Re: Tomcat Https loadbalancing??
Chris, You're right - nice one. I'd always put in the extra properties into my connector config the proxyport , redirect port whether it was secure or not. but it works as you described if you don't tell it all the extra settings. Nice thanks D On 02/12/09 21:29, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David, On 11/25/2009 6:06 AM, David Cassidy wrote: If you want your tomcat to ever know that its getting a secure request you'll need 2 ajp connectors - one as the default is not secure the other needs to say i'm secure otherwise when you do a transport-guarantee in your web.xml your client will be in an infinite loop as tomcat never sees a secure request I call BS on this one: the AJP protocol can indicate whether a particular request is secure or not: the use of two AJP connectors is certainly not required. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAksW3EsACgkQ9CaO5/Lv0PAN9wCfdXpMwAdvSiQRaWe0ptpDwogl o9AAoI4p/4P+4jKHS6lqlPpBoZmdXwo+ =kMRn -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
It would be interesting if you are running on non-standard ports (ie not 80 and 443 ) to see what happens D On 03/12/09 13:40, David Cassidy wrote: Chris, You're right - nice one. I'd always put in the extra properties into my connector config the proxyport , redirect port whether it was secure or not. but it works as you described if you don't tell it all the extra settings. Nice thanks D On 02/12/09 21:29, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David, On 11/25/2009 6:06 AM, David Cassidy wrote: If you want your tomcat to ever know that its getting a secure request you'll need 2 ajp connectors - one as the default is not secure the other needs to say i'm secure otherwise when you do a transport-guarantee in your web.xml your client will be in an infinite loop as tomcat never sees a secure request I call BS on this one: the AJP protocol can indicate whether a particular request is secure or not: the use of two AJP connectors is certainly not required. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAksW3EsACgkQ9CaO5/Lv0PAN9wCfdXpMwAdvSiQRaWe0ptpDwogl o9AAoI4p/4P+4jKHS6lqlPpBoZmdXwo+ =kMRn -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
Hey Yes if you want httpd to load balance https requests you do need it to handle the https connection - and hence it needs the keys, certs etc Sadly the ajp protocol is in fact insecure if you have the httpd and tomcat on separate boxes you do have a security issue as the connection is transporting data in the clear. I would imagine that with mod_proxy you could load balance https requests so that the https request goes to httpd then its load balanced between https requests to multiple tomcats. What you'll loose over the ajp protocol i'm sure someone will let us know Hope this helps D On 25/11/09 09:18, jkv wrote: Hello, We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? I searched the forums and they are too advanced for my question. I am really new to clustering and load balancing and any help is deeply appreciated. Thanks in advance. Regards jkv
Re: Tomcat Https loadbalancing??
Pid, there is no need to have a commercial grade cert between your httpd and tomcat as thats in essence a private comms channel between your 2 servers the client won't know / see / care Use a self sign - as long as httpd has your cert all should be well D On 25/11/09 10:32, Pid wrote: On 25/11/2009 10:28, jkv wrote: Thanks David, I would imagine that with mod_proxy you could load balance https requests so that the https request goes to httpd then its load balanced between https requests to multiple tomcats. What you'll loose over the ajp protocol i'm sure someone will let us know That sounds good but when https request hits Apache the certificate will be issued by the server to the client, now when this is again sent as https request to tomcat, which will again try issuing a certificate (I guess as this is a protocol standard), I dont know whether will this affect the client - getting two certificates for a single https request?? Has any body done this before??? David Cassidy wrote: Hey Yes if you want httpd to load balance https requests you do need it to handle the https connection - and hence it needs the keys, certs etc Sadly the ajp protocol is in fact insecure if you have the httpd and tomcat on separate boxes you do have a security issue as the connection is transporting data in the clear. I would imagine that with mod_proxy you could load balance https requests so that the https request goes to httpd then its load balanced between https requests to multiple tomcats. What you'll loose over the ajp protocol i'm sure someone will let us know Note: you'll probably need more cert licenses, if they're commercial ones, if you're deploying the cert on multiple Tomcats rather than on one HTTPD. p On 25/11/09 09:18, jkv wrote: Hello, We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? I searched the forums and they are too advanced for my question. I am really new to clustering and load balancing and any help is deeply appreciated. Thanks in advance. Regards jkv - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
On 25/11/09 10:36, Peter Crowther wrote:
2009/11/25 jkvj.kumara...@gmail.com:
I got one small doubt in the last point that you said.
In this environment, you only want your public certificate on httpd.
Tomcat will not be doing anything that uses it, so don't put a copy
on those machines.
this means that I will not enable SSL in my tomcat.. I will comment
!--Connector port=443 protocol=HTTP/1.1 SSLEnabled=true
--
tag totally from server.xml file in tomcat and have just one connetor
element i.e.,
Connector port=8009 protocol=AJP/1.3 redirectPort=443 /
Certainly you only need the AJP connector, as Tomcat will never be
handling http or https requests.
If you want your tomcat to ever know that its getting a secure request
you'll need 2 ajp connectors - one as the default is not secure
the other needs to say i'm secure otherwise when you do a
transport-guarantee in your web.xml
your client will be in an infinite loop
as tomcat never sees a secure request
Thanks for the reply, that really helped a lot and we can also conclude we
cannot have a secure horizontal loadbalancing with Apache and Tomcat!
Depends what you mean by secure, as the level of security is
relative, not absolute. There are more moving parts to secure, but
it's possible to secure all of them to a reasonable standard.
No system is *ever* 100% secure from attack, even if it's 100 metres
underground, powered by its own generator, no network,
Faraday-shielded, has a division of armed guards protecting its bunker
and has self-destruct systems built in. It just depends how much the
attacker wants your data, and therefore what resource (s)he is willing
to commit to acquiring them.
