On 09.12.2015 17:02, Kernel freak wrote:
Hi,

Thank you for finding out that mistake with port-number. What I fail to
understand is, where to redirect the AJP request then?

Why would you need to ?

Again :

Your AJP <Connector> (in Tomcat) will *never* receive requests that are HTTPS. It expects (and in your configuration, receives) only requests in the AJP protocol format (from the Apache-httpd-side mod_jk or mod_proxy_ajp module).
(And if it received anything else, it would bitterly complain).

Also again:
Your configuration is :

User browser <-- HTTP(S) --> Apache httpd + mod_jk <- AJP -> Tomcat AJP Connector <-->Tomcat webapp

The user's browser talks to Apache httpd using either HTTP or HTTPS.
If it is HTTPS, Apache unencrypts it.
The request is then (partially) processed in Apache httpd (parsing the headers etc.), and then it is forwarded to (one of the) Tomcat by the mod_jk module, in AJP format (which has no encrypted version). It is received by the AJP Connector in Tomcat (which understands AJP, but not HTTP/HTTPS). The AJP Connector in Tomcat makes this into a Tomcat/java HTTP Request object, that object is passed to the webapp, and that is what the webapp is dealing with.

The webapp Response object goes the opposite way.
Tomcat outputs this response through the AJP connector, which encodes it as an "AJP message". This message goes to the Apache mod_jk connector. The mod_jk connector decodes this back for Apache-httpd, into an "Apache httpd response". Apache httpd then sends this response back to the browser, in HTTP or HTTPS, depending on how the browser originally connected to httpd to send that request.

The thing to understand here, is that along with the request in AJP format that mod_jk sends to the Tomcat AJP Connector, there will be (optionally) a number of "SSL attributes", which allow the recipient webapp to know that the original browser-to-httpd connection was HTTPS (or not), even though Tomcat received that request through the AJP Connector, in non-SSL AJP format.

See here :
http://tomcat.apache.org/connectors-doc/reference/apache.html
--> JkExtractSSL

I do not know Spring, and I do not know under what conditions it would send back https:// links or not. But this should not be a problem, if the configuration on both Apache-httpd and Tomcat is correct.

Now, all that I am saying above, and also all your load-balancing setup, is only valid assuming that *all* browser-to-Tomcat communication always goes through Apache httpd.
If you allow browsers to access Tomcat directly, then all this is moot.

A browser cannot talk directly to the Tomcat AJP Connector, they would not understand each other. But if your Tomcats have active HTTP/HTTPS Connectors, and the browser is able to connect to them, then forget all the above, it will not work as you expect.
(Such connections would also bypass the load-balancing that you want).





 Can you tell me
that. I am as of now creating additional mail, as I changed the config and
added a Cluster in tomcat. I just need to know what's the deal with those
connectors, as the webapp requires https..

Should I remove that redirectPort in ajp? Kindly let me know. Thank you.

On Wed, Dec 9, 2015 at 4:46 PM, André Warnier (tomcat) <a...@ice-sa.com>
wrote:


On 09.12.2015 15:56, Kernel freak wrote:

I am working on Apache and tomcat to setup Load-balancing and fail-over.
Initially I thought that load-balancing would include fail-over, but I was
wrong. I thought that if one instance is not active, then consuming other
instance also becomes a part of load-management.


It should :
quote : http://tomcat.apache.org/connectors-doc/reference/workers.html

  Load balancer management includes:

     Instantiating the workers in the web server.
     Using the worker's load-balancing factor, perform weighed-round-robin
load balancing where high lbfactor means stronger machine (that is going to
handle more requests)
     Keeping requests belonging to the same session executing on the same
Tomcat worker.
     Identifying failed Tomcat workers, suspending requests to them and
instead fall-backing on other workers managed by the lb worker.

The overall result is that workers managed by the same lb worker are
load-balanced (based on their lbfactor and current user session) and also
fall-backed so a single Tomcat process death will not "kill" the entire
site.


  Enough with the

terminologies, I setup fail-over, but the ironical part is fail-over
itself
is failing.

As soon as I shut down one instance of tomcat, the entire setup is dead
and
I am getting 503. Can someone help me understand what is the problem.


Maybe the first step would be to remove the irrelevant parts of the
configuration below.
Also, please make an effort at formatting your email, in plain text.
What comes below is almost unreadable as it is.
(Even in the original mail to the list, see by yourself)

I have reformatted what I could..


Added this in apache2.conf :

JkWorkersFile /etc/apache2/workers.properties
JkMount /* loadbalancer

workers.properties :

worker.list=loadbalancer
   worker.server1.port=8010
   worker.server1.host=localhost
   worker.server1.type=ajp13

   worker.server2.port=8011
   worker.server2.host=localhost
   worker.server2.type=ajp13

   worker.server1.lbfactor=1
   worker.server2.lbfactor=1

   worker.loadbalancer.type=lb
   worker.loadbalancer.balance_workers=server1,server2
worker.loadbalancer.method=B
worker.balancer.sticky_session=True

000-default in sites-enabled :


JkMountCopy On


<Proxy balancer://mycluster>
     BalancerMember ajp://localhost:8010 route=server1 connectiontimeout=10
     BalancerMember ajp://localhost:8011 route=server2 connectiontimeout=10

     ProxySet stickysession=JSESSIONID|jsessionid
     Order Deny,Allow
     Deny from none
     Allow from all
</Proxy>
<VirtualHost *:80>
ProxyRequests off
ProxyPass /balancer-manager !
ProxyPass / balancer://mycluster/
ProxyPassReverse / balancer://mycluster/
</VirtualHost>
<Location /balancer-manager>
SetHandler balancer-manager
Order Deny,Allow
Deny from none
Allow from all
</Location>



First tomcat's server.xml :


On your front-end, you are re-directing everything to the tomcats, via AJP.
So this Connector is superfluous, and only makes the discussion more
confusing :

<Connector port="8080" proxyPort="80" protocol="HTTP/1.1"
           compression="force" compressionMinSize="1024"
           connectionTimeout="20000"
           redirectPort="443" URIEncoding="utf-8"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/x-javascript,application/javascript"/>


Same for this one. You are using AJP, so you are never accessing tomcat
directly via HTTPS. Useless :

<Connector port="443" enableLookups="false" protocol="HTTP/1.1"
           SSLEnabled="true" maxThreads="200" compression="force"
           compressionMinSize="1024" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="keystore_file" keystorePass="PASSWORD"
           URIEncoding="utf-8"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/x-javascript,application/javascript"/>


This one is being used :

<Connector port="8010" protocol="AJP/1.3" redirectPort="443"
           URIEncoding="utf-8"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/x-javascript,application/javascript"/>
      <Engine name="Catalina" defaultHost="localhost" jvmRoute="server1">
      // No modifications inside</Engine>

Second Tomcat's server.xml :


useless, see above :

<Connector port="8081" proxyPort="80" protocol="HTTP/1.1"
           compression="force" compressionMinSize="1024"
           connectionTimeout="20000"
           redirectPort="443" URIEncoding="utf-8"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/x-javascript,application/javascript"/>

useless, see above :

<Connector port="443" enableLookups="false" protocol="HTTP/1.1"
           SSLEnabled="true" maxThreads="200" compression="force"
           compressionMinSize="1024" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="keystore_file" keystorePass="PASSWORD"
           URIEncoding="utf-8"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/x-javascript,application/javascript"/>


Used:

<Connector port="8011" protocol="AJP/1.3" redirectPort="8443"
           URIEncoding="utf-8"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/x-javascript,application/javascript"/>
      <Engine name="Catalina" defaultHost="localhost" jvmRoute="server2">
      // No modifications here
      </Engine>



Note : your HTTP(S) Connectors are useless, since nothing should in
principle ever reach tomcat via HTTP(S). But if you are going to use the
redirectPort="8443"
attribute, you may at least ensure that the corresponding port is attended
to.

So, I suggest that you clean up your configuration, and repost it in a
more readable format. Then maybe we'll see something.












I am working on Apache and tomcat to setup Load-balancing and
fail-over. Initially I thought that load-balancing would include
fail-over,
   but I was wrong. I thought that if one instance is not active, then
consuming other instance also becomes a part of load-management. Enough
with the terminologies, I setup fail-over, but the ironical part is
fail-over itself is failing.

As soon as I shut down one instance of tomcat, the entire setup is
dead and I am getting 503. Can someone help me understand what is the
problem.

Added this in apache2.conf :

JkWorkersFile /etc/apache2/workers.properties
JkMount /* loadbalancer

workers.properties :

GNU nano 2.2.6 File: workers.properties

   worker.list=loadbalancer
   worker.server1.port=8010
   worker.server1.host=localhost
   worker.server1.type=ajp13

   worker.server2.port=8011
   worker.server2.host=localhost
   worker.server2.type=ajp13

   worker.server1.lbfactor=1
   worker.server2.lbfactor=1

   worker.loadbalancer.type=lb
   worker.loadbalancer.balance_workers=server1,server2
worker.loadbalancer.method=B
worker.balancer.sticky_session=True

000-default in sites-enabled :

JkMountCopy On<Proxy balancer://mycluster>
      BalancerMember ajp://localhost:8010 route=server1
connectiontimeout=10
      BalancerMember ajp://localhost:8011 route=server2
connectiontimeout=10

     ProxySet stickysession=JSESSIONID|jsessionid
     Order Deny,Allow
     Deny from none
     Allow from all
</Proxy>
<VirtualHost *:80>ProxyRequests off
ProxyPass /balancer-manager !ProxyPass /
balancer://mycluster/ProxyPassReverse /
balancer://mycluster/</VirtualHost>
<Location /balancer-manager>SetHandler balancer-manager
Order Deny,AllowDeny from noneAllow from all</Location>


First tomcat's server.xml :

<Connector port="8080" proxyPort="80" protocol="HTTP/1.1"
compression="force" compressionMinSize="1024"
                 connectionTimeout="20000"
                 redirectPort="443" URIEncoding="utf-8"
   compressableMimeType="text/html,text/xml,text/plain,text/css,text/
javascript,application/x-javascript,application/javascript"/>

<Connector port="443" enableLookups="false" protocol="HTTP/1.1"
SSLEnabled="true" maxThreads="200" compression="force"
                compressionMinSize="1024" scheme="https" secure="true"
clientAuth="false"  sslProtocol="TLS"
                  keystoreFile="keystore_file" keystorePass="PASSWORD"
URIEncoding="utf-8"
   compressableMimeType="text/html,text/xml,text/plain,text/css,text/
javascript,application/x-javascript,application/javascript"/>
     <Connector port="8010" protocol="AJP/1.3" redirectPort="443"
URIEncoding="utf-8"
   compressableMimeType="text/html,text/xml,text/plain,text/css,text/
javascript,application/x-javascript,application/javascript"/>
      <Engine name="Catalina" defaultHost="localhost" jvmRoute="server1">
      // No modifications inside</Engine>

Second Tomcat's server.xml :

<Connector port="8081" proxyPort="80" protocol="HTTP/1.1"
compression="force" compressionMinSize="1024"
                 connectionTimeout="20000"
                 redirectPort="443" URIEncoding="utf-8"
   compressableMimeType="text/html,text/xml,text/plain,text/css,text/
javascript,application/x-javascript,application/javascript"/>

<Connector port="443" enableLookups="false" protocol="HTTP/1.1"
SSLEnabled="true" maxThreads="200" compression="force"
                compressionMinSize="1024" scheme="https" secure="true"
clientAuth="false"  sslProtocol="TLS"
                  keystoreFile="keystore_file" keystorePass="PASSWORD"
URIEncoding="utf-8"
   compressableMimeType="text/html,text/xml,text/plain,text/css,text/
javascript,application/x-javascript,application/javascript"/>
   <Connector port="8011" protocol="AJP/1.3" redirectPort="8443"
URIEncoding="utf-8"
   compressableMimeType="text/html,text/xml,text/plain,text/css,text/
javascript,application/x-javascript,application/javascript"/>
      <Engine name="Catalina" defaultHost="localhost" jvmRoute="server2">
      // No modifications here
      </Engine>

What mistake I am making in the config for implementing load-balancing and
fail-over together. Thanks a lot.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
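
Added example, not part of the original thread and not code from the Tomcat project: a small audit of a server.xml that reports the two things the replies above point at, namely HTTP(S) Connectors through which a browser could reach Tomcat without passing through Apache httpd, and a redirectPort for which no Connector is defined. The sample document is constructed from the second Tomcat's connectors quoted in the thread; the function name `audit_connectors` and the rule that a redirectPort must match a Connector in the same file are assumptions of this example (a front-end port may legitimately serve it instead).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the connectors of the second Tomcat from the thread,
# trimmed to the relevant attributes and wrapped in <Server>/<Service>.
SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8081" proxyPort="80" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"/>
    <Connector port="8011" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="server2"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return (direct_http_ports, dangling_redirects) for one server.xml."""
    root = ET.fromstring(server_xml)
    connectors = root.findall(".//Connector")
    listening = {c.get("port") for c in connectors}

    direct_http = []  # non-AJP connectors: candidates for bypassing httpd
    dangling = []     # (connector port, redirectPort) with no Connector defined
    for c in connectors:
        # A Connector without a protocol attribute speaks HTTP/1.1.
        protocol = c.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" as well as class names such as ...AjpNioProtocol.
        if "ajp" not in protocol.lower():
            direct_http.append(c.get("port"))
        redirect = c.get("redirectPort")
        # Assumption of this example: the redirect target should be a
        # Connector in the same file, otherwise it is reported for review.
        if redirect and redirect not in listening:
            dangling.append((c.get("port"), redirect))
    return direct_http, dangling


if __name__ == "__main__":
    direct, dangling = audit_connectors(SERVER_XML)
    for port in direct:
        print(f"HTTP(S) connector on port {port}: reachable without httpd "
              "unless bound to loopback or firewalled")
    for port, redirect in dangling:
        print(f"connector {port}: redirectPort {redirect} has no Connector")
```

Whether a reported HTTP(S) port is actually reachable from browsers depends on the Connector's address attribute and on the host firewall, which this check does not inspect.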




