must scan every class and its hierarchy looking for matches to the HandlesTypes. Tomcat caches the results of this scan to speed up processing so it doesn't repeatedly scan the same classes. If A B both inherit from C, when Tomcat scans A it also scans C and caches the result so it doesn't have to scan C again when checking B. Tomcat was caching more than it needed to making the cache excessively large. This is bug 53535 which has already been fixed and will be in 7.0.30 onwards. This then raises the question of how to turn of scanning for classes that match HandlesTypes. While the spec says that JARs excluded using an absolute-ordering are not scanned for matches to HandlesTypes it was unclear what is meant to happen when metadata-complete is true since ordering is ignored in that case. The EG has recently clarified this and stated that JARs excluded using an absolute-ordering are not scanned for matches to HandlesTypes regardless of the setting of metadata-complete. The discussion is not yet complete and we are waiting for it to conclude and before implementing the results of that discussion in 7.0.30. Would *.jar in jarsToSkip (catalina.properties) be a workaround, or is that skip list also ignored for SCI / @HandlesTypes processing? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Large webapps in 7.0.29 and Annotation Scanning not respecting metadata-complete
On 01.08.2012 18:10, Andreas Pålsson wrote: I have been thinking about this issue all day, and I think the specification needs more work on this area. There is certainly no need for a container to wade through hundreds maybe even thousands of classes in search of something that does not exist. It is an unnecessary task which consumes both time and resources. I am all for making it easier for a developer, and make the container scan everything by default. But there is also an obvious need for a solution to specifically define where a container should look for annotations when we have web applications with very large amount of classes. Even if it has to be an XML-file, such as in Spring where you can instruct the framework where to look for beans, entities, controllers and such. Mark, is there a way we can influence the EG to change this? I'm not Mark and don't want to preempt any answer from him, but there is the following public discussion available: http://java.net/jira/browse/SERVLET_SPEC-36 and http://java.net/jira/browse/SERVLET_SPEC-36 Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Large webapps in 7.0.29 and Annotation Scanning not respecting metadata-complete
On 01.08.2012 18:52, Rainer Jung wrote: Mark, is there a way we can influence the EG to change this? I'm not Mark and don't want to preempt any answer from him, but there is the following public discussion available: http://java.net/jira/browse/SERVLET_SPEC-36 and http://java.net/jira/browse/SERVLET_SPEC-36 Grrr, the second link should have been: http://java.net/projects/servlet-spec/lists/jsr340-experts/archive/2012-07/message/28 Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: PDF Download problem tomcat = 7.0.27
On 01.08.2012 09:54, André Warnier wrote: Konstantin Kolinko wrote: 2012/8/1 Jose María Zaragoza demablo...@gmail.com: The Content-Length header in the above 206 response is not from Tomcat. Tomcat's DefaultServlet does not calculate the whole size of the parts and does not set content-length, and the file size is much more than fits into the buffer. So it would use Transfer-Encoding: chunked in its response and not the one that you cited. There must be some proxy in the way that buffers the data and sends them as one response instead of chunks. HTTPD? Was there some option in it that disables chunked encoding when interacting with IE? Well, i don't know so much, but that doesn't have to do with chunked encoding, but Partial Content support, right ? And partial content is requested by client (IE) if Content-length is very big ( I guess ... ) Maybe, IE requests a PDF file (GET) and if it sees a Content-length very big , cuts downloading and re-send a GET request with a range of bytes. Chrome looks to perform something like that behaviour 1. I suspect that the content is requested not by IE, but by the Adobe Acrobat plugin. The User-Agent header says that it was IE6, but it is hard to imagine why the browser by itself would request that strange bytes range, asking for the tail of the file first. So there is something else that uses the browser to perform the request. +1 Talking about PDF files, there is a possible good reason for such a behaviour. A PDF file is not just a sequential text-like file. It is more like an indexed file containing tables of pointers which points to more or less randomly organised chunks of data inside the file. And, as per Adobe PDF 1.7 reference : 3.4.4 File Trailer The trailer of a PDF file enables an application reading the file to quickly find the cross-reference table and certain special objects. Applications should read a PDF file from its end. The last line of the file contains only the end-of-file marker, %%EOF. (See implementation note 18 in Appendix H.) The two preceding lines contain the keyword startxref and the byte offset from the beginning of the file to the beginning of the xref keyword in the last cross-reference section. etc.. ... And Note 18 in Appendix H essentially says that Acrobat reader is tolerant with respect to the above, and accepts a PDF if the %%EOF marker is located within the last 1024 bytes of the file. So, it is not beyond belief to imagine that a smart browser PDF plugin would first request the last chunk of the file, in order to retrieve pointers to the contents of the first page of the PDF, so that it could quickly retrieve the range of bytes corresponding to this first page, so that it could quickly display this first page into the browser window, while later retrieving the rest on-demand (as the user scrolls). (*) And if this is not the real explanation for the behaviour we are seeing, at least it is a clever one. Now how this all works in conjunction with the behaviour of HTTP proxies/gateways with respect to Range requests and buffering, is left as an exercise for the reader. (Who can start by trying to understand http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35) But that there would exist a couple of obscure bugs somewhere in there, which show up only in very specific circumstances, is not beyond belief either. (*) The attentive reader will have noticed that there is a possible flaw in this explanation : in the case at hand, the browser/plugin requests 2 chunks of bytes in the Range request : the end-of-file chunk, but also a chunk in the middle. How does it already know which second Range to request ? Adobe calls the range requests in the context of acrobat fast web view. When you generate a PDF you can choose whether you want to support it or not. I guess that at least there will be a byte range index giving the byte ranges for each page at the beginning of the document. Usually Acrobat then just gets the first page plus the index. If you switch to a different page, then it only loads the byte range needed for that page. How does it know the second Range? Perhaps it already did another request in front to collect all needed index data. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Happy Birthday, Chuck!
On 26.07.2012 15:46, Gregor S. wrote: Hi Chuck, thanks again for your valuable comments on this list, and keep it up! Cheers! +2 ! Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Problem with tomcat and jk module
On 24.07.2012 12:37, Piotr Wąchała wrote: Hi, Maybe someone can help me with my tomcat problem. Hope that wont be a big problem for you. Im observing that our client are disconnected from server, that is very bad situation. In jklogfile.log [Tue Jul 24 08:43:22 2012] [17466:47245693265248] [info] jk_handler::mod_jk.c (2620): Aborting connection for worker=loadbalancer [Tue Jul 24 08:43:22 2012] [17023:47245693265248] [info] ajp_process_callback::jk_ajp_common.c (1885): Writing to client aborted or client network problems [Tue Jul 24 08:43:22 2012] [17023:47245693265248] [info] ajp_service::jk_ajp_common.c (2543): (worker1) sending request to tomcat failed (unrecoverable), because of client write error (attempt=1) [Tue Jul 24 08:43:22 2012] [17023:47245693265248] [info] jk_handler::mod_jk.c (2620): Aborting connection for worker=worker1 [Tue Jul 24 08:43:33 2012] [18684:47245693265248] [info] ajp_process_callback::jk_ajp_common.c (1885): Writing to client aborted or client network problems [Tue Jul 24 08:43:33 2012] [18684:47245693265248] [info] ajp_service::jk_ajp_common.c (2543): (worker1) sending request to tomcat failed (unrecoverable), because of client write error (attempt=1) [Tue Jul 24 08:43:33 2012] [18684:47245693265248] [info] jk_handler::mod_jk.c (2620): Aborting connection for worker=worker1 How often does the above happen? As Andre wrote, at least the client part of the messages is usual to happen every now and then, especially if your responses are sometimes a bit slow. Nevertheless I strongly recommnd to remove the worker.template.socket_timeout=60 Have a look at http://tomcat.apache.org/connectors-doc/generic_howto/timeouts.html You might also want to check out the example configuration provided with each mod_jk source download. [Tue Jul 24 08:43:40 2012] [17349:47245693265248] [error] ajp_connection_tcp_get_message::jk_ajp_common.c (1283): wrong message size 19 16 from 172.18.13.1:8009 [Tue Jul 24 08:43:40 2012] [17349:47245693265248] [info] ajp_handle_cping_cpong::jk_ajp_common.c (889): awaited reply cpong, not received [Tue Jul 24 08:43:40 2012] [17349:47245693265248] [info] ajp_maintain::jk_ajp_common.c (3225): (worker2) failed sending request, socket -1 keepalive cping/cpong failure (errno=0) [Tue Jul 24 08:43:52 2012] [16605:47245693265248] [error] ajp_connection_tcp_get_message::jk_ajp_common.c (1283): wrong message size 19 16 from 172.18.13.1:8009 [Tue Jul 24 08:43:52 2012] [16605:47245693265248] [info] ajp_handle_cping_cpong::jk_ajp_common.c (889): awaited reply cpong, not received [Tue Jul 24 08:43:52 2012] [16605:47245693265248] [info] ajp_send_request::jk_ajp_common.c (1511): (worker2) failed sending request, socket -1 prepost cping/cpong failure (errno=0) These messages are very strange. They should not happen. Try again without socket_timeout. Which versions of Apache, Tomcat and mod_jk are you using? [Tue Jul 24 08:43:52 2012] [16605:47245693265248] [info] ajp_send_request::jk_ajp_common.c (1567): (worker2) all endpoints are disconnected, detected by connect check (0), cping (1), send (0) [Tue Jul 24 08:44:03 2012] [18149:47245693265248] [info] ajp_process_callback::jk_ajp_common.c (1885): Writing to client aborted or client network problems This one is OK. Regards, Rainer [Tue Jul 24 08:44:03 2012] [18149:47245693265248] [info] ajp_service::jk_ajp_common.c (2543): (worker1) sending request to tomcat failed (unrecoverable), because of client write error (attempt=1) [Tue Jul 24 08:44:03 2012] [18149:47245693265248] [info] jk_handler::mod_jk.c (2620): Aborting connection for worker=worker1 [Tue Jul 24 08:44:50 2012] [17831:47245693265248] [info] ajp_process_callback::jk_ajp_common.c (1885): Writing to client aborted or client network problems [Tue Jul 24 08:44:50 2012] [17831:47245693265248] [info] ajp_service::jk_ajp_common.c (2543): (worker1) sending request to tomcat failed (unrecoverable), because of client write error (attempt=1) [Tue Jul 24 08:44:50 2012] [17831:47245693265248] [info] jk_handler::mod_jk.c (2620): Aborting connection for worker=worker1 [Tue Jul 24 08:46:20 2012] [17857:47245693265248] [info] ajp_process_callback::jk_ajp_common.c (1885): Writing to client aborted or client network problems [Tue Jul 24 08:46:20 2012] [17857:47245693265248] [info] ajp_service::jk_ajp_common.c (2543): (worker1) sending request to tomcat failed (unrecoverable), because of client write error (attempt=1) [Tue Jul 24 08:46:20 2012] [17857:47245693265248] [info] jk_handler::mod_jk.c (2620): Aborting connection for worker=worker1 [Tue Jul 24 08:48:16 2012] [16987:47245693265248] [error] ajp_connection_tcp_get_message::jk_ajp_common.c (1283): wrong message size 19 16 from 172.18.13.2:8009 [Tue Jul 24 08:48:16 2012] [16987:47245693265248] [info] ajp_handle_cping_cpong::jk_ajp_common.c (889): awaited reply cpong, not received [Tue Jul 24 08:48:16 2012] [16987:47245693265248] [info] ajp_maintain::jk_ajp_common.c
