Re: fail_on_status question
On 05.06.2010 00:53, Mohit Anchlia wrote: On Thu, Jun 3, 2010 at 4:30 PM, Mohit Anchliamohitanch...@gmail.com wrote: In our present environment we have a WS and APP server. When request comes in, WS sends it to APP server using mod_jk and then APP server inserts it into JMS queue. So essentially APP server is also dependent on JMS server which runs on the same box. My question is can I use fail_on_status in worker.properties to take one of the APP servers out of service from mod_jk(WS) by returning some Http error code as a response to a request when JMS server is down and a request comes in? Since cping and cpong will still return success would this mechanism of fail_on_status work? Are there any other suggestions? I would appreciate if somone gave their suggestion on my post above. I am going to try fail_on_status with -503 kind of setting and see if request is load balanced to a different server. I am assuming mod_jk will not be able to put worker in error state if that worker returned error code specified in fail_on_status because cping and cpong will continue to see tomcat up and running. Is this assumption correct? Read about the feature on http://tomcat.apache.org/connectors-doc/reference/workers.html Using -503 will not take the app server out of service because of the minus sign. It will only replace the error page, headers and status code for the responses with status 503 send by the app server. Not what you want. Furthermore using 503 as a value for fail_on_status will likely not help. It is very unreasonable for your app server to return a 503 status itself, if JMS is not available. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: R: RE: Re: intermittent SocketException on startup tomcat 5.5.28 and under JBOSS 4.2.3GA
On 05.06.2010 09:23, Pid * wrote: On 5 Jun 2010, at 04:33, ago...@libero.itago...@libero.it wrote: Hi I m very tired because the intermittent socket close exception reappear. We now use tomcat 5.5.28 on win2003 ED SO and jdk 1.6.16. The error that occours is: 4-giu-2010 7.48.35 Date and Time in a bit strange format: 4th of June 2010, 07:48:35. Rainer What is the above? It doesn't look familiar to me. Can you refresh our memories and please post the current server.xml (comments removed)? p org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket GRAVE: Endpoint ServerSocket [addr=0.0.0.0/0.0.0.0,port=0,localport=8080] ignored exception: java.net.SocketException: socket closed java.net.SocketException: socket closed at java.net.PlainSocketImpl.socketAccept(Native Method) at java.net.PlainSocketImpl.accept(Unknown Source) at java.net.ServerSocket.implAccept(Unknown Source) at java.net.ServerSocket.accept(Unknown Source) at org.apache.tomcat.util.net.DefaultServerSocketFactory.acceptSocket (DefaultServerSocketFactory.java:61) at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket (PoolTcpEndpoint. java:408) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt (LeaderFollowerWorkerThread.java:71) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (ThreadPool. java:689) at java.lang.Thread.run(Unknown Source) 4-giu-2010 7.48.56 org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket AVVERTENZA: Reinitializing ServerSocket 4-giu-2010 8.04.39 org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket GRAVE: Endpoint ServerSocket [addr=0.0.0.0/0.0.0.0,port=0,localport=8080] ignored exception: java.net.SocketException: socket closed java.net.SocketException: socket closed at java.net.PlainSocketImpl.socketAccept(Native Method) at java.net.PlainSocketImpl.accept(Unknown Source) at java.net.ServerSocket.implAccept(Unknown Source) at java.net.ServerSocket.accept(Unknown Source) at org.apache.tomcat.util.net.DefaultServerSocketFactory.acceptSocket (DefaultServerSocketFactory.java:61) at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket (PoolTcpEndpoint. java:408) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt (LeaderFollowerWorkerThread.java:71) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (ThreadPool. java:689) at java.lang.Thread.run(Unknown Source) 4-giu-2010 8.05.00 org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket AVVERTENZA: Reinitializing ServerSocket 4-giu-2010 8.05.00 org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket GRAVE: Endpoint ServerSocket [addr=0.0.0.0/0.0.0.0,port=0,localport=8080] ignored exception: java.net.SocketException: socket closed java.net.SocketException: socket closed at java.net.PlainSocketImpl.socketAccept(Native Method) at java.net.PlainSocketImpl.accept(Unknown Source) at java.net.ServerSocket.implAccept(Unknown Source) at java.net.ServerSocket.accept(Unknown Source) at org.apache.tomcat.util.net.DefaultServerSocketFactory.acceptSocket (DefaultServerSocketFactory.java:61) at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket (PoolTcpEndpoint. java:408) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt (LeaderFollowerWorkerThread.java:71) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (ThreadPool. java:689) at java.lang.Thread.run(Unknown Source) 4-giu-2010 8.05.21 org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket AVVERTENZA: Reinitializing ServerSocket 4-giu-2010 8.06.55 org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket GRAVE: Endpoint ServerSocket [addr=0.0.0.0/0.0.0.0,port=0,localport=8080] ignored exception: java.net.SocketException: socket closed java.net.SocketException: socket closed at java.net.PlainSocketImpl.socketAccept(Native Method) . This error slow down the application. we don't have firewall, pool of tcp connection seem correct, the processor and memory usage are normal (10% CPU and 50% RAM). How can i investigte who cuse the problem? Jconsole observe memory but seem not tcp connection. How can i understand why i have close socket? whath are flakey router error? How can i understand if i have saturate the connection on SO? Thank for all suggest Best regards Agostino Messaggio originale Da: chuck.caldar...@unisys.com Data: 24/05/2010 15.38 A: Tomcat Users Listusers@tomcat.apache.org, ago...@libero.it ago...@libero.it Ogg: RE: Re: intermittent SocketException on startup tomcat 5.5.28 and under JBOSS 4.2.3GA From: ago...@libero.it [mailto:ago...@libero.it] Subject: R: Re: intermittent SocketException on startup tomcat 5.5.28 and under JBOSS 4.2.3GA ERROR [org.apache.tomcat.util.net.JIoEndpoint] Socket accept failed java.net.SocketException: socket closed This isn't really a problem with the Tomcat server - it usually means the client terminated
Re: fail_on_status question
On 06.06.2010 03:52, Mohit Anchlia wrote: On Sat, Jun 5, 2010 at 2:02 AM, Rainer Jungrainer.j...@kippdata.de wrote: On 04.06.2010 01:30, Mohit Anchlia wrote: In our present environment we have a WS and APP server. When request comes in, WS sends it to APP server using mod_jk and then APP server inserts it into JMS queue. So essentially APP server is also dependent on JMS server which runs on the same box. My question is can I use fail_on_status in worker.properties to take one of the APP servers out of service from mod_jk(WS) by returning some Http error code as a response to a request when JMS server is down and a request comes in? Since cping and cpong will still return success would this mechanism of fail_on_status work? fail_on_status will trigger nevertheless. Otherwise it would be useless. I didn't get this piece that fail_on_status will trigger nevertheless? My understanding is that cping and cpong decide if to keep a worker in error state or not. But http response code will be returned only when http request comes in. To cping and cpong server is still up. So even if app server return status same as configured for fail_on_status cping and cpong will still not bring the worker in error state. cping and cpong themselves don't bring the worker in error state. There are several mechanism involved to detect feilure and each of those mechanisms can bring worker into error state by itself. Once the worker is in error state, it will not be used for 60 seconds and then retried with the next request eligible for it. If that requests triggers some error condition again, the worker will stay in error state, otherwise it will be back to normal. So if cping/cpong succeed, and later during processing of the same request an error occurs, like e.g. triggered by fail_on_status or reply_timeout or whatever else is configured, the worker will be put into error state. If you still doubt it: try it! Writing a simple servlet or JSP returning some error status is easy and you can see what's happening. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk problem - 1457: All tomcat instances failed, no more workers left (attempt=1, retry=1)
On 07.06.2010 20:22, Mangold, Daniel wrote: Hello to all, I have a problem with mod_jk (hope this is the right place form my problem). Used servers and versions: - Apache 2.2.15 (Win32) - mod_jk/1.2.30 - Apache Tomcat/6.0.20 using AJP/1.3 - jdk1.5.0_12 Problem description: I enter the appropriate URL pointing to the balancing web server into the internet explorer address bar (IE on a host different to the machine where web server and tomcats are installed), press enter and get a '503 - service unavailable message' back. I have 2 Tomcat instances, both up and running and http accessible. When (with the same internet explorer window) I first enter the URL of one Tomcat instance directly, get the requested page back, then again try the URL using the web server, it suddenly works. This seems not to be due to caching, because I do not see the failure message in mod_jk.log anymore and I get log information which indicates that everything went fine. When I try to access the web server URL locally from the machine where all servers are installed, it works from the beginning. I tried several configurations and don't know what else to try. The mod_jk status page shows that the tomcat instances were found and that there is no error. mod_jk.log shows those messages when I enter the web servers URL: (I attached 2 full mod_jk.conf to this email with different configs but same result). [Mon Jun 07 18:29:29 2010][1944:408] [debug] jk_uri_worker_map.c (1036): Attempting to map URI '/Wh/' from 4 maps [Mon Jun 07 18:29:29 2010][1944:408] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/Wh/*=balancer' source 'JkMount' [Mon Jun 07 18:29:29 2010][1944:408] [debug] jk_uri_worker_map.c (863): Found a wildchar match '/Wh/*=balancer' [Mon Jun 07 18:29:29 2010][1944:408] [debug] mod_jk.c (2462): Into handler jakarta-servlet worker=balancer r-proxyreq=0 [Mon Jun 07 18:29:29 2010][1944:408] [debug] jk_worker.c (116): found a worker balancer [Mon Jun 07 18:29:29 2010][1944:408] [debug] jk_worker.c (339): Maintaining worker balancer [Mon Jun 07 18:29:29 2010][1944:408] [debug] jk_ajp_common.c (3197): reached pool min size 32 from 64 cache slots [Mon Jun 07 18:29:29 2010][1944:408] [debug] jk_ajp_common.c (3197): reached pool min size 32 from 64 cache slots [Mon Jun 07 18:29:29 2010][1944:408] [debug] jk_worker.c (293): Found worker type 'lb' [Mon Jun 07 18:29:29 2010][1944:408] [debug] mod_jk.c (978): Service protocol=HTTP/1.0 method=GET ssl=false host=(null) addr=**.*.*.130 name=* port=8080 auth=(null) user=(null) laddr=**.*.*.21 raddr=**.*.*.130 uri=/Workbench/ [Mon Jun 07 18:29:29 2010][1944:408] [debug] jk_lb_worker.c (1118): service sticky_session=1 id='933BF867682BC5657E3F27E5D17917D7' [Mon Jun 07 18:29:29 2010][1944:408] [debug] jk_lb_worker.c (946): searching worker for partial sessionid 933BF867682BC5657E3F27E5D17917D7 [Mon Jun 07 18:29:29 2010][1944:408] [info] jk_lb_worker.c (985): all workers are in error state for session 933BF867682BC5657E3F27E5D17917D7 [Mon Jun 07 18:29:29 2010][1944:408] [info] jk_lb_worker.c (1448): All tomcat instances failed, no more workers left for recovery (attempt=0, retry=0) [Mon Jun 07 18:29:29 2010][1944:408] [debug] jk_lb_worker.c (946): searching worker for partial sessionid 933BF867682BC5657E3F27E5D17917D7 [Mon Jun 07 18:29:29 2010][1944:408] [info] jk_lb_worker.c (985): all workers are in error state for session 933BF867682BC5657E3F27E5D17917D7 [Mon Jun 07 18:29:29 2010][1944:408] [info] jk_lb_worker.c (1457): All tomcat instances failed, no more workers left (attempt=1, retry=0) [Mon Jun 07 18:29:29 2010][1944:408] [debug] jk_lb_worker.c (1131): retry 1, sleeping for 100 ms before retrying [Mon Jun 07 18:29:29 20 10][1944:408] [debug] jk_lb_worker.c (946): searching worker for partial sessionid 933BF867682BC5657E3F27E5D17917D7 [Mon Jun 07 18:29:29 2010][1944:408] [info] jk_lb_worker.c (985): all workers are in error state for session 933BF867682BC5657E3F27E5D17917D7 [Mon Jun 07 18:29:29 2010][1944:408] [info] jk_lb_worker.c (1457): All tomcat instances failed, no more workers left (attempt=0, retry=1) [Mon Jun 07 18:29:29 2010][1944:408] [debug] jk_lb_worker.c (946): searching worker for partial sessionid 933BF867682BC5657E3F27E5D17917D7 [Mon Jun 07 18:29:29 2010][1944:408] [info] jk_lb_worker.c (985): all workers are in error state for session 933BF867682BC5657E3F27E5D17917D7 [Mon Jun 07 18:29:29 2010][1944:408] [info] jk_lb_worker.c (1457): All tomcat instances failed, no more workers left (attempt=1, retry=1) [Mon Jun 07 18:29:29 2010][1944:408] [info] jk_lb_worker.c (1468): All tomcat instances are busy or in error state [Mon Jun 07 18:29:29 2010][1944:408] [error] jk_lb_worker.c (1473): All tomcat instances failed, no more workers left [Mon Jun 07 18:29:29 2010]balancer * 0.109377 [Mon Jun 07 18:29:29 2010][1944:408] [info] mod_jk.c (2618): Service error=0 for worker=balancer
Re: mod_jk problem - 1457: All tomcat instances failed, no more workers left (attempt=1, retry=1)
On 08.06.2010 16:45, Mangold, Daniel wrote: On 07.06.2010 20:22, Mangold, Daniel wrote: First: sorry, it looks like at least half of my previous mail was truncated for whatever reason. The attachment did not go through as well. And it's true, the pasted log file above is not complete. However, this is now my current configuration of workers.properties which seems to work. worker.list=balancer,status # DEFAULT CONFIG FOR WORKERS worker.default.host=localhost worker.default.type=ajp13 worker.default.socket_connect_timeout=5000 worker.default.socket_keepalive=true worker.default.connection_pool_minsize=16 worker.default.connection_pool_size=1024 worker.default.connection_pool_timeout=3000 worker.default.reply_timeout=30 # disable retries, whenever a part of the request was successfully send to the backend worker.template.recovery_options=3 # Define Node1 worker.worker1.reference=worker.default worker.worker1.port=8033 # Define Node2 worker.worker2.reference=worker.default worker.worker2.port=8044 # Load balancing behaviour worker.balancer.type=lb worker.balancer.balance_workers=worker1,worker2 # Load balancing method can be [R]equest, [S]ession, [T]raffic, or [B]usyness worker.balancer.method=S worker.balancer.sticky_session=true #worker.balancer.sticky_session_force=true worker.balancer.max_reply_timeouts=10 # Status worker for managing load balancer worker.status.type=status Well...after trying different things, it seems that the problem was the force mode for sticky sessions. The Tomcat webapp requires sticky sessions for load balancing, otherwise it won't work. So this works fine now: worker.balancer.sticky_session=true #worker.balancer.sticky_session_force=true When uncommenting the sticky_session_force, I always get the '503 service temporarily unavailable' message after the second click. If I read the log messages right, the reason I that mod_jk could not establish establish the connection to any of the Tomcat instances. For a while I was desperate enough to try load balancing with isapi_redirect-1.2.30 on IIS instead of Apache web server. It behaves in the same way when I use the sticky_session_force property (service unavailable page). On the other hand, when commenting the sticky_session_force there, I had another problem. My guessing is that with IIS and isapi-redirect, the sticky_session property did not work at all. But maybe I misconfigured IIS...I'm not really familiar with it. Are there any known issues with sticky_session on Apache Webserver or IIS? Most of the code is the same for IIS and Apache, especially all the load balancing stuff. So no difference to expect. There are no known issues around session stickyness. From what I remember in your incomplete log snippet, your JSESSIONID did not contain a worker route. In order to make session stickyness work, you need to set jvmRoute in server.xml of yur tomcat to the same value as the name of the worker pointing to that Tomcat (worker1 resp. worker2). Tomcat will append the value of the jvmRoute at the end of each session id, separated with a dot. mod_jk will find the route there and then look up the correct worker by name. Look at http://tomcat.apache.org/connectors-doc/generic_howto/loadbalancers.html for instance the second block in red. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat deletes default web.xml [Tomcat version 6.0.14]
On 08.06.2010 11:37, Mark Thomas wrote: On 08/06/2010 10:22, Jitendra G wrote: Hi, We are using Tomcat 6.0.14 and we found that sometimes if Tomcat is restarted few number of times it deletes the default web.xml under “../Tomcat/apache-tomcat-6.0.14/conf” directory. Sometimes this issue also occurs if we are hot deploying our WAR. I found similar bug Bug 44725 https://issues.apache.org/bugzilla/show_bug.cgi?id=44725 -Tomcat delete context.xml and web.xml if re-naming Folders in CONF in Tomcat bug list. But we are not doing anything like renaming any critical directory when Tomcat is running. We are only either doing a hot deployment or just restarting Tomcat and still facing this issue. We are defining contexts explicitly and Tomcat best practices recommend that one should probably turn off automatic application deployment in such cases. Still Tomcat should not delete default web.xml, the best practices say nothing about problems to default web.xml it only states about problem to context.xml. Can you please help let us know what might be the possible cause in this issue? Tomcat won't delete the default files under conf (it wasn't doing that in bug 44725 either). This looks like soemthing the app is doing or a result of configuration (odd docBase or appBase etc). Make the file read only and see if an error is triggered. ... and the directory also. Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Question on IE zones with Mod_jk
On 09.06.2010 11:18, André Warnier wrote: Robin Diederen wrote: Hi Andre, Thanks for the tip. What should I be looking for when analyzing this communication? You should be examining the detail of the requests/responses between bnrowser and server, to see if your assumptions are correct about the redirection etc.. A 401 response is not an error. It is the server telling the browser that this resource is protected and requires authentication. With NTLM, there is a 3-phase exchange that must take place, before the connection is authenticated. Maybe that sequence is not being respected, and therefore IE thinks your are somewhere else. Also, the NTLM authentication system (starting with v2) is specially designed to avoid man in the middle attacks, so this can give problems with firewalls and proxies, and in this case you do have a man in the middle (Apache+mod_jk). It is difficult for anyone else than yourself to debug this, because by definition, one must be inside your Windows domain to see really what happens. To even begin to help, you need to be really precise when supplying the information about the components you are using (versions). The latest versions is not precise, because there are dozens of sites where you can download each of these modules, and their latest versions may not match. You should also find out from your windows network security people, which kind of authentication (and NTLM version) your servers and workstations should be using (for example, if NTLMv2 is mandatory, or if NTLMv1 is allowed also). You can also change the log level of mod_jk (e.g. to debug) and see if the request from mod_jk to Tomcat contains a user-id or not. Browser/server authentication with NTLM is a sequence like this : 1) browser sends request to server, without authentication 2) server responds with 401 (auth required, type=NTLM) 3) browser re-sends request with an Authorization header, type=NTLM, plus an encoded token 4) server responds with a new (different) 401 response, type=NTLM, plus also an encoded token 5) browser repeats the request again, with an Authorization header, type=NTLM, with a final encoded token 6) server now checks, and grants or denies the authentication. If granted, it sends the requested document. If denied, it sends a 403 response (forbidden). All the above must happen on the same browser-to-server TCP connection, because in the end it is this connection which will be authenticated. If the connection is somehow broken in the middle and a new connection created, it will not work. But first, check with Fiddler2 the exact sequence of requests/responses, and see if that matches your assumptions. Have a look at: http://marc.info/?l=tomcat-userm=119886120025980 Maybe that helps. Caution: NTLM is a broken protocol. It assumes that the connection between the client and the authenticating server does not change during the NTLM flow of a couple of requests. If there is nothing between the client and the authentication server, this is easy by just enabling HTTP Keep Alive. If there is a reverse proxy between the client and the backend, i.e. the proxy does not do the authentication, but the backend, this will likely break, because proxies do not make any guarantees about reusing the same backend conection even when the same client connection is used for multiple requests. This is especially true for mod_jk and mod_proxy. It might work with low load, because then there might be only one backend connection but when load increases more backend connections will be opened and finally requests will be dispatched to different connections. When using Apache you can fix that by using the prefork MPM. It is signle threaded and each client connection is associated with a single Apache process. mod_jk in combination with prefork only opens one backend connection per process, so for prefork no connection switching will happen. Not sure whether that all really is your problem. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Question to post to the list
On 09.06.2010 12:33, Pid wrote: On 09/06/2010 11:08, Gregor Schneider wrote: Pid, I believe the problem here is that Fiona tried to use File=$\{logs\}/stdout.log However, this will only work if an environment-variable logs is defined - which is IMHO no default configuration. Yep. You seemed to have that angle covered - I was suggesting an alternative approach. I forgot to add the final statement though. (I plead pre-coffee). log4j.appender.R.File=$\{catalina.base\}/logs/tomcat.log ... plus if the line is part of a log4j.properties file, I never saw backslashes in those. Works without them. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk stability issues
On 11.06.2010 16:28, LES wrote: Well, your suggested changes worked...until today. It was absolutely rock solid. Then, the last two days, with no load I started receiving errno=110 again. It didn't last all day, only a couple of hours yesterday and a couple today. I have added a socket timeout and am trying to track down any issues on the tomcat side that could have contributed. Any idea where I should look?? 1) I'm not a big fan of socket_timeout. It can do more harm than good. 2) where should I look: Errno 110 is a timeout, so maybe mod_jk just does what you told it to: timing out. Why? There might be a problem on the backend (performance problem, thread deadlocks or similar). Activate an access log on the backend (Tomcat) and add %D to the log pattern which will give you millisecond response times for Tomcat. Then it's easier to check, whether responses get slow. You can also monito the busy counts in the jk status worker display. Finally: Look at the mod_jk log file or provide it for us. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk stability issues
On 11.06.2010 20:06, LES wrote: I only added socket_timeout in after looking at the included file in 1.2.30. I was hoping that there was something in that file that I was missing. I attached the log files that you asked for. Looking through them, I don't see any notable increases in response times. This is a system that is not (yet) actively used, so there is very little load. The thread dumps and the gc log do not seem to indicate that tomcat is pausing in some meaningful way. Also, during this time period, the http connectors in the tomcat instances are responding without delay (hitting the manager page). Another detail is that bouncing tomcat will clear up this problem for some unknown period of time. Here is the worker.properties file: *** ... Any thoughts? Thanx for the time, LES http://old.nabble.com/file/p28858465/modjk_log_files.tar.gz modjk_log_files.tar.gz You have a locking issue in your webapp. Look at the thread dump. the threads used for processing of requests coming in via the AJP connector are named TP-ProcessorN where N is some number. There are 188 of them that hang in the stack: java.lang.Object.wait(Native Method) java.lang.Object.wait(Object.java:485) com.tc.object.lockmanager.impl.ClientLock.waitForLock(ClientLock.java:688) com.tc.object.lockmanager.impl.ClientLock.basicLock(ClientLock.java:242) com.tc.object.lockmanager.impl.ClientLock.lock(ClientLock.java:133) com.tc.object.lockmanager.impl.ClientLock.lock(ClientLock.java:120) com.tc.object.lockmanager.impl.ClientLockManagerImpl.lock(ClientLockManagerImpl.java:341) com.tc.object.lockmanager.impl.StripedClientLockManagerImpl.lock(StripedClientLockManagerImpl.java:105) com.tc.object.lockmanager.impl.ThreadLockManagerImpl.lock(ThreadLockManagerImpl.java:46) com.tc.object.tx.ClientTransactionManagerImpl.begin(ClientTransactionManagerImpl.java:232) com.tc.object.bytecode.ManagerImpl.begin(ManagerImpl.java:355) com.tc.object.bytecode.ManagerImpl.beginLock(ManagerImpl.java:340) com.tc.object.bytecode.ManagerUtil.beginLock(ManagerUtil.java:180) com.tc.object.bytecode.ManagerUtil.beginLock(ManagerUtil.java:162) com.terracotta.session.util.Lock.getWriteLock(Lock.java:36) com.terracotta.session.util.DefaultSessionId.getWriteLock(DefaultSessionId.java:64) com.terracotta.session.SessionDataStore.find(SessionDataStore.java:144) com.terracotta.session.TerracottaSessionManager.getSessionIfExists(TerracottaSessionManager.java:426) com.terracotta.session.SessionRequest.getTerracottaSession(SessionRequest.java:104) com.terracotta.session.SessionRequest.getSession(SessionRequest.java:63) org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:206) The locks they are waiting for are not the same, i.e. 188 different ones. Another problem is 4 more threads also waiting for locks in the stack: java.lang.Thread.sleep(Native Method) com.beip.domain.integration.cognos.c8.exec.ConnectionManager.getConnection(ConnectionManager.java:132) com.beip.domain.integration.cognos.c8.request.ConversationManager.validateReportPath(ConversationManager.java:80) com.beip.domain.integration.cognos.c8.request.ConversationManager.createConversation(ConversationManager.java:43) sun.reflect.GeneratedMethodAccessor11599.invoke(Unknown Source) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) java.lang.reflect.Method.invoke(Method.java:597) org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:86) groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:226) groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:899) groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:740) org.codehaus.groovy.runtime.InvokerHelper.invokePojoMethod(InvokerHelper.java:765) org.codehaus.groovy.runtime.InvokerHelper.invokeMethod(InvokerHelper.java:753) org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodN(ScriptBytecodeAdapter.java:167) com.beip.gap.framework.controller.C8Controller$_closure2.doCall(script1274905317445.groovy:63) sun.reflect.GeneratedMethodAccessor11597.invoke(Unknown Source) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) java.lang.reflect.Method.invoke(Method.java:597) org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:86) groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:226) org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:250) org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodOnCurrentN(ScriptBytecodeAdapter.java:77) com.beip.gap.framework.controller.C8Controller$_closure2.doCall(script1274905317445.groovy) sun.reflect.GeneratedMethodAccessor11596.invoke(Unknown Source) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) java.lang.reflect.Method.invoke(Method.java:597)
