mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
Hi All,

I have an existing Apache 2.0.52 installation, and a new tomcat 6.0.20 installation. They are both sitting on the same Linux box - uname -a returns the following:

    Linux [machine name] 2.6.9-55.ELsmp #1 SMP Fri Apr 20 16:36:54 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux

I'd like if possible to add mod_jk to enable the two to talk to each other, without fiddling with the existing tomcat / apache versions.

So far I've built mod_jk 1.2.28 from source on the destination machine, and set up the following workers:

(in apache conf)

    <IfModule mod_jk.c>
        JkWorkersFile /etc/httpd/conf/workers.properties
        JkLogFile /etc/httpd/logs/mod_jk.log
        JkLogLevel debug
        JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
        JkWorkersFile /etc/httpd/conf/workers.properties
        JkLogFile /etc/httpd/logs/mod_jk.log
        JkLogLevel debug
        JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
        JkRequestLogFormat "%w %V %T"
        JkOptions +ForwardURICompatUnparsed
        JkExtractSSL On
        JkHTTPSIndicator HTTPS
        JkSESSIONIndicator SSL_SESSION_ID
        JkCIPHERIndicator SSL_CIPHER
        JkCERTSIndicator SSL_CLIENT_CERT
    </IfModule>

(in apache conf, inside a virtual host)

    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/filename
    SSLCertificateKeyFile /etc/httpd/conf/filename
    SSLCACertificateFile /etc/httpd/conf/filename
    JkMount /* tomcatssl

(in workers.properties)

    #
    # First tomcat server
    #
    worker.tomcat1.port=8009
    worker.tomcat1.host=10.13.0.218
    worker.tomcat1.type=ajp13
    worker.tomcat1.lbfactor=50
    #
    # SSL tomcat server
    #
    worker.tomcatssl.port=8443
    worker.tomcatssl.host=10.13.0.218
    worker.tomcatssl.type=ajp13
    worker.tomcatssl.lbfactor=50

However when I kick things off and visit a URL matching the above virtual host, I get the following error message in mod_jk.log:

    [Thu Jan 21 18:51:07 2010] [303:2537062720] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized
    [Thu Jan 21 18:51:30 2010] [30428:2537062720] [error] ajp_connection_tcp_get_message::jk_ajp_common.c (1172): wrong message format 0x1503 from 10.13.0.218:8443

Looking at jk_ajp_common.c I can see the following @ line 1172:

    if (ae->proto == AJP13_PROTO) {
        if (header != AJP13_SW_HEADER) {
            if (header == AJP14_SW_HEADER) {
                jk_log(l, JK_LOG_ERROR,
                       "received AJP14 reply on an AJP13 connection from %s",
                       jk_dump_hinfo(&ae->worker->worker_inet_addr, buf));
            }
            else {
                jk_log(l, JK_LOG_ERROR,
                       "wrong message format 0x%04x from %s",
                       header, jk_dump_hinfo(&ae->worker->worker_inet_addr, buf));
            }
        }
    }

So it seems the error has something to do with AJP13 headers not being as expected. Could anyone confirm that the 3 version numbers (2.0.52, 1.2.28, 6.0.20) are compatible together? If so - any ideas what might be going on here?

thanks,
matt.
RE: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
OK - sounds likely, many thanks. I'll give that a whirl.

> Date: Fri, 22 Jan 2010 12:49:49 +
> Subject: Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
> From: peter.crowt...@melandra.com
> To: users@tomcat.apache.org
>
> I'm not an AJP expert, but I suspect:
>
> - You're telling AJP to use a secure connection between httpd and Tomcat;
> - The Tomcat connector on port 8443 is a SSL connector, not an AJP connector;
> - AJP is getting confused.
>
> I believe you should only need to configure one worker (the one on 8009); AJP is capable of passing through the information as to whether or not the data arrived securely at httpd.
>
> I suspect you'll get a better answer once the States wakes up, but that's my guess.
>
> - Peter
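The 0x1503 in the log is worth decoding: the first two bytes of every TLS record are the content type (0x15 = alert) and the protocol major version (0x03), which is what an HTTPS connector answers when it is fed plaintext AJP, so the bytes themselves confirm Peter's diagnosis. The following Python diagnostic is an added example, not code from the thread or from mod_jk: it mirrors mod_jk's reply-header check (the 'AB'/'AC' magic values are the AJP13/AJP14 server-header constants from jk_ajp_common.h), the CPing probe is the standard AJP13 health-check message, and the sample replies are constructed.

```python
import socket
import struct

# Reply header magic as in mod_jk's jk_ajp_common.h: container-to-server
# messages start with 'AB' (AJP13) or 'AC' (AJP14).
AJP13_SW_HEADER = 0x4142
AJP14_SW_HEADER = 0x4143
# TLS record content types: alert (0x15) and handshake (0x16); byte 2 is the
# protocol major version, 0x03 for every SSL 3.0 / TLS version.
TLS_ALERT, TLS_HANDSHAKE = 0x15, 0x16
# Smallest AJP13 request: magic 0x1234, payload length 1, CPing code 10.
AJP13_CPING = b"\x12\x34\x00\x01\x0a"


def diagnose_reply(reply: bytes) -> str:
    """Classify the first bytes of a backend reply the way mod_jk's
    ajp_connection_tcp_get_message() does, and name the likely cause."""
    if len(reply) < 4:
        return "short read: backend sent nothing or closed the connection"
    header, length = struct.unpack("!HH", reply[:4])
    if header == AJP13_SW_HEADER:
        return "ajp13 reply, %d payload bytes" % length
    if header == AJP14_SW_HEADER:
        return "received AJP14 reply on an AJP13 connection"
    if reply[0] in (TLS_ALERT, TLS_HANDSHAKE) and reply[1] == 0x03:
        kind = "alert" if reply[0] == TLS_ALERT else "handshake"
        return ("wrong message format 0x%04x: a TLS %s record, so this worker "
                "points at an HTTPS connector, not an AJP connector" % (header, kind))
    return "wrong message format 0x%04x: neither AJP nor TLS" % header

def probe_worker(host: str, port: int, timeout: float = 3.0) -> str:
    """Send one AJP13 CPing to a configured worker and diagnose the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(AJP13_CPING)
        try:
            reply = s.recv(16)
        except socket.timeout:
            return "no reply within %.1fs: backend is not speaking AJP" % timeout
    return diagnose_reply(reply)

# Constructed samples (not captured from the thread): a TLS 1.0 alert record
# (fatal, handshake_failure) such as an HTTPS connector returns when it is fed
# plaintext AJP, and the CPong an AJP connector returns for a CPing.
TLS_ALERT_SAMPLE = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])
AJP_CPONG_SAMPLE = b"AB\x00\x01\x09"

if __name__ == "__main__":
    print(diagnose_reply(TLS_ALERT_SAMPLE))
    print(diagnose_reply(AJP_CPONG_SAMPLE))
```

Running probe_worker() against each worker's host and port before wiring up a JkMount tells you which ports actually speak AJP; the worker on 8443 in the configuration above would come back as a TLS alert.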
RE: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
In my case sometimes I do need to pass through the SSL to Tomcat, as I'm running CAS which requires genuine SSL requests. (I do also have some SSL requests that tomcat doesn't need to see - which I will send via 8009 as has been suggested).

The SSL pass-through requirement explains why I was attempting to pass through to :8443 directly - but it sounds like that's the wrong approach. Should I just use something like..

    ProxyPass /cas https://10.13.0.218:8443/cas

?

Many thanks,
matt.

> Date: Fri, 22 Jan 2010 14:24:49 +0100
> From: t...@cataneo.eu
> To: users@tomcat.apache.org
> Subject: Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
>
> I guess that you should exchange the
>
>     JkMount /* tomcatssl
>
> by
>
>     JkMount /* tomcat1
>
> provided you use a standard Tomcat setup.
>
> For a parallel SSL + non-SSL setup using Apache2 you basically need 2 virtual hosts in Apache2. One for port 443 with the standard SSL parameters Apache2 expects to integrate OpenSSL for https, and another for port 80 / plain http. The Jk directives are the same for both virtual hosts, don't care about SSL, and go to Tomcat's port 8009 (= using standard configuration). 8443 is typically the http-over-ssl port (=http) for direct SSL access via the coyote connector and has nothing to do with ajp.
>
> If your Apache2 is doing the SSL integration, Tomcat sees no SSL traffic because Apache2 lets openssl do the conversion from SSL and is connecting to Tomcat without any SSL traffic but simple http. You can give Tomcat some information about the SSL session like you did with
>
>     JkExtractSSL On
>     JkHTTPSIndicator HTTPS
>     JkSESSIONIndicator SSL_SESSION_ID
>     JkCIPHERIndicator SSL_CIPHER
>     JkCERTSIndicator SSL_CLIENT_CERT
>
> but then you have to tell Apache2 to deliver this information with
>
>     SSLOptions +StdEnvVars +ExportCertData
>
> (http://tomcat.apache.org/tomcat-3.2-doc/tomcat-ssl-howto.html might give you an idea about the two possibilities to set up Tomcat + SSL.)
>
> On some of our servers we're still running Apache 2.0 + mod_jk + Tomcat 6 on Solaris - nearly the same setup as under Linux. These servers run with SSL and non-SSL in parallel but without these extra Jk SSL indicator parameters you are using.
>
> Regards,
> Tobias.
RE: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
Thanks for the responses. In between times I tried the ProxyPass which seems to work fine, but I'd much rather use plain AJP so I'll try that next.

I've had problems previously getting CAS working where the SSL is handled by the webserver - however from what everyone has said and having read around the issue a bit more, it does sound like using AJP ought to work, so long as Apache is configured to pass through all the relevant SSL and cert. info to tomcat (presumably so that isSecure() can work, plus I think CAS validates certificates too).

> Date: Fri, 22 Jan 2010 14:53:21 -0500
> From: ch...@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
>
> Matt,
>
> On 1/22/2010 9:25 AM, Matt Turner wrote:
> > In my case sometimes I do need to pass through the SSL to Tomcat, as I'm running CAS which requires genuine SSL requests.
>
> mod_jk ought to be able to forward all SSL information to Tomcat. Specifically, what does CAS require?
>
> > (I do also have some SSL requests that tomcat doesn't need to see - which I will send via 8009 as has been suggested). The SSL pass-through requirement explains why I was attempting to pass through to :8443 directly - but it sounds like that's the wrong approach.
>
> Unless something specific is actually not working, you ought to be able to use a vanilla AJP connection for both secure and non-secure HTTP (even via the same worker/Connector).
>
> > Should I just use something like.. ProxyPass /cas https://10.13.0.218:8443/cas ?
>
> Now, you're switching from mod_jk to mod_proxy_http(s). Can CAS really not function properly with an AJP connection? If you proxy HTTPS you are likely to get in all kinds of trouble because the client is no longer your user... it's your web server. And the server is no longer the web server... it's Tomcat.
>
> -chris