Re: issue with iis 7.5 ajpconnector
On 25.07.2012 13:23, Alex Samad - Yieldbroker wrote: Hi Andre Apologies for the sparseness. -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Tuesday, 24 July 2012 5:14 PM To: Tomcat Users List Subject: Re: issue with iis 7.5 ajpconnector [snip] Just to avoid any future misunderstandings and (additional) loss of time : When you write II 7.5, you mean the IIS webserver version 7.5, under Windows, right ? Dropped the s in the message. But yes this is Windows 2008 R2 with NLB (network load balancer installed), IIS 7.5 and ajpconnector 1.2.34_8 I initially raised a bug about the locking and shared memory. This was the first working version after that bug. I haven't as yet had a chance to check the newer version. But I haven't seen any bugs that might have caused my problems. And exactly which AJP connector are you using, downloaded from where, and which precise From the tomcat web site, I believe actually from here http://people.apache.org/~mturk/tomcat-connectors/jk-1.2.34/) Version 1.2.34 was never released. Choose an official version from http://tomcat.apache.org/download-connectors.cgi probably 1.2.37. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: issue with iis 7.5 ajpconnector
On 25.07.2012 22:40, Alex Samad - Yieldbroker wrote: Oh so your saying there was an issue that has been fixed since then .. Okay I get the drill. I had just presumed that there had been no changes since then on the mutex code that ... Any way ... Back once I run up a test box... with the latest release version I'm not pretending that your problems will be fixed by a newer version but analyzing a problem on the basis of a non-released (broken) version seems inefficient. Thanks for updating. Regards, Rainer -Original Message- From: Rainer Jung [mailto:rainer.j...@kippdata.de] Sent: Thursday, 26 July 2012 12:38 AM To: users@tomcat.apache.org Subject: Re: issue with iis 7.5 ajpconnector On 25.07.2012 13:23, Alex Samad - Yieldbroker wrote: Hi Andre Apologies for the sparseness. -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Tuesday, 24 July 2012 5:14 PM To: Tomcat Users List Subject: Re: issue with iis 7.5 ajpconnector [snip] Just to avoid any future misunderstandings and (additional) loss of time : When you write II 7.5, you mean the IIS webserver version 7.5, under Windows, right ? Dropped the s in the message. But yes this is Windows 2008 R2 with NLB (network load balancer installed), IIS 7.5 and ajpconnector 1.2.34_8 I initially raised a bug about the locking and shared memory. This was the first working version after that bug. I haven't as yet had a chance to check the newer version. But I haven't seen any bugs that might have caused my problems. And exactly which AJP connector are you using, downloaded from where, and which precise From the tomcat web site, I believe actually from here http://people.apache.org/~mturk/tomcat-connectors/jk-1.2.34/) Version 1.2.34 was never released. Choose an official version from http://tomcat.apache.org/download-connectors.cgi probably 1.2.37. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Configure CSRFPreventionFilter in 6.0.35
On 23.07.2012 12:00, Nikhil Dhankani wrote: Hi, I am trying to configure CSRFPreventionFilter with the below code in my web.xml. filter filter-nameCSRF/filter-name filter-classorg.apache.catalina.filters.CsrfPreventionFilter/filter-class /filter filter-mapping filter-nameCSRF/filter-name url-pattern/*/url-pattern /filter-mapping But tomcat fails to start with below error, Jul 22, 2012 11:57:17 PM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet CXFServlet threw exception java.lang.IllegalArgumentException: setAttribute: Non-serializable attribute org.apache.catalina.filters.CSRF_NONCE at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1351) at org.apache.catalina.ha.session.DeltaSession.setAttribute(DeltaSession.java:647) at org.apache.catalina.ha.session.DeltaSession.setAttribute(DeltaSession.java:631) at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:130) at org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:173) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:227) at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:347) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:877) at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:594) at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1675) at java.lang.Thread.run(Unknown Source) Can anybody please help as to what am I missing or what am I doing wrong? It seems you are doing clustering? The cluster needs to be able to serialize sessions in order to replicate them over the network. The message indicates, that the sesison attribute org.apache.catalina.filters.CSRF_NONCE used by the CSRF filter is not serializable. You might - open an issue in the Tomcat bugzilla in order to get that fixed or documented (cluster compatibility of the filter) - disable replication for that special attribute. This might limit your ability to actual fail over in the cluster, but maybe you would need to attribute in the session only for special use cases. To disable replication of the attribute org.apache.catalina.filters.CSRF_NONCE: Since 7.0.22 and 6.0.34 you can configure, which session attributes you want to distribute via a regular expression matched against the attribute names. By default all attributes are replicated (and thus must be serializable). See sessionAttributeFilter in http://tomcat.apache.org/tomcat-7.0-doc/config/cluster-manager.html#Common_Attributes Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Configure CSRFPreventionFilter in 6.0.35
On 23.07.2012 13:38, Mark Thomas wrote: On 23/07/2012 11:10, Rainer Jung wrote: The cluster needs to be able to serialize sessions in order to replicate them over the network. The message indicates, that the sesison attribute org.apache.catalina.filters.CSRF_NONCE used by the CSRF filter is not serializable. You might - open an issue in the Tomcat bugzilla in order to get that fixed or documented (cluster compatibility of the filter) This is already fixed in 7.0.x and trunk. I have proposed the same fix for 6.0.x. Tnanks and sorry Mark, hadn't looked that up and somehow forgot about it. Thought it would be a good opportunity for propaganda for the session attribute replication filter ;) Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?
On 20.07.2012 00:10, James Lampert wrote: Theoretically, I've ironed out the bugs concerning which JVMs Tomcat will run under, but it still isn't coming up. The STDOUT from attempting to start Tomcat is as follows: /wintouch/tomcat/bin/catalina.sh: 001-0019 Error found searching for command tty. No such path or directory. Using CATALINA_BASE: /wintouch/tomcat Using CATALINA_HOME: /wintouch/tomcat Using CATALINA_TMPDIR: /wintouch/tomcat/temp Using JRE_HOME:/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit Using CLASSPATH: /wintouch/tomcat/bin/bootstrap.jar:/wintouch/tomcat/bin/tomcat-juli.jar Which is to say, /QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre is a JVM that, so far as I'm aware, doesn't have any problems with Tomcat. Everything above is exactly the same as in a successful launch on our V6R1 box. And Catalina.out is mercifully short this time: java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina at java.net.URLClassLoader.findClass(URLClassLoader.java:432) at java.lang.ClassLoader.loadClass(ClassLoader.java:642) at java.lang.ClassLoader.loadClass(ClassLoader.java:608) at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:236) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425) It's obviously trying to tell me SOMETHING, but I can't determine WHAT it's trying to tell me. Any ideas? I don't see the class it's complaining about in either of the two JARs listed on the classpath dumped to STDOUT, but if that were the problem, it wouldn't work here, either. The Catalina class is loaded in Bootstrap using the server classloader: Class? startupClass = catalinaLoader.loadClass (org.apache.catalina.startup.Catalina); This Tomcat class loaders use a configuration file, which by default is (using your path) /wintouch/tomcat/conf/catalina.properties. By Default the search oath for the server loader is empty (entry server.loader in the file). But the server loader delegates to the so-called common loader. That one looks for the entry common.loader in catalina.properties which by default is ${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar Here catalina.base and catalina.out are set by the startup script as system properties on the commandloine and in your case should both point to /wintouch/tomcat/. The common loader will then find the class Catalina in /wintouch/tomcat/lib/catalina.jar. All this works by default in an untampered Tomcat installation. It can break: - if catalina.jar is not in /wintouch/tomcat/lib or it is not readable - if catalina.properties is not in /wintouch/tomcat/conf, or it is not readable, or the entries for the server.loader or common.loader are broken - the start scripts do not set -Dcatalina.base=/wintouch/tomcat/ and -Dcatalina.home=/wintouch/tomcat/ when starting the JVM - you are changing the place of the used properties file by giving a non-default value in the system property -Dcatalina.config during startup. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: service() failed with http error 413 - error log message from isapi_redirect.log file
On 17.07.2012 06:15, ann ramos wrote: Thanks Tim for your quick reply. I have already increased the max_packet_size to the maximum allowable value way way before and it still comes up: worker.wlb.max_packet_size=65536 You need to increase the size on the Tomcat side to. Just the Request Entity Too Large error is the one that I want to concentrate on at the moment. Can you try using http instead of https? This way we could decide whether it is more likely a problem of forwarding SSL info in the AJP header packet (the 8K resp. 64K thing) or whether some huge header or similar is actually coming from your client. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: OOME while expanding a war with tomcat 7.0.29 but not with tomcat 7.0.28
On 16.07.2012 19:35, Mark Thomas wrote: CRANFORD, CHRIS chris.cranf...@setech.com wrote: The OOME I am getting is coming from Heap, and that's even giving Tomcat 1GB of maximum heap. The instance seems to start successfully outside of the MyEclipse environment; however inside MyEclipse it fails miserably. The surprising part of this is that the instance has ran with half that amount of maximum Heap Memory prior to 7.0.29 without any problems or issues with memory errors. As far as number of jars in the LIB folder, we only have just over 100 jars totaling a max of 50mb. -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Saturday, July 14, 2012 12:13 PM To: Tomcat Users List Subject: Re: OOME while expanding a war with tomcat 7.0.29 but not with tomcat 7.0.28 Alberto, On Jul 14, 2012, at 8:42, Alberto Aresca alberto.are...@gmail.com wrote: I've just upgraded my tomcat from version 7.0.28 to the newly released 7.0.29 but while before my webapp was being expanded without any problem, now it is causing an OOME. Of course this can be easily fixed by increasing the heap size but before going forward in the upgrade i'd like to know if anyone else have been experiencing something similar or if something in the expansion implementation changed recently (i couldn't find anything in the release note) Can you provide any other information? Stack trace or heap dump? Is this regular heap or permgen? What are your heap settings? Is there anything else we should know about your web app? Do you have 500 jar files in your lib directory? Do you cache a large dataset on startup? -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Most likely the Jar scanning (which caches a lot of data during startup) is the cause. There is a patch to reduce the volume of cached data significantly in bugzilla at the moment. In the meantime, setting metadata-complete may help. Bugzilla link: https://issues.apache.org/bugzilla/show_bug.cgi?id=53535 Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Question about Tomcat6 IIS in windows.