Re: ISAPI log question regarding authentication
On 11.06.2010 23:21, Savoy, Melinda wrote: I am working in my local Eclipse development environment on a Windows XP box. (As stated in a previous post, I was able to get authentication working in the Windows 2003 environment after talking to a MS IIS engineer) I just got off of a phone call with another IIS engineer at Microsoft regarding the authentication issue again that I am getting Windows XP and we spotted something interesting in the ISAPI log and wanted to run it by you guys. I've now setup my IIS and browser in Windows XP to FORCE NTLM authentication and I am getting in the request, per the ISAPI log, the credentials that it passes from IIS to Tomcat. What is interesting is that it would appear that from the ISAPI log that the AJP is returning a 401 code to the browser and therefore executing a Windows Login prompt. Please see bolded/red type below. Below is a copy of the entries in my ISAPI log and wanted to get any input on WHY it would appear that the redirector is returning a 401 status back to my IE or Firefox browser(?): Because it receives a 401 response form your web application in Tomcat and forwards the response as is to the client. So why is your web application sending a 401? Regards, Rainer [Fri Jun 11 15:46:59.853 2010] [2292:2200] [info] jk_isapi_plugin.c (2573): Jakarta/ISAPI/isapi_redirector/1.2.30 initialized [Fri Jun 11 15:46:59.853 2010] [2292:4624] [debug] jk_isapi_plugin.c (1835): Filter started [Fri Jun 11 15:46:59.853 2010] [2292:4624] [debug] jk_uri_worker_map.c (1036): Attempting to map URI '/localhost/SCMIS/index.jsp' from 1 maps [Fri Jun 11 15:46:59.853 2010] [2292:4624] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/*=scmisWorker' source 'uriworkermap' [Fri Jun 11 15:46:59.853 2010] [2292:4624] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/*=scmisWorker' source 'uriworkermap' [Fri Jun 11 15:46:59.853 2010] [2292:4624] [debug] jk_uri_worker_map.c (863): Found a wildchar match '/SCMIS/*=scmisWorker' [Fri Jun 11 15:46:59.853 2010] [2292:4624] [debug] jk_isapi_plugin.c (1916): check if [/SCMIS/index.jsp] points to the web-inf directory [Fri Jun 11 15:46:59.853 2010] [2292:4624] [debug] jk_isapi_plugin.c (1932): [/SCMIS/index.jsp] is a servlet url - should redirect to scmisWorker [Fri Jun 11 15:46:59.853 2010] [2292:4624] [debug] jk_isapi_plugin.c (1972): fowarding escaped URI [/SCMIS/index.jsp] [Fri Jun 11 15:46:59.869 2010] [2292:4624] [debug] jk_worker.c (339): Maintaining worker scmisWorker [Fri Jun 11 15:46:59.869 2010] [2292:4624] [debug] jk_isapi_plugin.c (2792): Reading extension header HTTP_TOMCATWORKER6A6B: scmisWorker [Fri Jun 11 15:46:59.869 2010] [2292:4624] [debug] jk_isapi_plugin.c (2793): Reading extension header HTTP_TOMCATWORKERIDX6A6B: 0 [Fri Jun 11 15:46:59.884 2010] [2292:4624] [debug] jk_isapi_plugin.c (2794): Reading extension header HTTP_TOMCATURI6A6B: /SCMIS/index.jsp [Fri Jun 11 15:46:59.884 2010] [2292:4624] [debug] jk_isapi_plugin.c (2795): Reading extension header HTTP_TOMCATQUERY6A6B: (null) [Fri Jun 11 15:46:59.884 2010] [2292:4624] [debug] jk_isapi_plugin.c (2850): Applying service extensions [Fri Jun 11 15:46:59.884 2010] [2292:4624] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=NTLM user=TEXAS\SavoyM uri=/SCMIS/index.jsp [Fri Jun 11 15:46:59.884 2010] [2292:4624] [debug] jk_isapi_plugin.c (3120): Service request headers=8 attributes=0 chunked=no content-length=0 available=0 [Fri Jun 11 15:46:59.884 2010] [2292:4624] [debug] jk_worker.c (116): found a worker scmisWorker [Fri Jun 11 15:46:59.884 2010] [2292:4624] [debug] jk_isapi_plugin.c (2162): got a worker for name scmisWorker [Fri Jun 11 15:46:59.884 2010] [2292:4624] [debug] jk_ajp_common.c (3093): acquired connection pool slot=0 after 0 retries [Fri Jun 11 15:46:59.884 2010] [2292:4624] [debug] jk_ajp_common.c (605): ajp marshaling done [Fri Jun 11 15:46:59.884 2010] [2292:4624] [debug] jk_ajp_common.c (2376): processing scmisWorker with 2 retries [Fri Jun 11 15:46:59.884 2010] [2292:4624] [debug] jk_ajp_common.c (1579): (scmisWorker) all endpoints are disconnected. [Fri Jun 11 15:46:59.884 2010] [2292:4624] [debug] jk_connect.c (480): socket TCP_NODELAY set to On [Fri Jun 11 15:46:59.900 2010] [2292:4624] [debug] jk_connect.c (604): trying to connect socket 2112 to 127.0.0.1:8009 [Fri Jun 11 15:46:59.900 2010] [2292:4624] [debug] jk_connect.c (630): socket 2112 connected to 127.0.0.1:8009 [Fri Jun 11 15:46:59.900 2010] [2292:4624] [debug] jk_ajp_common.c (967): Connected socket 2112 to (127.0.0.1:8009) [Fri Jun 11 15:46:59.900 2010] [2292:4624] [debug] jk_ajp_common.c (1152): sending to ajp13 pos=4 len=524 max=8192 [Fri Jun 11 15:46:59.900 2010] [2292:4624] [debug] jk_ajp_common.c (1152): 12 34 02 08 02 02 00 08 48 54 54 50 2F 31 2E 31 - .4..HTTP/1.1 [Fri Jun 11
Re: RewriteRule rewrites, but mod_jk persists with old URI
On 15.06.2010 16:13, Tobias Crefeld wrote: Am Tue, 15 Jun 2010 15:04:01 +0200 schrieb André Warniera...@ice-sa.com: In other words, it appears to receive the URI /mir/search.jsp, try to map it to a worker, succeed, but then forwarding the request to Tomcat as /jsp/search.jsp anyway (which was the original URL, not the rewritten one). This /jsp/search.jsp is indeed not found by Tomcat (because in Tomcat it is /mir/search.jsp), and I receive in return a 404 error page from Tomcat. I'm not quite sure whether I have understood your problem but maybe this additional setting (after JkMount) helps: JkOptions +ForwardURIProxy Right, the Forward* JkOptions are the key here. There have been various attempts during the lifetime of mod_jk to try getting this right, so there are various possible options. Finally because of security problems, ForwardURIProxy was introduced in 1.2.24 and made the new default. http://tomcat.apache.org/connectors-doc/reference/apache.html#Forwarding explains the options and also the limitations with respect to mod_rewrite. There's also a short note at http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL%20Encoding It is possible, that you have explicitely configure ForwardURICompatUnparsed, i.e. please forward the original URI without any interpretation, decoding etc. Since decoding cannot be undone, this means any rewriting by mod_rewrite is not respected. This option was only default at the exact version 1.2.23 but it existed as an option in 1.2.18. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: RewriteRule rewrites, but mod_jk persists with old URI
On 15.06.2010 20:08, André Warnier wrote: Rainer Jung wrote: On 15.06.2010 16:13, Tobias Crefeld wrote: Am Tue, 15 Jun 2010 15:04:01 +0200 schrieb André Warniera...@ice-sa.com: In other words, it appears to receive the URI /mir/search.jsp, try to map it to a worker, succeed, but then forwarding the request to Tomcat as /jsp/search.jsp anyway (which was the original URL, not the rewritten one). This /jsp/search.jsp is indeed not found by Tomcat (because in Tomcat it is /mir/search.jsp), and I receive in return a 404 error page from Tomcat. I'm not quite sure whether I have understood your problem but maybe this additional setting (after JkMount) helps: JkOptions +ForwardURIProxy Right, the Forward* JkOptions are the key here. There have been various attempts during the lifetime of mod_jk to try getting this right, so there are various possible options. Finally because of security problems, ForwardURIProxy was introduced in 1.2.24 and made the new default. http://tomcat.apache.org/connectors-doc/reference/apache.html#Forwarding explains the options and also the limitations with respect to mod_rewrite. There's also a short note at http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL%20Encoding It is possible, that you have explicitely configure ForwardURICompatUnparsed, i.e. please forward the original URI without any interpretation, decoding etc. Since decoding cannot be undone, this means any rewriting by mod_rewrite is not respected. This option was only default at the exact version 1.2.23 but it existed as an option in 1.2.18. Hi. Thanks to both for your suggestions and explanations. The version of mod_jk on that system is 1.2.18, and I have not any of the JKOptions Forward* configured in my setup, which is just this : JkWorkersFile /etc/apache2/workers.properties JkLogFile /var/log/apache2/mod_jk.log JkLogLevel debug JkLogStampFormat [%a %b %d %H:%M:%S %Y] Anyway, adding JkOptions +ForwardURICompat works ! (which is strange, because the docs says it should be the default before 1.2.22) Now I'll see if I can get a more recent mod_jk as a Debian package, and else I'll see if I can make one myself, so that I can use the latest default ForwardURIProxy. I also did not understand the reason why in the docs it says This is .. not safe if you are using prefix JkMount. Anyone care to elaborate ? I am not using prefix JkMount specifically, but I am using Location /mir SetHandler jakarta-servlet /Location Does this un-safeness apply in that case also ? The problem is, that ForwardURICompat forwards the URL as decoded by Apache, e.g. usual percent encoding gets resolved. Tomcat decodes again. So lets construct a URL like /publicapp/../privateapp/privatedata and so some encoding: /publicapp/%2E%2E/privateapp/privatedata Now if Apache gets this URK, it first decodes it /publicapp/../privateapp/privatedata and then normalizes it, /privateapp/privatedata Likely you don't have a JkMount /privateapp or a SetHandler in a Location /privateapp. OK, works. *Now*: Let's double encode: /publicapp/%252E%252E/privateapp/privatedata Apache will decode (once) to /publicapp/%2E%2E/privateapp/privatedata As a decoded URL. Now there's no .. in it, so normalization doesn't change anything and the URL will match JkMount /publicapp/* or Location /publicapp. Since ForwardURICompat is in use, mod_jk will forward this URL, so Tomcat gets the URL /publicapp/%2E%2E/privateapp/privatedata and decodes *again* resulting in /publicapp/../privateapp/privatedata normalizes to /privateapp/privatedata and serves your private data although you didn't map it in mod_jk. So double decoding is desaster. That's why we now reencode every problematic character before forwarding to Tomcat. So: depending on your Location URL the warning *does* apply. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat unexpected shutdown on Solaris
On 17.06.2010 05:35, Caldarale, Charles R wrote: From: Marco Castillo [mailto:mabcasti...@vdkit.net] Subject: Tomcat unexpected shutdown on Solaris I have checked all the logs and there is no exception displayed, no error, nothing. I look for an error file from java, but there is no one. It happens randomly. Sometimes the Tomcat works for large periods of time, sometimes it shutdowns 5 minutes after it has been started. Does somebody has any idea? Likely one of your webapps (possibly a 3rd-party library) is calling System.exit() - very anti-social behavior. You can use a security manager to prevent it and catch the culprit. ... or you are starting Tomcat with an interactive shell, and the shell is one of those which sends a signal (SIGHUP or similar) to all child processes when you logout (or get logged out by some idleness condition or similar). See man nohup. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 6.0 documentation: is classloading description correct?
On 17.06.2010 16:37, Konstantin Kolinko wrote: 2010/6/16peter_f...@blm.gov: Looking at section 10 of the 6.0 user guide, which describes classloading, the text makes perfect sense and matches the way I understand things work. However the summary at the end of the section Class Loader Definitions looks wrong; it basically says that the search order is... Bootstrap $CLASSPATH WEB-INF/classes WEB-INF/lib/*.jar $CATALINA_HOME/lib $CATALINA_HOME/lib/*.jar ...when my understanding is it should be... WEB-INF/classes WEB-INF/lib/*.jar Bootstrap $CLASSPATH $CATALINA_HOME/lib $CATALINA_HOME/lib/*.jar So, is the documentation just wrong, or have I misunderstood something? The order is Bootstrap $CLASSPATH WEB-INF/classes WEB-INF/lib/*.jar $CATALINA_BASE/lib $CATALINA_BASE/lib/*.jar $CATALINA_HOME/lib $CATALINA_HOME/lib/*.jar as documented. Note, that many Bootstrap and $CLASSPATH classes are loaded at early stages of Tomcat startup sequence, that is before classloading hierarchy itself is created. It would be a mess if those classes were ignored. That is why people should not play with $CLASSPATH, unless in certain very rare cases. If you have some documentation changes in your mind, the patches are welcome. The sources are in webapps/docs/*.xml . Create a Bugzilla issue and attach a diff file there (svn diff or an 'Unified diff' (diff -u)). I guess part of the confusion comes from the terminology parent and delegating. The classloader used by the webapps is derived from the usual URLClassloader as an extension. In Tomcat land it's parent is the classloader that loads from the common lib directory. The webapp classloader is not delegating first in the sense that it first tries to find classes via it's own super URLClassloader, before asking the parent common loader. The URLClassloader in turn is the one, that first goes down to bootstrap and system/CLASSPATH before checking the configured URLs (WEB-INF). So in Tomcat terminology it's true, that the webapp classloader does only delegate (to common) if it can't find the class, but the webapp loader itself does delegate to bootstrap and system first. (hope that's true and not too confusing ...) Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Connector IIS7 Load balancing Issue (workers.properties)
On 17.06.2010 16:33, Luis Esquivel wrote: Hello, I have a situation where my IIS tomcat load balancing configuration between 2 nodes keeps switching in every single request from the same browser. The JSESSIONID changes every time I hit refresh on the browser because it switches between the 2 nodes each time. This was working at some point correctly where once a connection was established with a node, the connection stayed on that node until the browser was closed. Has anyone seen this problem before? Any help would be greatly appreciated. My workers.properties file looks like this: worker.list=loadbalancer,status worker.template.port=8009 worker.template.type=ajp13 worker.template.lbfactor=1 worker.template.ping_mode=A worker.template.socket_timeout=10 worker.template.connection_pool_timeout=600 worker.node1.reference=worker.template worker.node1.host=128.1.1.30 worker.node1.cachesize=10 worker.node2.reference=worker.template worker.node2.host=128.1.2.30 worker.node2.cachesize=10 worker.loadbalancer.type=lb worker.loadbalancer.balance_workers=node1,node2 worker.loadbalancer.sticky_session=1 worker.status.type=status Versions of the redirector and Tomcat? This configuration looks very outdated. You should do yourself a favour and switch to a recent version of the redirector and also have an extended look at the example configuration that comes with the source download. To make load balancing work, each Tomcat needs to have an individual jvmRoute set in server.xml and the workers in the balancers need to have names equal to the jvmRoute of the Tomcat they are pointing to. Here the worker names are node1 and node2, so those values should be set as jvmRoute in the respective server.xml. Apart from that look at the redirector logs whether there are errors reported there. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Issues changing log4j levels for tomcat web apps
On 17.06.2010 19:44, Jeffrey Nguyen (jeffrngu) wrote: This question might be a little off topic, but I thought since it involved tomcat web apps, I figured someone might know the answer. I have Liferay EE 5.2.6 running on top of tomcat 6.0.26. Liferay has an admin GUI page to allows me to change log level settings for different packages. The issue I'm facing is changing the log levels seems to only take effect on the ROOT web apps. All the other plugin web apps do not seem to response to the new log levels. I checked on Liferay support forums and found that others are also facing this problem (http://www.liferay.com/community/forums/-/message_boards/message/492284 1) Is this really Liferay's specific problem or is it Tomcat issue in general? In plain vanilla Tomcat, are the web apps loaded in a WebAppClassLoader and ROOT web app is loaded by StandardClassLoader? If so, I assume this is really just an issue with Tomcat right? How do I get around this problem? In a previous project I worked with, we relied on DB change notification to relay the new log level to all tomcat web apps. However, I don't want to consider that solution because it requires design changes and it has its own set of problem. Any pointers would be much appreciated! Thanks in advance! The root context isn't special with respect to class loading. Each context has its own webapp classloader. What that means with respect to log configuration depends on the log frameworks used by the web applications, and how the frameworks are deployed. Often the webapps for example use log4j and each webapp contains a copy of the log4j jar file. That means each webapp would have its own copy of log4j and a completely independent configuration. If log4j would instead be deployed *only* via a shared loader (like the common loader), then all webapps would share a single instance and a single configuration. You can force log4j (example) to use a common configuration for all instances during startup by using the -Dlog4j.configuration=SOMEURL commandline parameter, but that doesn't help with later dynamic changes. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: DefaultServlet and default character encoding
On 18.06.2010 11:04, Felix Schumacher wrote: On Thu, 17 Jun 2010 19:32:36 +0400, Konstantin Kolinko knst.koli...@gmail.com wrote: 2010/6/17 Felix Schumacherfelix.schumac...@internetallee.de: For the moment I have written a filter, which sets a default encoding, as soon as Response.setContentType(String type) is called and type.startsWith(text/). That works for the moment, but I would prefer the solution described in above thread. I know that setting charset in a mime-mapping works, e.g.: mime-mapping extensionhtm/extension mime-typetext/html;charset=iso-8859-1/mime-type /mime-mapping mime-mapping extensionhtml/extension mime-typetext/html;charset=iso-8859-1/mime-type /mime-mapping Note, that it would be better if the mime type set by a HTTP header and the one provided by HTML tag match strictly (case sensitively). Otherwise some browsers will start guessing. IIRC, the HTML spec says that the HTTP header takes precedence, but not all browsers follow it strictly. I will look into this one. Also there is AddDefaultCharsetFilter in Tomcat 7. It is similar to what you are doing, see its JavaDoc and source code. Yes, my filter looked like a twin, with the exception, that I called super.setCharacterEncoding(defaultEncoding) instead of manipulating the content-type directly (and of course that defaultEncoding is different to super.getCharacterEncoding() which would yield iso-8859-1). I could extend that filter to my needs. Should I file a enhancement request for that? apache httpd thinks it would be better to append a charset to the response I wonder, if there is a way to improve your Apache HTTPD configuration. I tried to let apache httpd now that in location /webapp the default charset was different from iso-8859-1. But mod_jk ignored my pledges :( Even so I think DefaultServlet should be able to set a charset if configured to. How did you do that in Apache? Did you use http://httpd.apache.org/docs/2.2/mod/core.html#adddefaultcharset and if so, how exactly? You can switch JkLogLevel on a system with low load to debug, then mod_jk will log all response headers it received from Tomcat. mod_jk itself takes the Content-Type header received from tomcat, extracts its full value and applies it to the Apache response via ap_set_content_type(). Apache later applies any configured default charset via ap_http_header_filter() in ap_http_header_filter(). At least that's what I expect to happen. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: DefaultServlet and default character encoding
On 18.06.2010 13:50, Felix Schumacher wrote: On Fri, 18 Jun 2010 12:50:31 +0200, Rainer Jungrainer.j...@kippdata.de wrote: On 18.06.2010 11:04, Felix Schumacher wrote: On Thu, 17 Jun 2010 19:32:36 +0400, Konstantin Kolinko knst.koli...@gmail.com wrote: 2010/6/17 Felix Schumacherfelix.schumac...@internetallee.de: apache httpd thinks it would be better to append a charset to the response I wonder, if there is a way to improve your Apache HTTPD configuration. I tried to let apache httpd now that in location /webapp the default charset was different from iso-8859-1. But mod_jk ignored my pledges :( Even so I think DefaultServlet should be able to set a charset if configured to. How did you do that in Apache? Did you use http://httpd.apache.org/docs/2.2/mod/core.html#adddefaultcharset and if so, how exactly? I placed the following into the config for the corresponding virtual host: Location /webapp AddDefaultCharset utf-8 /Location Yesterday after restart of httpd I found no difference in behaviour... Now the directive does work as expected. So mod_jk/httpd can be configured to work around the issue. Maybe I saw an old page from some sort of cache/proxy :( Good to know. Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Application stops responding, jk worker in error state
On 18.06.2010 22:44, Neil Aggarwal wrote: Rainer: If you are going to post part of your log file, please also do provide your mod_jk configuration and version information. I am using mod_jk 1.2.30 which I built from the source tarball. My application just locked up so I did a tail -f on the mod_jk log and made a request to it. Here is what generated in the log: [Fri Jun 18 15:30:17.614 2010] [394:47652193829632] [info] ajp_connection_tcp_get_message::jk_ajp_common.c (1230): (tomcat) can't receive the response header message from tomcat, network problems or tomcat (127.0.0.1:8009) is down (errno=11) Hmmm, errno 11 is often EAGAIN. What platform are you using (OS, version)? [Fri Jun 18 15:30:17.614 2010] [394:47652193829632] [error] ajp_get_reply::jk_ajp_common.c (2055): (tomcat) Tomcat is down or refused connection. No response has been sent to the client (yet) [Fri Jun 18 15:30:17.614 2010] [394:47652193829632] [info] ajp_service::jk_ajp_common.c (2540): (tomcat) sending request to tomcat failed (recoverable), (attempt=1) [Fri Jun 18 15:31:19.711 2010] [394:47652193829632] [info] ajp_connection_tcp_get_message::jk_ajp_common.c (1230): (tomcat) can't receive the response header message from tomcat, network problems or tomcat (127.0.0.1:8009) is down (errno=11) [Fri Jun 18 15:31:19.711 2010] [394:47652193829632] [error] ajp_get_reply::jk_ajp_common.c (2055): (tomcat) Tomcat is down or refused connection. No response has been sent to the client (yet) [Fri Jun 18 15:31:19.711 2010] [394:47652193829632] [info] ajp_service::jk_ajp_common.c (2540): (tomcat) sending request to tomcat failed (recoverable), (attempt=2) [Fri Jun 18 15:31:19.711 2010] [394:47652193829632] [error] ajp_service::jk_ajp_common.c (2559): (tomcat) connecting to tomcat failed. [Fri Jun 18 15:31:19.711 2010] [394:47652193829632] [info] jk_handler::mod_jk.c (2618): Service error=0 for worker=tomcat I took a look at the tomcat catalina.out and do not see any errors there. The CPU is empty and the RAM is available. I telnet to 127.0.0.1 port 8009 on the machine, I get a connection, so something is listening on the port. If I do a ps aux | grep java, I see two processes for tomcat which is normal. I checked the mysql log and do not see any errors. I did a show innodb status and do not see any deadlocks in the database. I am attaching the properties for my jk configuation and a screen shot of the JK Status in case it helps. What is really strange is the JK Status page says -48 connections. It seems like that number should always be positive or zero but not negative. That should be unrelated (and yes: it's not OK). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [SPAM] RE: Application stops responding, jk worker in error state