- Peter
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
Cyrille, Nice if you've got that sort of money. it is quite cool because you can off-load the https part so some custom hardware - again cool if you've got the money Personally i prefer mod_proxy_ajp with the balancing as well. D On 25/11/09 10:57, Cyrille Le Clerc wrote: Hello, As Ronald said, we made some drawings on a detailed document Tomcat, SSL, secure communications and X-Forwarded-Proto (1) that explains solutions to handle HTTPS at the Tomcat, Apache Httpd and Load Balancer layers. The document is written in french but the google translation is quite good (2). My preference is to use a level 7 load balancer in front of Apache httpd servers with mod_proxy_http+mod_proxy_balancer and then Tomcat servers. Of course, this topology is not always the best one but is very often relevant. Hope this helps, Cyrille -- Cyrille Le Clerc clecl...@xebia.fr http://blog.xebia.fr (1) http://blog.xebia.fr/2009/11/13/tomcat-ssl-communications-securisees-et-x-forwarded-proto/ (2) http://translate.google.com/translate?js=yprev=_thl=enie=UTF-8u=http%3A%2F%2Fblog.xebia.fr%2F2009%2F11%2F13%2Ftomcat-ssl-communications-securisees-et-x-forwarded-proto%2Fsl=frtl=en On Wed, Nov 25, 2009 at 11:45 AM, Ronald Klop ronald-mailingl...@base.nl wrote: Always make a drawing. client - https - tcp-loadbalancer - still same https connection- multiple tomcats client - https - http-loadbalancer (Apache, proxy) - new ajp/http(s) connection- multiple tomcats Normally the loadbalancer and tomcats are in the same private network. It is your choice if that is secure enough. In the end the data is unencrypted in the database I guess, so normally you trust your own network. Ronald. Op woensdag, 25 november 2009 10:18 schreef jkvj.kumara...@gmail.com: Hello, We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? I searched the forums and they are too advanced for my question. I am really new to clustering and load balancing and any help is deeply appreciated. Thanks in advance. Regards jkv -- View this message in context: http://old.nabble.com/Tomcat-Https-loadbalancing---tp26509573p26509573.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Out of memory being caused by notFoundResources in org.apache.catalina.loader.WebappClassLoader
Guys Tomcat 6.0.20, java 1.6, linux x64 org.apache.catalina.loader.WebappClassLoader records every resource you asked for that doesn't exist. On our site we have alot of pages ( 800,000 ) all of which are using struts2 with validation. every hit means the validator does a request for a resource actionName-validation.xml This then gets cached in the WebappClassLoader about line 249 /** * The list of not found resources. */ protected HashMap notFoundResources = new HashMap(); Can this be made into a weak hash map perchance ? or something so that it won't invoke a out of memory. I'm also looking at removing the validator from those urls if anyone knows how to tell the validation interceptor that we don't use the xml files and ONLY use annotations then that would be great :) Ta D
Re: Out of memory being caused by notFoundResources in org.apache.catalina.loader.WebappClassLoader
Chris Yes - ouch indeed ! Yes i'll try them as well - might have a look at the source as well see if there is anything to turn of teh file based validation I had a quick look at the caching and thats totally different sadly. No its definitely the things that are not found. When i get an out of memory the JVM will dump the heap. I've walked it (i know 1 gig...) and its really things that are not found. there are no files by those names so... Hey ho D On 12/10/09 17:50, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David, On 10/12/2009 12:03 PM, David Cassidy wrote: org.apache.catalina.loader.WebappClassLoader records every resource you asked for that doesn't exist. On our site we have alot of pages ( 800,000 ) all of which are using struts2 with validation. every hit means the validator does a request for a resource actionName-validation.xml Ouch. I can't see any obvious way to disable the file-based validation configuration. You'd have to ask the struts folks about that. You could try setting cachingAllowed=false in yourContext element in context.xml. This page documents that attribute to disable caching of static resources: http://tomcat.apache.org/tomcat-6.0-doc/config/context.html You could also play with the cacheTTL setting, too. It's possible that the caching you are disabling is merely the contents of the files that /are/ found. I haven't looked at the code, though. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrTXl0ACgkQ9CaO5/Lv0PDfYwCeMp/92uTjLKcMLF6Biku7L91k ip0An1n4+SHQmDPEdoZAVPL4sceelyf0 =6LS+ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Out of memory being caused by notFoundResources in org.apache.catalina.loader.WebappClassLoader
Mark, Okies will do David On 12/10/09 18:05, Mark Thomas wrote: David Cassidy wrote: Guys Tomcat 6.0.20, java 1.6, linux x64 org.apache.catalina.loader.WebappClassLoader records every resource you asked for that doesn't exist. On our site we have alot of pages ( 800,000 ) all of which are using struts2 with validation. every hit means the validator does a request for a resource actionName-validation.xml This then gets cached in the WebappClassLoader about line 249 /** * The list of not found resources. */ protected HashMap notFoundResources = new HashMap(); Can this be made into a weak hash map perchance ? Please create a bugzilla entry for this so it doesn't get lost. Cheers, Mark or something so that it won't invoke a out of memory. I'm also looking at removing the validator from those urls if anyone knows how to tell the validation interceptor that we don't use the xml files and ONLY use annotations then that would be great :) Ta D - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Faking a login through JAAS into tomcat.
Hey Guys, I've got a page that allows a user to join up to the service. I want them then to continue using the site as a logged in user. I'm sure there's a really really easy way to fake the login. I've got a custom JAAS login module which authenticates the user. The flow is User goes to join page fills in details presses join Request comes back into the system validates the users details - the usual As a response to a successful join the user is sent to a page in the logged in section of the site. Now the issue is that the user is being presented the login page requesting the username / password - i don't want that :) what do I need to do to make it work ? I'm using tomcat 6, java 1.6 on linux Thanks D - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Newbie: Question about first Servlet
If i recall correctly the servlet must be in a package
On Mon, 2008-04-07 at 09:52 -0400, Russo, Joe wrote:
Try calling the servlet name instead of the class. You may need to get
rid of the space in the name.
-Original Message-
From: Kurt L Harless [mailto:[EMAIL PROTECTED]
Sent: Sunday, April 06, 2008 1:14 AM
To: users@tomcat.apache.org
Subject: Newbie: Question about first Servlet
Greetings,
Specifics:
Window XP
TomCat 5.5
Java 1.6
Created webapp dirs under;
C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\
Called ch1\WEB-INF\classes
In WEB-INF at created a web.xml file with the following contents;
?xml version=1.0 encoding=ISO-8851-1 ?
web-app xmlns=http://java.sun.com/xml/ns/j2ee;
xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance;
xsi:schemaLocation=http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd;
version=2.4
servlet
servlet-nameChapter1 Servlet/servlet-name
servlet-classCh1Servlet/servlet-class
/servlet
servlet-mapping
servlet-nameChapter1 Servlet/servlet-name
url-pattern/Serv1/url-pattern
/servlet-mapping
/web-app
In the classes subdir to WEB-INF I compile the following java src
successfully
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
public class Ch1Servlet extends HttpServlet
{
public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws IOException
{
PrintWriter out = response.getWriter();
java.util.Date today = new java.util.Date();
out.println(html +
body +
h1 align=centerHF\'s Chapter1
Server/h1 +
br + today +
/body +
/html);
}
}
I installed TomCat 5.5 as a windows server and can successfully launch
http://localhost:8080 http://localhost:8080/ and get the TomCat
initial
page
Under this page I can select the link for TomCat manager and see under
applications an entry for /ch1
However, when I try to run http://localhost:8080/ch1/Serv1
http://localhost:8080/ch1/Serv1 I get HTTP Status 404 - /ch1/Serv1
Anyone want to help a newbie?