On 21.06.2012 18:31, Chris Limina wrote: I'm in a position where I'm trying to upgrade legacy websites to the latest version of tomcat/windows/iis to help improve performance. Old environment: 2003 server, IIS 7 Current environment: Windows Web Server 2008 R2 64bit IIS 7.5 Apache Tomcat 6.0.35 JVM Version: Java 64 Bit Server VM ver. 20.8.0.3 (june 2012) Our previous environment was using Jakarta isapi_rewrite.dll to connect IIS with Tomcat. I could not get the isapi_rewrite.dll to function in this environment after reading several How-To's and FAQs. I tried the 64 bit and 32 bit versions of these dlls to no avail. http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win64/ http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/ Then I realized that this project was retired in 2011. It is not retired. Did you try this one: http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/windows/tomcat-connectors-1.2.37-windows-x86_64-iis.zip Documentation is available at http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html and http://tomcat.apache.org/connectors-doc/reference/iis.html Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: poller error: tomcat 7.0.28, native 1.1.24, apr 1.3.3
On 22.06.2012 06:51, Jesse Farinacci wrote: Greetings, I'm encountering a problem migrating to apache tomcat 7.0.28 with IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux s390x-64 jvmxz6460sr10fp1-20120202_101568 (JIT enabled, AOT enabled). Here is the relevant log information: 22-Jun-2012 00:41:05.701 INFO [AsyncFileHandlerWriter-1149650054] org.apache.catalina.core.AprLifecycleListener.init Loaded APR based Apache Tomcat Native library 1.1.24 using APR version 1.3.3. 22-Jun-2012 00:41:05.705 INFO [AsyncFileHandlerWriter-1149650054] org.apache.catalina.core.AprLifecycleListener.init APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. [...snip...] [..client makes a request..] 22-Jun-2012 00:42:06.847 SEVERE [AsyncFileHandlerWriter-1149650054] org.apache.tomcat.util.net.AprEndpoint$Poller.run Unexpected poller error java.lang.NoSuchMethodError: org/apache/tomcat/jni/Poll.addWithTimeout(JJIJ)I at org.apache.tomcat.util.net.AprEndpoint$Poller.run(AprEndpoint.java:1236) I am pretty sure this is user error, but.. anyone know what I did wrong? I have tomcat native 1.1.22 and it working just fine with apache tomcat 7.0.27. This symbol is new in native 1.1.24 and needed by TC 7.0.28. What is strange is, that startup says you *did* successfully load version 1.1.24, so the symbol should be there. Can you check your tcnative.so file, whether the symbol Java_org_apache_tomcat_jni_Poll_addWithTimeout is defined in it (using nm or whatever alternative there is on S390). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Creating separate log for each request
On 20.06.2012 23:35, Lahiru Gunathilake wrote: Hi Jeff, Thanks for the response, actually my requirement is to make the life easier for the admin, and if something goes wrong he has an ID of the request which failed (This is not a system which is getting millions of http requests) and then he should be able to figure out the logs for that request based on the ID he has. If you have a solution for that, kindly let me know, I am happy to use it.. Many log frameworks support setting a thread local and adding it to every log message as part of the log format configuration. For SLF4J look for Mapped Diagnostic Context in http://www.slf4j.org/manual.html Assuming your batch type request handling is using only a single thread for each request, you can put the request ID into the MDC and add the MDC automatically to every log message you produce during the run of this request (by simply adding it to the log format configuration instead of adding it to each log statement). Then your admins can simply grep/search for the request ID in the log file. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Failed allocating AJP message buffer
On 21.06.2012 00:26, Pierre Ayotte wrote: Hello everyone, We are experimenting HTTD.EXE crash on Windows 2008 R2 x64 and each time we see a bunch of error Failed allocating AJP message buffer and then one message All tomcat instances failed, no more workers left (see below). The HTTPD.EXE recylcle itself, users are disconnect and then the service come back online. I did lot of search on those message but i cannot find any solution. Some help would really be appreciated! It seems you are out of memory. Either - there's some leak in your Apache, most probably in some non standard module - or your server is very tight on memory - or your application inside Tomcat is getting slow, so there are more and more requests getting stuck inside Apache waiting for a response from the web app and those requests consume to much memory. There are MPM settings for Apache on Windows that limit the number of threads (=connections =~ concurrent requests) Apache will allow. Monitor your server memory usage. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Jakarta ISAP Redirector
On 14.06.2012 03:03, DeMarco, Alex wrote: I have 4 servers all configured the same way.. Locally the call works fine yet remotely I get an iis 404 Maybe you get a redirect that isn't working remotely? Use a browser that allows to track traffic, like Firefox with the FireBug plugin and check the full conversation. Regards, Rainer -Original Message- From: DeMarco, Alex [mailto:alex.dema...@suny.edu] Sent: Wednesday, June 13, 2012 8:45 PM To: Tomcat Users List Subject: RE: Jakarta ISAP Redirector Yes I have looked in the log file and set it debug. There are no errors logged. My uriworkermap has this: /myapp=DTS_Submission /myapp/*=DTS_Submission My Workers file has: worker.list=DTS_Submission worker.DTS_Submission.type=ajp13 worker.DTS_Submission.host=xxx.xxx.xxx.xxx worker.DTS_Submission.port=3305 If I am locally on the box (with a local host entry that maps to the same IIS site on that box) it works fine. However, from my desktop I get a page could not be found... However, it says it can't find http://myurl:80/jakarta/isapi_redirect.dll I have double and triple checked my config. From my desktop this works: http://myurl/myapp/services/mywebservice?wsdl but this fails http:// myurl/myapp/services?wsdl but when on the local sever everything works. I see no errors in the log. It's like IIS is stopping the request?? - Alex -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Wednesday, June 13, 2012 2:18 PM To: Tomcat Users List Subject: Re: Jakarta ISAP Redirector DeMarco, Alex wrote: I hope this is the right place to post this question. It is the right place. We have the latest Jakarta Plugin installed with IIS 7.5. Do you know, does the plugin specifically block /services requests on wsdl's Short answer : no, it does not specifically block any request. In fact, it is the opposite : it only forwards requests to Tomcat, if the request URL matches some pre-defined values. See : http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html the section How does it work ?. (and for the word worker, understand a back-end tomcat). One more thing : the isapi_redirector can write a logfile. See item (3) in the section Configuring the ISAPI Redirector for details. The logfile will tell you when and why it is forwarding a request to Tomcat and when/why not. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- kippdata informationstechnologie GmbH Tel: 0228 98549 -0 Bornheimer Str. 33aFax: 0228 98549 -50 53111 Bonn www.kippdata.de HRB 8018 Amtsgericht Bonn / USt.-IdNr. DE 196 457 417 Geschäftsführer: Dr. Thomas Höfer, Rainer Jung, Sven Maurmann - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Connectors: Using JK_ROUTE env var with disabled worker in load balancer
On 09.06.2012 09:24, Ruslan Gainutdinov wrote: Hello! I am trying to use JK_ROUTE to forward all traffic to some worker which are disabled. Disabled workers does not allow new sessions, but I think if I set it explicitly, it should be used? SetEnvIf Remote_Addr 10\.0\.0\.1 JK_ROUTE=SERVER-5 However, then 10.0.0.1 accesses LB applcation, it changes worker name in JSESSIONID cookie, but not to SERVER-5 but to some random one (1-4). Is this behaviour expected? How can I isolate one worker to serve requests only from one user, but not used to serve requests from others? - which version of mod_jk are you using? - are the workers named SERVER-(1-5) members of a load balancer worker? - What is your test URL? - is this URL mapped to the load balancer worker via JkMount or similar? - is the worker SERVER-5 not in error state (check mod_jk logs and jk-status)? - did you make sure, that the request does not contain a JSESSIONID (cookie or URL encoded) which conflicts with the JK_ROUTE? - Add %{Cookies}i, %{Set-Cookie}o and %{JK_ROUTE}e to your Apache LogFormat and check whether the values are as expected. Finally: it would be easier to simply request /my/test/url;jsessionid=.SERVER-5 which should do the same trick. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat full GC every 2 minutes for first 6 hours after war reload
On 29.05.2012 17:03, Kevin wrote: Hi We have a cluster of tomcat servers being used on a very high volume website. We've noticed that for the first 5-6 hours after an application re-load that Full GC will run every 2 minutes pausing the application for anywhere between 5 and 20 seconds. After 5-6 hours the full GC will no longer run until tomcat is reloaded. This behavior is repeatable. We discounted our EhCache settings as potential issue because tomcat can be killed without this issue showing up. It's not until we actually reload the WAR with changes (clearing the work directory) and restart tomcat that this issue shows up. Traffic level isn't a factor we'll go through our peak hours with no problem. The servers are all dual quad core with 32GB of RAM running Centos 5 and tomcat 6.0.18. We've attempted every suggested GC setting change suggested on the net and by developers and system administrators. Our java opts are being played with on a daily basis however here are the settings that correspond to the sample GC log below: -server -Xmx27g -Xms27g -XX:+DisableExplicitGC -XX:+UseConcMarkSweepGC -XX:+PrintTenuringDistribution -Dsun.rmi.dgc.client.gcInterval=90 -Dsun.rmi.dgc.server.gcInterval=90 -XX:NewSize=8g -XX:SurvivorRatio=16 -verbose:gc -XX:+PrintGCTimeStamps -XX:+PrintGCDetails 343.376: [Full GC 343.378: [CMS: 1158107K-1312570K(19922944K), 3.4129290 secs] 2884580K-1312570K(27845568K), [CMS Perm : 83964K-47203K(83968K)], 3.4168600 secs] [Times: user=3.87 sys=0.02, real=3.41 secs] 20526.469: [Full GC 20526.475: [CMS: 9175755K-9210800K(19922944K), 33.1161300 secs] 13632232K-9210800K(27845568K), [CMS Perm : 83967K-53332K(83968K)], 33.1254170 secs] [Times: user=33.12 sys=0.02, real=33.12 secs] Looks to me as the oerm gen fills up and triggers the Full GC. Then perm gen is back to only be used by about 60% but rapidly fills up again. So it seems your are using a lot of classes that are only used for a short period of time. Add -XX:+TraceClassUnloading which adds the names of the classes which are unloaded to the GC output. Then check, whether the names of the classes give you an idea, why you load and unload that many classes for a long time (and why it finally gets stable). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk recovery when tomcat killed
On 10.05.2012 11:24, Agnieszka Allstar wrote: Obviously this has sth to do with the fact that in A case the mod_jk.log says the request is recoverable, whereas in B case it's unrecoverable but I can't really tell what's the cause after looking at mod_jk src. Just in case you are still following the list: in general a request is recoverable, if mod_jk wasn't able to send a request packet to Tomcat. If it has already sent the request there and the communication fails later, failing over to another Tomcat would possibly mean the same request were handled twice. Not the right decision in general, e.g. if the request triggers a shop order. The workers.properties attribute reciovery_options influences this in detail, e.g. you can decide that GET and HEAD requests should always be recoverable, even if they had already been sent. For your two examples it would indicate, that they failed at different points of the communication, e.g. in one case mod_jk could not connect to Tomcat (recoverable), in the other case Tomcat already received the request but did not response (in general unrecoverable). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: multiple mod_jk server mappings and JSESSIONID
On 28.04.2012 16:52, Mike Wilson wrote: I need to set up a configuration where a site's path space gets distributed over two servers and I'm looking at using mod_jk like this: Apache httpd mod_jk workers.properties workerA - serverA workerB - serverB uriworkermap.properties /* = serverA /path2/* = serverB /path3/* = serverB /path3/xyz/* = serverA F ex / and /path1/ would be directed to serverA and /path2/ would be directed to serverB. This is all fine. But how do I best solve the issue with each server setting its own JSESSIONID? The browser client will see one site with one domain and one JSESSIONID cookie, so this will cause interference between the two servers when switching between pages. Does mod_jk offer any feature to solve this, or is my best bet to change the name of the JSESSIONID cookie on one of the servers? No, there's no builtin feature for that in mod_jk. You could try to fiddle around with the Set-Cookie and Cookie headers using mod_headers. I suggest using a backend feature to switch cookie name there. Note that the client should also respect the path when choosing the correct cookie in case multiple cookies match the server. I'd hope the longest path wins in case there are multuple matching paths. Did you test, whether there's actually a problem with those cookies? Just in case: you can log the cookies in the server access log for debugging purposes by adding %{Set-Cookie}o and %{Cookie}i to your LogFormat in Apache. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: chunked encoding
On 25.03.2012 23:55, Alex Samad - Yieldbroker wrote: -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Monday, 26 March 2012 8:47 AM To: Tomcat Users List Subject: Re: chunked encoding On 25/03/2012 08:54, Alex Samad - Yieldbroker wrote: [snip] 1. http://en.wikipedia.org/wiki/Chunked_transfer_encoding 2. RFC 2616 (the specification of HTTP/1.1 protocol) Thanks, I had also hoped to get a bit of debate on the !experimental! nature of it in the connector What makes you think it's experimental? The documentation enable_chunked_encoding A string value representing a boolean. If it is set to true, chunked encoding is supported by the server. A true value can be represented by the string 1 or any string starting with the letters T or t. A false value will be assumed for 0 or any string starting with F or f. The default value is false. This option is considered experimental and its support must be compile time enabled. Use isapi_redirect.dll with chunked support enabled. This directive has been added in version 1.2.27 The feature was contributed by Tim and does no longer need a specially compiled binary since the change r910424 done by Mladen (released in version 1.2.30). Some minor bugs concerning chunking have been fixed since then. I'd say we no longer consider this experimental, the docs just haven't been updated correctly. Will do right now (but this will usualy not become publically visible before the next release). Thanks for the question / hint. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Want to confirm fix of a security vulnerability
On 09.03.2012 23:19, Jayant Sane wrote: Pardon the re-post but I just wanted some kind of ack from the Tomcat dev team on the following. Has the Tomcat WAR deployment directory traversal... issue as detailed in http://securitytracker.com/id/1023504 been fixed in version 7.0.023? As I mentioned, the Apache security team wont comment on known security issues. It was fixed by http://svn.apache.org/viewvc?view=revisionrevision=892795 before the first release of TC 7. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Non page pool issue will not go away, please help.