On 19.06.2010 03:46, Neil Aggarwal wrote: Rainer: Hmmm, errno 11 is often EAGAIN. What platform are you using (OS, version)? I am using CentOS 5.5 freshly installed, not an upgrade. I tried that as a fix to this problem. I wiped the server clean and reinstalled everything from scratch. It was on CentOS 5.4 before and I had the same behavior. What is really strange is the JK Status page says -48 connections. It seems like that number should always be positive or zero but not negative. That should be unrelated (and yes: it's not OK). It seems to me if jk is confused about the number of backend connections, it may not be connecting correctly to Tomcat. That seems like it would cause the behavior I am experiencing. No, the total number of connections is shown only for convenience (monitoring etc.). The real process pool is local for each Apache process. there seems to be something wrong when tracking the total number via shared memory but that shouldn't influence in any way the usual functionality. It has only been added very recently. What *is* a problem is EAGAIN while reading from the socket. We don't expect that and handle it as an error, though strictly speaking it is only a temporary error condition. i'll see whether I can provide a patch. would you mind opening an issua in Bugzilla, attaching your log snippet and possibly your workers.properties (the property dump from the status worker is a little harder to digest, because it also shows all the defaults). You can also open a second issue concering the obvisouly wrong connection count shown in the status worker. Thanks and sory for the trouble Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22.06.2010 14:16, Savoy, Melinda wrote: Thanks Marc. I actually have that setting in my server.xml file as well. Actually I did follow your post last week thinking that would help me but the ISAPI filter is working properly as indicated in my log and IIS has authenticated the info otherwise, at least it is my understanding and my experience for the last month in trying to get the ISAPI config and IIS setup properly, that the request info in the isapi log would NOT be populated at all. But now that it is, it appears that I cannot get to the request info by using the getRemoteUser() method which I understood from Ranier and Andre that I could use to get the user value that I need to complete authentication in my code. It just seems that the ISAPI filter is NOT working properly. Andre or Ranier, if you guys are out there, your response would be appreciated. I thought you already managed to have a situation, where getRemoteUser() returned something meaningful. So what's the difference to the situation now? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22.06.2010 16:18, Savoy, Melinda wrote: Thanks Pid. That is what I'm working on right now. I am in the middle of the Decoder part of the code again. My apologies to this list as I understood I could get that directly from the ISAPI filter as it would decrypt it for me, which it does per the ISAPI log, and then pass it on to me via the HttpServletRequest getRemoteUser() which it does not do. It does, but I expect something in your application stack to overwrite or delete it again. If you want to find out what happens, you need to get into a more simple test situation, like deploying a trivial app (e.g. the default Tomcat ROOT context), and simply add a JSP or servlet there that shows you the request.getRemoteUser(). I expect that to work. Then the question why it doesn't work in your app is up to your application and framework code. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22.06.2010 21:29, Savoy, Melinda wrote: That is definitely the preferred method and the reason for going to the Tomcat Connector for this authentication process. However, even with the most simple implementation of my index.jsp and web.xml file I cannot get the getRemoteUser() to work. I am hoping that Ranier is able to look at the log that I sent a few minutes ago and perhaps from there be able to determine where I've messed up in the configuration portion of the ISAPI filter or see something in the log that would show him where this is going wrong that perhaps I can fix(?). The ISAPI redirector log shows that it's correctly forwarding the data. How do your web.xml and server.xml for this test look like? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22.06.2010 21:59, Marc Boorshtein wrote: Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat. This shouldn't be the case since she put tomcatAuthentication=false tomcat should be taking the username from the JK_REMOTE_USER attribute. Have you tried a wireshark packet capture? The log file of the ISAPI redirector she presented already contains a dump of the AJP packet the redirector is going to send out. The dump shows the correct user string contained in the packet. I've got no idea what's wrong here. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Setting Up AJP Workers as a Failover
On 23.06.2010 01:12, David Fisher wrote: Hi All, I've got myself in a situation where I need a stopgap quick fix - until we can respond correctly. I have the following workers file: # define the worker list worker.list=LoadBalancer # Define the LB worker worker.LoadBalancer.type=lb worker.LoadBalancer.balance_workers=webprod1,webprod2 worker.LoadBalancer.sticky_session=1 # configure each worker worker.webprod1.type=ajp13 worker.webprod1.host=webprod1 worker.webprod1.port=8009 worker.webprod1.lbfactor=100 worker.webprod2.type=ajp13 worker.webprod2.host=webprod2 worker.webprod2.port=8009 worker.webprod2.lbfactor=100 If I change the last line to worker.webprod2.lbfactor=0 will webprod2 only be used if webprod1 is disconnected or otherwise in an error state? No, value 0 ist not supported and will automatically be changed to 1. What about using activation=disabled? What are you trying to achieve? You should also look at the example configuration bundled with the 1.2.30 sources. It contains nice suggestions about timeouts that your configuration is lacking. My other choice is to turn off one of the server's Tomcat instance. The real solution might take a day or two and that is to put back JSESSIONID - meanwhile I'm looking at how to fix occasional strangeness for users. If someone has a way to force JSESSIONID with a valve or filter that would be great. Yes my jvmroutes are set. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 23.06.2010 09:51, Pid wrote: On 23 Jun 2010, at 02:40, Rainer Jungrainer.j...@kippdata.de wrote: On 22.06.2010 21:59, Marc Boorshtein wrote: Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat. This shouldn't be the case since she put tomcatAuthentication=false tomcat should be taking the username from the JK_REMOTE_USER attribute. Have you tried a wireshark packet capture? The log file of the ISAPI redirector she presented already contains a dump of the AJP packet the redirector is going to send out. The dump shows the correct user string contained in the packet. I've got no idea what's wrong here. Would you expect the user value normally to be set as another (REMOTE_USER type) header by ISAPI? No, it gets send as an AJP specific request attribute that the AJP connectors know about. It's not an HTTP header. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 23.06.2010 16:58, Savoy, Melinda wrote: In my ISAPI log it shows: [Wed Jun 23 09:50:59.568 2010] [5024:6028] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=NTLM user=TEXAS\SavoyM uri=/index.jsp The value of 80 is shown, my question is does this line in my ISAPI log show the request as to where it is coming from, meaning IIS since IIS is on port 80? Yes. Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat current thread count
On 25.06.2010 11:22, Mick Knutson wrote: TIME_WAIT is fine. Not an issue. That just means they are ready to take requests. CALL_WAIT is not good, if they stick around. If this is an OOM error, then have you started this server and attached javaVisualVM onto it to see what the threads and memory are doing? Not judging on whether that's the right approach, but you probably meant CLOSE_WAIT. There is no TCP state CALL_WAIT. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat current thread count
On 25.06.2010 17:51, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Özgür, On 6/25/2010 11:39 AM, Ozgur Ozdemircili wrote: Thanks for the useful link. I have gotten a thread dump using kill -3 . You can find it in the attached file. It looks like almost everything is idle, here. Can you wait a while, when you estimate you might be close to encountering this error, and then take another thread dump? That one would probably be more interesting. Yup, or maybe write a small shell script, sending the signal every 5 minutes or maybe even once every minute in order to make it likely to catch the problematic status. Be prepared for enough space in the logs directory though. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: questions on documentation for configuring AJP connector
On 28.06.2010 22:06, Rumpa Giri wrote: We are trying to upgrade to the latest connector. While going through the worker properties variables to set we have few questions regarding the following - Please do also grab the source tarball. In version 1.2.30 it contains an example configuration file that has a lot of helpful comments in it. 1) connection_pool_size - Usually this is the same as the number of threads per web server process. (cut-paste from the description for connection_pool_size) I am not familiar with IIS - so how do you determine the above? There was some debate, whether there's a way to automatically determine that. Microsoft doesn't really document it and it seems to depend a lot on IIS version and windows details. See also André's comments. Also does this property have any correlation with the attribute MaxThreads in theConnector tag of server.xml? How do you determine what value should you put for MaxThreads? If there is only one Tomcat you are forwarding to, then it would be the same number. Tomcat - without the tcnative/APR connector - uses one thread per incoming connection. Things get more complicated, if you start using IIS with multiple processes, or a farm of several Tomcats. 2) connection_pool_timeout - The server.xml - the default value if not specified explicitly is 6(60 secs). I see in our server.xml AJP connector tag - its not specified - which means I do need to specify this property connection_pool_timeout in our worker.properties as 60? The documentation says the default for connection_pool_timeout is 0, shouldn't it be 60 if this has to be in synch with server.xml? It should be in sync (apart form the fact that one is in seconds and the other in milliseconds) and you should expliciteley set both. See the commented example config in the 1.2.30 source download. 3) The worker.loadbalancer.method property - currently not set - but we are thinking of doing as B instead of default R. What do you use in general? Is there a disadvantage to switching from Request to Busyness? https://issues.apache.org/bugzilla/show_bug.cgi?id=44454 R should be good enough in most cases, except things like many parallel and long running requests, e.g. download farms for huge content. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: connector configuration values - need help to review
In addition to the comments in your other discussion thread. On 28.06.2010 23:23, Rumpa Giri wrote: Worker.properties ps=\ # ps=/ Remove, doesn't mean anything. worker.list=loadbalancer worker.template.type=ajp13 worker.template.lbfactor=1 worker.template.socket_keepalive=True worker.template.socket_timeout=300 I don't like socket_timeout. Have a look at http://tomcat.apache.org/connectors-doc/generic_howto/timeouts.html worker.template.connection_pool_timeout=600 worker.template.connection_pool_size=200 worker.template.connect_timeout=6 worker.server1.port=8009 worker.server1.host=192.168.100.119 worker.server1.reference=worker.template worker.server2.port=8009 worker.server2.host=192.168.100.120 worker.server2.reference=worker.template worker.loadbalancer.type=lb worker.loadbalancer.balance_workers=server1,server2 worker.loadbalancer.method=B I'd start with R. --- uriworkermap.properties --- /myjsps/*=loadbalancer - Server.xml AJP connector tag - !-- Define an AJP 1.3 Connector on port 8009 -- Connector port=8009 enableLookups=false redirectPort=8443 protocol=AJP/1.3 maxThreads=450 connectionTimeout=60 / Did you set jvmRoute? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: ISAPI Redirector Help
On 30.06.2010 01:48, George Sexton wrote: I'm trying to get the ISAPI redirector working on IIS 7.0 running under Windows Server Data Center 64-bit. When I make a request, I get served the isapi_redirector.dll. Here's the detailed information. IIS is running in 32 bit mode. I have downloaded the latest 32-bit ISAPI redirector. I have configured the registry entries in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Jakarta Isapi Redirector\1.0 I have configured logging and set it to debug. I do get a isapi_redirect.log file in the specified directory. Here are the last few lines: [Tue Jun 29 19:11:30.520 2010] [1752:3920] [debug] jk_map.c (588): Dump of map: 'worker.list' - 'ajp13' [Tue Jun 29 19:11:30.520 2010] [1752:3920] [debug] jk_map.c (588): Dump of map: 'worker.ajp13.type' - 'ajp13' [Tue Jun 29 19:11:30.520 2010] [1752:3920] [debug] jk_map.c (588): Dump of map: 'worker.ajp13.host' - 'localhost' [Tue Jun 29 19:11:30.520 2010] [1752:3920] [debug] jk_map.c (588): Dump of map: 'worker.ajp13.port' - '8009' [Tue Jun 29 19:25:45.911 2010] [4760:4676] [debug] jk_isapi_plugin.c (1835): Filter started [Tue Jun 29 19:25:45.911 2010] [4760:4676] [debug] jk_uri_worker_map.c (1036): Attempting to map URI '/mydigirad.com/calendar/View.html' from 1 maps [Tue Jun 29 19:25:45.911 2010] [4760:4676] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/calendar/*=ajp13' source 'uriworkermap' [Tue Jun 29 19:25:45.911 2010] [4760:4676] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/calendar/*=ajp13' source 'uriworkermap' [Tue Jun 29 19:25:45.911 2010] [4760:4676] [debug] jk_uri_worker_map.c (863): Found a wildchar match '/calendar/*=ajp13' [Tue Jun 29 19:25:45.911 2010] [4760:4676] [debug] jk_isapi_plugin.c (1916): check if [/calendar/View.html] points to the web-inf directory [Tue Jun 29 19:25:45.926 2010] [4760:4676] [debug] jk_isapi_plugin.c (1932): [/calendar/View.html] is a servlet url - should redirect to ajp13 [Tue Jun 29 19:25:45.926 2010] [4760:4676] [debug] jk_isapi_plugin.c (1972): fowarding escaped URI [/calendar/View.html] When I invoke /calendar/View.html, IIS services the ISAPI Redirector DLL rather than the servlet content as expected. I have confirmed by looking at the catalina.log file that tomcat is running an AJP connector on port 8009 The jakarta application is running under the same application pool as the virtual host (Network Service). I have confirmed the permissions on the logs, tomcat conf directory, and the folder containing the isapi redirector binary. I checked the handler mappings and Tomcat Redirector *.dll shows up as enabled. At the Top level, I verified that the handler mapping for ISAPI Module *.dll is enabled. It seems like I'm really close here. If anyone could point me in the right direction, I would appreciate it. Did you check item 9. in http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html#Configuring%20the%20ISAPI%20Redirector Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Hello and Tomcat issues with sticky sessions
On 30.06.2010 13:10, Gabriel Tabares wrote: have you also set de directive in de workers.properties I suggested? in your case that should look like worker.pub-app01.domain=pub-app01 etc My apologies, I am doing 10 things at the time and missed that bit. I now have made the change and it seems to be working (fingers crossed). I have a couple of people testing it out, so fingers crossed! It's weird because I've used mod_jk a lot and never had any domain specified. You won't need a domain setting for stickyness to work. There was something else wrong with your setup. Since your configuration looked OK, mod_jk should have logged any problems when doing stickyness in its log file. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache Tomcat 5.5 and labels.properties
On 30.06.2010 15:43, Pid wrote: On 30/06/2010 14:13, Michael Rodov wrote: this is the link, but its not 100% sure since it depends on the installed directories C:\Program Files\Apache Software Foundation\Tomcat 5.5.26\work\Catalina\localhost\sm711\loader\*com\hp\ov\cwc\web* So the clue there is in the package name. This is not an Apache package, let alone Tomcat: com.hp.ov.cwc.web, it's something to do with your application - or an app / jar you're using. Likely the application in question is HP Service Manager. It seems the file was part of that. It is definitely not a Tomcat file. Talk to hP or your integration partner, why they dropped the file and where you can find the missing functionality. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Hello and Tomcat issues with sticky sessions
On 30.06.2010 16:18, János Löbb wrote: workers.properties --- ps=/ worker.list=pub-app01, pub-app02, pub-app03, pub-app04, pub-app05, pub-lb worker.pub-app01.type=ajp13 worker.pub-app01.host=app01 worker.pub-app01.port=8009 worker.pub-app01.socket_keepalive=1 worker.pub-app02.type=ajp13 worker.pub-app02.host=app02 worker.pub-app02.port=8009 worker.pub-app02.socket_keepalive=1 worker.pub-app03.type=ajp13 worker.pub-app03.host=app03 worker.pub-app03.port=8009 worker.pub-app03.socket_keepalive=1 worker.pub-app04.type=ajp13 worker.pub-app04.host=app04 worker.pub-app04.port=8009 worker.pub-app04.socket_keepalive=1 worker.pub-app05.type=ajp13 worker.pub-app05.host=app05 worker.pub-app05.port=8009 worker.pub-app05.socket_keepalive=1 worker.ajp13.lbfactor=1 worker.pub-lb.type=lb worker.pub-lb.balance_workers=pub-app01,pub-app02,pub-app03,pub-app04,pub-app05 worker.pub-lb.sticky_session=1 - I think this is what worker.list should look like: worker.list=pub-lb Aaaah, right. The above won't work, the lb worker needs to be in the list, not the members of the lb. with recent versions of mod_jk you would find a message in the log, that the worker pub-lb used in your JkMount isn't known to mod_jk (because it is missing in the list attribute). - You might also need for every balance_worker the worker.pub-app0x.redirect=machine_name_where_the_session_from_this_machine_should_be_redirected You can use it if you have a very special idea, which node should fail over to which other node, but you can omit it and the balancer will choose one on a per request basis, if there is a problem with a node. - For the load balance worker you might need something like: worker.pub-lb.sticky_session_force=False worker.pub-lb.sticky_session=True Those are both defaults. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: ISAPI Redirector Help
On 30.06.2010 16:57, George Sexton wrote: I'm using IIS 7.0 so that step would not apply. Sure? The docs talk about version 6 because that was the last time they were updated. Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Using httpd's mod_rewrite with mod_jk
On 30.06.2010 19:00, Christopher Schultz wrote: Slightly off-topic, but relevant. On our development servers, I'm trying to enforce a rule that all our users have the most up-to-date web browser available (yeah, it's an uphill battle, I know... just go with it). I decided to use mod_rewrite to check for a User-Agent pattern and then forward to a bad browser page, which works well for static content, but not for requests destined to be handled by mod_jk. Here's what I've got: # Handle Mozilla Firefox RewriteCond %{HTTP_USER_AGENT} Firefox/ RewriteCond %{HTTP_USER_AGENT} !(Firefox/(3\.0\.19|3\.5\.9|3\.6\.3)($|[^\.0-9])) RewriteRule .* /bad-browser.shtml [L] For dynamic requests, this will happily allow the request to go through to mod_jk. Usually mod_rewrite is perfectly compatible with mod_jk. I must confess, that I'm not 100% sure about the case, where you try to rewrite a request that originally would have been handled by mod_jk to something that should not be handled by it. Two possibilities: if it doesn't actually work, you can set the env var no-jk as a side effect in your rewrite rule. If mod_jk fins this env var set, it will decline to handle the request. Alternatively, if you are fine with redirecting by mod_rewrite instead of rewriting internally, the redirecting should also win over mod_jk. There is a chance though, that it should work out of the box and you are using some indirect mapping to mod_jk that wins. That would be the case if you are either using one of the outdated JkOptions ForwardXXX options, or you are using an indirect mapping like setting the handler to jakarta-servlet, or using the environment variable trick (JK_WORKER_NAME or JkWorkerIndicator) to define the target worker. So you might want to tell us, how you map your dynamic requests (JkMount, setting handler etc.) to mod_jk and what other Jk directives (like JkOptions) you are using. To complete the picture: in cases were the RewriteRule works, but then the request is not forwarded via mod_jk although it should, you need to add the PT flag. In your case I guess its the opposite situation you are looking for. Regards, Rainer I also tried this: RewriteRule .* /bad-browser.shtml [L,H=alias] This works in the sense that I get the page I want, but I also get a 404 error because the URL doesn't map to anything mod_alias can handle successfully. I also tried this: RewriteRule .* /bad-browser.shtml [L,F] This gives me a 403 response code, httpd's standard forbidden page, and a 500 response code in the access log (looks like a runaway redirect... I'll have to fix that). Does anyone have any suggestions for getting: 1. My custom page rendered 2. A 403 (or any specific) response code sent to the browser Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JK connector and extra characters showing up
On 01.07.2010 03:00, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David, On 6/30/2010 3:32 PM, David Brown wrote: Problem: Extra characters showing up in some content delivered from tomcat. I believe they are from the JK connector when it breaks up the content into 8k packets. Setup: Tomcat 5.5 - JK 1.2.30 - SunOne 6.1sp11 So you're using mod_jk 1.2.30 to connect Tomcat 5.5 and SunOne? I tested using Apache2 and the problem does not show up there. Using apache is not an option here. Okay. Tomcat to web server through JK connector, same for Sun One and Apache Is this data /from/ Tomcat /to/ Sun One, or from Sun One /to/ Tomcat? That is, are we looking at a request or a response? It kind of looks like a response, but I just want to be sure. 0090 20 47 4d 54 00 00 0c 43 6f 6e 74 65 6e 74 2d 54 GMT...Content-T 00a0 79 70 65 00 00 08 74 65 78 74 2f 63 73 73 00 00 ype...text/css.. 00b0 0e 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 00 .Content-Length. 00c0 00 05 32 32 33 37 33 00 41 42 1f fc 03 1f f8 40 ..22373.AB.@ 00d0 43 48 41 52 53 45 54 20 22 55 54 46 2d 38 22 3b CHARSET UTF-8; 00e0 23 74 70 63 72 7b 62 61 63 6b 67 72 6f 75 6e 64 #tpcr{background 00f0 2d 63 6f 6c 6f 72 3a 57 68 69 74 65 3b 6d 61 72 -color:White;mar 0100 67 69 6e 3a 31 30 70 78 20 30 20 32 30 70 78 20 gin:10px 0 20px Can you dump the whole response? Browser from Apache 0120 76 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 ve..Content-Type 0130 3a 20 74 65 78 74 2f 63 73 73 0d 0a 0d 0a 40 43 : text/css@c 0140 48 41 52 53 45 54 20 22 55 54 46 2d 38 22 3b 23 HARSET UTF-8;# 0150 74 70 63 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d tpcr{background- 0160 63 6f 6c 6f 72 3a 57 68 69 74 65 3b 6d 61 72 67 color:White;marg 0170 69 6e 3a 31 30 70 78 20 30 20 32 30 70 78 20 30 in:10px 0 20px 0 Why are the hex offsets different? Differing standard headers? Again, can you post the whole response? Browser from SunOne 00e0 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 GMT..Content-Typ 00f0 65 3a 20 74 65 78 74 2f 63 73 73 0d 0a 43 6f 6e e: text/css..Con 0100 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 32 32 33 tent-Length: 223 0110 37 33 0d 0a 54 72 61 6e 73 66 65 72 2d 65 6e 63 73..Transfer-enc 0120 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a oding: chunked.. 0130 0d 0a 31 66 66 38 0d 0a 40 43 48 41 52 53 45 54 ..1ff...@charset 0140 20 22 55 54 46 2d 38 22 3b 23 74 70 63 72 7b 62 UTF-8;#tpcr{b 0150 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a ackground-color: 0160 57 68 69 74 65 3b 6d 61 72 67 69 6e 3a 31 30 70 White;margin:10p 0170 78 20 30 20 32 30 70 78 20 30 3b 7d 0a 23 74 70 x 0 20px 0;}.#tp Are all of these dumps from the same response, but at different points in the process? I can see that there is a 1ff8 (in text) in that last dump. What is that? It appears that some component is switching the Transfer-encoding to chunked. Do you know if that's intentional? The first snippet is from between the web server and tomcat through the JK connector. This looks the same for either Apache or SunOne. The thing to note is line 00c0 where the hex is 1f f8. Is that a Greek Omicron? Or something else? The second snippet is when a browser hits Apache. The thing to note is line 0130 where the hex is 0d 0a 0d 0a. (carriage return, line feed, carriage return, line feed) The CR LF CR LF seems to be more likely to be correct. The third snippet is when a browser hits SunOne for the same file. Here on line 0130 there is 0d 0a 31 66 66 38 0d 0a, notice the extra 4 characters between the carriage return/line feeds. Those 4 extra characters are likely to be the chunk size. 31 66 66 38 is, well, 1ff8, which is 792 in decimal. So, the chunk size is 792 bytes. Did you get 792 bytes after the next CR LF? Again, a complete response would be helpful in determining what's happening. And that is where my problem lies. These characters 1ff8 are showing up in the body of the content and is causing errors. Technically speaking, this is not content: it's header. Your client is misinterpreting the data it's receiving from the server. Take a look at http://www.httpwatch.com/httpgallery/chunked/ - the page is chunked with each line of text in a separate chunk. I think it will demonstrate what I'm talking about. If you can't view it any other way, you can do this: $ telnet www.httpwatch.com 80 temp.out GET /httpgallery/chunked/ Connection closed by foreign host. $ less temp.out You should see content like this: [snip] Transfer-Encoding: chunked Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Content-Type: text/html 7b !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; 2d html xmlns=http://www.w3.org/1999/xhtml; [and so on] 9 /body 9 /html 2 0 [the 0 indicates the last chunk, which contains no data]. Is this what you're observing, here?