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Database connections grow after redeploy
try netbeans its free and the profiler will watch all your objects being created. it will also work with snapshots... On Thu, 2008-03-13 at 20:56 +0200, Juha Laiho wrote: Scott McClanahan wrote: On Thu, 2008-03-13 at 12:02 -0400, Christopher Schultz wrote: Caldarale, Charles R wrote: | From: Scott McClanahan [mailto:[EMAIL PROTECTED] | Subject: Re: Database connections grow after redeploy | As far as the continuing data base connections, I can only speculate | that the prior instances of the webapp are still active, thereby | preventing cleanup of their resources. I agree. Scott: are you able to run your application through a tool that allows you to observe the heap and object graphs? More likely is that one or more application-level objects has retained a reference to a specific Connection object, which, of course, retains references back to the connection pool that created it. I would check any ServletContextListener classes you have, and then a generic search for putting things into the ServletContext, since that is one of the only places that applications typically store long-lived objects. Do you have any suggestions for a profiling tool like you described? Preferably open source. Thanks. Don't know about open source products, but I can vouch for YourKit Java Profiler. As far as I know, the main difference between YourKit and other profilers is that YourKit allows you to work through snapshots, whereas other profilers inject their probes into Java object creation methods. This means that more or less the only moment when YourKit has an effect on the performance of your application is when you take a memory snapshot. The other profilers I've seen attempt to trace each object allocation and deallocation in real time, which can be rather CPU consuming (especially if you're tracing a problem you cannot replicate in test environments). With YourKit, you take snapshots of the Java VM memory of your application, and compare them off-line (i.e. without needing any connection to the live application). - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: tomcat 6.0
Chuck, Do you know if the admin app will ever re-appear as it was really quite nice. or is the only options to use lambda probe / jconsole ? Ta D On Tue, 2008-03-11 at 23:26 -0500, Caldarale, Charles R wrote: From: Weng Hon Wong [mailto:[EMAIL PROTECTED] Subject: tomcat 6.0 Does tomcat 6.0 come with 'admin' pack? No, there is no admin webapp for Tomcat 6. Some of the capabilities are available through LambdaProbe and JConsole. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: memoryrealm
whats in your web.xml ? is your app forcing a login ? all the realm provides is a system to do authentication unless you are triggering it, it isn't used On Wed, 2008-03-12 at 10:36 +, Edward Quick wrote: Hi, I would like to specify my own tomcat-users.xml for my webapp to use (not the server's main one in conf/tomcat-user.xml). I tried the following configuration in my webapp's context.xml file but unfortunately when I went to the URL, I wasn't even prompted for a logon: Context path=/sample debug=0 privileged=true Realm className=org.apache.catalina.realm.MemoryRealm path=/tmp/tomcatusers.xml / /Context Could someone tell me if this is possible, and if so what I need to do to set up the login prompt please? Thanks, Ed. _ Telly addicts unite! http://www.searchgamesbox.com/tvtown.shtml - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: memoryrealm
On your realm up the level of debug and let us know whats in the logs D On Wed, 2008-03-12 at 11:16 +, Edward Quick wrote: Thanks David, I had forgotten the web.xml as you suggested. I have now added this so my web.xml is as shown below, and I get the prompt but the userid I'm using 'test' (passwd: test) isn't going through. Hope this isn't a daft question, but do I need to add code to the servlet to get this to work? Thanks for your help. Ed. ?xml version=1.0 encoding=ISO-8859-1? web-app xmlns=http://java.sun.com/xml/ns/j2ee; xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation=http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd; version=2.4 display-nameHello, World Application/display-name description This is a simple web application with a source code organization based on the recommendations of the Application Developer's Guide. /description servlet servlet-nameHelloServlet/servlet-name servlet-classmypackage.Hello/servlet-class /servlet servlet-mapping servlet-nameHelloServlet/servlet-name url-pattern/hello/url-pattern /servlet-mapping resource-env-ref description Link to the UserDatabase instance from which we request lists of defined role names. Typically, this will be connected to the global user database with a ResourceLink element in server.xml or the context configuration file for the Manager web application. /description resource-env-ref-nameusers/resource-env-ref-name resource-env-ref-type org.apache.catalina.UserDatabase /resource-env-ref-type /resource-env-ref security-constraint web-resource-collection web-resource-nametest/web-resource-name url-pattern/*/url-pattern /web-resource-collection auth-constraint !-- NOTE: This role is not present in the default users file -- role-nametest/role-name /auth-constraint /security-constraint !-- Define the Login Configuration for this Application -- login-config auth-methodBASIC/auth-method realm-nameTomcat Sample Application/realm-name /login-config !-- Security roles referenced by this web application -- security-role description The role that is required to log in to the test application /description role-nametest/role-name /security-role /web-app and /tmp/tomcatusers.xml is: ?xml version='1.0' encoding='utf-8'? tomcat-users role rolename=tomcat/ role rolename=role1/ role rolename=manager/ role rolename=admin/ user username=tomcat password=tomcat roles=tomcat/ user username=both password=tomcat roles=tomcat,role1/ user username=test password=test roles=test/ user username=admin password=tomcat roles=admin/ /tomcat-users whats in your web.xml ? is your app forcing a login ? all the realm provides is a system to do authentication unless you are triggering it, it isn't used On Wed, 2008-03-12 at 10:36 +, Edward Quick wrote: Hi, I would like to specify my own tomcat-users.xml for my webapp to use (not the server's main one in conf/tomcat-user.xml). I tried the following configuration in my webapp's context.xml file but unfortunately when I went to the URL, I wasn't even prompted for a logon: Context path=/sample debug=0 privileged=true Realm className=org.apache.catalina.realm.MemoryRealm path=/tmp/tomcatusers.xml / /Context Could someone tell me if this is possible, and if so what I need to do to set up the login prompt please? Thanks, Ed. _ Telly addicts unite! http://www.searchgamesbox.com/tvtown.shtml - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] _ Telly addicts unite! http://www.searchgamesbox.com/tvtown.shtml - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: mod_jk or mod_proxy_ajp - encryption benefits?