On 09.03.2012 18:19, Doron Tsur wrote: Hi Guys, A while back I've addressed you guys with the non paged pool issue. Most people advised upgrading the java/tomcat. We did just that and the issue is still happening. We are investigating a lot of directions of memory leaks in the environment with Microsoft. I wanted to address you guys, to see if you can give me a second feedback. The server isn't using direct memory or JNI for tomcat. I've been perusing a lot of directions here, yet still at a lost on why this is happening. Here is a recap of the information with the updates: I've been having an issue in one of our production servers. The Non Paged Pool creeps up slowly until the system hangs and than crash. Tomcat: 7 latest Java: 1.6.25 OS: Windows Server 2003 R2 SP2 This is a production server that uses high bandwidth. Poking around Poolmon.exe I was able to find that 1. the AfdP tag is consuming a lot of NP (Non Paged) pool. 2. This is a tag concerning the windows socket driver (afd.sys). We have many production servers running our tomcat. We have only encountered this issue in two of them, those servers have the same OS/Java/Tomcat installed. One server uses high bandwidth and the other uses much less. I say tomcat because this is the process that consumes all NP pool (about 170MB). 1. Have you ever encountered this issue? 2. Do you know of any application level/Tomcat configuration work around to solve this issue? 3. Do you think that there is something wrong in the way Tomcat interfaces with winsock? 4. Do you believe that Tomcat APR might resolve this issue? 5. I can't seem to download this hotfix to further investigate these files, they might contain a suitable version. Do you know how can I get them? When Tomcat is killed the Non Paged Pool doesn't return to the OS. Please share your wisdom and Tomcat greatness, Anything strange in the output of netstat -an? To many connections of some kind? Unusual TCP connection states? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: RE : Tomcat7 OutOFMemoryError
On 06.03.2012 18:21, Pid * wrote: On 6 Mar 2012, at 08:16, André Warniera...@ice-sa.com wrote: Pid wrote: On 06/03/2012 07:12, Rainer Frey wrote: On 05.03.2012, at 14:14, Philippe ROUXEL wrote: When I set JAVA_OPTS= -Xmx1024m -Xss75m That means: each thread get a stack of 75MB. One of the following applies: * the operating system has a limit on thread stack size * the per process memory limit is reached before all initial tomcat threads are started * the system runs out of total memory before all initial tomcat threads are started 75MB thread stack size seems quite insane, the default is around 1-2MB. Perhaps you meant to set -Xms (which sets the initial Java heap size)? 75MB of stack is needed by hibenate to save the data aka a graph. I haven't used hibernate personally, but I never heard anything like that. So please elaborate. Where did you get that information? Also what do you mean with graph? The graph of associated objects that are updated by one hibernate call, or is your data actually graph data? If so, how is that mapped? do you have any self-referential associations? Is it really stack that you are talking about? I'm also interested in the answers to these questions. Ok, to get back to the OP's original question/assumption : Assuming that -Xss75M tells the JVM to allocate 75 MB of memory for the stack of each new thread created by the JVM, and noting that for a typical Tomcat instance, a minimum of about 10 threads seem to be created (with an additional one for each request being processed), this setting of -Xss75M would mean that a minimum of 750 MB is being allocated for the threads' stack. Assuming on the other hand that this is a 32-bit system and JVM (the OP didn't really say, but was mentioning Windows XP), where the maximum addressable memory for a process is 4 GB (of which 1 GB more or less are used by the OS itself); and considering the setting of -Xmx1024M for the Heap; and considering that the rest of the JVM and Tomcat may use some 1024 MB by themselves (for other things than the Heap and thread stacks); Considering all this thus, it is not really so surprising that the OP would get an OOM error at some point. Noting on the other hand that the JVM stack should be mainly used to push and pop subroutine/function parameters as they are being called, and that a reasonable stack size seems to be around 512KB at most, this explains several comments here which seem to put in doubt the wisdom of allocation 75 MB for the stack of each Java thread. 75Mb is far too much for the thread stack size in a normal application. I am not certain that it is necessarily fully allocated, just to confuse matters further. I vaguely remember another discussion about this, but can't find it in the archives. By the way some slightly related anecdote: I once had to diagnose a strange situation which at the end was explained by a user setting ThreadStackSize to 2M. Note that the docs say ThreadStackSize is in K (Kilo Bytes) and the code in fact does multiply the given value with 1000 (or 1024). So if you set ThreadStackSize to 2M verbatim you end up configuring a stack size of 2GB :) I forgot whether Xss also is in K or is in Bytes. Interpreting ThreadStack Size in K and multiplying up all other units given in the value IMHO is one of the most strange decisions done when designing JVM flags. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Too many connections in keepalive state in jk threadpool
Hallo Herr Beier, On 02.03.2012 11:19, Beier Michael wrote: Hi all, we're running tomcat 7.0.23 on sun jdk 1.6.0_29, connected via ajp to httpd 2.2.21 using mod_jk 1.2.32. I observed the behavior, that tomcat keeps threads in its ajp pool in keepalive state, regardless of which timeouts (connectionTimeout and keepAliveTimeout) are configured in tomcat. I tested three connector configurations and with all I see connections in tomcat server status where the Time value amounts up to several million milliseconds, which is more than configured in connectionTimeout/keepAliveTimeout. This results in having 60-80 percent of the thread pool being in state keepAlive. 1) Connector port=8309 protocol=AJP/1.3 maxThreads=200 redirectPort=8343 tomcatAuthentication=false keepAliveTimeout=30 connectionTimeout=30 / 2) Connector port=8309 protocol=AJP/1.3 maxThreads=200 redirectPort=8343 tomcatAuthentication=false keepAliveTimeout=30 / 3) Connector port=8309 protocol=AJP/1.3 maxThreads=200 redirectPort=8343 tomcatAuthentication=false / In mod_jk the connection_pool_timeout is set to the same value as connectionTimeout (only in seconds, not milliseconds). I verified that the values are set correctly querying the parameters via JMX. How can I avoid having so many threads in keepalive state - I don't have any idea at the moment and can't see that there is an error in my configuration. Educated guess: you have an interval based cping/cpong connection check configured for mod_jk. Any cping will wake up the thread waiting for data on the connection and will reset the timeouts. But a cping will be ommediately answered by a cpong and not update the last request time. So that would explain, why your connections never timeout though the Manager shows constantly increasing times for the last request seen. Usually that feature would be activated for mo_jk using the JkWatchdogInterval in combination with ping_mode I or A. In case you are unsure about the effects of the various jk configuration options, you might post them here (remove sensitive data before posting). I'd say the current behaviour is a bit problematic, but I don't see an easy improvement. So if your focus is on keeping the number of idle connections low you would need to switch off interval cpings. Cping before rquests and after opening connections are fine (improves stability and reduces the likeliness of race conditions). HTH Rainer Jung - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat suddenly dies
On 28.02.2012 19:47, Carl Kabbe wrote: Chuck and Chris, Thanks for your replies. Below is some information to your questions/suggestions: Check the kernel logs (e.g., /var/log/messages, /var/log/warn), not just the Tomcat ones. Also, look for a JVM dump file (hs_err_pid*.log) I have and there is nothing in the messages file except accesses granted to specific workstations coming in on ssh and sync'ing to a time server. Neither of these have times that correspond to the crashes. There are no hs_err_* files anywhere on the servers. Smells a lot like OOM killer. Carl, you say you have a 2GiB heap. Are you using 32-bit or 64-bit JVM? What about other large-memory processes on the same boxes? Do you have other JVMs running or a database, etc.? Does the JVM die on any kind of schedule? We are running 64 bit OS's (Slackware 13.x, the latest version.) There are two other applications running on each of the boxes: 1) the Apache James email server (localhost SMTP only) and 2) a small application that serves reports. They are both very small (the current server shows 11GB+ free memory) and always survive theTomcat crashes. These servers are only used for Tomcat (and the related James and report serving app.) Not on a timed schedule but usually during high traffic periods (usually, but not always, as with last Friday.) Are there normal shutdown messages in the Tomcat logs? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSLProtocol with TLSv1+SSLv3 or SSLv3+TLSv1 does not work APR based Apache Tomcat Native 1.1.20 or 1.1.22
On 21.02.2012 21:41, Mark Anthony wrote: Referring to http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/sslcontext.c?r1=1149279view=log there something thats broke that does not support TLSv1+SSLv3. No it didn't break it. Tomcat Version 6.0.35 APR Details : INFO: Loaded APR based Apache Tomcat Native library 1.1.22. Feb 19, 2012 10:22:55 PM org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. Tomcat Server.xml Connector port=30002 SSLCipherSuite=HIGH:!ADH:!MD5 SSLCertificateFile=/local/Tomcat6/0/cluster/machine0/tc6u/tomcat.crt SSLCertificateKeyFile=/local/Tomcat6/0/cluster/machine0/tc6u/tomcat.key SSLPassword=xxx SSLProtocol=TLSv1+SSLv3 address=0.0.0.0 SSLEnabled=true TLSv1+SSLv3 is not allowed for Tomcat 6. It might be possible in the forthcoming version 6.0.36. It does work for Tomcat 7. maxThreads=150 scheme=https secure=true/ Error noticed in logs: -- Feb 19, 2012 10:22:57 PM org.apache.coyote.http11.Http11AprProtocol init SEVERE: Error initializing endpoint java.lang.Exception: An invalid value [TLSv1+SSLv3] was provided for the SSLProtocol attribute at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:724) at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:107) at org.apache.catalina.connector.Connector.initialize(Connector.java:1049) at org.apache.catalina.core.StandardService.initialize(StandardService.java:703) at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838) at org.apache.catalina.startup.Catalina.load(Catalina.java:538) at org.apache.catalina.startup.Catalina.load(Catalina.java:562) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413) Feb 19, 2012 10:22:57 PM org.apache.catalina.core.StandardService initialize SEVERE: Failed to initialize connector [Connector[HTTP/1.1-30002]] LifecycleException: Protocol handler initialization failed: java.lang.Exception: An invalid value [TLSv1+SSLv3] was provided for the SSLProtocol attribute at org.apache.catalina.connector.Connector.initialize(Connector.java:1051) at org.apache.catalina.core.StandardService.initialize(StandardService.java:703) at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838) at org.apache.catalina.startup.Catalina.load(Catalina.java:538) at org.apache.catalina.startup.Catalina.load(Catalina.java:562) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413) Feb 19, 2012 10:22:57 PM org.apache.coyote.ajp.AjpAprProtocol init Is there a work around to this issue. Tomcat 6 does not allow that combination. If you didn't get an error message with older releases this does not mean that it has actuzally worked. Tomcat 6.0.35 does not work with older 1.1.20 of the APR Why do you think so? Feb 21, 2012 1:38:55 PM org.apache.catalina.core.AprLifecycleListener init INFO: An older version 1.1.20 of the APR based Apache Tomcat Native library is installed, while Tomcat recommends version greater than 1.1.22 This is an info message containing a recommendation. Not an error. Feb 21, 2012 1:38:55 PM org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR based Apache Tomcat Native library 1.1.20. Feb 21, 2012 1:38:55 PM org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. Feb 21, 2012 1:38:55 PM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-0.0.0.0-30221 Feb 21, 2012 1:38:55 PM org.apache.coyote.http11.Http11AprProtocol init SEVERE: Error initializing endpoint java.lang.Exception: An invalid value [TLSv1+SSLv3] was provided for the SSLProtocol attribute True, this value is not allowed, neither for Tomcat 6, nor for TC native 1.1.20. Either switch to TC 7 or use some other protocol setting, like ALL. With a little luck, the next Tomcat 6 release will have that feature backported from TC 7. You can also apply the patch from http://people.apache.org/~rjung/patches/tc6-apr-all-sslprotocol-r1145209.patch and rebuild Tomcat 6. Regards, Rainer - To unsubscribe, e-mail:
Re: ISAPI errors 87 when disabling IIS 7.0's response buffering