Re: using Servlet Filter to rewrite domain of JSESSIONID cookie?
On 01.07.2010 03:26, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nikita, On 6/30/2010 6:20 PM, Nikita Tovstoles wrote: I'd like to make session cookie domain-wide, and ignore subdomains - in Tomcat 6. You could use the emptySessionPath=true setting in yourConnector. http://tomcat.apache.org/tomcat-6.0-doc/config/http.html The next version of Tomcat 6 to be released will contain configuration options for changing the domain, path and name. Those options will be part of the context element and described on the docs page linked above. The vote for 6.0.28 is happening now, so if nothing bad is found we will have that release in a few days. You can already grab and test it: http://people.apache.org/~jfclere/tomcat-6/v6.0.28/ WARNING: this is not yet an official release! wait for the official release before using it in production. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Using httpd's mod_rewrite with mod_jk
On 02.07.2010 02:37, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rainer, On 7/1/2010 4:54 AM, Rainer Jung wrote: Usually mod_rewrite is perfectly compatible with mod_jk. I must confess, that I'm not 100% sure about the case, where you try to rewrite a request that originally would have been handled by mod_jk to something that should not be handled by it. It appears that my setup (rewriting a request that normally would go to jk to one that shouldn't go to jk) still ends up being handled by jk. Two possibilities: if it doesn't actually work, you can set the env var no-jk as a side effect in your rewrite rule. If mod_jk fins this env var set, it will decline to handle the request. Alternatively, if you are fine with redirecting by mod_rewrite instead of rewriting internally, the redirecting should also win over mod_jk. Okay, I changed my RewriteRule to this: RewriteRule .* /bad-browser.shtml [L,E=no-jk] OK, I did a little test: RewriteRule .* /bad-browser.shtml [L,E=no-jk:1] should work. A quick glance at mod_rewrite's code indicates it drops E= rules when no value is present. Have fun! Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Mod_jk: Uri * is invalid. Uri must start with /
On 02.07.2010 14:50, Matteo Turra wrote: I have Apache/2.2.14 (Unix) and mod_jk/1.2.28 with a Tomcat 6.0.20 farm in load balancing. In the mod_jk.log I get a line like this each second. [warn] map_uri_to_worker_ext::jk_uri_worker_map.c (962): Uri * is invalid. Uri must start with / I checked all the JkMount directive in the virtual host Any suggestion? The broken URI is the one send with the request. I assume there's some probing going on, like live checking done by a load balancer, end-to-end monitoring or similar. I guess they are sending you something like OPTIONS * HTTP/1.1 which is a vlid request, but mod-jk complains. Nothings broken, but of course the warning is annoying. You could file an issue in bugzilla, because this will be easy to fix (don't warn if the URI is '*'). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Using httpd's mod_rewrite with mod_jk
On 02.07.2010 22:02, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rainer, On 7/2/2010 10:13 AM, Rainer Jung wrote: On 02.07.2010 02:37, Christopher Schultz wrote: Okay, I changed my RewriteRule to this: RewriteRule .* /bad-browser.shtml [L,E=no-jk] OK, I did a little test: RewriteRule .* /bad-browser.shtml [L,E=no-jk:1] should work. A quick glance at mod_rewrite's code indicates it drops E= rules when no value is present. You know, I should have thought of that. My other experiences with environment variables and non-env variables with Apache was that you can set a variable to nothing but it is still considered set (or defined, if you prefer). In this case, it is not. Right, I'd say it's a buglet in mod_rewrite. Maybe something I can improve for httpd trunk ... (I need to check whether it still behaves the same there). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Using httpd's mod_rewrite with mod_jk
On 03.07.2010 14:08, Rainer Jung wrote: On 02.07.2010 22:02, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rainer, On 7/2/2010 10:13 AM, Rainer Jung wrote: On 02.07.2010 02:37, Christopher Schultz wrote: Okay, I changed my RewriteRule to this: RewriteRule .* /bad-browser.shtml [L,E=no-jk] OK, I did a little test: RewriteRule .* /bad-browser.shtml [L,E=no-jk:1] should work. A quick glance at mod_rewrite's code indicates it drops E= rules when no value is present. You know, I should have thought of that. My other experiences with environment variables and non-env variables with Apache was that you can set a variable to nothing but it is still considered set (or defined, if you prefer). In this case, it is not. Right, I'd say it's a buglet in mod_rewrite. Maybe something I can improve for httpd trunk ... (I need to check whether it still behaves the same there). I made the VAL argument in ENV=VAR:VAL optional for httpd trunk: http://svn.apache.org/viewvc?rev=960233view=rev and proposed it for backport to httpd 2.2.x. It's a trivial change, no risk, and a nice shortcut for configuration. Otherwise the module should at least complain about an invalid flag syntax. Nice cross project interaction :) Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Very slow HttpServletRequest.getLocalName()
On 07.07.2010 16:08, mmg wrote: Hello, I've recently deployed an application on our Linux staging server; a Tomcat 5.5.28 server on Java 1.5.0_09-b01. At some point, the application makes a call to request.getLocalName(). For some reason, this call takes a very long time (about 20 seconds!). I profiled the application, and I see that tomcat calls InetAddress.getHostName() in turn. This performs a reverse DNS lookup. It's this reverse DNS lookup that takes so long (since our host doesn't have a DNS address the resolve fails). Is there a way to disable this reverse DNS lookup in Tomcat or is there anything else I can do to speed this up? You might want to try getLocalAddr (if IP is enough) or getServerName() (if a host header is set by the client and that header is fine). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Very slow HttpServletRequest.getLocalName()
On 07.07.2010 18:03, mmg wrote: Hi Rainer, Thanks for that suggestion, but it's not my code that's calling the method: it's the icefaces framework so it's out of my control. If you don't find a good other solution, you can write a simple filter, that registers a ServletRequestWrapper, so all calls to getLocalName() go through your wrapper which can then do something more suited to your needs instead of simply calling super.getLocalName(). To add the filter you have to add the new classes to the webapp and add the filter configuration to web.xml of the webapp, but you don't have to change any existing code or similar of the webapp. Regards, Rainer Rainer Jung-3 wrote: On 07.07.2010 16:08, mmg wrote: Hello, I've recently deployed an application on our Linux staging server; a Tomcat 5.5.28 server on Java 1.5.0_09-b01. At some point, the application makes a call to request.getLocalName(). For some reason, this call takes a very long time (about 20 seconds!). I profiled the application, and I see that tomcat calls InetAddress.getHostName() in turn. This performs a reverse DNS lookup. It's this reverse DNS lookup that takes so long (since our host doesn't have a DNS address the resolve fails). Is there a way to disable this reverse DNS lookup in Tomcat or is there anything else I can do to speed this up? You might want to try getLocalAddr (if IP is enough) or getServerName() (if a host header is set by the client and that header is fine). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- kippdata informationstechnologie GmbH Tel: 0228 98549 -0 Bornheimer Str. 33aFax: 0228 98549 -50 53111 Bonn www.kippdata.de HRB 8018 Amtsgericht Bonn / USt.-IdNr. DE 196 457 417 Geschäftsführer: Dr. Thomas Höfer, Rainer Jung, Sven Maurmann === kippdata informationstechnologie GmbH Tel: +49 228 98549 -0 Bornheimer Str. 33aFax: +49 228 98549 -50 D-53111 Bonn www.kippdata.de HRB 8018 Amtsgericht Bonn / USt.-IdNr. DE 196 457 417 Geschäftsführer: Dr. Thomas Höfer, Rainer Jung, Sven Maurmann - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Error: Invalid or unreadable WAR file : error in opening zip file
On 09.07.2010 15:21, Fernando Morgenstern wrote: Hello, I'm running the following version of tomcat: Server version: Apache Tomcat/6.0-snapshot Server built: Nov 15 2009 11:02:53 Server number: 6.0.0.0 OS Name:Linux OS Version: 2.6.24-9-pve Architecture: i386 JVM Version:1.6.0_12-b04 JVM Vendor: Sun Microsystems Inc. And i have a shared mount between 4 tomcat servers. All of them run the same OS and tomcat version. For some reason, one of the tomcat servers stopped working and i can't start it anymore. At catalina.out, i get this error: INFO: Deploying web application archive Box.war mmap failed for CEN and END part of zip file Jul 9, 2010 2:42:27 PM org.apache.catalina.core.StandardContext resourcesStart SEVERE: Error starting static Resources java.lang.IllegalArgumentException: Invalid or unreadable WAR file : error in opening zip file I've verified and tomcat user does have read permissions to war file. Also, i don't think this is a problem with the war file ( actually, all of them ), since other tomcat servers can deploy applications normally. Do you know what might be causing this issue? This one? http://scarybeastsecurity.blogspot.com/2008/08/ode-to-bug-that-almost-was.html http://bugs.sun.com/view_bug.do?bug_id=6740544 Or possibly glusterfs doesn't support mmap: http://gluster.org/pipermail/gluster-users/2009-November/003458.html The log message comes from JRE internal handling of zip resp. jar files which uses native mmap(). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: running tomcat behind an apache reverse proxy
On 12.07.2010 19:00, Mark Thomas wrote: On 12/07/2010 17:53, Tapas Mishra wrote: but the application is not generating URLs properly.I have not written so it is not possible for me to change any thing in it. The application is generating URLs like this: GET /library/skin/default/portal.css GET /portal/styles/portalstyles.css GET /library/js/jquery.js mod_proxy does not rewrite HTML, only a few specific headers, so your application must generate the correct URLs, eg /'sakai/styles/portalstyles.css'. Is there any work around ? I have asked this on Sakai forum but did not got any answer. mod_substitute ... or mod_proxy_html ... Or: you can try to fix it on the incoming side instead of the outgoing, i.e. rewriting /portal/styles.* to /sakai/styles/* after you received the request, but before forwarding to Tomcat (mod_rewrite). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: 404 with mod_jk
On 13.07.2010 23:17, Michael Powe wrote: Hello, I asked this question in the httpd list but no joy. I have set up tomcat 6 and IBM httpd server to proxy requests using mod_jk. IBM_HTTP_Server/6.0.2 Apache/2.0.47 (Unix) mod_jk/1.2.30 Server at localhost Port 80 I have followed all instructions as nearly as I can make out. The mod_jk log shows: [Tue Jul 13 16:41:02 2010] [7639:50215792] [trace] map_uri_to_worker_ext::jk_uri_worker_map.c (951): enter [Tue Jul 13 16:41:02 2010] [7639:50215792] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1036): Attempting to map URI '/TlTaggerTest/target.jsp' from 9 maps [Tue Jul 13 16:41:02 2010] [7639:50215792] [trace] find_match::jk_uri_worker_map.c (839): enter [Tue Jul 13 16:41:02 2010] [7639:50215792] [debug] find_match::jk_uri_worker_map.c (850): Attempting to map context URI '/TlTaggerTest/*.jsp=worker1' source 'JkMount' [Tue Jul 13 16:41:02 2010] [7639:50215792] [debug] find_match::jk_uri_worker_map.c (863): Found a wildchar match '/TlTaggerTest/*.jsp=worker1' [Tue Jul 13 16:41:02 2010] [7639:50215792] [trace] find_match::jk_uri_worker_map.c (866): exit [Tue Jul 13 16:41:02 2010] [7639:50215792] [trace] map_uri_to_worker_ext::jk_uri_worker_map.c (1065): exit The Apache access log shows: localhost - - [13/Jul/2010:16:41:02 -0400] GET /TlTaggerTest/target.jsp 404 332 - Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 - No indication on the Tomcat side of any activity. The ajp13 connector is enabled. Both mod_jk and ajp13 connector are on port 8009. The files are available directly from Tomcat through port 8080. The local files (in htdocs) are properly served. localhost - - [13/Jul/2010:16:58:01 -0400] GET /TlTaggerTest/target.html 200 67 - Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 - I sure would appreciate any pointers for troubleshooting or resolution. Thanks. mp Since you already have trace logging enabled: - is this all that gets logged in the jk log file for the request? - can you see your worker worker1 getting configured during startup (debug log messages)? - anything in the httpd error log? Maybe your mod_jk module file is not really compatible with your web server binary and you get process crashes? If those remarks do not help, we will need your configuration and more complete logs. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: 404 with mod_jk
On 14.07.2010 04:57, Michael Powe wrote: Hello, Thank you for the reply. See below for comments. On Wed, Jul 14, 2010 at 12:37:05AM +0200, Rainer Jung wrote: On 13.07.2010 23:17, Michael Powe wrote: Hello, I asked this question in the httpd list but no joy. I have set up tomcat 6 and IBM httpd server to proxy requests using mod_jk. IBM_HTTP_Server/6.0.2 Apache/2.0.47 (Unix) mod_jk/1.2.30 Server at localhost Port 80 I have followed all instructions as nearly as I can make out. Since you already have trace logging enabled: - is this all that gets logged in the jk log file for the request? I rotated the mod_jk log and restarted the server. I get a huge trace log, 33K. It appears to me to be initializing correctly, in the sense that there are no error messages. - can you see your worker worker1 getting configured during startup (debug log messages)? [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] uri_worker_map_dump::jk_uri_worker_map.c (195): exit [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] uri_worker_map_open::jk_uri_worker_map.c (830): exit [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] uri_worker_map_alloc::jk_uri_worker_map.c (240): exit [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] init_jk::mod_jk.c (3112): Using fcntl() for locking. [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] init_jk::mod_jk.c (3128): Setting default connection pool max size to 25 [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] jk_map_read_property::jk_map.c (491): Adding property 'worker.list' with value 'worker1' to map. [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] jk_map_read_property::jk_map.c (491): Adding property 'worker.worker1.type' with value 'ajp13' to map. [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] jk_map_read_property::jk_map.c (491): Adding property 'worker.worker1.host' with value 'localhost' to map. [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] jk_map_read_property::jk_map.c (491): Adding property 'worker.worker1.port' with value '8009' to map. [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] jk_map_resolve_references::jk_map.c (766): enter [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] jk_map_resolve_references::jk_map.c (774): Checking for references with prefix worker. with wildcard (recursion 1) [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] jk_map_resolve_references::jk_map.c (830): exit [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] jk_shm_calculate_size::jk_shm.c (97): enter [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] jk_shm_calculate_size::jk_shm.c (132): shared memory will contain 1 ajp workers of size 256 and 0 lb workers of size 320 with 0 members of size 320+256 [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] jk_shm_calculate_size::jk_shm.c (139): exit [ ... ] [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] wc_open::jk_worker.c (50): enter [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] jk_map_dump::jk_map.c (589): Dump of map: 'ServerRoot' - '/opt/IBMIHS' [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] jk_map_dump::jk_map.c (589): Dump of map: 'worker.list' - 'worker1' [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] jk_map_dump::jk_map.c (589): Dump of map: 'worker.worker1.type' - 'ajp13' [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] jk_map_dump::jk_map.c (589): Dump of map: 'worker.worker1.host' - 'localhost' [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] jk_map_dump::jk_map.c (589): Dump of map: 'worker.worker1.port' - '8009' [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] build_worker_map::jk_worker.c (236): enter [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] build_worker_map::jk_worker.c (242): creating worker worker1 [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] wc_create_worker::jk_worker.c (126): enter [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] wc_create_worker::jk_worker.c (146): about to create instance worker1 of ajp13 [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] ajp13_worker_factory::jk_ajp13_worker.c (80): enter [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] ajp_worker_factory::jk_ajp_common.c (2892): enter [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] ajp_worker_factory::jk_ajp_common.c (2934): exit [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] ajp13_worker_factory::jk_ajp13_worker.c (92): exit [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] wc_create_worker::jk_worker.c (159): about to validate and init worker1 [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] validate::jk_ajp13_worker.c (35): enter [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] ajp_validate::jk_ajp_common.c (2579): enter [Tue Jul 13 22:21:00 2010] [12002:3987136] [debug] ajp_validate::jk_ajp_common.c (2605): worker worker1 contact is 'localhost:8009' [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] jk_resolve::jk_connect.c (329): enter [Tue Jul 13 22:21:00 2010] [12002:3987136] [trace] jk_resolve::jk_connect.c
Re: 404 with mod_jk
On 14.07.2010 14:37, Konstantin Kolinko wrote: 2010/7/14 Michael Powemich...@trollope.org: VirtualHost localhost (...) #JkMount /host-manager ajp13 #JkMount /host-manager/* ajp13 JkMount /TlTaggerTest/*.jsp worker1 /VirtualHost The VirtualHost section was created by the ApacheConfig option in Tomcat. Trivial question: are you sure, that your worker name is correct (worker1 vs. ajp13). I am curious, why Tomcat-generated configuration has different worker name. The auto configuration feature of Tomcat should be deprecated. It is of no real use except for a trivial starter configuration. It *always* uses a single worker named ajp13. Because of this feature (I guess because) mod_jk has a builtin worker named ajp13, which even if no worker named ajp13 is explicitely defined tries to contact localhost at 8009 if the a URL is mounted to a worker named ajp13. Legacy stuff. Nevertheless, although the config the OP uses is not sufficient for prime time, it should work. I didn't yet have the time to compare, where exactly the log lines stop compared with a working request. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: i have a quick jk trace question
On 14.07.2010 16:50, fredk2 wrote: Hi, I am looking at a trace a friend made which raised my curiosity: [Mon Jul 12 17:49:13.534 2010] [3370:4160136960] [trace] ajp_read_into_msg_buff::jk_ajp_common.c (1188): enter [Mon Jul 12 17:49:13.534 2010] [3370:4160136960] [trace] ajp_read_fully_from_server::jk_ajp_common.c (1140): enter - this is a 5 min gap (i think KeepAliveTimeout is set to 5 min for this test) - is this waiting for data from Apache? why would it be hanging in this routine? It reads from the socket that connects the clint (=browser) with the web server (=apache). The read is going through Apache code. It hangs, because the browser doesn't send it or at least the data doesn't reach the web server. And yes, the timeout here is 300 seconds by default. It is not KeepAliveTimeout but Timeout. What's the problem? You will likely have to sniff and analyze traffic to check, whether something is coming or the web server is right in waiting for more data. If it is right (very likely), you will have to find out, whether the browser actually sends somthing and if so, where it gets lost. Try to find out, what type of request you are analyzing. Add pid and tid the the Apache accesslog and look for a maching time stamp and pid/tid combination (pid=3370, tid=4160136960) in the above log. Note that the acess log will log the time stamp the request started, so something closer to 17:49:13 in the above example, not 17:54:13. Check, whether it's a POST (e.g. a huge file upload or so), or maybe an AJAX request. [Mon Jul 12 17:54:13.539 2010] [3370:4160136960] [trace] ajp_read_fully_from_server::jk_ajp_common.c (1172): exit [Mon Jul 12 17:54:13.539 2010] [3370:4160136960] [trace] ajp_read_into_msg_buff::jk_ajp_common.c (1226): exit [Mon Jul 12 17:54:13.539 2010] [3370:4160136960] [trace] ajp_connection_tcp_send_message::jk_ajp_common.c (928): enter The source code for this jk version is: http://svn.apache.org/viewvc/tomcat/jk/tags/JK_1_2_26/jk/native/common/jk_ajp_common.c?view=markup any hint is appreciated Many Thanks - Fred Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: No members active in cluster group
