Dne 24.3.2015 v 00:46 James Roper napsal(a): > On 24 March 2015 at 01:44, Martin Kuba <[email protected] > <mailto:[email protected]>> wrote: > Dne 23.3.2015 v 14:27 David Brown napsal(a): > > In the case of Apache this link appears to be > definitive:https://sites.google.com/a/ci2s.com.ar/wiki/technics/how-to-run-apache-httpd-and-tomcat-on-port-80-using-mod-proxy > > That information is very outdated. The best way how to connect Apache > with Tomcat since Apache version 2.2 > is to use mod_proxy_ajp which is included in Apache by default, see > http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html > > > Personally I wouldn't use AJP. I switched all my sites that used AJP to > mod_proxy years ago. I have encountered so many bugs and issues in AJP in > the past, including responses for one request being returned to another, > corrupted responses, etc, including issues that have impacted Pebble, and > debugging them is very difficult - sometimes it took days deep analysing > packet captures in wireshark to debug the issues. > > The problem is, AJP is practically an unspecified protocol - for example, the > protocol reference doc was written by someone who was trying to work out how > the protocol worked, and finishes with a list of questions that they wanted > help answering. For the most part, it works, but around the edge cases, when > the client or server are not behaving well, or when there's new HTTP features > or some unusual thing being done, rather than handling these situations > gracefully like mod_proxy does, AJP > prefers to blow up in your face, doing the exact opposite of what you would > expect it to do, introducing security issues and all sorts of other > loveliness along the way.
That's interesting experience. I am using mod_jk for about 10 years and mod_proxy_ajp for about 4 years on production servers and I have never had such problems. I prefer AJP because it forwards the request intact with all the available information about remote IP, authenticated user, SSL and so on. I use various authentication schemes heavily - X509 client certificates (mod_ssl), Shibboleth (mod_shib), Kerberos (mod_auth_kerb), LDAP (mod_ldap) - and for that AJP is better than plain HTTP proxy that replaces the original request with a new request. AJP even allows me to forward any Apache internal variables like SSL_CLIENT_S_DN which is impossible with HTTP proxy. Best regards Martin -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ CERIT-SC Martin Kuba Institute of Computer Science email: [email protected] Masaryk University http://www.ics.muni.cz/~makub/ Botanicka 68a, 60200 Brno, CZ mobil: +420-603-533775 -------------------------------------------------------------- ------------------------------------------------------------------------------ Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/ _______________________________________________ Pebble-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/pebble-user