On 20.02.2012 18:45, Konstantin Preißer wrote: Hi all, I'm using Tomcat 7.0.25 (running on a Oracle JDK 1.7.0_03) on a Windows Server 2008 (32-Bit), with IIS 7.0 and the ISAPI 1.2.32 connector (with chunked encoding enabled) to pass HTTP requests to Tomcat. Since IIS 7.0, there is a response buffering that also applies to responses from the ISAPI redirector. This means that even when I call flush() on the Servlet's OutputStream, the previous content is not sent to the user, until IIS's response buffer is full. However, as I don't want this behavior (when I call flush(), I'd like the response to be immediately sent to the client), I found a way to disable the response buffer, by running the command: appcmd set config myhostname.com /section:handlers -[name='ISAPI-dll'].ResponseBufferLimit:1 This will set the response buffer size to 1 byte for the virtual host myhostname.com. I can't use 0, as this causes problems with 4xx/5xx status codes (where IIS uses its own error pages), so I'm using 1 here. Now when I send some bytes to the response and then flush(), the bytes will immediately be sent to the client (as it was in IIS 6). However, now I also get errors in the ISAPI log, like these: [Sun Feb 19 22:31:05.885 2012] [11976:8708] [error] isapi_write_client::jk_isapi_plugin.c (1250): WriteClient failed with 87 (0x0057) [Sun Feb 19 23:57:24.820 2012] [11976:3004] [error] iis_write::jk_isapi_plugin.c (1337): Vector write of chunk encoded response failed with 87 (0x0057) [Mon Feb 20 00:13:10.128 2012] [11976:10244] [error] iis_write::jk_isapi_plugin.c (1337): Vector write of chunk encoded response failed with 1229 (0x04cd) I suppose this is because some clients abort the connection, before the response could be fully sent. When IIS response buffering was enabled, probably the ISAPI connector didn't see the errors as IIS mostly consumed the whole output before sending anything to the client (as with IIS 6.0, I also regularly got such errors, but with error number 10053). However, I'm a bit worried about the error number 87, as some sites say about Winsock error 87: Winsock error 87. WSA_INVALID_PARAMETER - One or more parameters are invalid. (when it says, some parameters are invalid, it sounds like there is an unexpected error here). Normally, when a client aborted the TCP connection, I would get a 10053 or 995 error. Are the errors 87 and 1229 expected in such cases? I don't really know, but 1220 is ERROR_CONNECTION_INVALID, which is closer to what you expected. One of the parameters passed to WriteClient and also in the vector write case is actually the connection ID so it could be that a unusable client connection could also return 87. Unfortunately MSDN doesn't have any useful information. Maybe Mladen or Tim know more about it. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk doesn't map to software-generated web address, but maps to this address when I enter it into browser
On 17.02.2012 09:41, Purvis Robert (NHS CONNECTING FOR HEALTH) wrote: I have found that some versions of mod_jk 1.2 don’t work. I use 1.2.14.1 with Apache 2.0.52, and Tomcat 5.5.23. When I tried going up to a higher version of mod_jk then the connection to Tomcat was ignore, as if there was nothing there at all. If you can, get hold of 1.2.14.1 and see if that works. I can email you the tar.gz file if you want me to. That's not true. Version 1.2.32 is far better than 1.2.14. You likely never found the JkMountCopy switch. Before posting to a thread, try to read what's already been discussed. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk doesn't map to software-generated web address, but maps to this address when I enter it into browser
On 17.02.2012 16:15, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- On 2/17/12 3:41 AM, Purvis Robert (NHS CONNECTING FOR HEALTH) wrote: 1.2.14.1 is not a valid version number for Apache mod_jk. All historic versions of mod_jk can be downloaded directly from the Apache web site: there's no reason to pass-around code. Sorry to correct you: 1.2.14.1 was an ASF version. Finally, Robert, you should read this page which is full of security vulnerabilities, all of which have been fixed since 1.2.14: http://tomcat.apache.org/security-jk.html I cmpletely agree, don't use those old versions and don't recommend them to anyone. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk doesn't map to software-generated web address, but maps to this address when I enter it into browser
On 17.02.2012 16:19, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André, On 2/16/12 3:24 PM, André Warnier wrote: A correct request should have at least 2 lines such as line 1 : GET /mywebapp/... HTTP/1.1(could also be POST instead of GET) then: .. (any number of header lines, 0-n) then: Host: the.correct.hostname .. (any number of header lines, 0-n) ..an empty line (CR/LF) This is making me think. I wonder if Flexbuilder uses HTTP/1.0 and does not provide a Host header. That way, you'll get the default VirtualHost which might not have the proper mappings. The OP can easily find out: he just needs to add %{Host}i to his LogFormat. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk doesn't map to software-generated web address, but maps to this address when I enter it into browser
On 17.02.2012 16:26, André Warnier wrote: Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 To whom it may concern, On 2/16/12 1:29 PM, modjkl...@comcast.net wrote: I took all JkMounts inside the VirtualHost tags and placed them outside these tags, and above them added JkMountCopy All, restarted Apache, and now Adobe successfully can access mydomain.com/mywebapp. Thanks so much!!! I also tried modifying the above httpd.conf configuration by removing the global JkMountCopy All line of code, and adding a JkMountCopy On line of code inside the original VirtualHost tags, but this also failed as before. Any idea why? Andre, I did worry about the host3 designation initially, so I previously added it to the VirtualHost tag here under ServerAlias: ServerAlias www.mydomain.com host3.mydomain.com So I assumed that should permit Adobe trying to access host3.mydomain.com I'm still curious as to why Adobe sees a different experience than you do with your web browser. Me too in fact. I didn't quite get Rainer's explanation, and still do not understand why an Adobe request results in this URI being logged by mod_jk : [Thu Feb 16 06:47:35 2012] [13723:140020322740160] [debug] jk_map_to_storage::mod_jk.c (3647): missing uri map for host3.mydomain.com:/mywebapp/flex_wizard_project_test_script_server_550713325917236076.htm while when doing it by hand, the URI shown in the log is quite different : [Thu Feb 16 06:55:21 2012] [13725:140020322740160] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1036): Attempting to map URI '/mywebapp/flex_wizard_project_test_script_server_550713325917236076.htm' from 6 maps Is it just a variation due to how the mod_jk logging works, or is it really that the request URI is arriving differently to Apache in one case or the other ? It s to totally different log messages. The first one tells us, that the VirtualHost handling the request didn't have any JkMount, the second one explains that it has 6 mount definitions to choose from. So first: the two VirtualHosts handling the two requests are different from each other. Second: the missing space in the first message ...host3.mydomain.com:/mywebapp... is a typo in the mod_jk source, so please read it as ...host3.mydomain.com: /mywebapp Like : - from a browser : GET /mywebapp/flex_wizard_project_test_script_server_550713325917236076.htm HTTP/1.1 Host: host3.mydomain.com ... - from Adobe : GET host3.mydomain.com:/mywebapp/flex_wizard_project_test_script_server_550713325917236076.htm HTTP/1.1 No see above. When I first wrote how to read the log line I had altready looked up the source code. Believe me ;) Host: ... ??? Regards, Rainer P.S.: The OP can simply log the Host header with %{Host}i - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk doesn't map to software-generated web address, but maps to this address when I enter it into browser
On 17.02.2012 17:43, David N. Smith wrote: On Feb 17, 2012, at 10:27 AM, André Warniera...@ice-sa.com wrote: Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 To whom it may concern, On 2/16/12 1:29 PM, modjkl...@comcast.net wrote: I took all JkMounts inside the VirtualHost tags and placed them outside these tags, and above them added JkMountCopy All, restarted Apache, and now Adobe successfully can access mydomain.com/mywebapp. Thanks so much!!! I also tried modifying the above httpd.conf configuration by removing the global JkMountCopy All line of code, and adding a JkMountCopy On line of code inside the original VirtualHost tags, but this also failed as before. Any idea why? Andre, I did worry about the host3 designation initially, so I previously added it to the VirtualHost tag here under ServerAlias: ServerAlias www.mydomain.com host3.mydomain.com So I assumed that should permit Adobe trying to access host3.mydomain.com I'm still curious as to why Adobe sees a different experience than you do with your web browser. Me too in fact. I didn't quite get Rainer's explanation, and still do not understand why an Adobe request results in this URI being logged by mod_jk : [Thu Feb 16 06:47:35 2012] [13723:140020322740160] [debug] jk_map_to_storage::mod_jk.c (3647): missing uri map for host3.mydomain.com:/mywebapp/flex_wizard_project_test_script_server_550713325917236076.htm while when doing it by hand, the URI shown in the log is quite different : [Thu Feb 16 06:55:21 2012] [13725:140020322740160] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1036): Attempting to map URI '/mywebapp/flex_wizard_project_test_script_server_550713325917236076.htm' from 6 maps Is it just a variation due to how the mod_jk logging works, or is it really that the request URI is arriving differently to Apache in one case or the other ? Like : - from a browser : GET /mywebapp/flex_wizard_project_test_script_server_550713325917236076.htm HTTP/1.1 Host: host3.mydomain.com ... - from Adobe : GET host3.mydomain.com:/mywebapp/flex_wizard_project_test_script_server_550713325917236076.htm HTTP/1.1 Host: ... ??? Partially to add to the chorus ... It *looks like* to my eye that Adobe is trying something strange like: http://host3.mydomain.com/host3.mydomain.com:/mywebapp/flex (the rest of the URL). No no no: as I said multiple times now, the string ...host3.mydomain.com:/mywebapp/flex_wizard_project... in the missing uri map mod_jk log message means: the VirtualHost that handles host3.mydomain.com has not JkMount defined, so it can't map the URI /mywebapp/flex_wizard_project. The space after the colun is just missing in the log message. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk doesn't map to software-generated web address, but maps to this address when I enter it into browser
On 16.02.2012 17:55, modjkl...@comcast.net wrote: original message is below--- Hello. I'm trying to setup Adobe's Flexbuilder 4.6 software to access mydomain.com/mywebapp using port 80 on Apache Webserver 2.2.21 and connect using mod_jk 1.2.32 on a remote Linux CentOS 6.2 server. I'm puzzled by the mod_jk.log file, which I've included a snippet below and attached as a text file. I also attached an image of Adobe Flexbuilder's wizard. As you can see from the image, this wizard has a button called Validate Configuration that attempts to connect to the remote server provided in the input field labeled Root URL. If I enter the following into this Root URL field http://mydomain.com:8080/mywebapp the Adobe Flashbuilder software states that a connection was successfully made to the server. However, if I enter the following instead: http://mydomain.com/mywebapp the Adobe Flashbuilder software states that it cannot connect to the server. When I review the mod_jk.log file (attached as a file and also shown below), I see Adobe's request in the 2nd line, where the mod_jk.log entry reports a missing uri map for host3.mydomain.com:/jitterapp/flex_wizard_... Here's that line: That means it is using a VHost in Apache which does not have JkMount or uriworkermap.properties inside. [Thu Feb 16 06:47:35 2012] [13723:140020322740160] [debug] jk_translate::mod_jk.c (3488): missing uri map forhost3.mydomain.com:/mywebapp/flex_wizard_project_test_script_server_550713325917236076.htm And the colon Chris and you were speculating about is indeed an accident in trying to separate host and URI, so read it as: missing uri map for host3.mydomain.com: /jitterapp/flex_wizard_... So your request is served by whatever VHost is configured to handle requests for host3.mydomain.com Later in this log snippet , you'll see an entry for attempting to map URI ' /jitterapp/flex_wizard_... Here's that line: [Thu Feb 16 06:55:21 2012] [13725:140020322740160] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1036): Attempting to map URI '/mywebapp/flex_wizard_project_test_script_server_550713325917236076.htm' from 6 maps This entry was created when I opened a web browser and pointed it to the address Adobe was trying to access, which I obtained from the log file, that is, http://mydomain.com/mywebapp/flex_wizard_project_test_script_server_550713325917236076.htm. In this case, a match was found with JkMount and a worker assigned, and so mod_jk seems to be working. Here's the relevant line: Yep, the VHost handling mydomain.com (which must be some other VHost than the previous one for host3.mydomain.com) has rules and those did match. [Thu Feb 16 06:55:21 2012] [13725:140020322740160] [debug] find_match::jk_uri_worker_map.c (863): Found a wildchar match '/mywebapp/*=worker1' My question is, why does mod_jk work when I manually enter the web address Adobe is trying to access but not work when Adobe accesses it? Can you see anything in the log file that would indicate the address I entered is different than the address Adobe is using, that could explain this? I really need this working, so any help MUCH appreciated. Thanks in advance. Because you are being handled by different VHosts and the mounting rules are not defined in all of them. If you want to double check my VHos theory: add a special accesslog using CustomLog with a new log file name to the VHost you added your Jkmount. I would expect the request that found a mount to show up in that accesslog, and the other one to not show up in this additional access log because it was handled by some other vhost. Easiest solution could be moving all Jkmount directives to the global server and setting JkMountCopy all in the global server. httpd.conf file snippet- For reference, the httpd.conf file includes the following (the ... indicates non-relevant code I removed for simplicity): LoadModule jk_module modules/mod_jk.so JkWorkersFile /etc/httpd/conf/workers.properties JkLogFile /etc/httpd/logs/mod_jk.log JkLogLevel debug Remove the next two directives , get a mod_jk 1.2.32 source download and have a look at the httpd-jk.conf and workers.properties file contained in it. JkLogStampFormat [%a %b %d %H:%M:%S %Y] JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories JkRequestLogFormat %w %V %T ... Listen 0.0.0.0:80 User nobody Group nobody ExtendedStatus On ServerAdmin webmas...@webxyz.net ServerName host3.mydomain.com LogLevel warn Timeout 300 ServerSignature On ... UserDir public_html ... Location /whm-server-status SetHandler server-status Order deny,allow Deny from all Allow from 127.0.0.1 /Location Location /server-status SetHandler server-status Order deny,allow Deny from all Allow from xx.xx.xxx.0/24 /Location Location /server-info SetHandler server-info Order deny,allow Deny from all Allow from xx.xx.xxx.0/24 /Location ... NameVirtualHost
Re: mod_jk doesn't map to software-generated web address, but maps to this address when I enter it into browser