On 15.07.2010 10:08, Andrew Bruno wrote: Hello all, I am having problems in getting clustering to work in a windows server 2008 environment using tomcat 6.0.20 java 1.5 I get the No members active in cluster group message on both tomcats. The engine element on the first tomcat is: Engine name=Catalina defaultHost=localhost jvmRoute=1 Cluster className=org.apache.catalina.ha.tcp.SimpleTcpCluster channelSendOptions=4 Manager className=org.apache.catalina.ha.session.DeltaManager name=someapp expireSessionsOnShutdown=false notifyListenersOnReplication=true/ Channel className=org.apache.catalina.tribes.group.GroupChannel Membership className=org.apache.catalina.tribes.membership.McastService address=228.0.0.5 port=45564 frequency=500 dropTime=3000/ Receiver className=org.apache.catalina.tribes.transport.nio.NioReceiver address=111.111.111.148 port=4001 autoBind=100 selectorTimeout=5000 maxThreads=12/ Sender className=org.apache.catalina.tribes.transport.ReplicationTransmitter Transport className=org.apache.catalina.tribes.transport.nio.PooledParallelSender/ /Sender Interceptor className=org.apache.catalina.tribes.group.interceptors.TcpFailureDetector/ Interceptor className=org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor/ Interceptor className=org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor/ /Channel Valve className=org.apache.catalina.ha.tcp.ReplicationValve filter=.*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;.*\.xls;.*\.sdf;.*\.xml;/ !-- only with jk_mod failover-- Valve className=org.apache.catalina.ha.session.JvmRouteBinderValve enabled=true sessionIdAttribute=takeoverSessionid / !-- only with jk_mod and jvmroutebindervalve-- ClusterListener className=org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener/ ClusterListener className=org.apache.catalina.ha.session.ClusterSessionListener/ /Cluster Host name=localhost unpackWARs=false autoDeploy=false xmlValidation=false xmlNamespaceAware=false Alias111.111.111.154/Alias Aliassomeapp.com/Alias Valve className=org.apache.catalina.valves.AccessLogValve directory=E:\logs\websites\secure_app_01 prefix=default_access_log. suffix=.txt pattern='%h %l %u %t %r %s %b %{user-agent}i %{referer}i' resolveHosts=true/ Logger className=org.apache.catalina.logger.FileLogger directory=E:\logs\websites\secure_app_com_01 prefix=error_log. suffix=.txt timestamp=true/ Context path= reloadable=false distributable=true docBase=E:\web_secure_01\secure_app_com_01 workDir=E:\web_secure_01\secure_work_01 WatchedResourceWEB-INF/web.xml/WatchedResource Logger className=org.apache.catalina.logger.SystemOutLogger verbosity=4 timestamp=true/ /Context /Host /Engine In the second tomcat, the engine element is: Engine name=Catalina defaultHost=localhost jvmRoute=2 Cluster className=org.apache.catalina.ha.tcp.SimpleTcpCluster channelSendOptions=4 Manager className=org.apache.catalina.ha.session.DeltaManager name=someapp expireSessionsOnShutdown=false notifyListenersOnReplication=true/ Channel className=org.apache.catalina.tribes.group.GroupChannel Membership className=org.apache.catalina.tribes.membership.McastService address=228.0.0.5 port=45564 frequency=500 dropTime=3000/ Receiver className=org.apache.catalina.tribes.transport.nio.NioReceiver address=111.111.111.148 port=4002 autoBind=100 selectorTimeout=5000 maxThreads=12/ Sender
Re: 404 with mod_jk
On 13.07.2010 23:17, Michael Powe wrote: Hello, I asked this question in the httpd list but no joy. I have set up tomcat 6 and IBM httpd server to proxy requests using mod_jk. IBM_HTTP_Server/6.0.2 Apache/2.0.47 (Unix) mod_jk/1.2.30 Server at localhost Port 80 I have followed all instructions as nearly as I can make out. The mod_jk log shows: [Tue Jul 13 16:41:02 2010] [7639:50215792] [trace] map_uri_to_worker_ext::jk_uri_worker_map.c (951): enter [Tue Jul 13 16:41:02 2010] [7639:50215792] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1036): Attempting to map URI '/TlTaggerTest/target.jsp' from 9 maps [Tue Jul 13 16:41:02 2010] [7639:50215792] [trace] find_match::jk_uri_worker_map.c (839): enter [Tue Jul 13 16:41:02 2010] [7639:50215792] [debug] find_match::jk_uri_worker_map.c (850): Attempting to map context URI '/TlTaggerTest/*.jsp=worker1' source 'JkMount' [Tue Jul 13 16:41:02 2010] [7639:50215792] [debug] find_match::jk_uri_worker_map.c (863): Found a wildchar match '/TlTaggerTest/*.jsp=worker1' [Tue Jul 13 16:41:02 2010] [7639:50215792] [trace] find_match::jk_uri_worker_map.c (866): exit [Tue Jul 13 16:41:02 2010] [7639:50215792] [trace] map_uri_to_worker_ext::jk_uri_worker_map.c (1065): exit The next lines should have been: ... [7639:50215792] [trace] jk_handler::mod_jk.c (2383): enter ... [7639:50215792] [debug] jk_handler::mod_jk.c (2462): Into handler jakarta-servlet worker=worker1 r-proxyreq=0 It seems there is some other module, that handles the request instead of mod_jk or the handler is not set correctly. If you compiled to module yourself, you can easily find out by applying a little change: 2366 static int jk_handler(request_rec * r) 2367 { 2368 const char *worker_name; 2369 jk_server_conf_t *xconf; 2370 int rc, dmt = 1; 2371 2372 /* We do DIR_MAGIC_TYPE here to make sure TC gets all requests, even 2373 * if they are directory requests, in case there are no static files 2374 * visible to Apache and/or DirectoryIndex was not used. This is only 2375 * used when JkOptions has ForwardDirectories set. */ 2376 /* Not for me, try next handler */ 2377 if (strcmp(r-handler, JK_HANDLER) 2378 (dmt = strcmp(r-handler, DIR_MAGIC_TYPE))) 2379 return DECLINED; 2380 Before line 2372 add the following lines: if (JK_IS_DEBUG_LEVEL(xconf-log)) { jk_log(xconf-log, JK_LOG_DEBUG, Starting jk handler, Apache thinks it should use '%s', r-handler ? r-handler : NULL); } Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache + Mod-jk + Jboss Problem
On 15.07.2010 15:23, Rocky Chak wrote: Hi, I have a application using Apache 2.2.15, Mod_jk and Jboss 4.2.1. Apache and Jboss Running fine till now. Suddenly there is an issue of slow browsing and later it stopped serving pages. We moved to backup server and now trying to fix this one. When Application deployed on Jboss and Jboss run on Port 80 .. Application access functionality is PERFECT. When Apache is on a different machine with same configuration of the present host with mod_jk ... .. Application access functionality is PERFECT. But when Apache and Jboss are configured on the same machine with Jboss on 8080 ( Anyway this port is not required as AJP uses 8009 port ) - Application is behaving in weird fashion. JSP Pages in the application are not rendered fully. No error is displayed in Apache access_log. But mod_jk.log shows these errors: [Thu Jul 15 08:24:39 2010][29201:3086371680] [info] ajp_process_callback::jk_ajp_common.c (1788): Writing to client aborted or client network problems [Thu Jul 15 08:24:39 2010][29201:3086371680] [info] ajp_service::jk_ajp_common.c (2447): (node1) sending request to tomcat failed (unrecoverable), because of client write error (attempt=1) [Thu Jul 15 08:24:41 2010][29201:3086371680] [info] service::jk_lb_worker.c (1384): service failed, worker node1 is in local error state [Thu Jul 15 08:24:41 2010][29201:3086371680] [info] service::jk_lb_worker.c (1403): unrecoverable error 200, request failed. Client failed in the middle of request, we can't recover to another instance. [Thu Jul 15 08:24:41 2010]loadbalancer abc.xyz.com 70.790837 (url removed by me) [Thu Jul 15 08:24:41 2010][29201:3086371680] [info] jk_handler::mod_jk.c (2608): Aborting connection for worker=loadbalancer [Thu Jul 15 08:24:48 2010][29199:3086371680] [info] ajp_process_callback::jk_ajp_common.c (1788): Writing to client aborted or client network problems [Thu Jul 15 08:24:48 2010][29199:3086371680] [info] ajp_service::jk_ajp_common.c (2447): (node1) sending request to tomcat failed (unrecoverable), because of client write error (attempt=1) [Thu Jul 15 08:24:50 2010][29199:3086371680] [info] service::jk_lb_worker.c (1384): service failed, worker node1 is in local error state [Thu Jul 15 08:24:50 2010][29199:3086371680] [info] service::jk_lb_worker.c (1403): unrecoverable error 200, request failed. Client failed in the middle of request, we can't recover to another instance. [Thu Jul 15 08:24:50 2010]loadbalancer abc.xyz.com 10.869269 [Thu Jul 15 08:24:50 2010][29199:3086371680] [info] jk_handler::mod_jk.c (2608): Aborting connection for worker=loadbalancer [Thu Jul 15 08:24:52 2010][29195:3086371680] [info] ajp_process_callback::jk_ajp_common.c (1788): Writing to client aborted or client network problems [Thu Jul 15 08:24:52 2010][29195:3086371680] [info] ajp_service::jk_ajp_common.c (2447): (node1) sending request to tomcat failed (unrecoverable), because of client write error (attempt=1) [Thu Jul 15 08:24:54 2010][29195:3086371680] [info] service::jk_lb_worker.c (1384): service failed, worker node1 is in local error state [Thu Jul 15 08:24:54 2010][29195:3086371680] [info] service::jk_lb_worker.c (1403): unrecoverable error 200, request failed. Client failed in the middle of request, we can't recover to another instance. [Thu Jul 15 08:24:54 2010]loadbalancer abc.xyz.com 6.253777 [Thu Jul 15 08:24:54 2010][29195:3086371680] [info] jk_handler::mod_jk.c (2608): Aborting connection for worker=loadbalancer [Thu Jul 15 08:24:55 2010][29198:3086371680] [info] ajp_process_callback::jk_ajp_common.c (1788): Writing to client aborted or client network problems [Thu Jul 15 08:24:55 2010][29198:3086371680] [info] ajp_service::jk_ajp_common.c (2447): (node1) sending request to tomcat failed (unrecoverable), because of client write error (attempt=1) [Thu Jul 15 08:24:57 2010][29198:3086371680] [info] service::jk_lb_worker.c (1384): service failed, worker node1 is in local error state [Thu Jul 15 08:24:57 2010][29198:3086371680] [info] service::jk_lb_worker.c (1403): unrecoverable error 200, request failed. Client failed in the middle of request, we can't recover to another instance. This error occurs whenever there is a request. Can somebody please help why this is happening. What's your operating system? The error means, that mod_jk wants to send back response packet via Apache and Apache told mod_jk that it couldn't send the data to the client/browser. Usually that means the connections has been closed by the browser. Occasional occurence of this (e.g. for 1 percent of all requests) is OK, because typically it happens, when a user doesn't wait for the full answer and instead proceeds clicking. Then the browser closes the previous connection, likely with a connection reset, and starts a new connection for the next request. The web server doesn't know about the closed connection and only when it tries to send the next packet it gets an error from the OS, that the connction is
Re: [OT] Using httpd's mod_rewrite with mod_jk
On 04.07.2010 04:16, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rainer, On 7/3/2010 1:54 PM, Rainer Jung wrote: On 03.07.2010 14:08, Rainer Jung wrote: On 02.07.2010 22:02, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rainer, On 7/2/2010 10:13 AM, Rainer Jung wrote: On 02.07.2010 02:37, Christopher Schultz wrote: Okay, I changed my RewriteRule to this: RewriteRule .* /bad-browser.shtml [L,E=no-jk] OK, I did a little test: RewriteRule .* /bad-browser.shtml [L,E=no-jk:1] should work. A quick glance at mod_rewrite's code indicates it drops E= rules when no value is present. You know, I should have thought of that. My other experiences with environment variables and non-env variables with Apache was that you can set a variable to nothing but it is still considered set (or defined, if you prefer). In this case, it is not. Right, I'd say it's a buglet in mod_rewrite. Maybe something I can improve for httpd trunk ... (I need to check whether it still behaves the same there). I made the VAL argument in ENV=VAR:VAL optional for httpd trunk: http://svn.apache.org/viewvc?rev=960233view=rev and proposed it for backport to httpd 2.2.x. It's a trivial change, no risk, and a nice shortcut for configuration. Otherwise the module should at least complain about an invalid flag syntax. Nice cross project interaction :) Always glad to help, even on trivial matters. Thanks for the patch. And as of revision 964741 it is part of 2.2.x. Will be released with 2.2.16. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache + Mod-jk + Jboss Problem
On 16.07.2010 12:55, Rocky Chak wrote: Hi, Thanks for the reply. Here are my answers. OS: RHEL 5 S/w: Apache 2.2.15, Mod_jk 1.2.x, Jboss 4.2.1GA - Yes, I am able to reproduce the situation ( actually this situation is consistent not going away) Can you reproduce without much other load? Then you could increase the log level to trace, run the reproduction and provide the log. We get a little more out of that. But this is not appropriate if there is much load, because trace logs to much. - I cannot check the traffic from the same machine as the machine located in a datacenter. That's bad, it is not unlikely, that you need to find someone, who can sniff between your client IP and the server. - I even modified the firewall rules to block access to Port 80 to the whole world and allow only single IP of my network. Still the problem persists. - No Errors were reproted at Apache level - When Apache is on a different machine the functionality looks normal. - I do suspect the reason give by you is valid that some network device is playing a role in between to close the traffic. Let me confirm that also. Please send any more suggestions. Do you compile the module yourself, in other words, if we add a couple of log statements to analyze the root cause and provide you with a new source tarball, can you build the module and reproduce? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache + Mod-jk + Jboss Problem
On 16.07.2010 13:11, shivanic wrote: Hello Rainer, Regarding the solution proposed to sniff for packet movement - what tool was used for this purpose. (wireshark is one of the tools used generally ) Wirshark or tcpdump. Both use libpcap format for the raw packet capture. So you can e.g. sniff using the commandline tool tcpdump which will be simpler to use on the server, and then have a look at the data using wireshark. If you are familar with tcdump, you can do the analysis also using only tcpdump, if you need a GUI to suppot you in doing the analysis, wireshark is helpful. Rainer Jung-3 wrote: Checking the MAC addresses revealed, those packets were not coming rom the browser, but instead from some other network security device. Thi device decided the traffic was malicious and send a reset packet. The traffic was not going through the device, it simply sniffed the LAN traffic and inserted a reset packet when it thought it would help security ... Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: using Apache as a front end for Tomcat
On 20.07.2010 15:30, André Warnier wrote: James Godrej wrote: On your blog http://myunster.com/blog/10.html at step number 8 you mentioned to create worker.properties there a variable is workers.tomcat_home and workers.java_home I think that both of these variables/properties have been obsolete for a long time, and are not used at all by mod_jk. A long time meaning at least 4-5 years. Examples of workers.properties which have them still, are most probably out of date. Grab yourself the official source download of mod_jk 1.2.30. It contains a useful and well-commented example workers.properties. Older ones do not contain a good example config. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Cluster session failover question
On 22.07.2010 16:19, Darren Kukulka wrote: Hi Tomcatters, Just a quick question regarding Apache Web Server load balancing down to Tomcat cluster. We have a number of 2-node Tomcat 6.0.20 clusters, all configured as peer to peer pairs, on the same subnet with no real network oddities mesh getting in the way to speak of. Apache Mod_jk is used to balance connections from users down to the Tomcat clusters, using the availability ('B') load balancing method, with sticky sessions on. There are situations where we need to restart either of the nodes to affect a change...or use Probe to bring a single application down/up for the same purpose on a single node. When we do this sometimes, users report that their sessions are lost...and they cannot re-establish a new connection, unless they refresh their browsers (no proxy configuration getting involved here), even if the node/app is back up. Another, more difficult scenario, is when one of the Tomcat cluster nodes begins to groan and become unresponsive, say when OldGen or PermGen becomes full...in this case the mod_jk connector does not identify the node as having failed and will continue to attempt to pass requests to it, rather than pass them to the more responsive node. Are there any configuration settings to be mindful of with these scenarios? Concerning the mod_jk configuration, grabbing a source tarball for mod_jk 1.2.30 and looking at the contained example configuration is a good start. Details can then be found at http://tomcat.apache.org/connectors-doc/ especially in the Reference Guide. Versions before 1.2.30 do not contain a good example config, so grab the latest. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Connection Refused On Tomcat Server Shutdowns if...
On 22.07.2010 17:02, John A Parker wrote: Using apache-tomcat-6.0.28... We are encountering issue with catalina.sh stops IF we use a variable to set the SHUTDOWN port. e.g.: CATALINA_OPTS = ...-Dco.shutdown.port=8104 ... server.xml =... !- Server port=8104 shutdown=SHUTDOWN -- Server port=${co.shutdown.port} shutdown=SHUTDOWN ... After startup we see... ... java 24389 tcowner 42u IPv6 8406404 TCP localhost.localdomain:8104 (LISTEN) But on shutdown we get... SEVERE: Catalina.stop: java.net.ConnectException: Connection refused at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333) at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195) at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366) at java.net.Socket.connect(Socket.java:529) at java.net.Socket.connect(Socket.java:478) at java.net.Socket.init(Socket.java:375) at java.net.Socket.init(Socket.java:189) at org.apache.catalina.startup.Catalina.stopServer(Catalina.java:408) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:338) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:416) Tomcat did not stop in time. PID file was not removed. IF however I swap the server.xml SHUTDOWN port lines shown above then the catalina.sh stop works as it should. Any ideas on why the dynamic port definition works on startup but not on shutdown? CATALINA_OPTS is only used during startup. If you want to add parameters for startup and shutdown, use JAVA_OPTS. See also the comments at the beginning of catalina.(sh|bat). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Connection Refused On Tomcat Server Shutdowns if...
On 22.07.2010 17:24, David Fisher wrote: If you look at catalina.sh you will see that stop does not include CATALINA_OPTS: $_RUNJAVA $JAVA_OPTS \ -Djava.endorsed.dirs=$JAVA_ENDORSED_DIRS -classpath $CLASSPATH \ -Dcatalina.base=$CATALINA_BASE \ -Dcatalina.home=$CATALINA_HOME \ -Djava.io.tmpdir=$CATALINA_TMPDIR \ org.apache.catalina.startup.Bootstrap $@ stop Change your catalina.sh to include your CATALINA_OPTS and it ought to work. Looks like a bug in Tomcat to me. Feature, not a bug. There are options that you actually do not want to occur for start and stop, e.g. assume you assign 1GB of heap per commandline parameter. If the same parameter were used for stopping, the shutdown process that lives only a few milliseconds to connect to the shutdown port of Tomcat would also be started with this huge memory size, although it doesn't need it. Another example is using a JMX port. If you use the same flag for the shutdown process, the JVM will not initialize, because it can not bind to the JMX port already in use. This has been introduced in 6.0.15, see https://issues.apache.org/bugzilla/show_bug.cgi?id=42951 Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL, mod_proxy_ajp and AJP connectors query
On 22.07.2010 19:31, Brett Delle Grazie wrote: Hi, I'm using RHEL5.5 (Up-to-date) Apache httpd-2.2.3 (from RHEL) with mod_proxy/mod_proxy_ajp Tomcat 6.0.28 (binary distribution from apache). Tomcat native libs (1.1.20, compiled) I have a question regarding AJP connectors and SSL Our application is being SSL offloaded at the HTTPD server end so communication with Tomcat doesn't need to be encrypted. I have two virtual hosts configured in Apache HTTPD (one for :80, one for :443) with the application being proxied in both virtual hosts. My question is, in the Tomcat server.xml, do I require _two_ AJP connectors as follows: (executor omitted for simplicity) !-- AJP connector pair (HTTP and fake HTTPS), proxied -- Connector executor=tomcatThreadPool enableLookups=false port=8009 protocol=org.apache.coyote.ajp.AjpAprProtocol redirectPort=8010 proxyPort=80 / Connector executor=tomcatThreadPool enableLookups=false port=8010 protocol=org.apache.coyote.ajp.AjpAprProtocol scheme=https secure=true proxyPort=443 / Or can I proxy both HTTP and HTTPS requests to the same AJP connector and have Tomcat correctly recognise when its SSL and return the correct port to the application so URLs are constructed properly? If I do this, are there any special configuration needed in the SSL vhost? It will work with well-behaved apps without special configuration. That's one strength of the AJP protocol. See http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html for more details. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat AJP vs mod_jk's max_pool_size
On 23.07.2010 04:07, Imran Khan wrote: Hi, I am currently using apache tomcat 5.5 using mod_jk to connect with apache 2.2. I am curious to understand how the AJP 1.3 connector works. Basically I would like to know if maxThreads attribute has the same meaning with the AJP connector as it does with standard HTTP connectors. I would like to increase the number of connectors, but I noticed there is also connection_pool_size and connection_pool_minsize on the workers.properties file. What is the relationship between the AJP connectors maxThreads and the connection_pool_size? The configuration of the connection pool size in workers.properties is per Apache *process*. On most platforms Apache has a dynamically managed number of processes, so in total there will be much more connections than the configured pool size. Pools are not shared over process boundaries. The most notable exception is Windows, since the Apache MPM for Windows uses a single process with lots of threads. mod_jk will automatically detect how many threads per process you have and set the pool size to this value, see docs at: http://tomcat.apache.org/connectors-doc/reference/workers.html So you should fiddle with the pool size on the mod_jk side only, if you want to artificially restrict it. You might want to set the minimum pool size though. For Tomcat the story is different, the max thread pool size is the maximum number of threads available to handle connections coming in on the respective Connector port. Since AJP uses persistent connections, you usually have much more connections, than in-flight requests. The numbers get even bigger, if you have a farm of Apache servers in front. Each one will consume Tomcat threads. A good starting point for the mod_jk configuration is the example configuration contained in the mod_jk source download for version 1.2.30. Previous versions do not include a production ready example config. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Shutting Down by Itself?