James, You could put the stunnel into a while loop that makes it. perhaps you could send yourself an email each time it closed ? stunnel is probably the easiest to setup. I had written a secure version of mod_ajp for apache 1.3 (ie years ago) which did the whole ssl encryption of the traffic with 2 way authentication it wasn't added to the tomcat source as well no one wanted it :( D On Thu, 2008-03-06 at 17:54 -0500, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 James, James Ellis wrote: | I have done some goog'ling on IPSec and VPN and I have found three | possibilities: | | 1) OpenSSH and Port Forwarding | | 2) OpenVPN | | 3) Stunnel (thanks little voice) | | What concerns me about all three options is error handling. If my | OpenSSH or OpenVPN or Stunnel connection failed/timed out, the whole | site would go down. There would have to be a VERY good and almost | instant reconnection taking place. | | I am also concerned about performance. | | Any comments? If you want encryption, you have to sacrifice performance, so just forget about that concern right off the bat. Your concerns about robustness are certainly reasonable. You should be able to find information about restarting connections for each of these products by searching their forums, help, etc. Any good VPN should have options for restarting them when a failure is detected (but nothing is ever foolproof). - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.8 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkfQdjIACgkQ9CaO5/Lv0PCfxwCfTDsfjFquhx2Yibw8hKZyTh28 m8sAoJ8eHlCR5KI/br4KeMwKMDNEXPRH =wwmj -END PGP SIGNATURE- - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Why Tomcat hang for a while before starting
normally ls -l in the directory concerned works for me. On Thu, 2008-03-06 at 14:19 +0200, Mohamed Mohamedin wrote: Can you please tell me how to detect such symbolic link. Thanks a lot -Original Message- From: Caldarale, Charles R [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 05, 2008 12:42 AM To: Tomcat Users List Subject: RE: Why Tomcat hang for a while before starting From: Mohamed Mohamedin [mailto:[EMAIL PROTECTED] Subject: Why Tomcat hang for a while before starting main prio=1 tid=0x401161f0 nid=0x70ed runnable [0x7fdc1000..0x7fdc35d0] at java.io.UnixFileSystem.list(Native Method) at java.io.File.list(File.java:937) The only difference I can tell is the slow one have a symbolic link in its webapps while the other not. I'd be looking for symbolic links that are forming an infinite loop. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] __ NOD32 2922 (20080305) Information __ This message was checked by NOD32 antivirus system. http://www.eset.com - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: mod_jk or mod_proxy_ajp - encryption benefits?
cough stunnel /cough On Mon, 2008-03-03 at 18:39 -0800, David Rees wrote: On Mon, Mar 3, 2008 at 9:26 AM, James Ellis [EMAIL PROTECTED] wrote: Do you think that little hollow voice can clarify how IPSec would solve this problem by giving an example of a software that I could implement to accomplish this? Google IPSec and VPN and you will find your answer. -Dave - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: hibernate3 / JPA / JBossCache / tomcat
Erik Thank you very much for this. I've used the link to the usun site to now use up your bandwidth Was there anything you had to configure in tomcat to make it all work or was it just magic ? :) Thanks again D We use the same configuration and use this in our Maven pom.xml http://ldvapp07.fao.org:8032/fenixRepo/javax/transaction/jta/1.0.1B/ If I remember correctly we downloaded this jar from the sun website. The link I sended is our own maven repository -Original Message- From: itay sahar [mailto:[EMAIL PROTECTED] Sent: Fri 01/02/2008 17:43 To: Tomcat Users List Cc: Subject: Re: hibernate3 / JPA / JBossCache / tomcat Tomcat can use JTA. I use it also with Hib3. My sugession to you is to find the appropriate jar with JBossCache and for tomcat version. On 2/1/08, David Cassidy [EMAIL PROTECTED] wrote: Hey guys Having problems getting Hib3/JPA working with JBossCache within tomcat. Am I trying for the impossible? I could get it working with OSCache but JBossCache likes to have a JTA now unless I'm missing something Tomcat doesn't do JTA Anyone got the answer as to what my persistence.xml should look like and if I need anything else in my server.xml Help Thanks guys David - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
hibernate3 / JPA / JBossCache / tomcat
Hey guys Having problems getting Hib3/JPA working with JBossCache within tomcat. Am I trying for the impossible? I could get it working with OSCache but JBossCache likes to have a JTA now unless I'm missing something Tomcat doesn't do JTA Anyone got the answer as to what my persistence.xml should look like and if I need anything else in my server.xml Help Thanks guys David - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: clarification of server.xml settings for AJP 1.3 Thread Limit
Mohan, You can use apache to serve all the static objects without the requests going anywhere near jboss / tomcat. Have a *careful* look at the JkMount command and look carefully at your url-patterns that your application uses. D On Wed, 2008-01-02 at 11:12 -0800, Mohan2005 wrote: thank you. we will look into this. Caldarale, Charles R wrote: From: Mohan2005 [mailto:[EMAIL PROTECTED] Subject: Re: clarification of server.xml settings for AJP 1.3 Thread Limit on jboss side server.xml file, we wish to increase the maximum THREAD count for the AJP 1.3 connector port 8009; Which parameter is used to do this ? What do the docs say? http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html Earlier we used the Apache front end to render all static pages such as image files, php files etc... Now we cannot do that, AS FAR AS WE KNOW, as j2ee does not allow it. Where in the J2EE specs did you find that restriction? - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat 6's nio protocol is slower than the regular HTTP/1.1protocol
Did anyone do the comparison between ajp13 and http for the protocol ? I'd like to understand what the test cases were that were used for the test. ie if the application takes a second to make the resulting html if it takes 2 seconds to make the html how does that affect the performance ? D On Wed, 2008-01-02 at 17:02 +0100, Rainer Jung wrote: Caldarale, Charles R schrieb: Does the new io really slower then the regular protocol? Yes; read this: http://marc.info/?l=tomcat-userm=119635696312254w=2 - Chuck and: speed != performance As an approximation: Throughput * AvgResponseTime = Parallelity Naively speed is the same as average response time. In most cases its better to think of performance as high throughput with acceptable response time. The formula shows you, that a solution, that is able to handle a very high parallelity could have a better performance (=throughput), than another one, even if the average response time might be worse. The NIO connector should be good in allowing a higher parallelism and thus achieve good throughput, even if the response times are worse than with the traditional connector. How important this is depends on the application scenario. Its never enough to only think about speed or only think about throughput when talking about high load. You need to define your minimal requirements for both of them and then search for the corresponding solution. Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat Process Memory Leak?