On 16.02.2012 21:24, André Warnier wrote: modjkl...@comcast.net wrote: Thanks Andre, I'd still be interested is there's a way to have mod_jk only check for traffic coming into mydomain.com for folder /mywebapp. I think the current solution checks all domains, such as mydomain2.com and mydomain3.com, etc., for a map to mydomain.com/mywebapp. Couldn't I just have all those JkMounts defined globally, then within the VirtualHost tags for mydomain.com, include a JkMountCopy On? But that didn't work for me so I must be approaching this wrong. Yes, you should be able to do that. But it then again depends on whether the Adobe thing is really sending the request in the proper way. Which right now we don't know, but which you may be able to verify using your packet dump. If it does not send the requests properly, then you will end up with the same problem as before : requests not ending up in the VirtualHost which you expect, and this unexpected VirtualHost knowing nothing about a mapping for /mywebapp. A correct request should have at least 2 lines such as line 1 : GET /mywebapp/... HTTP/1.1 (could also be POST instead of GET) then: .. (any number of header lines, 0-n) then: Host: the.correct.hostname .. (any number of header lines, 0-n) ..an empty line (CR/LF) In the first GET or POST line, after the GET or POST it should start with /mywebapp, without any other prefix. In the Host: line, there should be the hostname which you expect. If this is not the case, then something is wrong in the Adobe client. If the Adobe client sends proper requests, then you can try : - remove the JkMountCopy All from you main configuration - move each JkMount line inside the VirtualHost where it should take effect (copying them to several VirtualHost's if that is what you want) - define your VirtualHost's as follows : In the main configuration part : Listen 80 ... NameVirtualHost *:80 # (1) ... VirtualHost *:80 # (must match (1) exactly) Servername localhost D0ocumentRoot /something/harmless /VirtualHost VirtualHost *:80 # (must match (1) exactly) Servername host.mydomain.com .. JkMount's for this VirtualHost /VirtualHost etc.. This way : - there are only name-based VirtualHost's - the first one is the default host, used when a request comes in which does not match any ServerName (for example requests sent by devious robots looking for /phpmyadmin and the like) - the others will be used each by requests whose Host: header exactly match their ServerName or ServerAlias But again, check the Adobe requests first, otherwise you could get in trouble again. Variation : If it turns out that most of your JkMount's do need to be copied into most of your VirtualHosts, then - still remove the JkMountCopy All - leave the common JkMount's in the main config part - put a JkMountCopy On in each VirtualHost that should get a copy of these common ones - add the specific JkMount's to each VirtualHost IMHO the main problem is, that the OP hasn't yet seen all VHosts defined in the Apache configuration. I'm pretty sure, that there is more than one VHost, maybe via included config files. The request that originally didn't work went to some other VirtualHost element, the one that worked went to the expected VirtualHost. If the OP wants to clean it up, he needs to carefully check the complete configuration for additional/unwanted VirtualHosts. If he wants to find out, which VirtualHost actually handles a request, the one Customlog per VirtualHost trick is an easy way to check. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: desperate for help to set up straightforward mod_jk connection between Apache2 webserver and web container
On 12.02.2012 01:44, modjkl...@comcast.net wrote: For example, if a socket connection is established and AJP transmission occurs, even though it's only one way, would GlassFish have to be listening for this to happen? Would GlassFish have to reply via AJP to establish a socket? That sort of thing. What does the log file tell us about the communication between Apache and GlassFish, and what does it not tell that we would need to know to pinpoint the problem, etc.? Yes, without Glassfish at least listening to 8009 you would have seen something different in the mod_jk logs, namely an error during connect and not a message that says it is sending a request there. Since you built mod_jk from source: the source distribution contains a nice httpd-jk.conf and workers.properties file which is a good starting point for configuration. I'm not saying it will fix your problem, because it really looks it is on the Glassfish side, but e.g. that configuration contains a cping/cpong test for every new configuration. If cping/cpong already fails, it would be likely that Glassfish is listening on the port but doesn't expect AJP13 as the protocol etc. The log message from Glassfish you posted indicates, that Glassfish thinks it never received a valid request and thus closed the idle connection after 30 seconds. So either something eats the packet in between Apache and Glassfish (not very likely on localhost, since you could establish the connection), or the request is buggy, e.g. contains invalid headers like a wrong content-length making Glassfish to wait for more data. Unfortunately you dropped that part of mod_jk debug output as hex data :( When increasing JkLogLevel to trace mod_jk will do a full dump of the request. Using debug will only dome the first one or two KB of each packet. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: jkstatus page
On 13.02.2012 00:47, Alex Samad - Yieldbroker wrote: Hi I was wondering if somebody could explain NameAct State D F M V Acc Err CE RE Wr Rd BusyMax Con Route RR Cd Rs LR LE [S] worker1 ACT OK 0 1 1 967 97659 (2/sec) 0 0 0 286M (6.9K/sec) 218M (5.3K/sec) 71 72 -218 node1 0/0 42313 [S] worker2 ACT OK 0 1 1 914 96462 (2/sec) 0 0 0 280M (6.8K/sec) 232M (5.6K/sec) 70 71 -211 node2 0/0 42313 Why is it my con colum is in the negative ? It's a bug in mod_jk. We hope it will be fixed in the next release. That counter was only added recently and the first attempt didn't really work. Regards, Rainer So for worker 1 busy is always= max but conn is -218 ??? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Enabling JMX Remote Ports to connect Tomcat server remotelly with jconsole tool
On 09.02.2012 13:51, Andres Aguado wrote: Hi Guys! First of all, I want to be grateful for help. I'm (very) newbie with apache-tomcat world, level 1 (I've installed Tomcat sucessfully once ;-) ) Well, I've a Tomcat 5.5.27 version with an application in production environment and i've installed the same version for windows on a VM-WiXP to test configuration before applying changes to production server And I want to monitorize the application remotelly through jconsole. So, I've added this lines to catalina startup script: set CATALINA_OPTS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8999 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false (When all works I'll add authentication, but now i need to run jconsole.) Now I'm accesible to 8999 port (RMI Registry?) telneting, but jconsole outputs a connection error. I've executed netstat -an command and I've seen that 8999 port connextion is STABLISHED, but there is another port (48657) to the tomcat ip in SYN_WAIT. Well, I've been reading documentation and it seems that i must configure manually an additional port to connect through jconsole because this port is a random port (RMIServer and RMIConnection?) and it's a problem to gain access through firewalls I've been reading more information and I've arrived to this document http://tomcat.apache.org/tomcat-5.5-doc/monitoring.html#Enabling_JMX_Remote Then, I've addedListener className=org.apache.catalina.mbeans.JMXAdaptorLifecycleListener namingPort=8999 port=48657 host=tomcatservername / This is the point i'm blocked. Tomcat doesn't start, and catalina.out file shows this error: SEVERE: Begin event threw exception java.lang.ClassNotFoundException: org.apache.catalina.mbeans.JMXAdaptorLifecycleListener I've been looking for JMXAdaptorLifecycleListener, but i don't know how to make it works. Could anyone help me? I think for TC 5.5 the class is not included in the binary downloads. You need to grab a source download and build it using Java 5. When building using Java 1.4.2 which IMHO is the default for a release, the class can't be build. Check your jar files, the class should be in catalina-optional.jar. Starting with Tomcat 6 this functionality is available as a separate Jar, which is part of the so-called extra downloads (in the extra folder underneath the bin folder. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk and URL rewriting/proxying?
On 09.02.2012 19:07, Casper Wandahl Schmidt wrote: Hi List I have a quick question (I hope). I'm using mod_jk to forward from Apache httpd 2.2.8 to tomcat 7.0.20 (Ubuntu 8.04). I think I saw something on this list some time ago but can't remember what it was really about (the real issue was not want I want to do). So I want users to access my webapp from xxx.yyy.zz and then have apache/mod_jk to change it to xxx.yyy.zz/myapp According to http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html I have to manipulate headers but as far as I remember there was something about ProxyPass and ProxyPassReverse. Are they only available to mod_proxy or mod_ajp? Yes, those can currently not be combined with mod_jk. Sorry. I don't want the app to become ROOT since I have another app that should be running as ROOT. I thought about making seperat host's in server.xml but I dont like the fact that I need to restart tomcat each time I need to add a new host so I thought I might achieve want I want by letting apache httpd take care of that part. You might want to look at the host-manager webapp. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: problems with performance with IIS 7.5 and Tomcat Connector
On 02.02.2012 10:04, Alex Samad - Yieldbroker wrote: I have 2 x W2k8r2 + NLB (Network load balancing) + IIS 7.5 + Tomcat Plugin = 2 x RHEL 6.1 + Jboss 7 (I think). (not setup in JBoss cluster mode) We have a .net client that talks to the IIS and then onto Jboss. We have been running some tests on our new setup. When we run client to Jboss node (just 1), we can create 1000 connections very fast, as in the client application open 1000 connections as fast as it cans and then starts to communicate from there. When we point out client at IIS (we started with 200 connection) we are seeing problems. 1) IIS reports 200 connection starting up just about instantly IIS reports or the redirector reports? Connections from client to IIS or from IIS to JBoss? 2) we have setup the virtual web site with 4 worker processes (as it's a 4 cpu machine), we see 4 process and lots of threads start up 3) I can see in the ajp logs that the connector is starting up But on the jboss node, counting the 8009 connections it takes a very long time for the connections to start up 2-3 every 3-4 seconds. Even the first ones, or in addition to the fast 200 ones? Note that the ISAPI redirector only starts a new backend connection if it needs one. There is no 1:1 relation between frontend and backend connections. Whenever a request arrives on a frontend connection, the redirector puts it on an available backend connection. If all of them are busy (waiting for responses), it creates a new backend connection until the pool limit is reached (which is 2000 in your case). If opening a new connection is slow I'd expect there to be a network or backend problem. You could trace using wireshark and see, what actually takes time (whether it is waiting for packets from the backend, or connections break or whatever). Now it might be that I had logging on in debug mode I did try in info mode and seemed to be just as bad. Debug log is only useful to debug. It kills performance. This is my connector config # Global Vars worker.maintain=60 worker.list=jbclb # JBoss cluser worker.jbclb.type=lb worker.jbclb.balance_workers=worker1, worker2 worker.jbclb.sticky_session=true worker.jbclb.method=Request # Template for all worker threads worker.template.type=ajp13 worker.template.port=8009 worker.template.ping_mode=A worker.template.ping_timeout=3 worker.template.connection_pool_size=2000 worker.template.connection_pool_minsize=100 worker.template.socket_keepalive=true worker.list=worker1 # worker 1 worker.worker1.host=10.32.25.251 worker.worker1.route=node1 worker.worker1.reference=worker.template worker.list=worker2 # worker 1 worker.worker2.route=node2 worker.worker2.host=10.32.25.252 worker.worker2.reference=worker.template ISAPA config file # Configuration file for the Jakarta ISAPI Redirector # The path to the ISAPI Redirector Extension, relative to the website # This must be in a virtual directory with execute privileges extension_uri=/jakarta/isapi_redirect.dll # Full path to the log file for the ISAPI Redirector log_file=C:\YB\Local\dev.com\Logs\ajpconfisapi_redirect.log # Log level (debug, info, warn, error or trace) #log_level=info log_level=warn #log_level=debug log_filesize=20M #log_rotationtime=86400 # Full path to the workers.properties file worker_file=C:\YB\Shared\dev.com\ajpconfig\workers.properties # Full path to the uriworkermap.properties file worker_mount_file=C:\YB\Shared\dev.com\ajpconfig\uriworkermap.properties # Rewrite rewrite_rule_file=C:\YB\Shared\dev.com\ajpconfig\\rewrite.properties #uri_select=proxy The performance so far of the connector seems to be rather bad, I am presuming it something I have setup, cause 200 connections shouldn't be that hard to handle. What do you mean by bad performance: - response time without load - response times under load - maximum throughput in requests per second - something else? Usually performance problems more often come from the web apps. You could take a thread dump of JBoss while inducing load, to see what's happening there. Of course if the same performance measurement shows no problem using direct access, then we are back talking about the redirector. I am going to turn logging down to warn and see what happens. ... did info logging reveal anything interesting? I have noticed during this testing that when the connector crashes and it seems to do that quite regularly I have to stop and restart all of IIS not just the virtual site I attached the connector to. OK, that's something else and it seems the redirector does not really work well with IIS 7.5. I hope Tim or Mladen can comment. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: ThreadLocals, context listeners and classloader leaks