On 23.07.2010 19:43, Robinson, Eric wrote: We've observed tomcat5 shutting down seemingly by itself recently. This morning I saw this in the log: - Scheduler DefaultQuartzScheduler_$_NON_CLUSTERED shutting down. Any way to tell why tomcat is shutting down? Maybe something from this recent discussion applies: http://marc.info/?t=12767355721r=1w=2 Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL terminated at load balancer, Http11Processor sends ssl redirects to :80
On 26.07.2010 21:48, Leinartas, Michael wrote: So I have what appears to be an obscure issue which is a consequence of our architecture and am wondering if anyone's run into anything similar and if my proposed solution is valid. So here's the background of our setup: We run our tomcat by starting it within a simple container using the catalina.startup.Embedded class and wiring up everything manually (i.e. myembedded = new Embedded(new MemoryRealm()). We add two connectors, one for http and one for https. The hardware load balancers we use send http traffic to the http port and terminate ssl for https traffic, sending unencrypted http traffic to the https port. Make sense? The way we've been able to do this is to create an HTTP/1.1 connector and then mark it as secure and with an https scheme (so that request.getScheme() and request.isSecure() return correctly to the webapp): Connector c = new Connector(HTTP/1.1); c.setSecure(true); c.setScheme(https); This is similar to how I've seen it done when googling around for this: Connector port=8443 protocol=HTTP/1.1 scheme=https secure=true / Now this works fine *except* that when the application needs to send a redirect to a relative path using catalina.connector.Response.sendRedirect(String location), that method converts the path to an absolute path (catalina.connector.Response.toAbsolute) using the info from request.getScheme(), request.getServerName(), and request.getServerPort(). It's the request.getServerPort() that's causing a problem. getServerPort is implemented in coyote's Http11.*Processor classes to return port 80 if !ssl or !sslEnabled (depending on which implementation). So in this case, the method always returns port 80 (unless the url already has a port in it as it does in dev). To actually flip the values of those booleans would require setting the SSLEnabled property on the connector which is not what we want. The end result is that if we have, say a secure login page that redirects back to the home page on success, the user is redirected to https://www.mysite.com:80/ which is invalid. What I'm thinking is that getServerPort() should instead be checking to see whether the scheme is http or https rather than looking whether the processor is *actually* handling ssl or not. Is this a valid solution (i.e. should I test and submit a patch) or is there a clean (or hell, even dirty) alternative? Set proxyPort on the connector? See: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Shutting Down by Itself?
On 28.07.2010 01:01, Robinson, Eric wrote: 2) Use System.getRuntime().addShutdownHook() to trigger your own thread when the JVM does decide to exit. Assuming the OP does not have easy access to the running application, would that mean adding another application which is launched at Tomcat start, and runs the above ? Or do you need to do this in the application itself ? That was my next question, too. Sorry I don't remember the whole long discussion thread. So we definiteley know the process is gone and not that it is only no longer responding? Do we know whether it was an orderly Tomcat shutdown or not? Log messages in the Tomcat log files? Assuming it was not: do we know it was an orderly JVM shutdown. Here we could use the shutdown hook. You can - deploy another webapp (needs write access to Tomcat config or deployment area depending on config) - change the existing webapp (i.e. adding a context listner that registers the hook during startup; don't need to change existing webapp classes) - add a JSP which registers the hook when called (only needs write access to some content directory on the existing webapp) - Download TC source and add it there (if you can't change anything in the webapp or config directories, but can write to the Tomcat classes or lib directories. Or: do you see any hotspot error files, which should be there if the JVM crashes and can write to the working directory.If you had a newer JVM (recent 1.5 or 1.6) you could add the flag -XX:OnError=... to run a command at the moment it crashes. Concerning special requests which might trigger functionality leading to a crash: You could add a filter to the webapp doing a simplified access log in front of request processing and then check after crsh, which of those were missing in the final access log. To make matching easir, the filter could add a request attribute with a unique ID to each request and log it, and you can configure your normal access log pattern to also include this attribute. So you only have to compare the two ID lists to find the reuests, that entered Tomcat but were not finished when it crashed. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Session ID changes when a node goes down
On 31.07.2010 15:06, Mark Thomas wrote: On 31/07/2010 13:58, Oscar Segarra Rey wrote: Hi, We are developing a web application wich uses session listeners and such kind of stuff in order to control which users are loged in every time. Nevertheless we have experienced a developement problem due to the session ID changes when one node goes down. 30/07/2010 13:08:27 org.apache.catalina.ha.session.JvmRouteBinderValve changeSessionID FINE: Changed session from [18434EBFCF3D1009BBEEE5C02D370BCF.workerW37] to [18434EBFCF3D1009BBEEE5C02D370BCF.workerW38] The jvmRoute part of the session ID is required for sticky sessions to work. If a node goes down, the session fails over to another node and hence the jvmRoute has to change. I think session ID should not change its ID or should be a way to avoid this rename processs. Is there any workarround or change this behaviour ? 1. Don't code your application assuming the session ID is constant 2. Don't use sticky sessions 3. Add a listener to handle the change in session ID 4. Remove everything behind a dot . from the session id before using it as a key into your own data. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Rewrite URLs inside HTML pages?
On 02.08.2010 06:31, Leon Kolchinsky wrote: Hello, I've configured Tomcat (apache-tomcat-5.5.26) to run behind Apache Http (v.2.2.3 ) using mod_jk. We have 2 of those Tomcat servers running on different machines. We also configured load balancer (CISCO CSM) which we want to use for SSL offloading and LB. Load balancer serves https requests and forwards them to http (on the above servers). The problem is that links given by apache - the generated html pages (by Sakai app.) appeared to include http:// And this is a major problem since we can't even serve forms from https URL's (the URL of the page is https://. but links inside the HTML page itself are from http:// format) I've been thinking to try to resolve this with ProxyHTMLURLMAp (mod_proxy_html) but I have no experience with this module. Can someone give me a sample syntax that I can try to include in my vhost configuration? Below is my virt. host configuration: NameVirtualHost *:80 VirtualHost *:80 ServerName servername.com ServerAdmin leo...@servername.com ServerAlias sakai-server # if not specified, the global error log is used ErrorLog /var/log/httpd/servername.com-error_log CustomLog /var/log/httpd/servername.com-access_log combined HostnameLookups Off UseCanonicalName Off # Add index.jsp to DirectoryIndex files DirectoryIndex index.php index.html index.htm index.shtml index.php4 index.php3 index.phtml index.cgi index.jsp JkMount /* worker1 It might be worthwhile finding out, why sakai produces wrong links. E.g. if you are using mod_jk to connect Apache to Tomcat, and you are talking HTTPS to Apache, then the calls the isSecure(), getScheme(), getProtocol() will return the information as seen by Apache, so the webapp is able to find out that https is used and it seems to be a bug in sakai. See for instance: http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html If you are using http between Apache and Tomcat (not AJP13), then there are connector settings for Tomcat to let the webapp know, that you are actually using HTTPS on the proxy. If you can't fix it like this but instead really have to parse response pages and replace links in them, three Apache module choices are mod_proxy_html (which you already mentioned), mod_substitute and mod_sed. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Rewrite URLs inside HTML pages?
Hi Felix, hope you are doing well! On 02.08.2010 11:46, Felix Schumacher wrote: Hi Rainer, On Mon, 02 Aug 2010 10:00:57 +0200, Rainer Jungrainer.j...@kippdata.de wrote: On 02.08.2010 06:31, Leon Kolchinsky wrote: Hello, I've configured Tomcat (apache-tomcat-5.5.26) to run behind Apache Http (v.2.2.3 ) using mod_jk. We have 2 of those Tomcat servers running on different machines. We also configured load balancer (CISCO CSM) which we want to use for SSL offloading and LB. Load balancer serves https requests and forwards them to http (on the above servers). The problem is that links given by apache - the generated html pages (by Sakai app.) appeared to include http:// And this is a major problem since we can't even serve forms from https URL's (the URL of the page is https://. but links inside the HTML page itself are from http:// format) I've been thinking to try to resolve this with ProxyHTMLURLMAp (mod_proxy_html) but I have no experience with this module. Can someone give me a sample syntax that I can try to include in my vhost configuration? Below is my virt. host configuration: NameVirtualHost *:80 VirtualHost *:80 ServerName servername.com ServerAdmin leo...@servername.com ServerAlias sakai-server # if not specified, the global error log is used ErrorLog /var/log/httpd/servername.com-error_log CustomLog /var/log/httpd/servername.com-access_log combined HostnameLookups Off UseCanonicalName Off # Add index.jsp to DirectoryIndex files DirectoryIndex index.php index.html index.htm index.shtml index.php4 index.php3 index.phtml index.cgi index.jsp JkMount /* worker1 It might be worthwhile finding out, why sakai produces wrong links. E.g. if you are using mod_jk to connect Apache to Tomcat, and you are talking HTTPS to Apache, then the calls the isSecure(), getScheme(), getProtocol() will return the information as seen by Apache, so the webapp is able to find out that https is used and it seems to be a bug in sakai. as I understood the issue, the problems arise from using a loadbalancer in front of the apache httpd servers, which are using mod_jk to communicate with the tomcats. The loadbalancers are terminating the ssl connection and presumably changing hostnames too. Ah OK, missed that. But given the documentation link you gave below, it should be easy to configure the vhost in apache httpd (or two - one for ssl, one for non-ssl traffic) by setting JkEnvVar for scheme, hostname and port if necessary. If I read http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html correctly, one could use proxyPort, proxyName and scheme in the ajp-connector. If using mod_jk, you can tell mod_jk, that it should derive the information, whether SSL is used or not from some Apache environment variable. You can the set the variable as you like e.g. depending on the client IP is the connection coming from the loadbalancer) or some other params. So you would use JkHTTPSIndicator MyHTTPSIndicator to let mod_jk check the variable MyHTTPSIndicator instead of the Apache builtin HTTPS variable, whether HTTPS is used. Then you have to set the env var to On for each request you know, that it is actually using https from the client point of view, e.g. SetEnvIf Remote_Addr 10\.0\.0\.27 MyHTTPSIndicator=On where e.g. 10.0.27 is the address of the load balancer (if the requests arrive actually with this IP, see the acess log). Or you use a separate port and vhost in Apache where you connect the LB to and you know everything on this port was originally HTTPS, then you could simply set MyHTTPSIndicator always to On in this vhost. Regards, Rainer See for instance: http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html If you are using http between Apache and Tomcat (not AJP13), then there are connector settings for Tomcat to let the webapp know, that you are actually using HTTPS on the proxy. If you can't fix it like this but instead really have to parse response pages and replace links in them, three Apache module choices are mod_proxy_html (which you already mentioned), mod_substitute and mod_sed. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Rewrite URLs inside HTML pages?
Did you notice, that our expectation is you won't need any page rewriting when using JkHTTPSIndicator? Regards, Rainer On 03.08.2010 08:45, Leon Kolchinsky wrote: Thanks for your help Rainer/Felix, I've tested several options including mod_substitute and mod_sed and it seems that mod_substitute is a way to go. This is my working configuration now: LoadModule substitute_module modules/mod_substitute.so ... AddOutputFilterByType SUBSTITUTE text/html Substitute s|http://myserver|https://load-balancer|i Substitute s|http://load-balancer|https://load-balancer|i Don't ask me why there is a last line, I see no logic here, but without it I still get several http instead https links via load-balancer backend (May be Sakai or CISCO CSM side fault). Best Regards, Leon Kolchinsky On Mon, Aug 2, 2010 at 20:14, Rainer Jungrainer.j...@kippdata.de wrote: Hi Felix, hope you are doing well! On 02.08.2010 11:46, Felix Schumacher wrote: Hi Rainer, On Mon, 02 Aug 2010 10:00:57 +0200, Rainer Jungrainer.j...@kippdata.de wrote: On 02.08.2010 06:31, Leon Kolchinsky wrote: Hello, I've configured Tomcat (apache-tomcat-5.5.26) to run behind Apache Http (v.2.2.3 ) using mod_jk. We have 2 of those Tomcat servers running on different machines. We also configured load balancer (CISCO CSM) which we want to use for SSL offloading and LB. Load balancer serves https requests and forwards them to http (on the above servers). The problem is that links given by apache - the generated html pages (by Sakai app.) appeared to include http:// And this is a major problem since we can't even serve forms from https URL's (the URL of the page is https://. but links inside the HTML page itself are from http:// format) I've been thinking to try to resolve this with ProxyHTMLURLMAp (mod_proxy_html) but I have no experience with this module. Can someone give me a sample syntax that I can try to include in my vhost configuration? Below is my virt. host configuration: NameVirtualHost *:80 VirtualHost *:80 ServerName servername.com ServerAdmin leo...@servername.com ServerAlias sakai-server # if not specified, the global error log is used ErrorLog /var/log/httpd/servername.com-error_log CustomLog /var/log/httpd/servername.com-access_log combined HostnameLookups Off UseCanonicalName Off # Add index.jsp to DirectoryIndex files DirectoryIndex index.php index.html index.htm index.shtml index.php4 index.php3 index.phtml index.cgi index.jsp JkMount /* worker1 It might be worthwhile finding out, why sakai produces wrong links. E.g. if you are using mod_jk to connect Apache to Tomcat, and you are talking HTTPS to Apache, then the calls the isSecure(), getScheme(), getProtocol() will return the information as seen by Apache, so the webapp is able to find out that https is used and it seems to be a bug in sakai. as I understood the issue, the problems arise from using a loadbalancer in front of the apache httpd servers, which are using mod_jk to communicate with the tomcats. The loadbalancers are terminating the ssl connection and presumably changing hostnames too. Ah OK, missed that. But given the documentation link you gave below, it should be easy to configure the vhost in apache httpd (or two - one for ssl, one for non-ssl traffic) by setting JkEnvVar for scheme, hostname and port if necessary. If I read http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html correctly, one could use proxyPort, proxyName and scheme in the ajp-connector. If using mod_jk, you can tell mod_jk, that it should derive the information, whether SSL is used or not from some Apache environment variable. You can the set the variable as you like e.g. depending on the client IP is the connection coming from the loadbalancer) or some other params. So you would use JkHTTPSIndicator MyHTTPSIndicator to let mod_jk check the variable MyHTTPSIndicator instead of the Apache builtin HTTPS variable, whether HTTPS is used. Then you have to set the env var to On for each request you know, that it is actually using https from the client point of view, e.g. SetEnvIf Remote_Addr 10\.0\.0\.27 MyHTTPSIndicator=On where e.g. 10.0.27 is the address of the load balancer (if the requests arrive actually with this IP, see the acess log). Or you use a separate port and vhost in Apache where you connect the LB to and you know everything on this port was originally HTTPS, then you could simply set MyHTTPSIndicator always to On in this vhost. Regards, Rainer See for instance: http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html If you are using http between Apache and Tomcat (not AJP13), then there are connector settings for Tomcat to let the webapp know, that you are actually using HTTPS on the proxy. If you can't fix it like this but instead really have to parse response pages and replace links in them, three Apache module choices are mod_proxy_html (which you already
Re: Tomcat 6.0.18/ IIS 6.0 /SSL
On 04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote: I am trying to get Tomcat and IIS configured on my secure web server (SSL) so that I can access my deployed web application via https and NOT over http. Connection to non-SSL works, but I cannot have that connection due to security. I want to run Tomcat through IIS, and I have configured it using the isapi_redirect.dll (thanks to Electronjockey). However, when I try and hit my https://site/geoportal https://site/geoportal my credentials do not carry me through to the web application, instead I receive Internet Explorer Cannot Display Webpage. Can someone help me out on how to configure my server.xml and interpretting my log files please? I have even tried to export my server certificate, and call it using the keystore:, still not working. I'm a Tomcat green horn, any help would be awesome. Isapi_redirect.log file: Looks like some sort of authentication is being passed, then the ajp13 is not found? [Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70 addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll [Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug] jk_isapi_plugin.c (3120): Service request headers=5 attributes=9 chunked=no content-length=0 available=0 [Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116): did not find a worker ajp13 [Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug] jk_isapi_plugin.c (2162): could not get a worker for name ajp13 [Wed Aug 04 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c (2210): could not get a worker for name ajp13 Hard to tell without knowing the version of the isapi redirector, not having your configuration. This looks like: - it is trying to use a worker named ajp13 to connect to Tomcat. Lile y you have configured the redirector to use this worker within your uriworkermap.properties file - the redirector doesn't know how to use this worker. Either you are missing the workers.properties configuration file or there is no definition for a worker named ajp13 in the file. A good starting point for a workers.properties file is the example file contained in the source distribution of version 1.2.30. Please do also use this version of the redirector. Note: from the point of view of Tomcat it doesn't really matter whether you are talking http or https in the browser. This protocol is only used between the browser and IIS. Between IIS and Tomcat when using the isapi redirector the protocol is always AJP13 (it is just coincidence, that this is the same name as the name of the worker in your logs). The protocol is similar to HTTP but binary and it transports the information whether the browser used http or https, so Tomcat is aware of this. This protocol does not use the http or https connectors in server.xml, only the AJP13 connector. Here is the meat of my server.xml (pretty sure it's wrong): !-- A Connector represents an endpoint by which requests are received and responses are returned. Documentation at : Java HTTP Connector: /docs/config/http.html (blocking non-blocking) Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector: /docs/apr.html Define a non-SSL HTTP/1.1 Connector on port 8080 -- Connector port=8080 protocol=HTTP/1.1 connectionTimeout=2 redirectPort=80 / !-- A Connector using the shared thread pool-- Connector executor=tomcatThreadPool port=8009 protocol=HTTP/1.1 connectionTimeout=2 redirectPort=443 / !-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses the JSSE configuration, when using APR, the connector should be using the OpenSSL style configuration described in the APR documentation -- Connector port=8443 protocol=HTTP/1.1 SSLEnabled=true maxThreads=150 scheme=https secure=true clientAuth=false sslProtocol=TLSv1 keystoreFile=C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\conf\cert.pfx keystorePass=mypassword keystoreType=pkcs12 / !-- Define an AJP 1.3 Connector on port 8009 -- Connector port=8009 protocol=AJP/1.3 redirectPort=8443 / Two connectors, both on port 8009, will not work. Use the latter one. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 6.0.18/ IIS 6.0 /SSL
On 04.08.2010 20:58, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote: Jung, I'm still getting the errors. Why shouldn't you? Did you actually read my post? Which parts didn't you understand? Connector port=8080 protocol=Java HTTP What protocol should I use here (do not want to expose) connectionTimeout=2 redirectPort=80 / This connector is *not* involved when using Browser - IIS/Redirector - Tomcat Connector port=8443 protocol=HTTP/1.1 SSLEnabled=true -Does this look right? maxThreads=150 scheme=https secure=true clientAuth=false sslProtocol=TLSv1 keystoreFile=C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\conf\cert.pfx keystorePass=password keystoreType=pkcs12 / This one neither. Connector port=8009 protocol=AJP/1.3 redirectPort=8443 / -Is this where my actual authentication is taking place? This connector should be used depending on your redirector config which we haven't seen yet. The error message you provided doesn't have to do with authentication. Authentication problems might show up after you solved your worker configuration problem. Until now your IIS doesn't even talk to Tomcat. Regards, Rainer -Original Message- From: Rainer Jung [mailto:rainer.j...@kippdata.de] Sent: Wednesday, August 04, 2010 1:38 PM To: Tomcat Users List Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL On 04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote: I am trying to get Tomcat and IIS configured on my secure web server (SSL) so that I can access my deployed web application via https and NOT over http. Connection to non-SSL works, but I cannot have that connection due to security. I want to run Tomcat through IIS, and I have configured it using the isapi_redirect.dll (thanks to Electronjockey). However, when I try and hit my https://site/geoportalhttps://site/geoportal my credentials do not carry me through to the web application, instead I receive Internet Explorer Cannot Display Webpage. Can someone help me out on how to configure my server.xml and interpretting my log files please? I have even tried to export my server certificate, and call it using the keystore:, still not working. I'm a Tomcat green horn, any help would be awesome. Isapi_redirect.log file: Looks like some sort of authentication is being passed, then the ajp13 is not found? [Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70 addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll [Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug] jk_isapi_plugin.c (3120): Service request headers=5 attributes=9 chunked=no content-length=0 available=0 [Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116): did not find a worker ajp13 [Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug] jk_isapi_plugin.c (2162): could not get a worker for name ajp13 [Wed Aug 04 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c (2210): could not get a worker for name ajp13 Hard to tell without knowing the version of the isapi redirector, not having your configuration. This looks like: - it is trying to use a worker named ajp13 to connect to Tomcat. Lile y you have configured the redirector to use this worker within your uriworkermap.properties file - the redirector doesn't know how to use this worker. Either you are missing the workers.properties configuration file or there is no definition for a worker named ajp13 in the file. A good starting point for a workers.properties file is the example file contained in the source distribution of version 1.2.30. Please do also use this version of the redirector. Note: from the point of view of Tomcat it doesn't really matter whether you are talking http or https in the browser. This protocol is only used between the browser and IIS. Between IIS and Tomcat when using the isapi redirector the protocol is always AJP13 (it is just coincidence, that this is the same name as the name of the worker in your logs). The protocol is similar to HTTP but binary and it transports the information whether the browser used http or https, so Tomcat is aware of this. This protocol does not use the http or https connectors in server.xml, only the AJP13 connector. Here is the meat of my server.xml (pretty sure it's wrong): !-- A Connector represents an endpoint by which requests are received and responses are returned. Documentation at : Java HTTP Connector: /docs/config/http.html (blocking non-blocking) Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector: /docs/apr.html Define a non-SSL HTTP/1.1 Connector on port 8080 -- Connector port=8080 protocol=HTTP/1.1 connectionTimeout=2 redirectPort=80 / !-- A Connector using the shared thread pool
Re: Tomcat 6.0.18/ IIS 6.0 /SSL
On 04.08.2010 21:50, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote: I did read your post and I changed the Port Number. Connector port=8009 protocol=AJP/1.3 redirectPort=8443 / This connector should be used depending on your redirector config which we haven't seen yet Here is my workers.properties: worker.list=worker1 worker.worker1.type=ajp13 worker.worker1.host=127.0.0.1 worker.worker1.port=8009 Here is my uriworkermap.properties: /geoportal|/*=worker1 This didn't work, since the log snippet said it tried to use a worker named ajp13, not worker1. Regards, Rainer -Original Message- From: Rainer Jung [mailto:rainer.j...@kippdata.de] Sent: Wednesday, August 04, 2010 3:40 PM To: Tomcat Users List Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL On 04.08.2010 20:58, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote: Jung, I'm still getting the errors. Why shouldn't you? Did you actually read my post? Which parts didn't you understand? Connector port=8080 protocol=Java HTTP What protocol should I use here (do not want to expose) connectionTimeout=2 redirectPort=80 / This connector is *not* involved when using Browser - IIS/Redirector - Tomcat Connector port=8443 protocol=HTTP/1.1 SSLEnabled=true -Does this look right? maxThreads=150 scheme=https secure=true clientAuth=false sslProtocol=TLSv1 keystoreFile=C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\conf\cert.pfx keystorePass=password keystoreType=pkcs12 / This one neither. Connector port=8009 protocol=AJP/1.3 redirectPort=8443 / -Is this where my actual authentication is taking place? This connector should be used depending on your redirector config which we haven't seen yet. The error message you provided doesn't have to do with authentication. Authentication problems might show up after you solved your worker configuration problem. Until now your IIS doesn't even talk to Tomcat. Regards, Rainer -Original Message- From: Rainer Jung [mailto:rainer.j...@kippdata.de] Sent: Wednesday, August 04, 2010 1:38 PM To: Tomcat Users List Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL On 04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote: I am trying to get Tomcat and IIS configured on my secure web server (SSL) so that I can access my deployed web application via https and NOT over http. Connection to non-SSL works, but I cannot have that connection due to security. I want to run Tomcat through IIS, and I have configured it using the isapi_redirect.dll (thanks to Electronjockey). However, when I try and hit my https://site/geoportalhttps://site/geoportal my credentials do not carry me through to the web application, instead I receive Internet Explorer Cannot Display Webpage. Can someone help me out on how to configure my server.xml and interpretting my log files please? I have even tried to export my server certificate, and call it using the keystore:, still not working. I'm a Tomcat green horn, any help would be awesome. Isapi_redirect.log file: Looks like some sort of authentication is being passed, then the ajp13 is not found? [Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70 addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll [Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug] jk_isapi_plugin.c (3120): Service request headers=5 attributes=9 chunked=no content-length=0 available=0 [Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116): did not find a worker ajp13 [Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug] jk_isapi_plugin.c (2162): could not get a worker for name ajp13 [Wed Aug 04 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c (2210): could not get a worker for name ajp13 Hard to tell without knowing the version of the isapi redirector, not having your configuration. This looks like: - it is trying to use a worker named ajp13 to connect to Tomcat. Lile y you have configured the redirector to use this worker within your uriworkermap.properties file - the redirector doesn't know how to use this worker. Either you are missing the workers.properties configuration file or there is no definition for a worker named ajp13 in the file. A good starting point for a workers.properties file is the example file contained in the source distribution of version 1.2.30. Please do also use this version of the redirector. Note: from the point of view of Tomcat it doesn't really matter whether you are talking http or https in the browser. This protocol is only used between the browser and IIS. Between IIS and Tomcat when using the isapi redirector the protocol is always AJP13 (it is just coincidence, that this is the same name as the name
Re: Tomcat 6 does not respond or freeze after startup
On 04.08.2010 22:54, T. Gau wrote: Hello, I have executed 'netstat -anopb tcp' with the following result: TCP 0.0.0.0:8009 0.0.0.0:0 LISTENING 3436 [java.exe] TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 3436 [java.exe] TCP 127.0.0.1:8005 0.0.0.0:0 LISTENING 3436 [java.exe] I could not find another listening port for java.exe. BUT the requests to the frozen Tomcat results into TCP 127.0.0.1:8080 127.0.0.1:2049 CLOSE_WAIT 3436 [java.exe] TCP 127.0.0.1:8080 127.0.0.1:2050 CLOSE_WAIT 3436 [java.exe] TCP 127.0.0.1:8080 127.0.0.1:1992 CLOSE_WAIT 3436 [java.exe] TCP 127.0.0.1:8080 127.0.0.1:1991 CLOSE_WAIT 3436 [java.exe] TCP 127.0.0.1:8080 127.0.0.1:2051 CLOSE_WAIT 3436 [java.exe] TCP 127.0.0.1:8080 127.0.0.1:1990 CLOSE_WAIT 3436 [java.exe] TCP 127.0.0.1:8080 127.0.0.1:1989 CLOSE_WAIT 3436 [java.exe] TCP 127.0.0.1:8080 127.0.0.1:2043 CLOSE_WAIT 3436 [java.exe] TCP 127.0.0.1:8080 127.0.0.1:2042 CLOSE_WAIT 3436 [java.exe] Any ideas what happens here? Did we already see a full thread dump? WildGuessCould it be blocked by entropy gathering for random initialization?WildGuess/ Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Rewrite URLs inside HTML pages?