You could try the profiler thats built into netbeans... On Tue, 2007-12-18 at 10:29 +, Stefano Martines wrote: Does anybody knows about a tool so that you can analyze and trace in detail the memory allocation of your application objects, classes etc? thank you Stefano - Original Message From: Bill Clarke-Fields [EMAIL PROTECTED] To: users@tomcat.apache.org Sent: Monday, December 17, 2007 5:27:36 PM Subject: Re: Tomcat Process Memory Leak? Thank you both for your responses. I am also pretty convinced now that it is an application-related issue. Especially since the memory usage jumps ~30mb in a few seconds. My investigation continues. Travis Haagen wrote: Any ideas about what could be causing this? I realize it could be an application-related leak, but in that case wouldn't we see it running out of heap? Server-side application leaks are really hard to figure out, because they usually only happen in a high-traffic production environment and are difficult to produce on development machines. Basically, you should look at bug reports (e.g., bugzilla) for all of the 3rd party libraries that your application uses, or at least those libraries that have been added/upgraded since this problem started occuring. For each component, search for 'memory leak' and see where that gets you. Good luck, Travis - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- View this message in context: http://www.nabble.com/Tomcat-Process-Memory-Leak--tp14337929p14373437.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat 6.0 with Apache 2.2 front-end
Tony, mod_jk - which uses the ajp13 protocol is not the same as the http11aprprotocol which uses http/1.1 as its protocol. Filip - is there a comparison between apache talking to http to tomcat vs apache with ajp to tomcat ? Ta D On Thu, 2007-11-29 at 13:37 -0800, Tony Anecito wrote: Thanks Filip I am interested in that information also. I will try to get it configured and running and give feedback on performance since I already use mod_jk or the Http11AprProtocol as I think you call it. Regards, -Tony --- Filip Hanik - Dev Lists [EMAIL PROTECTED] wrote: the speed of the connectors are (in order) Http11Protocol - Java BIO connector, no poller, blocking read/write Http11AprProtocol - APR connector, poller, blocking read/write Http11NioProtocol - Java NIO connector, poller, simulated blocking read/write the reason the NIO is slower, is cause it has to simulate blocking reads and writes through a non blocking API.The reason the BIO is the fastest, is cause there is no context switching during block simulation, or adding/removing the connection from a poller. When it comes to SSL, the APR connector is much faster than both the Java connectors. Filip David Cassidy wrote: Has anyone got a comparison of the NIO one vs standard java connectors ? both with and without the native libs ? Ta On Thu, 2007-11-29 at 08:38 -0600, Brian Millett wrote: Filip Hanik - Dev Lists escribío: using mod_proxy_http, you want to enable ProxyPreserveHost On Filip loknor wrote: Filip Hanik - Dev Lists wrote: three options mod_proxy_http mod_jk mod_proxy_ajp Filip Yep just found the other option, and a site that got me up to speed very quickly. I can now communicate between Apache and Tomcat. http://blog.taragana.com/index.php/archive/5-steps-to-integrate-tomcat-55-with-apache-20 Thanks, Brent I'd also recommend that you compile the apr native libs for tomcat (apache-tomcat-6.0.14/bin/tomcat-native.tar.gz) and enable it when you start tomcat by adding -Djava.library.path=/usr/local/apr/lib (I installed the lib in /usr/local/apr/lib). What gives you is the apr interface for handling the http connects. from the catalina.out: Nov 26, 2007 9:31:10 AM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-8080 This handler scales and is quicker than the java handler. JBoss calls it JBossWeb. See http://labs.jboss.com/jbossweb/index.html for a nice graph of the performance differences between the native apr java handlers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Be a better sports nut! Let your teams follow you with Yahoo Mobile. Try it now. http://mobile.yahoo.com/sports;_ylt=At9_qDKvtAbMuh1G1SQtBI7ntAcJ - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat 6.0 with Apache 2.2 front-end
Has anyone got a comparison of the NIO one vs standard java connectors ? both with and without the native libs ? Ta On Thu, 2007-11-29 at 08:38 -0600, Brian Millett wrote: Filip Hanik - Dev Lists escribío: using mod_proxy_http, you want to enable ProxyPreserveHost On Filip loknor wrote: Filip Hanik - Dev Lists wrote: three options mod_proxy_http mod_jk mod_proxy_ajp Filip Yep just found the other option, and a site that got me up to speed very quickly. I can now communicate between Apache and Tomcat. http://blog.taragana.com/index.php/archive/5-steps-to-integrate-tomcat-55-with-apache-20 Thanks, Brent I'd also recommend that you compile the apr native libs for tomcat (apache-tomcat-6.0.14/bin/tomcat-native.tar.gz) and enable it when you start tomcat by adding -Djava.library.path=/usr/local/apr/lib (I installed the lib in /usr/local/apr/lib). What gives you is the apr interface for handling the http connects. from the catalina.out: Nov 26, 2007 9:31:10 AM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-8080 This handler scales and is quicker than the java handler. JBoss calls it JBossWeb. See http://labs.jboss.com/jbossweb/index.html for a nice graph of the performance differences between the native apr java handlers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: multithreaded with taglibs
Errr how will you allow people to access the file over the internet with a file:// protocol ? are you only running the app and the users browser on the same machine ? file://C:\My Documents\image.gif ? Can't see that working over the internet On Sun, 2007-11-25 at 13:56 +0200, Yair Ben-Meir wrote: Thanks, but that's not good for me, I need the page to be with a real file link (file://), not through a servlet. -Original Message- From: Pid [mailto:[EMAIL PROTECTED] Sent: Sunday, November 25, 2007 11:53 AM To: Tomcat Users List Subject: Re: multithreaded with taglibs Yair Ben-Meir wrote: Let say that the tag will have to generate the image with a text given as an attribute, and it takes time so I want the page to continue: my:img src=file text=first/ . my:img src=file text=first/ Why are you doing this with a tag, rather than sending the parameter to a servlet that serves an image into it's output stream? You exploit the browsers own request handling capabilities this way. img src=/img-app/generate?param1=some+text+here alt=an image / p -Original Message- From: David Cassidy [mailto:[EMAIL PROTECTED] Sent: Thursday, November 22, 2007 6:08 PM To: Tomcat Users List Subject: Re: multithreaded with taglibs Hi What is your tag going to produce ? is it an IMG SRC=. type tag ? or how are you allowing the browser to access the image ? Ta D On Thu, 2007-11-22 at 14:57 +0200, Yair Ben-Meir wrote: Hi Is there a way to write a taglib that will do a multithreading work? Meaning, that tomcatwill not wait till the first instance of the tag will end, and continue to the rest of the page, and maybe start with another instance, and than it will insert the result of each instance in the right place? Example: my:img name=/ . my:img name=/ And let say that each my:img is supposed to download the image and save it locally or something like that, and I don't want tomcat to wait till the first tag is finished. Thanks Yair Ben-Meir Office: 073-7997801 Fax: 073-7997800 Mob: 054-5769681 - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat 6 virtual host problem please help