On 26.01.2012 18:00, Jess Holle wrote: On 1/26/2012 10:38 AM, Mark Thomas wrote: OK. ThreadLocals have no place in a web application. Period. If a programmer insists on using them, then it is their responsibility to clean up the mess they leave behind. Tomcat's memory leak detection and prevention code goes some way to clearing up things like this but it is never going to cover every case. Mark Or put another way, you have a choice: 1. Use ThreadLocals the way you'd have assumed you could, but don't expect to ever restart your web app without leaking tons of memory. 2. Use ThreadLocals, but be sure you religiously clean up after yourself by the time your web app is fully shut down. 3. Don't use ThreadLocals. If you use someone else's library that uses ThreadLocals then you'll probably end up in forced into A. That said, there could and arguably should be another choice: 4. Select a special mode in a servlet engine that shuts down all threads that have ever serviced requests for a given web app when it is shutdown (and code your web app to shutdown any threads it creates, obviously!), e.g. after they complete servicing any request in progress. [It could just replace all request threads with new ones after the requests currently in progress complete.] That's assuming the servlet engine is nice enough to provide such a mode. If it did, however, I believe that would resolve any ThreadLocal issues without one having to avoid using a perfect natural and useful Java language feature. I'd argue all servlet engines should really provide this feature for just this reason. That said, I can live with A. Renewing threads is what was implemented some time ago in Tomcat's ThreadLocal leak prevention: http://tomcat.apache.org/tomcat-7.0-doc/config/listeners.html#ThreadLocal_Leak_Prevention_Listener_-_org.apache.catalina.core.ThreadLocalLeakPreventionListener Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Inspecting JMX
On 26.01.2012 19:32, Christopher Schultz wrote: Now I'm trying to get similar information using a command-line tool that is very simple called check_jmx -- it's a plug-in for Nagios. It appears that this tool does not support the attach API and so it looks like I'll have to enable remote JMX, so I've followed the instructions on Tomcat's monitoring page to enable remote JMX [3]: 3. Should I just give up and use the manager app's jmxproxy? I don't currently deploy the manager app, and I'd like to avoid doing that if possible. But, it may be a slightly cleaner solution. 4. Should I hack the code for check_jmx to use the Attach API and try to avoid all of this stupid port business? Getting the PID of the Tomcat process shouldn't be hard as long as I use CATALINA_PID and get the value from there. Note that the naive check_jmx attempt will not scale. Monitoring JVMs using JMX by starting a new JVM on the polling server for each poll and each monitored instance will soon killk your monitoring server. You either need to use an agent running in the target JVM and providing access via a simpler non-Java protocol, or you need a long running Java based gateway, which does the JMX communication with the target JVMs and gets itself queried with something simpler. In that sense the Tomcat Manager can act as an agent via its jmxproxy feature, making JMX data available for each HTTP client that can parse simle text output. Another a bit more sophisticated approach which can be well integrated with Nagios is Jmx4Perl as a client in combination with Jolikia as the agent (all Open Source). Of course there are many more options available. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Path of log files changed in Tomcat 7.0.25 when installing as Windows Service
On 28.01.2012 07:27, Caldarale, Charles R wrote: From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Subject: RE: Path of log files changed in Tomcat 7.0.25 when installing as Windows Service Haven't yet figured out why the ${catalina.base} references in logging.properties aren't getting resolved. It appears that procrun 1.0.8 is broken: ++JvmOptions is being treated like --JvmOptions, so the settings of catalina.base and catalina.home in service.bat are getting lost. Chuck opened an issue: https://issues.apache.org/bugzilla/show_bug.cgi?id=52548 Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: TC7 very slow SessionIdGenerator SecureRandom initialization
On 28.01.2012 00:38, Pid wrote: On 27/01/2012 23:25, Caldarale, Charles R wrote: From: David Rees [mailto:dree...@gmail.com] Subject: Re: TC7 very slow SessionIdGenerator SecureRandom initialization Hmm, yes, the systems I've checked running Java 1.7.0_02 list /dev/urandom as the securerandom.source. Unfortunately, there's a misguided part of the JRE that insists it's smarter than any sysadmin, so it checks for /dev/urandom and uses /dev/random instead - that's why the setting of /dev/./urandom is important, even though it would seem to be equivalent. So editing the file fixes this, or just using the system property? I expect either will help. Using /dev/random instead of the configured /dev/urandom IMHO is an implementation bug. Some more details at http://marc.info/?l=tomcat-devm=130182757504685w=2 http://search.oracle.com/search/search?search_p_main_operator=allstart=1group=bugs.sun.comq=%2Fdev%2Furandom The one bug closest to this topic is http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6202721 but Oracle doesn't care :(. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Is SSL keystore with AJP connector possible?
On 19.01.2012 00:09, mandg wrote: I'm working on Apache Tomcat/6.0.33 running in Windows 2003 and have been asked to setup SSL. Looking at the server.xml file, I see that the AJP/1.3 connector is configured and not APR. Like a good newbie that I am with Tomcat, I followed the Tomcat instructions for configuring SSL. However, the docs seemed to step me through the steps for an APR-type connector, not AJP since I had specified a keystore and passphrase. When I reviewed the AJP connector documentation, I didn't find any attributes to specify for the keystore and passphrase. So my question is, can I use a keystore for the AJP type of connector? And if so, are there any good tutorials out there that can walk me through it. If not, can I simply edit out the AJP connector in my server.xml file and edit in the APR connector? Or will that somehow break the site/application that's running on Tomcat? Note that AJP is a protocol and APR is an implementation type. Tomcat supports HTTP, HTTPS and AJP as protocols, and BIO, NIO and APR as the implementation. Tomcat 7 supports all combinations, Tomcat 6 all combination except for AJP/NIO. AJP is an unencrypted protocol. So configuring SSL, keystore etc. for an AJP connector does not make sense. This is true for any AJP implementation, be it BIO, NIO or APR. HTH! Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: static content not served for non-root apps via mod_jk
On 14.01.2012 04:17, Eric P wrote: Hi all, I'm having trouble getting Apache to serve static content (jpg, css, js, etc.) for Tomcat apps via mod_jk for any application except the ROOT Tomcat app. The ROOT app shows static content just fine. I have the following Apache settings attempting to point *all* requests to Tomcat and unsetting certain static content extensions so that Apache will serve them. ...clip... # Send everything to Tomcat JkMount /* ajp13 # And then unsend static content so that httpd will serve it JkUnMount /*.js ajp13 JkUnMount /*.css ajp13 JkUnMount /*.jpg ajp13 JkUnMount /*.png ajp13 JkUnMount /*.gif ajp13 This only works for ROOT, because you used a / in front. Using JkUnMount *.js etc. will unmount *all* js. ...clip... These settings work for the ROOT Tomcat app but not for anything else including Tomcat's manager app. FYI. when I access via Tomcat's port/web server everything works. E.g., http://localhost:8080/manager/html But not when I access via port 80. E.g., http://localhost/manager/html Im seeing a 404 Not Found for all static content via port 80/Apache (again, the only exception is any static content belonging to the ROOT Tomcat app). I'm experiencing the exact same behavior on both an Ubuntu and CentOS. I don't understand that, because of the JkUnMount does *not* work, Apache will simply forward everything to Tomcat thus your manager should be OK. Note that JkMount and JkUnMount are per virtualhost, see JkMountCopy. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk linux binaries
On 06.01.2012 11:01, Leon Kolchinsky wrote: Yes there is - http://apache.mirror.aussiehq.net.au//tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.32-src.tar.gz These are the sources. For 1.2.32 there are indeed not binaries for Linux available. Building is simple and ensures compatibility with your Apache Webserver binary. Regards, Rainer Check out this page - http://tomcat.apache.org/download-connectors.cgi Cheers, Leon Kolchinsky On Fri, Jan 6, 2012 at 20:54, Olivier MENUELomen...@vdocsoftware.comwrote: Ok Thank you very much I was hoping I could find already compiled binaries (there are the 1.2.31 in the archives, but not the 1.2.32). I'll do that. Thanks -Message d'origine- De : Leon Kolchinsky [mailto:lkolc...@gmail.com] Envoyé : vendredi 6 janvier 2012 10:45 À : Tomcat Users List Objet : Re: mod_jk linux binaries Hi, You can compile mod_jk and it's pretty straight forward (please use latest source, mine is just an example): 1. # yum install httpd httpd-devel gcc gcc-c++ 2. Go to http://tomcat.apache.org/download-connectors.cgi and download the source code: # wget http://apache.mirror.aussiehq.net.au//tomcat/tomcat-connectors/jk/source/jk-1.2.31/tomcat-connectors-1.2.31-src.tar.gz 3. # tar -xvzf tomcat-connectors-1.2.31-src.tar.gz Read docs/webserver_howto/apache.html or native/BUILDING.txt for options. # cd tomcat-connectors-1.2.31-src/native/ # which apxs # ./configure --with-apxs=/usr/sbin/apxs --enable-api-compatibility # make # make install Cheers, Leon Kolchinsky On Fri, Jan 6, 2012 at 20:35, Olivier MENUELomen...@vdocsoftware.com wrote: Hi, Where can I find binaries for mod_jk 1.2.32 for linux httpd 2.2 ? I can find only windows/netware... Thanks - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Different session id per page
On 31.12.2011 18:37, Caldarale, Charles R wrote: From: Jerry Malcolm [mailto:2ndgenfi...@gmail.com] Subject: Re: Different session id per page If there was a way to tell TC to use / as the path, that would work in this case. Look at the sessionCookiePath attribute forContext and see if that will help: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes Yes, you can change the path of the session cookie used by Tomcat, and in case you need to change it to /, you can also change the name of the session cookie to make sure you won't run into a conflict with another Java webapp session cookie used on the same server. The alternative is rewriting the cokie at the reverse proxy (Apache Web Server), using mod_headers or to cookie rewriting feature if mod_proxy. A cookie set by the server (Tomcat) is just a Cookie response header, which you can change dynamically at the reverse proxy to account for reversing your URL rewriting for requests. Some info about that is also avilable at http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL%20Rewriting If you are using mod_proxy, please have a look at the mod_proxy docs. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: High memory consumption caused by BLOCKED Threads
Chuck, On 22.12.2011 14:07, Caldarale, Charles R wrote: From: David kerber [mailto:dcker...@verizon.net] Subject: Re: High memory consumption caused by BLOCKED Threads Fix your app so that it releases the locks (probably synchronized sections) on the SimpleDateFormat objects. Read the stack trace more carefully - only Tomcat or JRE code is present. However, since this is only a partial stack trace, there might be some app code that is indirectly locking 0x7ff9996d4000 and then pausing for some reason, causing a deadlock. Hmmm, actually I had a short look at the code of sun.util.resources.TimeZoneNames.getContents(TimeZoneNames.java:185) and i don't unerstand why it is waiting for a monitor entry. The method should quickly return an array of objects which is explicitely defined in the class and that's it. No idea what's happening here. @Violeta: is anything wrong with your system, e.g. did you get an OutOfMemoryError somewhere? It looks your JVM is in a strange state. Are you doing frequent redeployments without stopping Tomcat? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: stack traces in the log become one line
On 21.12.2011 08:32, André Warnier wrote: Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rainer, On 12/20/11 4:31 PM, Rainer Jung wrote: If you really want to get the stacks in all cases, you can set the JVM start flag: -XX:-OmitStackTraceInFastThrow I'm astonished! Thanks for the tip, Rainer. Me too. Reading the original post, I was tempted to hasard a guess that the JVM was getting tired of repeating the same thing all the time.. My my, are those things getting smart or what ? When I first ran into this JVM issue I didn't believe it either! Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Mysterious request edirect with value exchange
On 20.12.2011 15:07, uwe.hellm...@t-systems.com wrote: It is a webformular. The java code should this fragment. final String username = req.getParameter(username); String uParam = ; if (StringUtils.isBlank(username) == false) { uParam = u=.concat(username); } logonFilter.setLoginFailedUrl(/action?login_error=1.concat(uParam)); So what about logonFilter. Are the instances shared between requests? In addition: as Konstantin already wrote, you can activate the Tomcat access log and add %{Location}o to the pattern. This will log your redirect URLs directly in the Tomcat access log. That way you can check, whether the redirect is already wrong there and if yes ignore all components in front in the root cause analysis. If the login precedure is simple you can write a simple JMeter test script and stress the test system with concurrent requests. JMeter can also be configured to check the redirect for the correct URL. Regards, Rainer -Ursprüngliche Nachricht- Von: Chema [mailto:demablo...@gmail.com] Gesendet: Dienstag, 20. Dezember 2011 15:04 An: Tomcat Users List Betreff: Re: Mysterious request edirect with value exchange This result is as expected, but from time to time we saw the following URL string returned http://mytestsystem/login.action?login_error=1u=OtherUser although we sent the form with Tester as value away. But now in the input field it is also OtherUser set. One question How the returned URL is built ? Where is stored username ? Thanks - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