Comments inline On 05.08.2010 03:30, Leon Kolchinsky wrote: Hi, Hmm. Interesting. Of course I'd like to make it work with simple configuration or/and with JkHTTPSIndicator. I'm just not clear on how to make this simple configuration. As I've said there is no SSL handling on the server side. All SSL request handled on the load balance level which in turn talks to Apache (configured to talk to Tomcat via mod_jk) via http. myserv.mydomain.com - Tomcat server's Domain name sakai-stg.mydomain.com - Load balancer's Domain name Clients coming to Load Balancer's URL https://sakai-stg.mydomain.com need to use internal links (submit forms etc.) which appear as http:// sakai-stg.mydomain.com/. on the served pages. Submitting forms is not working in that scenario since the links should look like this inside the pages - https://sakai-stg.mydomain.com/. Please see my mod_jk.conf, workers.properties, 01myserv.mydomain.com.conf files below. Can you come up with a solution without using mod_substitute as I do now? [r...@myserv mod_sed]# cat /etc/httpd/conf/mod_jk.conf LoadModule jk_module modules/mod_jk.so # mod_jk config # Where to find workers.properties # Update this path to match your conf directory location (put workers.properties next to httpd.conf) JkWorkersFile /etc/httpd/conf/workers.properties # Where to put jk shared memory # Update this path to match your local state directory or logs directory JkShmFile /var/log/httpd/mod_jk.shm # Where to put jk logs # Update this path to match your logs directory location (put mod_jk.log next to access_log) JkLogFile /var/log/httpd/mod_jk.log Unrelated: you could use rotatelogs here, as in CustomLog or ErrorLog to automatically rotate the files. # Set the jk log level [debug/error/info] JkLogLevel info # Select the timestamp log format JkLogStampFormat [%a %b %d %H:%M:%S %Y] Unrelated: I would remove JkLogStampFormat. Since a few years mod_jk will log sub second timestamps by default, but this format disables that. #JkOptions indicate to send SSL KEY SIZE, JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories Unrelated: You should remove +ForwardURICompat unless you understand what it does and that you will definitely need it. # JkRequestLogFormat set the request format JkRequestLogFormat %w %V %T Unrelated: Don't like the JkRequestFormat. Instead would use so called notes to add the info directly to the access log. # Globally deny access to the WEB-INF directory LocationMatch '.*WEB-INF.*' AllowOverride None deny from all /LocationMatch Unrelated: The application directory usually should not be reachable at all by Apache. [r...@myserv mod_sed]# [r...@myserv mod_sed]# cat /etc/httpd/conf/workers.properties # # This file provides minimal jk configuration properties needed to # connect to Tomcat. # # We define a workers named worker1 and worker2 workers.tomcat_home=/srv/tomcat/ workers.java_home=/srv/jdk ps=/ Unrelated: The above three are useless. worker.list=worker1 worker.worker1.type=ajp13 worker.worker1.host=localhost worker.worker1.port=8009 worker.worker1.lbfactor=1 Unrelated: That's very minimal. # Load-balancing behaviour (add when you have more than 1 worker and change worker.workerX.host and worker.list accordingly) # worker.loadbalancer.type=lb Unrelated: You are not actually using mod_jk load balancing here. # Status worker for managing load balancer (add when you have more than 1 worker) worker.status.type=status Suggestion: grab the default workers.properties from the mod_jk 1.2.30 source download. It contains important hints about production ready configuration. [r...@myserv mod_sed]# [r...@myserv mod_sed]# cat /etc/httpd/conf/vhosts.d/01myserv.mydomain.com.conf LoadModule substitute_module modules/mod_substitute.so NameVirtualHost *:80 VirtualHost *:80 ServerName myserv.mydomain.com ServerAdmin leon.kolchin...@mydomain.com ServerAlias sakai-stg # Just in case DocumentRoot /srv/sakai # if not specified, the global error log is used ErrorLog /var/log/httpd/myserv.mydomain.com-error_log CustomLog /var/log/httpd/myserv.mydomain.com-access_log combined # don't loose time with IP address lookups HostnameLookups Off # needed for named virtual hosts UseCanonicalName Off # Add index.jsp to DirectoryIndex files DirectoryIndex index.php index.html index.htm index.shtml index.php4 index.php3 index.phtml index.cgi index.jsp JkMount /* worker1 Assuming that you always want Tomcat to assume https when a request came in via this VirtualHost: JkHTTPSIndicator FakeHTTPS SetEnv FakeHTTPS On (the module mod_env needs to be loaded). AddOutputFilterByType SUBSTITUTE text/html Substitute s|http://myserv|https://sakai-stg|i Substitute s|http://sakai-stg|https://sakai-stg|i Those three should then no longer be needed (if sakai behaves well). /VirtualHost Regards, Rainer - To unsubscribe, e-mail:
Re: Tomcat 6.0.18/ IIS 6.0 /SSL
See inline On 05.08.2010 15:15, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote: Rainer, Thanks again for being patient with me. I've seen some different behavior this morning. When I am trying to access my page, I get Service Temporary Unavailable, which is better than what I was receiving. [Thu Aug 05 09:12:49.655 2010] [10216:8452] [debug] jk_uri_worker_map.c (1036): Attempting to map URI '/geoweb1b.eims.local/geoportal' from 2 maps [Thu Aug 05 09:12:49.686 2010] [10216:8452] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/geoportal/*=worker1' source 'uriworkermap' [Thu Aug 05 09:12:49.702 2010] [10216:8452] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/geoportal=worker1' source 'uriworkermap' [Thu Aug 05 09:12:49.733 2010] [10216:8452] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/geoportal/*=worker1' source 'uriworkermap' [Thu Aug 05 09:12:49.749 2010] [10216:8452] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/geoportal=worker1' source 'uriworkermap' [Thu Aug 05 09:12:49.764 2010] [10216:8452] [debug] jk_uri_worker_map.c (873): Found an exact match '/geoportal=worker1' OK, uriworkermap.proprties worked, it found a match and wants to use the worker named worker1. [Thu Aug 05 09:12:49.780 2010] [10216:8452] [debug] jk_isapi_plugin.c (1916): check if [/geoportal] points to the web-inf directory [Thu Aug 05 09:12:49.795 2010] [10216:8452] [debug] jk_isapi_plugin.c (1932): [/geoportal] is a servlet url - should redirect to worker1 [Thu Aug 05 09:12:49.811 2010] [10216:8452] [debug] jk_isapi_plugin.c (1972): fowarding escaped URI [/geoportal] [Thu Aug 05 09:12:49.827 2010] [10216:8452] [debug] jk_worker.c (339): Maintaining worker worker1 [Thu Aug 05 09:12:49.842 2010] [10216:8452] [debug] jk_isapi_plugin.c (2792): Reading extension header HTTP_TOMCATWORKER6A6B: worker1 [Thu Aug 05 09:12:49.858 2010] [10216:8452] [debug] jk_isapi_plugin.c (2793): Reading extension header HTTP_TOMCATWORKERIDX6A6B: 1 [Thu Aug 05 09:12:49.889 2010] [10216:8452] [debug] jk_isapi_plugin.c (2794): Reading extension header HTTP_TOMCATURI6A6B: /geoportal [Thu Aug 05 09:12:49.905 2010] [10216:8452] [debug] jk_isapi_plugin.c (2795): Reading extension header HTTP_TOMCATQUERY6A6B: (null) [Thu Aug 05 09:12:49.920 2010] [10216:8452] [debug] jk_isapi_plugin.c (2850): Applying service extensions [Thu Aug 05 09:12:49.936 2010] [10216:8452] [debug] jk_isapi_plugin.c (2930): Client Certificate encoding:1 sz:1022 flags:1 [Thu Aug 05 09:12:49.952 2010] [10216:8452] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=150.xxx.xx.xx addr=150.xxx.xx.xx name=myserver.server.local port=443 auth=SSL/PCT user=EIMS\john.doe uri=/geoportal [Thu Aug 05 09:12:49.967 2010] [10216:8452] [debug] jk_isapi_plugin.c (3120): Service request headers=8 attributes=9 chunked=no content-length=0 available=0 [Thu Aug 05 09:12:49.983 2010] [10216:8452] [debug] jk_worker.c (116): found a worker worker1 [Thu Aug 05 09:12:49.999 2010] [10216:8452] [debug] jk_isapi_plugin.c (2162): got a worker for name worker1 [Thu Aug 05 09:12:50.030 2010] [10216:8452] [debug] jk_ajp_common.c (3093): acquired connection pool slot=0 after 0 retries [Thu Aug 05 09:12:50.045 2010] [10216:8452] [debug] jk_ajp_common.c (605): ajp marshaling done [Thu Aug 05 09:12:50.061 2010] [10216:8452] [debug] jk_ajp_common.c (2376): processing worker1 with 2 retries [Thu Aug 05 09:12:50.077 2010] [10216:8452] [debug] jk_ajp_common.c (1579): (worker1) all endpoints are disconnected. [Thu Aug 05 09:12:50.092 2010] [10216:8452] [debug] jk_connect.c (480): socket TCP_NODELAY set to On [Thu Aug 05 09:12:50.108 2010] [10216:8452] [debug] jk_connect.c (604): trying to connect socket 712 to 127.0.0.1:8009 Here it tries to open a new connction to the address 127.0.0.1 and port 8009 (as configured for the worker named worker1 in workers.properties). [Thu Aug 05 09:12:51.061 2010] [10216:8452] [info] jk_connect.c (622): connect to 127.0.0.1:8009 failed (errno=61) It fails to open a TCP connection. Error is 61, which means winsock 10061, which is Connection refused. So either your Tomcat isn't started or not listening on port 8009 on localhost, or something else (Firewal etc.) blocks access to that port. Check whether you can see Tomcat listening on 8009 using netstat -ano. You should see *:8009 in status LISTEN and the pid would be the process ID of your Tomcat Java process. If it is there, you can try whether you can connect to that port using telnet. As long as you can't connect, the redirector can't either. If Tomcat is running on some other system, you need to adjust worker.worker1.host in workers.properties accordingly. [Thu Aug 05 09:12:51.061 2010] [10216:8452] [info] jk_ajp_common.c (959): Failed opening socket to (127.0.0.1:8009) (errno=61) [Thu Aug 05 09:12:51.092 2010] [10216:8452] [error] jk_ajp_common.c (1585): (worker1) connecting to backend
Re: Tomcat 6 does not respond or freeze after startup
On 05.08.2010 22:52, T. Gau wrote: Hello, @Thread dumps: I attached some current thread.Directly after startup and after Tomcat stops responding. Sorry, no idea here. Nothing obvious wrong in those dumps. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 6.0.18/ IIS 6.0 /SSL
Just in case you didn't yet realize: the changelog is public: http://tomcat.apache.org/tomcat-6.0-doc/changelog.html 6.0.29 has only 5 changes that were relevant for the changelog. Three of them link to an issue that can be viewed publicly, one is a pure enhancement, and the one fix without a link to bugzilla doesn't even have an issue link, because it wasn't observed as a problem in the wild. It is not to hard to check the three issue links to get a better basis for your decision of using 6.0.28 instead of 6.0.29 and to recognize faster in cse you run into one of the few fixed problems. Regards, Rainer On 06.08.2010 17:56, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote: Chuck, Besides the latest version, is there one that you recommend? -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Friday, August 06, 2010 11:50 AM To: Tomcat Users List Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 [mailto:jason.t.hansel@navy.mil] Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL Well good news, 6.0.28 was JUST approved...WooHOO!!! There was one regression in 6.0.28 that you should be aware of: https://issues.apache.org/bugzilla/show_bug.cgi?id=49598 Its existence prompted the rapid release of 6.0.29, where the problem is fixed. - Chuck - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Rewrite URLs inside HTML pages?
On 09.08.2010 03:28, Leon Kolchinsky wrote: On Thu, Aug 5, 2010 at 18:26, Rainer Jungrainer.j...@kippdata.de wrote: On 05.08.2010 03:30, Leon Kolchinsky wrote: # JkRequestLogFormat set the request format JkRequestLogFormat %w %V %T Unrelated: Don't like the JkRequestFormat. Instead would use so called notes to add the info directly to the access log. Are you talking about mod_log_config ( http://tomcat.apache.org/connectors-doc/reference/apache.html)? Yes, exactly. mod_jk sets so called notes, which you can add to your standard AccessLog using them in a CustomLog format. # Globally deny access to the WEB-INF directory LocationMatch '.*WEB-INF.*' AllowOverride None deny from all /LocationMatch Unrelated: The application directory usually should not be reachable at all by Apache. So, Is it safe to remove thoseLocationMatch '.*WEB-INF.*'./LocationMatch lines? It depends :) If Apache can't see those directories, then yes. If you have them in directories visble by Apache and allowed to be served, then no and instead the question would be: why is Apache allowed to see (and serve) them. See and serve would mean: under htdocs or some other directory that is not secured. Usually Directory / has deny from all (secured) so Apache doesn't serve arbitrary content, and htdocs and some individually configured dirs like for the manual and icons are allow from all. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: 2 POST requests to underlying Server
On 10.08.2010 09:38, Karthik Nanjangude wrote: Hi Spec Java 1.5 O/s : Linux APP Server: JBOSS4.2.1 (Tomcat built with) HTTP Server : apache_2.2.11 [ With out SSL ] Mod library: mod_jk-1.2.28-httpd-2.2.X.so LB 1 Apache : 1 JBOSS:Port of application Question : Some times We have observed that on WEB Application ( click on button in jsp ) Apache is sending 2 POST requests to underlying JBOSS ( Tomcat server ). Note: We even put a Java script filter to disable multiple Clicks for the page, How we Observed : Via TCP Thread dump using commandtcpdump -i bond0 -s 1500 -w / tmp / test.pcap Can this configuration worker.node1.socket_timeout=10 got any thing to do with this multiple request activity? I'm a bit afraid that everyone who was arguing against the above claim will jump at me but still ... It could be the missing recovery_options setting. See http://tomcat.apache.org/connectors-doc/reference/workers.html and do also read a bit about timeouts at http://tomcat.apache.org/connectors-doc/generic_howto/timeouts.html If you want to disallow resending any requests in case of communication errors, you need to set recovery_options to 7, if you want to allow resending for HEAD and GET, you can use 31. As others have mentioned we could easily see from your jk log files with increased log level, whether resending because of errors happens here. Since you have a 10 second socket_timeout and the two requests are 12 seconds apart, this is likely to happen (10 seconds timeout plus 2 seconds connection draining). You might want to have a close look at the example config contained in the mod_jk 1.2.30 source download, which looks better for production than you config above and is well commented. Note that although that config uses many timeouts, it does *not* use the general socket_timeout. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Socket 24 is not connected any more (errno=-1)
On 12.08.2010 10:45, HANDE CANORUÇ wrote: I am using mod jk in order to connect tomcat and glassfish 3.1. In the mod_jk log file I am getting these errors; [info] ajp_send_request::jk_ajp_common.c (1178): Socket 24 is not connected any more (errno=-1) [info] ajp_send_request::jk_ajp_common.c (1202): Error sending request. Will try another pooled connection [info] ajp_send_request::jk_ajp_common.c (1225): All endpoints are disconnected or dead [info] ajp_service::jk_ajp_common.c (1749): Sending request to tomcat failed, recoverable operation attempt=1 and in the server log file I am getting ; SEVERE|glassfish3.1|org.apache.tomcat.util.threads.ThreadPool|_ThreadID=17;_ThreadName=Thread-1;|threadpool.busy|#] Any suggestions?? First get yourself the recent mod_jk version (1.2.30). Version 2.15 does not exist. If you wanted to say version 1.2.15, that's pretty outdated. Then second grab the example config from the 1.2.30 source download as a starter. Finally: for recent versions of mod_jk there's nothing to worry as long as you only get info level log messages in the mod_jk log file. As soon as there are warnings or errors, the additional info log lines can be helpful to fully understand the problem. Inf alone without accompanying warnings or errors are harmless. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: excluding some path from tomcat
On 12.08.2010 15:59, Angelo Chen wrote: Hi, I use Apache web server 2.2 in front of tomcat, it works well with Apache's default proxy module, however, I can't exclude some path from it: ProxyPass / http://localhost:8080/ ProxyPass /static ! ProxyPassReverse / http://localhost:8080/ ProxyPreserveHost on example.com/static still goes to my tomcat app, any idea? thanks, Citing Apache docs [1]: Order is important: exclusions must come before the general ProxyPass directive. The directives are checked against the request in the order given. The first match wins. Regards, Rainer [1] http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: excluding some path from tomcat
On 12.08.2010 20:21, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Angelo, On 8/12/2010 9:59 AM, Angelo Chen wrote: I use Apache web server 2.2 in front of tomcat, it works well with Apache's default proxy module, however, I can't exclude some path from it: ProxyPass / http://localhost:8080/ ProxyPass /static ! ProxyPassReverse / http://localhost:8080/ ProxyPreserveHost on This is one of the reasons I have decided to stick with mod_jk instead of mod_proxy_http or mod_proxy_ajp: I couldn't figure out how to map different sub-URIs to different places. What happens if you do this: ProxyPass /static ! ProxyPass / http://localhost:8080/ ProxyPassReverse / http://localhost:8080/ ProxyPreserveHost on (I have only reversed the order of the ProxyPass directives). If mod_proxy processes rules in order until one matches, it may be that ProxyPass / is taking over without ever checking the /static rule you have there. Bonus point! Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JNDI: LDAPv3 with StartTLS
Hi Igor, On 15.08.2010 16:14, Igor Galić wrote: Hi folks, I'm running Hudson in Tomcat 6.0.29 on Debian/Squeeze/amd64 with i.ga...@pheme /opt/tomcat6 % java -version java version 1.6.0_18 OpenJDK Runtime Environment (IcedTea6 1.8) (6b18-1.8-1) OpenJDK 64-Bit Server VM (build 14.0-b16, mixed mode) I'm starting the server with: CATALINA_OPTS--Djava.awt.headless=true -Djavax.net.debug=ssl:handshake -DHUDSON_HOME=${CATALINA_HOME}/webapps/hudson -Xmx512m In server.xml's Engine context there is a single JNDI Realm configured: Engine name=Catalina defaultHost=localhost Realm className=org.apache.catalina.realm.JNDIRealm connectionURL=ldap://mail.brainsware.org:389/; alternateURL=ldap://mail.esotericsystems.at:389; commonRole=admin connectionName=uid=whatever connectionPassword=securityisgreat. userBase=ou=people,dc=brainsware,dc=org userPattern=(uid={0})(postOfficeBox=internal_projects) userSearch=(uid={0}) / The LDAP server I'm connecting to is Zimbra (OpenLDAP), and requires StartTLS. It has a valid Certificate, signed by Go Daddy. I've made sure that all parts of Go Daddy's chain are in the JVM's cacerts. When starting the server, I see this in the log: INFO: Starting Servlet Engine: Apache Tomcat/6.0.29 Aug 15, 2010 2:04:18 PM org.apache.catalina.realm.JNDIRealm open WARNING: Exception performing authentication javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - confidentiality required] at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3023) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694) at com.sun.jndi.ldap.LdapCtx.init(LdapCtx.java:306) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) at javax.naming.InitialContext.init(InitialContext.java:240) at javax.naming.InitialContext.init(InitialContext.java:214) at javax.naming.directory.InitialDirContext.init(InitialDirContext.java:99) at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1954) at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:2045) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1037) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445) at org.apache.catalina.core.StandardService.start(StandardService.java:519) at org.apache.catalina.core.StandardServer.start(StandardServer.java:710) at org.apache.catalina.startup.Catalina.start(Catalina.java:581) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:616) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) I've traced the operation with wireshark only to find it's not even trying to do any kind of SASL negotiation. That seems weird, since: http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Modules-com.sun/jndi/com/sun/jndi/ldap/LdapClient.java.htm suggests it should be doing that by default. I'm out ideas now. and welcome any advise you can offer. So long o/~ Never used it, but wouldn't you configure ldaps:// URLs instead of ldap://; URLs? And maybe also using Port 636 instead of 389 (or removing the port to use it as the default port). No idea about SASL though. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How can i tell how much of allocated heap is being used?