If you were using apache infront of tomcat you can use the proxy to do this for you I think ProxyPass / ajp13://localhost:8009/app/ any requests for '/' go to '/app/' on tomcat Hope that helps D On Fri, 2007-11-23 at 09:43 +0100, Rocco Scappatura wrote: do you want your app to be the default one? Not necessarily. And even the app name can be avoid in a URL Path? Yes, but look below to understand precisily what I really want. I have an application, say 'app'. I access it trhough: http://www.example.com/app I have a valid URL: http://www.example.com/app/foo I would like to know if it possible to create a shortcut to this latest URL like: http://foo.example.com or http://www.example.com/foo rocsca - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: multithreaded with taglibs
Hi What is your tag going to produce ? is it an IMG SRC=. type tag ? or how are you allowing the browser to access the image ? Ta D On Thu, 2007-11-22 at 14:57 +0200, Yair Ben-Meir wrote: Hi Is there a way to write a taglib that will do a multithreading work? Meaning, that tomcatwill not wait till the first instance of the tag will end, and continue to the rest of the page, and maybe start with another instance, and than it will insert the result of each instance in the right place? Example: my:img name=””/ … my:img name=””/ And let say that each my:img is supposed to download the image and save it locally or something like that, and I don’t want tomcat to wait till the first tag is finished. Thanks Yair Ben-Meir Office: 073-7997801 Fax: 073-7997800 Mob: 054-5769681 - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: mod_proxy_ajp TIME_WAIT
That would be excellent ! Is the only change - as far as mod_proxy_ajp is concerned the one below or is that a work around for 2.2.6 ? Thanks D On Tue, 2007-11-20 at 14:39 -0500, Jim Jagielski wrote: I'm hoping to get it out the top of December :) On Nov 20, 2007, at 3:57 AM, David Cassidy wrote: Hi Jim !!! This is fantastic news ! When is 2.2.7 going to be released ? :) Many many thanks David On Mon, 2007-11-19 at 15:27 -0500, Jim Jagielski wrote: 2.2.6 has a nasty bug were AJP connections are being closed when they shouldn't. 2.2.7 will fix that. In the meantime, trying building httpd with USE_ALTERNATE_IS_CONNECTED defined as 0 (proxy_util.c). On Nov 19, 2007, at 9:07 AM, Rainer Jung wrote: Hi David, TIME_WAIT is a normal TCP state after a connection was successfully closed. Only one side of the connection goes into TIME_WAIT, namely the side that sent the first FIN. So since you've got httpd and Tomcat on the same server, you first need to find out, which side of the conection is in TIME_WAIT. In netstat, usually the left hand IP:PORT is the local side, and the right IP:PORT the remote side. In case the left pair of the TIME_WAIT line includes the port 8009, this would mean, that Tomcat closed the connection first, in case 8009 is on the right side, it would mean, that Apache httpd closed the connection first. Maybe you could show us some of the TIME_WAIT netstat lines. Both could be OK, so we could ask ourselves, if we expect such behaviour. In general AJP connections should be used persistently and only closed, if they have been idle for to long. Is the number of TIME_WAIT connections much larger, than the concurrency (-c) used with ab? Regards, Rainer David Cassidy wrote: Guys, I'm using mod_proxy in apache 2.2.6 with the ajp connector in tomcat. apache config - Proxy balancer://myclusterclear BalancerMember ajp://localhost:8009 route=server1 min=0 smax=1000 max=1000 keepalive=On /Proxy ProxyPass // balancer://myclusterclear/ stickysession=JSESSIONID|jsessionid Tomcat config (Using the native apr libs) Executor name=tomcatThreadPool namePrefix=catalina-exec- maxThreads=150 minSpareThreads=4/ Connector executor=tomcatThreadPool port=8009 secure=false protocol=AJP/1.3 enableLookups=false proxyPort=80 redirectPort=443 maxKeepAliveRequests=2000 tcpNoDelay=true keepAliveTimeout=1 connectionTimeout=60/ After running a few hits with ab to give it some load there are a very large number of connections between apache and tomcat in a TIME_WAIT status. Is this a common happening ? Is there something that can be configured to prevent this from appearing ? Thanks David - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: mod_proxy_ajp TIME_WAIT
Hi Jim !!! This is fantastic news ! When is 2.2.7 going to be released ? :) Many many thanks David On Mon, 2007-11-19 at 15:27 -0500, Jim Jagielski wrote: 2.2.6 has a nasty bug were AJP connections are being closed when they shouldn't. 2.2.7 will fix that. In the meantime, trying building httpd with USE_ALTERNATE_IS_CONNECTED defined as 0 (proxy_util.c). On Nov 19, 2007, at 9:07 AM, Rainer Jung wrote: Hi David, TIME_WAIT is a normal TCP state after a connection was successfully closed. Only one side of the connection goes into TIME_WAIT, namely the side that sent the first FIN. So since you've got httpd and Tomcat on the same server, you first need to find out, which side of the conection is in TIME_WAIT. In netstat, usually the left hand IP:PORT is the local side, and the right IP:PORT the remote side. In case the left pair of the TIME_WAIT line includes the port 8009, this would mean, that Tomcat closed the connection first, in case 8009 is on the right side, it would mean, that Apache httpd closed the connection first. Maybe you could show us some of the TIME_WAIT netstat lines. Both could be OK, so we could ask ourselves, if we expect such behaviour. In general AJP connections should be used persistently and only closed, if they have been idle for to long. Is the number of TIME_WAIT connections much larger, than the concurrency (-c) used with ab? Regards, Rainer David Cassidy wrote: Guys, I'm using mod_proxy in apache 2.2.6 with the ajp connector in tomcat. apache config - Proxy balancer://myclusterclear BalancerMember ajp://localhost:8009 route=server1 min=0 smax=1000 max=1000 keepalive=On /Proxy ProxyPass // balancer://myclusterclear/ stickysession=JSESSIONID|jsessionid Tomcat config (Using the native apr libs) Executor name=tomcatThreadPool namePrefix=catalina-exec- maxThreads=150 minSpareThreads=4/ Connector executor=tomcatThreadPool port=8009 secure=false protocol=AJP/1.3 enableLookups=false proxyPort=80 redirectPort=443 maxKeepAliveRequests=2000 tcpNoDelay=true keepAliveTimeout=1 connectionTimeout=60/ After running a few hits with ab to give it some load there are a very large number of connections between apache and tomcat in a TIME_WAIT status. Is this a common happening ? Is there something that can be configured to prevent this from appearing ? Thanks David - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: mod_proxy_ajp TIME_WAIT
