Re: [OT] redirecting people to maintenance mode

2012-08-27 Thread Christopher Schultz

Martin,

On 8/24/12 8:43 PM, Martin Gainty wrote:
 don't forget with PEM you will need to deploy a single-rooted PKI
 http://en.wikipedia.org/wiki/Privacy_Enhanced_Mail

WTF are you talking about? No single-root is necessary: web servers
support multi-rooted PKI all the time (they are called Certificate
Authorities), and most web servers (or the OSs on which they run)
ship with an unbelievably-long list of CA roots (and intermediate
certs) from which you can get a valid server certificate.

 IMHO: If the certificate from the CA Authority is a X.509 cert use
 DER http://en.wikipedia.org/wiki/Distinguished_Encoding_Rules

If you want to be able to read the certificate with your own eyes,
stick to PEM: it makes it much easier to do things like have multiple
certificates in a single file (say, for adding intermediate certs
required by your CA).

 Christopher Schultz wrote:
 As always, benchmark your own environment and don't let anybody
 else tell you what is or is not faster.
 
 PEM is faster only if you have a single-rooted PKI Server-client 
 operational..UGH..

I don't think anyone is concerned about how long it takes to decode a
1 kilobyte file a single time over the life of a web server process.
Once decoded, the encryption speed has nothing to do with the file
format used to store the certificate(s) on disk.

 I'm fairly confident you'll see a significant performance 
 improvement when switching to APR for both static content (in 
 general)
 
 anyone can shark the static content

I have no idea what you are talking about.

 and non-static content (over SSL).
 
 non-static content you'll want to protect

Of course he'll protect non-static content. I was explaining that the
APR connector will improve performance for both static content
(because of the use of sendFile) and even non-static content because
SSL is faster through APR as well.

Seriously, please stop polluting this list with your incessant noise.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: [OT] redirecting people to maintenance mode

2012-08-24 Thread Christopher Schultz

Fred,

(Marking OT because this strays from the OP's topic)

On 8/23/12 4:21 PM, Fred Janon wrote:
 I am interested in more details from your comment:
 
 This is a common misconception: Apache httpd is *not* faster than 
 Tomcat for static content *when configured appropriately*. The
 current default configuration is unfortunately much less optimized
 than Apache httpd's default configuration, so httpd beats Tomcat
 out-of-the-box.
 
 Do you mean the Default Servlet configuration ( 
 http://tomcat.apache.org/tomcat-7.0-doc/default-servlet.html ) or
 any servlet?

The DefaultServlet is perfectly capable of delivering content quickly
(it's just copying bytes from the disk, which isn't that difficult).
IF you have another servlet that delivers static content, then you'll
have to look at it to see if it is wasting any time :)

 Where can I learn more about optimizing serving static content with
 Tomcat? I want to stick with Tomcat alone.

Your best bet when using Tomcat standalone is to use either the NIO or
APR connectors with sendFile support enabled: this is the key. See
my presentation from ApacheCon NA 2012 on the subject
(http://people.apache.org/~schultz/ApacheCon%20NA%202010/ApacheCon%20NA%202010%20Slides.pdf)
-- although Mladen pointed out at that presentation that my data was
irrelevant due to the use of Linux's loopback interface for all my
testing. He's got a point, but the data still suggests that
performance of NIO+sendFile/APR+sendFile is always on par with Apache
httpd and the performance of the BIO connector and either NIO or APR
without sendFile is always relatively bad.

When you think about it, Tomcat ought to have almost identical
performance with using APR+sendFile connector because it is the *same
code that Apache httpd uses* under the hood (that's what APR is:
native code shared with Apache httpd, including the sendFile
support). The fact that the NIO connector is so competitive with APR I
think speaks to the optimization that has occurred within the NIO
stack, allowing the data to get to the hardware with very little overhead.

One more thing: if you are using TLS, you definitely want to go with
the APR connector to use OpenSSL-based encryption: it's much faster
than the JSSE-based encryption that you'll get when using the NIO
connector.

-chris



Re: [OT] redirecting people to maintenance mode

2012-08-24 Thread Fred Janon
Hi Chris,

Excellent, thanks for all these suggestions. I never really understood why
Tomcat standalone would be that much slower than something else serving
files like you pointed it out. So good things to look at and try out.
Thanks for the SSL pointer as well, I need it.

Thanks again.

Fred

On Fri, Aug 24, 2012 at 5:22 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Fred,

 (Marking OT because this strays from the OP's topic)

 On 8/23/12 4:21 PM, Fred Janon wrote:
  I am interested in more details from your comment:
 
  This is a common misconception: Apache httpd is *not* faster than
  Tomcat for static content *when configured appropriately*. The
  current default configuration is unfortunately much less optimized
  than Apache httpd's default configuration, so httpd beats Tomcat
  out-of-the-box.
 
  Do you mean the Default Servlet configuration (
  http://tomcat.apache.org/tomcat-7.0-doc/default-servlet.html ) or
  any servlet?

 The DefaultServlet is perfectly capable of delivering content quickly
 (it's just copying bytes from the disk, which isn't that difficult).
 IF you have another servlet that delivers static content, then you'll
 have to look at it to see if it is wasting any time :)

  Where can I learn more about optimizing serving static content with
  Tomcat? I want to stick with Tomcat alone.

 Your best bet when using Tomcat standalone is to use either the NIO or
 APR connectors with sendFile support enabled: this is the key. See
 my presentation from ApacheCon NA 2012 on the subject
 (http://people.apache.org/~schultz/ApacheCon%20NA%202010/ApacheCon%20NA%202010%20Slides.pdf)
 -- although Mladen pointed out at that presentation that my data was
 irrelevant due to the use of Linux's loopback interface for all my
 testing. He's got a point, but the data still suggests that
 performance of NIO+sendFile/APR+sendFile is always on par with Apache
 httpd and the performance of the BIO connector and either NIO or APR
 without sendFile is always relatively bad.

 When you think about it, Tomcat ought to have almost identical
 performance with using APR+sendFile connector because it is the *same
 code that Apache httpd uses* under the hood (that's what APR is:
 native code shared with Apache httpd, including the sendFile
 support). The fact that the NIO connector is so competitive with APR I
 think speaks to the optimization that has occurred within the NIO
 stack, allowing the data to get to the hardware with very little overhead.

 One more thing: if you are using TLS, you definitely want to go with
 the APR connector to use OpenSSL-based encryption: it's much faster
 than the JSSE-based encryption that you'll get when using the NIO
 connector.

 -chris




Re: [OT] redirecting people to maintenance mode

2012-08-24 Thread Christopher Schultz

Fred,

On 8/24/12 12:02 PM, Fred Janon wrote:
 Excellent, thanks for all these suggestions. I never really
 understood why Tomcat standalone would be that much slower than
 something else serving files like you pointed it out. So good
 things to look at and try out. thanks for the SSL pointer as well,
 I need it.

Since you are using SSL, I would highly recommend using the APR
connector with both sendFile and SSL enabled. Note that you have to
completely change your SSL certificate configuration. IMO, OpenSSL
configuration is *much* easier because you don't have to deal with the
nightmare that is Java's 'keytool' with all the aliases and odd
formats and stuff. Give me PEM-encoded concatenated keys any day of
the week.

As always, benchmark your own environment and don't let anybody else
tell you what is or is not faster. I'm fairly confident you'll see a
significant performance improvement when switching to APR for both
static content (in general) and non-static content (over SSL).

Good luck.

-chris
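
Added example, not part of the original thread: the message above and the 2012-08-27 reply both rely on PEM files holding several concatenated blocks, and that layout can be checked before a file is handed to the APR connector (for instance as its SSLCertificateChainFile). The POSIX shell functions below list the PEM blocks in a file and reject a chain file that is malformed or contains a private key; the file names and the base64 bodies are constructed placeholders, not real certificates or keys.

```sh
#!/bin/sh
# Added example, not from the thread. POSIX sh and awk only.

# pem_blocks FILE: print the label of every PEM block in FILE, in order
# (for example "CERTIFICATE" or "RSA PRIVATE KEY"). Returns non-zero if a
# BEGIN line has no matching END line or the two labels differ.
pem_blocks() {
    awk '
        { sub(/\r$/, "") }    # tolerate CRLF line endings
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            if (cur != "") { bad = 1; exit }
            cur = substr($0, 12, length($0) - 16)
            next
        }
        /^-----END [A-Z0-9 ]+-----$/ {
            if (cur == "" || substr($0, 10, length($0) - 14) != cur) { bad = 1; exit }
            print cur
            cur = ""
            next
        }
        END { if (bad || cur != "") exit 1 }
    ' "$1"
}

# check_chain_file FILE: print the number of certificates in FILE. Fails if
# the PEM armor is malformed, if no certificate is present, or if the file
# contains any private key block (a chain file is public data and is often
# readable by more accounts than the key file).
check_chain_file() {
    labels=$(pem_blocks "$1") || { echo "malformed PEM: $1" >&2; return 1; }
    case $labels in
        *"PRIVATE KEY"*) echo "private key in chain file: $1" >&2; return 1 ;;
    esac
    count=$(printf '%s\n' "$labels" | grep -c '^CERTIFICATE$' || true)
    [ "$count" -gt 0 ] || { echo "no certificate in: $1" >&2; return 1; }
    echo "$count"
}

# Constructed sample input: PEM armor around placeholder base64.
# File names are hypothetical.
make_samples() {
    cat > "$1/chain.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
EOF
    cat > "$1/chain-with-key.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END PRIVATE KEY-----
EOF
    cat > "$1/truncated.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp"
    for f in chain.pem chain-with-key.pem truncated.pem; do
        if n=$(check_chain_file "$tmp/$f" 2>/dev/null); then
            echo "$f: ok, $n certificate(s)"
        else
            echo "$f: rejected"
        fi
    done
    rm -rf "$tmp"
}
demo
```

The check looks only at the PEM armor; it does not validate the certificates themselves or the order of the chain.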



Re: [OT] redirecting people to maintenance mode

2012-08-24 Thread Fred Janon
Thanks for all of that, Chris.

Cheers,

Fred

On Fri, Aug 24, 2012 at 9:40 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Fred,

 On 8/24/12 12:02 PM, Fred Janon wrote:
  Excellent, thanks for all these suggestions. I never really
  understood why Tomcat standalone would be that much slower than
  something else serving files like you pointed it out. So good
  things to look at and try out. thanks for the SSL pointer as well,
  I need it.

 Since you are using SSL, I would highly recommend using the APR
 connector with both sendFile and SSL enabled. Note that you have to
 completely change your SSL certificate configuration. IMO, OpenSSL
 configuration is *much* easier because you don't have to deal with the
 nightmare that is Java's 'keytool' with all the aliases and odd
 formats and stuff. Give me PEM-encoded concatenated keys any day of
 the week.

 As always, benchmark your own environment and don't let anybody else
 tell you what is or is not faster. I'm fairly confident you'll see a
 significant performance improvement when switching to APR for both
 static content (in general) and non-static content (over SSL).

 Good luck.

 -chris




RE: [OT] redirecting people to maintenance mode

2012-08-24 Thread Martin Gainty



MG> Frederich,
MG> comments interspersed

 From: ch...@christopherschultz.net
 To: users@tomcat.apache.org
 Subject: Re: [OT] redirecting people to maintenance mode
 
 
 Fred,
 
 On 8/24/12 12:02 PM, Fred Janon wrote:
  Excellent, thanks for all these suggestions. I never really
  understood why Tomcat standalone would be that much slower than
  something else serving files like you pointed it out. So good
  things to look at and try out. thanks for the SSL pointer as well,
  I need it.
 
 Since you are using SSL, I would highly recommend using the APR
 connector with both sendFile and SSL enabled. Note that you have to
 completely change your SSL certificate configuration. IMO, OpenSSL
 configuration is *much* easier because you don't have to deal with the
 nightmare that is Java's 'keytool' with all the aliases and odd
 formats and stuff. Give me PEM-encoded concatenated keys any day of
 the week.
MG> don't forget with PEM you will need to deploy a single-rooted PKI
MG> http://en.wikipedia.org/wiki/Privacy_Enhanced_Mail

MG> IMHO: If the certificate from the CA Authority is a X.509 cert use DER
MG> http://en.wikipedia.org/wiki/Distinguished_Encoding_Rules

 As always, benchmark your own environment and don't let anybody else
 tell you what is or is not faster.
MG> PEM is faster only if you have a single-rooted PKI Server-client
MG> operational..UGH..

 I'm fairly confident you'll see a
 significant performance improvement when switching to APR for both
 static content (in general)
MG> anyone can shark the static content

 and non-static content (over SSL).
MG> non-static content you'll want to protect

 Good luck.
MG> Viel Gluck

 -chris
MG> --Martin
 
  

Re: redirecting people to maintenance mode

2012-08-23 Thread Fred Janon
Christopher,

I am interested in more details from your comment:

This is a common misconception: Apache httpd is *not* faster than
Tomcat for static content *when configured appropriately*. The current
default configuration is unfortunately much less optimized than Apache
httpd's default configuration, so httpd beats Tomcat out-of-the-box.

Do you mean the Default Servlet configuration (
http://tomcat.apache.org/tomcat-7.0-doc/default-servlet.html ) or any
servlet?

Where can I learn more about optimizing serving static content with Tomcat?
I want to stick with Tomcat alone.

Thanks

Fred

On Wed, Aug 22, 2012 at 5:54 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Miguel,

 On 8/22/12 5:04 AM, Miguel González Castaños wrote:
  On 21/08/2012 17:00, Christopher Schultz wrote:
 
  Miguel,
 
  On 8/21/12 6:25 AM, Miguel González Castaños wrote:
  Dear all,
 
  I have a Tomcat web server. From time to time, I need to do
  some maintenance and want people not to interact with the
  Tomcat server while I'm doing it. The key thing here is that
  the Tomcat server is up and running. This is what I want to
  achieve:
 
  - I want all people to be redirected from 80/443 port at
  server1 to a different URL http://server2/maintenance.html
  except my IP address (so I can check Tomcat myself).
 
  - If possible, I want this to be transparent to the user, so
  they get a http redirect showing the server1 in the client's
  browser, not server2 (but this is not that important).
 
  I assume I can use iptables to redirect people to a different
  web server, but how can I know that I need to redirect them to
  the maintenance.html if that server is serving other web pages
  too?
  I don't know if you want to add this kind of complication to
  your environment, but this is pretty much what mod_jk was built
  for: distributing requests to one or more back-end Tomcat
  servers.
 
  With mod_jk's management interface, you can take (load-balanced)
  workers out of a pool, upgrade them, then add them back to the
  pool. Before you add them back, you can always access them
  directly if you have set up an HTTP Connector and you can feel
  free to use any technique (iptables, bind to 127.0.0.1, etc.) to
  prevent direct access to the HTTP port from normal users.
 
  The use of Apache httpd out in front of your app server(s) also
  means that you can detect error conditions in the Tomcat instance
  (like it's crashed or whatever) and give a semi-nice error
  message instead of a connection failure.
 
  This is one of those situations where using Apache httpd out in
  front of Tomcat makes some sense: not for performance, but for
  availability. See Mladen's article which explains some of the why,
  what and how of setting up a mod_jk-based cluster:
  http://people.apache.org/~mturk/docs/article/ftwai.html
  It makes sense. I will give it a thought. Unfortunately until we
  migrate to a bigger server, I'm not sure the overhead of Apache is
  too much. Although I know Apache is faster for static content.

 This is a common misconception: Apache httpd is *not* faster than
 Tomcat for static content when configured appropriately. The current
 default configuration is unfortunately much less optimized than Apache
 httpd's default configuration, so httpd beats Tomcat out-of-the-box.

 If you are going to end up fronting Tomcat with Apache httpd, it's
 probably worth your while to push your static content out to the httpd
 level so that you *can* serve your static content without proxying
 that stuff over to your Tomcat instances. That /will/ certainly
 improve performance given a two-tier setup.

 -chris




Re: redirecting people to maintenance mode

2012-08-22 Thread Miguel González Castaños

On 21/08/2012 17:00, Christopher Schultz wrote:


Miguel,

On 8/21/12 6:25 AM, Miguel González Castaños wrote:

Dear all,

I have a Tomcat web server. From time to time, I need to do some
maintenance and want people not to interact with the Tomcat server
while I'm doing it. The key thing here is that the Tomcat server is
up and running. This is what I want to achieve:

- I want all people to be redirected from 80/443 port at server1 to
a different URL http://server2/maintenance.html except my IP
address (so I can check Tomcat myself).

- If possible, I want this to be transparent to the user, so they
get a http redirect showing the server1 in the client's browser,
not server2 (but this is not that important).

I assume I can use iptables to redirect people to a different web
server, but how can I know that I need to redirect them to the
maintenance.html if that server is serving other web pages too?

I don't know if you want to add this kind of complication to your
environment, but this is pretty much what mod_jk was built for:
distributing requests to one or more back-end Tomcat servers.

With mod_jk's management interface, you can take (load-balanced)
workers out of a pool, upgrade them, then add them back to the pool.
Before you add them back, you can always access them directly if you
have set up an HTTP Connector and you can feel free to use any
technique (iptables, bind to 127.0.0.1, etc.) to prevent direct access
to the HTTP port from normal users.

The use of Apache httpd out in front of your app server(s) also means
that you can detect error conditions in the Tomcat instance (like it's
crashed or whatever) and give a semi-nice error message instead of a
connection failure.

This is one of those situations where using Apache httpd out in front
of Tomcat makes some sense: not for performance, but for availability.
See Mladen's article which explains some of the why, what and how of
setting up a mod_jk-based cluster:
http://people.apache.org/~mturk/docs/article/ftwai.html

It makes sense. I will give it a thought. Unfortunately until we migrate 
to a bigger server, I'm not sure the overhead of Apache is too much. 
Although I know Apache is faster for static content.


Many thanks for your thoughts

Miguel







Re: redirecting people to maintenance mode

2012-08-22 Thread Christopher Schultz

Miguel,

On 8/22/12 5:04 AM, Miguel González Castaños wrote:
 On 21/08/2012 17:00, Christopher Schultz wrote:
 
 Miguel,
 
 On 8/21/12 6:25 AM, Miguel González Castaños wrote:
 Dear all,
 
 I have a Tomcat web server. From time to time, I need to do
 some maintenance and want people not to interact with the
 Tomcat server while I'm doing it. The key thing here is that
 the Tomcat server is up and running. This is what I want to
 achieve:
 
 - I want all people to be redirected from 80/443 port at
 server1 to a different URL http://server2/maintenance.html
 except my IP address (so I can check Tomcat myself).
 
 - If possible, I want this to be transparent to the user, so
 they get a http redirect showing the server1 in the client's
 browser, not server2 (but this is not that important).
 
 I assume I can use iptables to redirect people to a different
 web server, but how can I know that I need to redirect them to
 the maintenance.html if that server is serving other web pages
 too?
 I don't know if you want to add this kind of complication to
 your environment, but this is pretty much what mod_jk was built
 for: distributing requests to one or more back-end Tomcat
 servers.
 
 With mod_jk's management interface, you can take (load-balanced) 
 workers out of a pool, upgrade them, then add them back to the
 pool. Before you add them back, you can always access them
 directly if you have set up an HTTP Connector and you can feel
 free to use any technique (iptables, bind to 127.0.0.1, etc.) to
 prevent direct access to the HTTP port from normal users.
 
 The use of Apache httpd out in front of your app server(s) also
 means that you can detect error conditions in the Tomcat instance
 (like it's crashed or whatever) and give a semi-nice error
 message instead of a connection failure.
 
 This is one of those situations where using Apache httpd out in
 front of Tomcat makes some sense: not for performance, but for
 availability. See Mladen's article which explains some of the why,
 what and how of setting up a mod_jk-based cluster: 
 http://people.apache.org/~mturk/docs/article/ftwai.html
 It makes sense. I will give it a thought. Unfortunately until we
 migrate to a bigger server, I'm not sure the overhead of Apache is
 too much. Although I know Apache is faster for static content.

This is a common misconception: Apache httpd is *not* faster than
Tomcat for static content when configured appropriately. The current
default configuration is unfortunately much less optimized than Apache
httpd's default configuration, so httpd beats Tomcat out-of-the-box.

If you are going to end up fronting Tomcat with Apache httpd, it's
probably worth your while to push your static content out to the httpd
level so that you *can* serve your static content without proxying
that stuff over to your Tomcat instances. That /will/ certainly
improve performance given a two-tier setup.

-chris



Re: redirecting people to maintenance mode

2012-08-21 Thread Christopher Schultz

Miguel,

On 8/21/12 6:25 AM, Miguel González Castaños wrote:
 Dear all,
 
 I have a Tomcat web server. From time to time, I need to do some 
 maintenance and want people not to interact with the Tomcat server
 while I'm doing it. The key thing here is that the Tomcat server is
 up and running. This is what I want to achieve:
 
 - I want all people to be redirected from 80/443 port at server1 to
 a different URL http://server2/maintenance.html except my IP
 address (so I can check Tomcat myself).
 
 - If possible, I want this to be transparent to the user, so they
 get a http redirect showing the server1 in the client's browser,
 not server2 (but this is not that important).
 
 I assume I can use iptables to redirect people to a different web 
 server, but how can I know that I need to redirect them to the 
 maintenance.html if that server is serving other web pages too?

I don't know if you want to add this kind of complication to your
environment, but this is pretty much what mod_jk was built for:
distributing requests to one or more back-end Tomcat servers.

With mod_jk's management interface, you can take (load-balanced)
workers out of a pool, upgrade them, then add them back to the pool.
Before you add them back, you can always access them directly if you
have set up an HTTP Connector and you can feel free to use any
technique (iptables, bind to 127.0.0.1, etc.) to prevent direct access
to the HTTP port from normal users.

The use of Apache httpd out in front of your app server(s) also means
that you can detect error conditions in the Tomcat instance (like it's
crashed or whatever) and give a semi-nice error message instead of a
connection failure.

This is one of those situations where using Apache httpd out in front
of Tomcat makes some sense: not for performance, but for availability.
See Mladen's article which explains some of the why, what and how of
setting up a mod_jk-based cluster:
http://people.apache.org/~mturk/docs/article/ftwai.html

-chris



redirecting people to maintenance mode

2012-08-20 Thread Miguel González Castaños

Dear all,

   I have a Tomcat web server. From time to time, I need to do some 
maintenance and want people not to interact with the Tomcat server while 
I'm doing it. The key thing here is that the Tomcat server is up and 
running. This is what I want to achieve:


  - I want all people to be redirected from 80/443 port at server1 to a 
different URL http://server2/maintenance.html except my IP address (so I 
can check Tomcat myself).


  - If possible, I want this to be transparent to the user, so they get 
a http redirect showing the server1 in the client's browser, not server2 
(but this is not that important).


  I assume I can use iptables to redirect people to a different web 
server, but how can I know that I need to redirect them to the 
maintenance.html if that server is serving other web pages too?


 Regards,

  Miguel


This message and any attachments are intended for the use of the addressee or 
addressees only. The unauthorised disclosure, use, dissemination or copying 
(either in whole or in part) of its content is not permitted. If you received 
this message in error, please notify the sender and delete it from your system. 
Emails can be altered and their integrity cannot be guaranteed by the sender.

Please consider the environment before printing this email.





Re: redirecting people to maintenance mode

2012-08-20 Thread Jose María Zaragoza
   I assume I can use iptables to redirect people to a different web server,
 but how can I know that I need to redirect them to the maintenance.html if
 that server is serving other web pages too?


You can try Valve filters.
With Valve, you have access to Request and Response objects

I didn't do ever, but it's an idea :-)

Saludos




Re: redirecting people to maintenance mode

2012-08-20 Thread Miguel González Castaños

On 20/08/2012 12:37, Jose María Zaragoza wrote:

   I assume I can use iptables to redirect people to a different web server,
but how can I know that I need to redirect them to the maintenance.html if
that server is serving other web pages too?


You can try Valve filters.
With Valve, you have access to Request and Response objects

I didn't do ever, but it's an idea :-)

Maybe I haven't worded my idea correctly. I can't assume the Tomcat 
service in server1 is running all the time (since it's under 
maintenance, tomcat might be restarted a few times during the 
maintenance). That's why I thought about iptables. The issue is that 
iptables run at the IP level while redirects work at application level.


Miguel

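
Added example, not part of the original thread: the constraint in the message above (Tomcat may be stopped, so the switch has to happen below the application) fits a port-level redirect on server1 itself. The POSIX shell function below prints, as a dry run, the iptables NAT rules that turn such a maintenance mode on and off. The admin address 203.0.113.10 and the ports 8081/8444 are assumed placeholder values, and a small listener independent of Tomcat is assumed to answer every path on those ports with the maintenance page.

```sh
#!/bin/sh
# Added example, not from the thread. It only prints iptables commands;
# review the output, then run it as root (for example by piping it to sh).
#
# Assumptions (hypothetical values):
#   - a listener independent of Tomcat serves the maintenance page for every
#     path on HTTP_PORT (plain HTTP) and HTTPS_PORT (TLS, presenting the
#     same certificate as server1);
#   - ADMIN_IP is the one address that must still reach Tomcat directly.

# valid_ipv4 ADDR: accept only a dotted quad with each octet in 0..255, so
# nothing else can end up inside a generated command line.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_port N: accept only a decimal TCP port in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# maintenance_rules on|off ADMIN_IP HTTP_PORT HTTPS_PORT
# "on" inserts the rules, "off" deletes exactly the same rules again.
maintenance_rules() {
    case $1 in
        on)  op=-I ;;
        off) op=-D ;;
        *)   echo "usage: maintenance_rules on|off ADMIN_IP HTTP_PORT HTTPS_PORT" >&2
             return 2 ;;
    esac
    valid_ipv4 "$2" || { echo "invalid admin IPv4 address: $2" >&2; return 2; }
    valid_port "$3" && valid_port "$4" || { echo "invalid port" >&2; return 2; }
    # REDIRECT rewrites the destination port on this host, so the browser
    # keeps showing server1; "! -s" exempts the admin address.
    echo "iptables -t nat $op PREROUTING -p tcp --dport 80 ! -s $2 -j REDIRECT --to-ports $3"
    echo "iptables -t nat $op PREROUTING -p tcp --dport 443 ! -s $2 -j REDIRECT --to-ports $4"
}

# Dry run with the placeholder values.
maintenance_rules on 203.0.113.10 8081 8444
```

NAT rules are evaluated for new connections only, so keep-alive connections opened before the switch keep reaching Tomcat until they close. iptables covers IPv4 only; if server1 is reachable over IPv6, that traffic needs its own rules.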



Re: redirecting people to maintenance mode

2012-08-20 Thread mailingl...@j-b-s.de
What about a non-tomcat solution like a load balancer (apache, nginx?) in front 
of your tomcats?

Sent from my iPhone

On 21.08.2012, at 12:25, Miguel González Castaños miguel_3_gonza...@yahoo.es 
wrote:

 Dear all,
 
   I have a Tomcat web server. From time to time, I need to do some 
 maintenance and want people not to interact with the Tomcat server while I'm 
 doing it. The key thing here is that the Tomcat server is up and running. 
 This is what I want to achieve:
 
  - I want all people to be redirected from 80/443 port at server1 to a 
 different URL http://server2/maintenance.html except my IP address (so I can 
 check Tomcat myself).
 
  - If possible, I want this to be transparent to the user, so they get a http 
 redirect showing the server1 in the client's browser, not server2 (but this 
 is not that important).
 
  I assume I can use iptables to redirect people to a different web server, 
 but how can I know that I need to redirect them to the maintenance.html if 
 that server is serving other web pages too?
 
 Regards,
 
  Miguel
 
 
 




Re: redirecting people to maintenance mode

2012-08-20 Thread Jose María Zaragoza
 maybe I haven't worded my idea correctly. I can't assume the Tomcat service
 in server1 is running all the time (since it's under maintenance, tomcat
 might be restarted a few times during the maintenance). That's why I thought
 about iptables. The issue is that iptables run at the IP level while
 redirects work at application level.


I thought that you only wanted to prevent users from accessing the server,
and if the server is down ...

In this case, I wouldn't have 2 servers (one to display a maintenance page).
I'd prefer a frontend server, like Apache, and to use some module to
proxy/filter/check connections, etc.




Re: redirecting people to maintenance mode

2012-08-20 Thread Konstantin Kolinko
2012/8/21 Miguel González Castaños miguel_3_gonza...@yahoo.es:
 On 20/08/2012 12:37, Jose María Zaragoza wrote:

 I assume I can use iptables to redirect people to a different web server,
 but how can I know that I need to redirect them to the maintenance.html if
 that server is serving other web pages too?

 You can try Valve filters.
 With Valve, you have access to Request and Response objects.

 I have never done it, but it's an idea :-)

 maybe I haven't worded my idea correctly. I can't assume the Tomcat service
 in server1 is running all the time (since it's under maintenance, tomcat
 might be restarted a few times during the maintenance). That's why I thought
 about iptables. The issue is that iptables run at the IP level while
 redirects work at application level.

1. Yes, with iptables you can redirect requests to another port number
(where other Tomcat instance runs, or just some other web server).

There is an example of redirecting from port 80 to port 8080 using iptables.

https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileges.3F

Note that there exists the proxyPort attribute on Connector
element that will tell Tomcat what its public port number is.

2. Maybe you can redirect selectively by remote host address (I do not
remember iptables docs so thoroughly, but I think it is possible),

but an easier solution might be to just add a different Connector with
different port number (and maybe with address=127.0.0.1 if you are
connecting locally) that you would use for administering.

Best regards,
Konstantin Kolinko




Re: redirecting people to maintenance mode

2012-08-20 Thread André Warnier

Miguel González Castaños wrote:

Dear all,

   I have a Tomcat web server. 


Apparently, you also have an email program that sends messages dated from the 
future.
Or, maybe you should say then: I will have a Tomcat web server.
Either way, it makes it a bit harder to follow the gist of the conversation 
here.





Re: redirecting people to maintenance mode

2012-08-20 Thread Miguel González Castaños

On 20/08/2012 13:50, André Warnier wrote:

Miguel González Castaños wrote:

Dear all,

   I have a Tomcat web server. 


Apparently, you also have an email program that sends messages dated 
from the future.

Or, maybe you should say then: I will have a Tomcat web server.
Either way, it makes it a bit harder to follow the gist of the 
conversation here.

Sorry, for some reason the date was changed in my system inadvertently.

Corrected.

Miguel




Re: redirecting people to maintenance mode

2012-08-20 Thread Jose María Zaragoza
 Sorry, for some reason the date was changed in my system inadvertently.

 Corrected.

I don't have any problem fixing issues for people from the future :-)




Re: redirecting people to maintenance mode

2012-08-20 Thread André Warnier

Miguel González Castaños wrote:

Dear all,

   I have a Tomcat web server. From time to time, I need to do some 
maintenance and want people not to interact with the Tomcat server while 
I'm doing it. The key thing here is that the Tomcat server is up and 
running. This is what I want to achieve:


  - I want all people to be redirected from 80/443 port at server1 to a 
different URL http://server2/maintenance.html except my IP address (so I 
can check Tomcat myself).


  - If possible, I want this to be transparent to the user, so they get 
a http redirect showing the server1 in the client's browser, not server2 
(but this is not that important).


  I assume I can use iptables to redirect people to a different web 
server, but how can I know that I need to redirect them to the 
maintenance.html if that server is serving other web pages too?




This is a reply from someone who is not a Tomcat (nor even Java) programming 
specialist.

If this were to be done in Tomcat itself, I believe that it would have to be done in a Valve 
which you should program yourself (using the existing Valves as a guideline).
The Valve could check on the request origin IP address, and either let the request go 
through unchanged (for your IP address), or change it to target maintenance.html (for 
all other IPs), depending on some condition that you could change dynamically (for 
example, whether a given flag file exists on the filesystem).


If it is not in a Valve (which is invoked before the request is attributed to a webapp), 
then you would have to do this in a servlet filter configured to run in every webapp.


But since I am not a Tomcat or Java specialist, my own preference would be to do this at 
the level of a front-end webserver like Apache httpd.
In normal circumstances, all requests get forwarded to Tomcat (via mod_proxy_http, 
mod_proxy_ajp or mod_jk).
Whenever the maintenance flag is set at the Apache httpd level, it does not proxy 
anymore to Tomcat (except for your IP), but returns your maintenance.html page.


Being myself more of a perl and mod_perl programmer, and since I am already running Apache 
httpd front-ends to all my Tomcats, I use a custom mod_perl module to do exactly that kind 
of thing.


Apache httpd can have its configuration reloaded gracefully without stopping Apache 
httpd. So you could probably do this without mod_perl, using an alternative httpd.conf 
configuration file and conditional rewrite rules.  I just created a custom mod_perl module 
because it was fun.





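An added example, not code from the thread or from Tomcat: a Valve along the lines André describes, which checks for a flag file on each request and redirects every client except one address to the maintenance page. The package, class name, flag-file path and attribute names are assumptions, and the imports target the javax.servlet-based Valve API.

```java
package example.maintenance; // hypothetical package

import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Added example: while a flag file exists, only one address reaches the webapps. */
public class MaintenanceValve extends ValveBase {
    // Settable as attributes on the <Valve> element; names and defaults are assumptions.
    private String flagFile = "/var/run/tomcat/maintenance.flag";
    private String adminAddress = "127.0.0.1";            // literal IP, not a hostname
    private String maintenanceUrl = "http://server2/maintenance.html";

    public void setFlagFile(String flagFile) { this.flagFile = flagFile; }
    public void setAdminAddress(String adminAddress) { this.adminAddress = adminAddress; }
    public void setMaintenanceUrl(String url) { this.maintenanceUrl = url; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Checked per request, so creating or deleting the file toggles the mode
        // without a restart.
        boolean maintenance = new File(flagFile).exists();
        if (!maintenance || isAdmin(request.getRemoteAddr())) {
            getNext().invoke(request, response);          // normal processing
            return;
        }
        response.setHeader("Cache-Control", "no-store");  // keep caches from pinning the redirect
        response.sendRedirect(maintenanceUrl);            // temporary (302) redirect
    }

    // getRemoteAddr() is the TCP peer. Behind a proxy that is the proxy's address;
    // a client-supplied X-Forwarded-For header must not be used for this decision.
    private boolean isAdmin(String remoteAddr) {
        try {
            // InetAddress comparison normalises textual forms (e.g. IPv6 zero compression).
            return InetAddress.getByName(remoteAddr)
                    .equals(InetAddress.getByName(adminAddress));
        } catch (IOException e) {
            return false;   // unparsable address: treat as a normal visitor
        }
    }
}
```

It would be registered in server.xml with a `<Valve className="example.maintenance.MaintenanceValve" adminAddress="203.0.113.10"/>` element (the address is a constructed placeholder). Because it runs inside Tomcat, it only answers while Tomcat is up, which is the limitation Miguel raises in the thread.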