On 02.12.2011 17:49, André Warnier wrote: oh...@cox.net wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: ... Connector port=8009 protocol=AJP/1.3 redirectPort=8443 tomcatAuthentication=false / That is correct. The false means that Tomcat will not do it's own authentication, and will instead rely on the authenticated user-id passed by the front-end server. Now could you also show us the section of your Apache front-end configuration, containing the directives which forward the requests to Tomcat ? (proxy or rewrite stanzas) Note: the fact that the Apache/Tomcat connector (the one at the Apache level) passes the authenticated user-id to Tomcat along with the proxied request, depends on the fact that within Apache (more precisely within the internal Apache request record), the request is really authenticated (*). I am saying this because in an earlier post, you mentioned that you were using a third-party authentication package at the Apache httpd level. It is unlikely, but possible, that this authentication package would use its own logic, and never populate the internal Apache request record with this user-id (**). In such a case, the automatic forwarding of the user-id by the Apache-level connector module (mod_proxy_ajp or mod_jk) would of course not work, because they check the internal Apache request record, and have no knowledge of another user-id source. (*) in Tomcat terms, the equivalent of populating the userPrincipal object (**) for example, it may act as a filter, and rely on each request always containing a cookie which authenticates the request, and do its own access control independently of Apache httpd itself Andre, Sure. Here's the section from httpd.conf. This is testing where I purposely insert a REMOTE_USER HTTP header into the request being proxied. As I said, I have a sniffer on the line, and I can see the REMOTE_USER header, but still, when I get to my test JSP hosted on the Tomcat, getUserPrincipal() is returning null (don't mind the hostname in the ProxyPass, etc. I just happen to be hosting Tomcat on that machine, and WebLogic is shutdown there). # Proxy to Tomcat on weblogic1 machine, using AJP Location /samplesajp RequestHeader set REMOTE_USER 9test ProxyPass ajp://weblogic1.whatever.com:8009/samplesajp ProxyPassReverse ajp://weblogic1.whatever.com:8009/samplesajp /Location Jim Hi, BTW, I asked about this earlier, but is it possible to turn on some debugging on the Tomcat side, that might help diagnose why the AJP connector is not working the expected way? I'm not that familiar with Tomcat or AJP logging, but I've only been able to set logging in logging.properties so that there's either almost no logging or it generated a ton of logging (but not stuff on AJP connection/processing) :(... Sorry, dunno. Logging is not my favorite area in Tomcat.. Also, to tell the truth, I do not know exactly /how/ the Apache user-id is passed to Tomcat. I strongly suspect that the REMOTE_USER HTTP header may not be it, and that it may be via what Tomcat calls request attributes, and Apache calls environment variables (but not in the usual shell sense). But I don't know how this particular one may be named. Since you seem better at Java that I am, you may be able to find it in the Tomcat AJP Connector code somewhere. I would start looking for request attribute rather than header. This page : http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html seems to hint at ditto, and even mentions a request attribute named remote_user (lowercase). Maybe you could try to set this environment variable in Apache, and see where it leads you ? In this page : http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule it shows how to do that (but there it calls them server variables). The terminology is not very consistent.. Although this thread has moved forward towards the role topic, I want to give some infos about the user forwarding by mod_jk. Some of it was already present in previous posts. 1) In order to let Tomcat accept the user, you need to set tomcatAuthentication to false 2) mod_jk will always forward the user as detected by the following logic: - the user as authenticated by Apache - if this doesn't exist it will forward the value of an Apache environment variable. The default name of the variable is JK_REMOTE_USER, but it can be changed using the configuration directive JkRemoteUserIndicator 3) The user ID will *not* be forwarded in the form of a request header 4) The forwarded user id is logged in the JK log file on level debug as the user field in the line: Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d auth=%s user=%s laddr=%s raddr=%s uri=%s 5) There is no need to use JkEnvVar 6) When not using a real Apache authentication, you can instead set the Apache environment variable JK_REMOTE_USER e.g. via mod_setenvif or the E=
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
On 05.12.2011 10:42, oh...@cox.net wrote: André Warniera...@ice-sa.com wrote: oh...@cox.net wrote: ... Rainer Jungrainer.j...@kippdata.de wrote: Although this thread has moved forward towards the role topic, I want to give some infos about the user forwarding by mod_jk. Some of it was already present in previous posts. 1) In order to let Tomcat accept the user, you need to set tomcatAuthentication to false 2) mod_jk will always forward the user as detected by the following logic: - the user as authenticated by Apache - if this doesn't exist it will forward the value of an Apache environment variable. The default name of the variable is JK_REMOTE_USER, but it can be changed using the configuration directive JkRemoteUserIndicator 3) The user ID will *not* be forwarded in the form of a request header 4) The forwarded user id is logged in the JK log file on level debug as the user field in the line: Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d auth=%s user=%s laddr=%s raddr=%s uri=%s 5) There is no need to use JkEnvVar 6) When not using a real Apache authentication, you can instead set the Apache environment variable JK_REMOTE_USER e.g. via mod_setenvif or the E= syntax of mod_rewrite. If you change the name of the env var using JkRemoteUserIndicator use the variable name given there instead. 7) The Apache authenticated user can be logged in the Apache AccessLog using %u. Any environment variable XXX can be logged using %{XXX}e. 8) The user can be logged in the Tomcat AccessLog using %u. 9) The user is returned by request.getRemoteUser() on the Tomcat side. Regards, Rainer Hi Rainier, Thanks for the great info above, esp. re. the JK_REMOTE_USER and JkRemoteUserIndicator. I'm kind of well along the way with my valve, but I still have mod_jk for one proxy section, so I'll give those a try. Hi Rainer. Thanks also for the precise information. We've missed you.. Jim, one more question : At the Apache httpd level, when the user has been authenticated by OAM, /can/ you get the authenticated user's user-id ? and how ? Hi, On the HTTP connection from Apache httpd to Tomcat, there's an HTTP header that gets populated by the OAM agent, called OAM_REMOTE_USER. So if you want mod_jk to use the value of this header as the authenticated user name and forward it to Tomcat, you either: a) have to rely on the Oracle module to correctly set the Apache internal request user field b) or have to find a way to copy the value of this header into the environment variable JK_REMOTE_USER Concerning a): Usually there's %u in the default LogFormat used by AccessLog. So have a look at the access log to check, whether Apache outputs the correct user name. In that case mod_jk should automatically forward it. This in turn can be checked by the mentioned Service debug log line in the JK log. If %u in the access log is empty, and the docs of the Oracle module do not give a solution how to set the real Apache request user, we are up to b). First add %{OAM_REMOTE_USER} to the format/pattern configuration of your Apache and Tomcat access logs, so you can easily check, what both think about the value of that header. Check, that it is populated for both with the right user id. Now we try to copy the value of the header OAM_REMOTE_USER to the Apache environment variable JK_REMOTE_USER. As you can see in http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#setenvif It works like this (assuming you have enabled/loaded mod_setenvif): SetEnvIf OAM_REMOTE_USER (.*) JK_REMOTE_USER=$1 Unfortunately this will only work, if the Oracle module that populates the header runs before mod_setenvif. Check, whether the copying works by adding %{JK_REMOTE_USER}e to the format of your Apache AccessLog. Finally look at the Service line in the jk debug log to see, whether the right user info is now being forwarded. If so, the rest is to be done in Tomcat land. Set tomcatAuthentication to false and check via request.getRemoteUser() whether you received the right user id. I would do all this first using a basic test webapp in Tomcat, not your real app. Finally: this is probably not secure, because - everyone can send a request which already has a populated OAM_REMOTE_USER header. You would rely on the implementation detail, that the Oracle module might always overwrite that header. Not sure if it does! - everyone having access to the network port could start talking AJP13 directly to your Tomcat adding whatever remote user id she likes. The protocol is easy to fake. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Single POST request being handled twice
On 19.11.2011 06:07, Jeremy wrote: OK, we figured it out. It's a case of too many timeout settings and not having a real DevOps person on hand. There was an obvious error message in Apache's mod_jk.log that I failed to correlate with the problem because I misread the timestamp on one of the many log entries. Doh! [info] ajp_connection_tcp_get_message::jk_ajp_common.c (1150): (node5) can't receive the response header message from tomcat, network problems or tomcat (10.xx.xx.xx:8009) is down (errno=11) [error] ajp_get_reply::jk_ajp_common.c (1962): (node5) Tomcat is down or refused connection. No response has been sent to the client (yet) [info] ajp_service::jk_ajp_common.c (2447): (node5) sending request to tomcat failed (recoverable), (attempt=1) There is, I now see, a socket_timeout and a socket_connect_timeout that do not show up in the jkmanager status page, in addition to connection_pool_timeout, connect_timeout, prepost_timeout, and reply_timeout which are listed by jkmanager. We had socket_timeout set to 10 seconds and I didn't know it. Our transactions only take longer than 10 seconds a few times a week, so that's why we weren't seeing it that often. We'll fix by setting: socket_timeout=90 socket_connection_timeout=5000 retry_options=25 unless someone has a better idea. Have a look at the example configuration conatined in the mod_jk source download tarball. It provides a pretty decent default configuration. It is recovery_options not retry_options. Furthermore I personally do not recommend the general socket_timeout, but I *do* recommend to use all other timeouts with appropriate values. There's more info on Timeouts at http://tomcat.apache.org/connectors-doc/generic_howto/timeouts.html Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: cannot read complete HTTP request body. It reads only 8192 characters
On 27.10.2011 06:02, Anantaneni Harish wrote: -Original Message- From: Anantaneni Harish Sent: Wednesday, October 26, 2011 3:01 PM To: Tomcat Users List Subject: RE: cannot read complete HTTP request body. It reads only 8192 characters Thanks for your response. The issue is on the following environment. OS: Red Hat Enterprise Linux Server release 5. Java: 1.6 Tomcat 5.5.28 Which web server, module talking AJP and Tomcat connector is used? If Apache plus mod_jk: can you or your customer reproduce the problem on a test environment? If so switch mod_jk to JkLogLevel trace (Caution: not meant for production load!) and post the full log output for the problematic request. Remove or overwrite any confidential info contained in the log output. Regards, Rainer -Original Message- From: Pid * [mailto:p...@pidster.com] Sent: Wednesday, October 26, 2011 2:56 PM To: Tomcat Users List Subject: Re: cannot read complete HTTP request body. It reads only 8192 characters On 26 Oct 2011, at 06:31, Anantaneni Harish anantaneni.har...@vertexsoft.com wrote: We have an environment using HTTP connector, customer environment using AJP connector. In HTTP environment this issue is not occured. but in the AJP environment cannot read complete HTTP request body. It reads only 8192 characters Can some help me, if there are any settings to be changed? Yes, there are. (Hint: give us some real info* and we'll return the favour) p * e.g. Exact OS, Java, Tomcat versions. Thanks and Regards, Harish - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Make Errors for JK-1.2.32 solaris/sparc
On 24.10.2011 19:24, Ben wrote: Beryle Simmons Beryle.Simmons at RaymondJames.com writes: Just checking to see in anyone had any thoughts on this one. -- I normally use the solaris/sparc binary for mod_jk, but I see they aren't available for download with the latest version. I'm trying to compile JK-1.2.32 with solaris 10/sparc, but I'm receiving errors, below is some information: OS: Solaris 10 Generic_144488-17 H/W: sparc SunFire V440 Apache version: 2.2.19 Tomcat version: 5.5.33 Java version: 1.5.0_30-b03 The configure script runs ok. When I ran make for the first time, I received the below error: Usr/ccs/bin/ld: illegal option -- rpath This seemed to be related to a mistake in the .../native/apache-2.0 Makefile. I removed the word path from the -r option and was able to get past that error. Now I get almost through the build and get the below: /usr/local/apache2/build/libtool -silent -mode=install cp mod_jk.la /export/home//tomcat-connectors-1.2.32-src/native/apache-2.0/ Cp: cannot access ..libs/mod_jk.lai Make[1]: *** [mod_jk.so] Error 2 Any help would be appreciated, thanks! Did you ever figure out the issue with this? I am getting the exact same message and I'm running out of ideas on how to solve it. Which compiler are you using? Sun Studio or gcc? It should work smoothly with gcc. But in fact you shoudln't change compiler between the httpd build and mod_jk build. So if your web server was build with Sun Studio, you would need to build mod_jk with it as well and vice versa. I haven't checked building with Sun Studio for a long time, so there might be problems. I can have a look, but I'd the full make output with the original Makefile containing the rpath flag. It would be even better, if you could edit the Makefiles (top level diretory and below) and remove the --silent from the LIBTOOL definition before running the make. As always first run make clean and then make. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org