Hi ! This is using worker rather than prefork - apache 2.2.6 as comes with fedora 7. I've changed /usr/sbin/httpd to be /usr/sbin/httpd.worker. If I make a 1000 requests with ab with keep alive to apache - eg ab -k -n 1000 url then I get alot of connections from apache to tomcat that are in TIME_WAIT - eg tcp0 0 127.0.0.1:46284 127.0.0.1:8009 TIME_WAIT tcp0 0 127.0.0.1:46374 127.0.0.1:8009 TIME_WAIT tcp0 0 127.0.0.1:46306 127.0.0.1:8009 TIME_WAIT tcp0 0 127.0.0.1:46396 127.0.0.1:8009 TIME_WAIT the counts look like 1 LISTEN 2 ESTABLISHED 999 TIME_WAIT ie 999 connections in TIME_WAIT Is there anyway to tell Apache to keep the connections alive for a more connections ? Apache config is : ProxyPass / balancer://myclusterclear/ stickysession=JSESSIONID| jsessionid Proxy balancer://myclusterclear BalancerMember ajp://localhost:8009 route=server1 min=0 smax=1000 max=1000 keepalive=On /Proxy Tomcat is Connector executor=tomcatThreadPool port=8009 secure=false protocol=AJP/1.3 enableLookups=false proxyPort=80 redirectPort=443 maxKeepAliveRequests=2000 tcpNoDelay=true keepAliveTimeout=1 connectionTimeout=60/ If I increase the concurrency to 10 from 1 and re-run the same 1,000 tests I get 1 LISTEN 20 ESTABLISHED 990 TIME_WAIT Slightly better but i'd have liked to see there be more ESTABLISHED connections. Running with 30 concurrency i get 1 LISTEN 60 ESTABLISHED 970 TIME_WAIT With 50 concurrency I get 1 LISTEN 28 CLOSE_WAIT 28 FIN_WAIT2 66 ESTABLISHED 939 TIME_WAIT In each case the netstat is performed immediately after the test has finished and before each test run the netstat only has the 1 listen socket for 8009. In each case the netstat is from apache to tomcat So any ideas why tomcat would close the connections ? Many thanks David On Mon, 2007-11-19 at 15:07 +0100, Rainer Jung wrote: Hi David, TIME_WAIT is a normal TCP state after a connection was successfully closed. Only one side of the connection goes into TIME_WAIT, namely the side that sent the first FIN. So since you've got httpd and Tomcat on the same server, you first need to find out, which side of the conection is in TIME_WAIT. In netstat, usually the left hand IP:PORT is the local side, and the right IP:PORT the remote side. In case the left pair of the TIME_WAIT line includes the port 8009, this would mean, that Tomcat closed the connection first, in case 8009 is on the right side, it would mean, that Apache httpd closed the connection first. Maybe you could show us some of the TIME_WAIT netstat lines. Both could be OK, so we could ask ourselves, if we expect such behaviour. In general AJP connections should be used persistently and only closed, if they have been idle for to long. Is the number of TIME_WAIT connections much larger, than the concurrency (-c) used with ab? Regards, Rainer David Cassidy wrote: Guys, I'm using mod_proxy in apache 2.2.6 with the ajp connector in tomcat. apache config - Proxy balancer://myclusterclear BalancerMember ajp://localhost:8009 route=server1 min=0 smax=1000 max=1000 keepalive=On /Proxy ProxyPass // balancer://myclusterclear/ stickysession=JSESSIONID|jsessionid Tomcat config (Using the native apr libs) Executor name=tomcatThreadPool namePrefix=catalina-exec- maxThreads=150 minSpareThreads=4/ Connector executor=tomcatThreadPool port=8009 secure=false protocol=AJP/1.3 enableLookups=false proxyPort=80 redirectPort=443 maxKeepAliveRequests=2000 tcpNoDelay=true keepAliveTimeout=1 connectionTimeout=60/ After running a few hits with ab to give it some load there are a very large number of connections between apache and tomcat in a TIME_WAIT status. Is this a common happening ? Is there something that can be configured to prevent this from appearing ? Thanks David - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: mod_proxy_ajp TIME_WAIT
Hi Rainer, I've set the ttl to 120 re-run the last test with 30 concurrent connections 1 LISTEN 25 CLOSE_WAIT 26 FIN_WAIT2 104 ESTABLISHED 924 TIME_WAIT Not made too much difference. But as the test is only taking 20 secs max none of the connections should have reached the ttl unless ttl is not seconds. Do you think I should be asking this on the httpd dev mailing list as its an apache prob and not tomcat ? Thanks David On Mon, 2007-11-19 at 15:47 +0100, Rainer Jung wrote: David Cassidy wrote: Hi ! This is using worker rather than prefork - apache 2.2.6 as comes with fedora 7. I've changed /usr/sbin/httpd to be /usr/sbin/httpd.worker. If I make a 1000 requests with ab with keep alive to apache - eg ab -k -n 1000 url then I get alot of connections from apache to tomcat that are in TIME_WAIT - eg tcp0 0 127.0.0.1:46284 127.0.0.1:8009 TIME_WAIT tcp0 0 127.0.0.1:46374 127.0.0.1:8009 TIME_WAIT tcp0 0 127.0.0.1:46306 127.0.0.1:8009 TIME_WAIT tcp0 0 127.0.0.1:46396 127.0.0.1:8009 TIME_WAIT the counts look like 1 LISTEN 2 ESTABLISHED 999 TIME_WAIT ie 999 connections in TIME_WAIT Is there anyway to tell Apache to keep the connections alive for a more connections ? First of all, for me this looks like really Apache httpd is closing the connections (you ask later, if Tomcat can be told to keep the connection open, but this doesn't help, because httpd closes it). Does setting a ttl help (see http://httpd.apache.org/docs/2.2/mod/mod_proxy.html)? Regards, Rainer Apache config is : ProxyPass / balancer://myclusterclear/ stickysession=JSESSIONID| jsessionid Proxy balancer://myclusterclear BalancerMember ajp://localhost:8009 route=server1 min=0 smax=1000 max=1000 keepalive=On /Proxy Tomcat is Connector executor=tomcatThreadPool port=8009 secure=false protocol=AJP/1.3 enableLookups=false proxyPort=80 redirectPort=443 maxKeepAliveRequests=2000 tcpNoDelay=true keepAliveTimeout=1 connectionTimeout=60/ If I increase the concurrency to 10 from 1 and re-run the same 1,000 tests I get 1 LISTEN 20 ESTABLISHED 990 TIME_WAIT Slightly better but i'd have liked to see there be more ESTABLISHED connections. Running with 30 concurrency i get 1 LISTEN 60 ESTABLISHED 970 TIME_WAIT With 50 concurrency I get 1 LISTEN 28 CLOSE_WAIT 28 FIN_WAIT2 66 ESTABLISHED 939 TIME_WAIT In each case the netstat is performed immediately after the test has finished and before each test run the netstat only has the 1 listen socket for 8009. In each case the netstat is from apache to tomcat So any ideas why tomcat would close the connections ? Many thanks David On Mon, 2007-11-19 at 15:07 +0100, Rainer Jung wrote: Hi David, TIME_WAIT is a normal TCP state after a connection was successfully closed. Only one side of the connection goes into TIME_WAIT, namely the side that sent the first FIN. So since you've got httpd and Tomcat on the same server, you first need to find out, which side of the conection is in TIME_WAIT. In netstat, usually the left hand IP:PORT is the local side, and the right IP:PORT the remote side. In case the left pair of the TIME_WAIT line includes the port 8009, this would mean, that Tomcat closed the connection first, in case 8009 is on the right side, it would mean, that Apache httpd closed the connection first. Maybe you could show us some of the TIME_WAIT netstat lines. Both could be OK, so we could ask ourselves, if we expect such behaviour. In general AJP connections should be used persistently and only closed, if they have been idle for to long. Is the number of TIME_WAIT connections much larger, than the concurrency (-c) used with ab? Regards, Rainer David Cassidy wrote: Guys, I'm using mod_proxy in apache 2.2.6 with the ajp connector in tomcat. apache config - Proxy balancer://myclusterclear BalancerMember ajp://localhost:8009 route=server1 min=0 smax=1000 max=1000 keepalive=On /Proxy ProxyPass // balancer://myclusterclear/ stickysession=JSESSIONID|jsessionid Tomcat config (Using the native apr libs) Executor name=tomcatThreadPool namePrefix=catalina-exec- maxThreads=150 minSpareThreads=4/ Connector executor=tomcatThreadPool port=8009 secure=false protocol=AJP/1.3 enableLookups=false proxyPort=80 redirectPort=443 maxKeepAliveRequests=2000 tcpNoDelay=true keepAliveTimeout=1 connectionTimeout=60/ After running a few hits with ab to give it some load there are a very large number of connections between
Re: mod_proxy_ajp TIME_WAIT
OK I'll give that a go ! Thanks Rainer for your help D On Mon, 2007-11-19 at 16:09 +0100, Rainer Jung wrote: David Cassidy wrote: Hi Rainer, I've set the ttl to 120 re-run the last test with 30 concurrent connections 1 LISTEN 25 CLOSE_WAIT 26 FIN_WAIT2 104 ESTABLISHED 924 TIME_WAIT Not made too much difference. But as the test is only taking 20 secs max none of the connections should have reached the ttl unless ttl is not seconds. Do you think I should be asking this on the httpd dev mailing list as its an apache prob and not tomcat ? Yes, maybe starting with the httpd user list, before going to dev. Thanks David On Mon, 2007-11-19 at 15:47 +0100, Rainer Jung wrote: David Cassidy wrote: Hi ! This is using worker rather than prefork - apache 2.2.6 as comes with fedora 7. I've changed /usr/sbin/httpd to be /usr/sbin/httpd.worker. If I make a 1000 requests with ab with keep alive to apache - eg ab -k -n 1000 url then I get alot of connections from apache to tomcat that are in TIME_WAIT - eg tcp0 0 127.0.0.1:46284 127.0.0.1:8009 TIME_WAIT tcp0 0 127.0.0.1:46374 127.0.0.1:8009 TIME_WAIT tcp0 0 127.0.0.1:46306 127.0.0.1:8009 TIME_WAIT tcp0 0 127.0.0.1:46396 127.0.0.1:8009 TIME_WAIT the counts look like 1 LISTEN 2 ESTABLISHED 999 TIME_WAIT ie 999 connections in TIME_WAIT Is there anyway to tell Apache to keep the connections alive for a more connections ? First of all, for me this looks like really Apache httpd is closing the connections (you ask later, if Tomcat can be told to keep the connection open, but this doesn't help, because httpd closes it). Does setting a ttl help (see http://httpd.apache.org/docs/2.2/mod/mod_proxy.html)? Regards, Rainer Apache config is : ProxyPass / balancer://myclusterclear/ stickysession=JSESSIONID| jsessionid Proxy balancer://myclusterclear BalancerMember ajp://localhost:8009 route=server1 min=0 smax=1000 max=1000 keepalive=On /Proxy Tomcat is Connector executor=tomcatThreadPool port=8009 secure=false protocol=AJP/1.3 enableLookups=false proxyPort=80 redirectPort=443 maxKeepAliveRequests=2000 tcpNoDelay=true keepAliveTimeout=1 connectionTimeout=60/ If I increase the concurrency to 10 from 1 and re-run the same 1,000 tests I get 1 LISTEN 20 ESTABLISHED 990 TIME_WAIT Slightly better but i'd have liked to see there be more ESTABLISHED connections. Running with 30 concurrency i get 1 LISTEN 60 ESTABLISHED 970 TIME_WAIT With 50 concurrency I get 1 LISTEN 28 CLOSE_WAIT 28 FIN_WAIT2 66 ESTABLISHED 939 TIME_WAIT In each case the netstat is performed immediately after the test has finished and before each test run the netstat only has the 1 listen socket for 8009. In each case the netstat is from apache to tomcat So any ideas why tomcat would close the connections ? Many thanks David On Mon, 2007-11-19 at 15:07 +0100, Rainer Jung wrote: Hi David, TIME_WAIT is a normal TCP state after a connection was successfully closed. Only one side of the connection goes into TIME_WAIT, namely the side that sent the first FIN. So since you've got httpd and Tomcat on the same server, you first need to find out, which side of the conection is in TIME_WAIT. In netstat, usually the left hand IP:PORT is the local side, and the right IP:PORT the remote side. In case the left pair of the TIME_WAIT line includes the port 8009, this would mean, that Tomcat closed the connection first, in case 8009 is on the right side, it would mean, that Apache httpd closed the connection first. Maybe you could show us some of the TIME_WAIT netstat lines. Both could be OK, so we could ask ourselves, if we expect such behaviour. In general AJP connections should be used persistently and only closed, if they have been idle for to long. Is the number of TIME_WAIT connections much larger, than the concurrency (-c) used with ab? Regards, Rainer David Cassidy wrote: Guys, I'm using mod_proxy in apache 2.2.6 with the ajp connector in tomcat. apache config - Proxy balancer://myclusterclear BalancerMember ajp://localhost:8009 route=server1 min=0 smax=1000 max=1000 keepalive=On /Proxy ProxyPass // balancer://myclusterclear/ stickysession=JSESSIONID|jsessionid Tomcat config (Using the native apr libs) Executor name=tomcatThreadPool namePrefix=catalina-exec- maxThreads=150 minSpareThreads=4/ Connector executor=tomcatThreadPool port=8009 secure=false protocol=AJP/1.3 enableLookups=false
mod_proxy_ajp TIME_WAIT
Guys, I'm using mod_proxy in apache 2.2.6 with the ajp connector in tomcat. apache config - Proxy balancer://myclusterclear BalancerMember ajp://localhost:8009 route=server1 min=0 smax=1000 max=1000 keepalive=On /Proxy ProxyPass // balancer://myclusterclear/ stickysession=JSESSIONID|jsessionid Tomcat config (Using the native apr libs) Executor name=tomcatThreadPool namePrefix=catalina-exec- maxThreads=150 minSpareThreads=4/ Connector executor=tomcatThreadPool port=8009 secure=false protocol=AJP/1.3 enableLookups=false proxyPort=80 redirectPort=443 maxKeepAliveRequests=2000 tcpNoDelay=true keepAliveTimeout=1 connectionTimeout=60/ After running a few hits with ab to give it some load there are a very large number of connections between apache and tomcat in a TIME_WAIT status. Is this a common happening ? Is there something that can be configured to prevent this from appearing ? Thanks David - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