On 18.08.2010 20:41, laredotornado wrote: Hi, I'm using Tomcat 6.0.26, Java 1.6 on Linux kernel 2.6.18-164.11.1.el5. I'm trying to figure out if there if we can figure out how much of our allocated heap memory is actually being used. Grateful for any thoughts you might have, - Dave Caution 1: used does include garbage. Dead object size is never known. If you want to know used without garbage, you need to wait for a GC (or trigger one). Caution 2: There are different GC's cleaning up the young generation, the tenured generation and perm gen. It might even be very different when using JVMs like JRockit, or the IBM or HP JVM or Apache Harmony (the later is not certified for legal reasons). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat sessions issue?
To add the obvious: Use your browser to have a look at your JSESSIONID cookies (and any other cookies of the same name used by both apps) after loging in to LifeRay and after loging in to Alfresco. Write down domain and path properties and see whether they conflict (whether one of the cookies from Liferay would also apply to Alfresco or vice versa). You might need to read a bit about how cookies work (domain and path). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JNDI: LDAPv3 with StartTLS
On 18.08.2010 22:45, Igor Galić wrote: org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1269) This means, that you specified userPattern='...' in your realm configuration. And you since your pattern looks like '(uid={0})(...)' it is probably wrong. You have specified userSearch='uid={0}', too. So I believe you want to read the fine documentation http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html especially about JNDIRealm and settle using userSearch. Great! That fixed it, and it now works! Thank you very much, Felix. I would very much like to document this. I am thus asking you for permission to use, host, reference or whatever is your liking, the code you have provided. Igor: It would be nice if you could add it to the Tomcat Wiki. Felix: would you like to contribute your code? I didn't read it in detail but I guess it is very generic and would be a nice addon to the standard JNDIRealm? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat sessions issue?
On 19.08.2010 09:25, Pid wrote: On 19/08/2010 04:50, Christopher Schultz wrote: Robin, On 8/18/2010 5:57 PM, Robin Diederen wrote: That's interesting to say the least. I agree with André's assessment: you have a cookie collision. See below for hints for removing the conflict. Without cookies enabled, I can't login to either of both applications. You probably haven't been properly encoding your URLs. Or the app designers haven't. Tut. So I designed another test: using two browsers I visited both applications. And guess what: it works like a charm! So I guess you are right on the cookies :-). The only one thing I do not understand: I've done this a few times before and I never ran into these issues. The only difference is that I'm using a newer version of LifeRay for the first time, but AFAIK the other LifeRay version I used uses JSESSION too.. The difference is probably that in other installations you haven't deployed both applications to the root (/) context path. You never did tell us how you deployed the two, so I suspect that both webapps are deployed as ROOT. In that case, you get cookies from both webapps that look like this: host=myserver.com, path=/, name=JSESSIONID, value=12345... Two Tomcats can't both exist in the same domain name space, unless there's a mapping error in mod_jk. After a cursory look through the server.xml, (cursory because of the trauma of wading through comments), I note: Listener className=org.apache.jk.config.ApacheConfig modJk=/opt/zimbra/httpd/modules/mod_jk.so / The OP made reference to the jvmRoute=jvmAlfresco1, so I think we need to understand what's going on there to find a resolution. Good point, so adding to the look at the cookies recommendation: if you are using load-balancing with mod_jk, you need to configure a unique jvmRoute for each Tomcat in server.xml. Tomcat will then add a dot . and the value of jvmRoute to the end of the session id used in the JSESSIONID cookies. You can see it when looking at the value of the cookie in the browser. mod_jk reads this suffix from the cookie when it is send together with each request by the browser and looks up the right Tomcat, assuming that the name of the member workers in the load-baancers are the same as the jvmRoute of the Tomct they are pointing to. If for some reason you get that wrong (worker names do not fit the jvmRoutes of the respective Tomcats), requests will eventually be send to the wrong Tomcat which does not know about the user session (except when using session clustering, an advanced topic). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JNDI: LDAPv3 with StartTLS
On 19.08.2010 18:55, Igor Galić wrote: Use it as you like. As Rainer has hinted, the apache wiki would be a good place for documentation :) Excellent. Thank you very much, will do that. URL: http://wiki.apache.org/tomcat/ :) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache reverse proxy to tomcat application server
On 19.08.2010 20:27, li...@cgi-net.ch wrote: Hi List, I'm running mod_jk on a apache 2.2.14 connecting to a second host, running tomcat 5 server with a third party application. This application is configured to display some company internal information when accessing the page directly without any subdirectory: like: http://servername/ A second application part is located under address http://servername/application - please note, this is not a directory, this is a servlet-mapping made by tomcat (and we can't change the tomcat setup as we would loose support for it) My problem is now, that I only what to grant access to http://servername/application for external customers through the apache mod_jk setup. But of some reason do I have trouble implementing this. How did you try to achive that? JkMount /application|/* worker1 Is the application deployed on Tomcat using the same context name /application? What was the exact result, when you tried that? The stuff only works if I configure mod_jk to JkMount /* - but with that, also the page ttp://servername/ is access-able. I've also tried it with Rewrite rules (to make sure everything else than http://servername/application is redirected to this address), etc. but nothing was/is working. Rewriting will not be necessary as long as the context name on Tomcat is /application. Please find below some information about my setup: ### ### setup information ### mod_jk version: 1.2.30 mod_jk httpd configuration (that's how it is working but it will allow access to any application, served by the tomcat server): # Some URL Redirecting is required RewriteEngine On RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d [OR] RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f RewriteCond %{REQUEST_URI} !=/application RewriteRule .* /application Let's remove the rewriting as long as we are debugging your original problem. # Load Module LoadModule jk_module modules/mod_jk.so # Worker File JkWorkersFile /path to worker file/workers.properties # Where to put the log JkLogFile /path to log file/mod_jk.log # Log level JkLogLevel debug # Select the timestamp log format JkLogStampFormat[%a %b %d %H:%M:%S %Y] JkMount /* worker1 mod_jk worker configuration: # Define 1 real worker using ajp13 worker.list=worker1 # Set properties for worker1 (ajp13) worker.worker1.type=ajp13 worker.worker1.host=chnovmn3.lcsys.ch worker.worker1.port=8009 worker.worker1.connection_pool_timeout=60 worker.worker1.socket_keepalive=1 The log snippert you provided was parts of the log produced by successful requests, i.e. requests that were forwarded to tomcat and replied stuff. Please do provide the log contents for a request that does not work, i.e. which does show the problem. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache reverse proxy to tomcat application server
On 19.08.2010 21:17, li...@cgi-net.ch wrote: On Thu, 19 Aug 2010 20:57:57 +0200, Rainer Jungrainer.j...@kippdata.de wrote: On 19.08.2010 20:27, li...@cgi-net.ch wrote: Hi List, I'm running mod_jk on a apache 2.2.14 connecting to a second host, running tomcat 5 server with a third party application. This application is configured to display some company internal information when accessing the page directly without any subdirectory: like: http://servername/ A second application part is located under address http://servername/application - please note, this is not a directory, this is a servlet-mapping made by tomcat (and we can't change the tomcat setup as we would loose support for it) My problem is now, that I only what to grant access to http://servername/application for external customers through the apache mod_jk setup. But of some reason do I have trouble implementing this. How did you try to achive that? JkMount /application|/* worker1 I tried it with JkMount /application worker1 and with JkMount /application* worker1 Quick question, you've written JkMOunt /application|/, what does the | stand for? JkMount /application|/* worker1 is a short syntax for the two rules JkMount /application worker1 JkMount /application/* worker1 Is the application deployed on Tomcat using the same context name /application? Yes Good. What was the exact result, when you tried that? Well it displays the login page, but the formatting of the does not work, and when I hit the submit button, nothing is happening. Do you think that it is possible that /application does require / to be access able as well (both application coming from the same vendor and are related to each other) Aaaah! Yes it is quote possible that the page contains links to other content that does not reside under /application. Those could be CSS (style sheets) responsible for correct rendering and JS (JavaScript files) responsible for actions when pressing buttons. You can look at the source code of the login page or use some browser plugin that shows you all links referenced in the page. Some browsers might show you the info out of the box. The stuff only works if I configure mod_jk to JkMount /* - but with that, also the page ttp://servername/ is access-able. I've also tried it with Rewrite rules (to make sure everything else than http://servername/application is redirected to this address), etc. but nothing was/is working. Rewriting will not be necessary as long as the context name on Tomcat is /application. Please find below some information about my setup: ### ### setup information ### mod_jk version: 1.2.30 mod_jk httpd configuration (that's how it is working but it will allow access to any application, served by the tomcat server): # Some URL Redirecting is required RewriteEngine On RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d [OR] RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f RewriteCond %{REQUEST_URI} !=/application RewriteRule .* /application Let's remove the rewriting as long as we are debugging your original problem. OK, I've anyway disabled them already since they were not working # Load Module LoadModule jk_module modules/mod_jk.so # Worker File JkWorkersFile /path to worker file/workers.properties # Where to put the log JkLogFile /path to log file/mod_jk.log # Log level JkLogLevel debug # Select the timestamp log format JkLogStampFormat[%a %b %d %H:%M:%S %Y] JkMount /* worker1 mod_jk worker configuration: # Define 1 real worker using ajp13 worker.list=worker1 # Set properties for worker1 (ajp13) worker.worker1.type=ajp13 worker.worker1.host=chnovmn3.lcsys.ch worker.worker1.port=8009 worker.worker1.connection_pool_timeout=60 worker.worker1.socket_keepalive=1 The log snippert you provided was parts of the log produced by successful requests, i.e. requests that were forwarded to tomcat and replied stuff. Please do provide the log contents for a request that does not work, i.e. which does show the problem. I can send you more log files, but I think the problem is more related with the application it self. Right. The error I receive from apache is 404 which means he can not find the document (which indicates that I've made some configuration mistake) You can look at the Apache access log to check, what other resources the browser tries to access. Maybe they are contained in a few other folders or have a few file content suffixes you can add with a couple of additional JkMounts. General question, is it possible to allow access to /* to make the stuff working but restrict access for customers to /application (like you can do it withdirectory stanza in apache) In principle it is possible. The details depend on what customers are (defined by IP or what?) and which URLs precisely need to be public vs. private. Regards, Rainer - To unsubscribe, e-mail:
Re: logging from a filter
On 20.08.2010 11:43, David Goodenough wrote: How do I write log entries from a Filter. In a servlet there is a log method but as a filter only implements Filter that is obviously not an option. The init() of the filter is called with a FilterConfig argument, from which you get a ServletContext via getServletContext(), which you can store locally. The ServletContext then has the log methods you want. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Version Numbers
On 25.08.2010 20:57, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chuck, On 8/25/2010 11:15 AM, Caldarale, Charles R wrote: From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Tomcat Version Numbers why not have a tag progression that looks like this: 6.0.0-alpha 6.0.0-beta1 6.0.0-beta2 Because there are no changes to an x.y.z level, regardless of how its marking progresses. _Any_ changes require a new dot number. The 6.0.0-alpha and 6.0.0 are identical; only the labeling changed to indicate that the particular level had progressed through more testing. Your suggestion causes no end of confusion, since there will be flavors of 6.0.0 running around with different content. Okay. Does that mean that: [DIR] v6.0.2-alpha/ 2006-11-16 00:02- [DIR] v6.0.2-beta/2006-11-16 00:02- [DIR] v6.0.2/ 2006-11-16 00:02- ...means that 6.0.2, 6.0.2-alpha, and 6.0.2-beta are all the exact same sets of files, just with different tag names? On the file system, the directories named *alpha and *beta are symlinks to the one without suffix. Looking at the list archives I would say the RM found it easiest to always produce the directory without suffix and then add symlinks according to the release status. From this digging into history I would say: 6.0.0: alpha 6.0.1: alpha 6.0.2: beta 6.0.4: alpha 6.0.6: alpha 6.0.7: beta 6.0.8: alpha 6.0.9: beta Starting with 6.0.10: stable And yes it is possible, that a release after a beta release is again alpha, or a release after stable is again beta incase there is a major regression. So the use of the terminology is slightly non-standard. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: pick load
On 26.08.2010 03:28, Alexandre Chapellon wrote: Hello, I'm quite new to tomcat and have an old webapps running on tomcat 4.1 and jvm 1.4.2 with apach2.2 in front ofthem (using modjk). I'm trying to get ready for a comming pick load I will have to face. I Try to do some benchmark using ab and the jkstatus worker. Whatever the configuration of my connecter (both on the apache or tomcat side) I never go upper than 20 requests / second. Here are few parameters I changed in order to get better performances: -Apache2 (worker): increased ServerLimit (64), ThreadLimit (256), MaxClients (2048), ThreadsPerChild (128) set to a non zero value MaxRequestsPerChild (500) - modjk (1.2.30): set to non-zero value worker.selfcare.connection_pool_timeout=60 -Tomcat AJP13 Connector: acceptCount=50 enableLookups=false maxProcessors=500 bufferSize=4096 socketBuffer=2 Unfortunately this doesn't help and am still stuck with 20req/s when the machines' load is not that high and 60% of CPU at most is used during stress test. I've googled around but can't find anything else about increasing performances of apache/tomcat... Help much appreciated Regards P.S: right now am using ab to send 2000 request with 50 concurrents. Take thread dumps of the Tomcat JVM and check what your applicaion is actually doing (like waiting for locks or externals components). Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Access StandardContext in WebappClassLoader
On 26.08.2010 17:24, Chefo wrote: Hi again and thanks for the quick responses. What bothers me in the WebappClassLoader is the fact that before it checks its repositories (lib folder and classes) and asks its parent class loader, it will first attempt to load a class from the system class loader - from the jvm. This is not standard classloader logic but sth done on purpose in the webapp class loader. I want to prevent that for certain packages and I want it to be configurable for each web application. That's why I wrote my WebappClassLoader and configured its usage in the default context.xml (Loader loaderClass=org.chefo.OSGiWebappClassLoader/ incatalina home/conf/context/xml). I figured the easiest way to configure a list of packages that should not be loaded through the system class loader is with a parameter in the context of the web application, thus I need to access a context parameter in my webapp class loader. I thought it would be normal for the webapp class loader to be able to access the context that is associated with it... Hope that makes it a bit clearer... You can configure your loader by extending WebappLoader (not only WebappClassLoader) and then using attributes in the loader element you added to context.xml (and corresponding setters in the loader implementation). For an example see http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/loader/VirtualWebappLoader.html Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: pick load
On 26.08.2010 21:00, Alexandre Chapellon wrote: Le jeudi 26 août 2010 à 09:25 +0200, Rainer Jung a écrit : On 26.08.2010 03:28, Alexandre Chapellon wrote: Hello, I'm quite new to tomcat and have an old webapps running on tomcat 4.1 and jvm 1.4.2 with apach2.2 in front ofthem (using modjk). I'm trying to get ready for a comming pick load I will have to face. I Try to do some benchmark using ab and the jkstatus worker. Whatever the configuration of my connecter (both on the apache or tomcat side) I never go upper than 20 requests / second. Here are few parameters I changed in order to get better performances: -Apache2 (worker): increased ServerLimit (64), ThreadLimit (256), MaxClients (2048), ThreadsPerChild (128) set to a non zero value MaxRequestsPerChild (500) - modjk (1.2.30): set to non-zero value worker.selfcare.connection_pool_timeout=60 -Tomcat AJP13 Connector: acceptCount=50 enableLookups=false maxProcessors=500 bufferSize=4096 socketBuffer=2 Unfortunately this doesn't help and am still stuck with 20req/s when the machines' load is not that high and 60% of CPU at most is used during stress test. I've googled around but can't find anything else about increasing performances of apache/tomcat... Help much appreciated Regards P.S: right now am using ab to send 2000 request with 50 concurrents. Take thread dumps of the Tomcat JVM and check what your applicaion is actually doing (like waiting for locks or externals components). This sounds an excellent idea indeed, and it's surely what I would have done if I new it was possible and how I could do it :) What's the way to do it? http://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Is there a better way to disable JSESSIONID in the URLs?
On 26.08.2010 23:29, Wesley Acheson wrote: On Sat, Aug 21, 2010 at 12:12 PM, Pidp...@pidster.com wrote: On 20/08/2010 22:40, Wesley Acheson wrote: I'm a bit lost with this thread. Are people suggesting I should submit a patch. I really wouldn't know where to begin looking. That's where the discussion was heading. Tomcat is Open Source. The first place to look would be SVN. http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/ p Hi everyone, I've done this and was naturally quite nervous about it having never contributed to anything in this way. That's quite normal :) It gets better once you do it more regularly ;) Would It be too much to ask to get some feedback if you have time? I'd really appreciate it. Feedback about anything from the code changes to if you feel the bugzilla report was adaquate. It was a good initiative and I'm sure we will have a look at the patch. Please be patient though. If you don't see any progress (comments in the Bugzilla issue), then it is fine to nag after about one or two weeks. I do honestly appreciate that you are all busy but It could go a long way to encouraging new users to help chip in if they felt there was adaquate feedback. Much better to be honest though than to pamper to them. If anythings wrong with what I did I'd love to know but If it was okay I'd like to know also. If it gets committed to the Tomcat source, you will see, whether there was a need to change anything. All changes applied to the code are public. If this is a subject for the dev mail list then I'd appreciate being told that too. I didn't want to interrupt the dev mail list as it seems pretty busy with svn commits and bugzilla reports. It is in the middle of the two lists, since most of the discussion was here (users) I understand you reply here. If there is need to discuss technical details of the patch, the discussion will switch over to Bugzilla, or if the discussion switches topic, like starting to discuss a more general implementation thing it might switch to the dev list. In case your not in a threaded email client the link was https://issues.apache.org/bugzilla/show_bug.cgi?id=49811 again. Thanks for starting to contribute! Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat load balancing question x problem
On 27.08.2010 14:17, Thiago Locatelli da Silva wrote: Hello list! :) Here at work I was asked to give a try on load balancing two tomcat servers running tomcat 6.0.29. The problem is that I was given only two servers to do this, what gave me only one option: run the apache in one of these servers. So I decided to put the apache httpd server which is going to balance the load among the two tomcat server in the Server A (suppousing I have server A and B running linux). My application which needs to be balanced has /agent context. Everytime I access the URL http://servera/agent my request is redirect either to http://servera:8080/agent or http://serverb:8080/agent. To my understanding, with load balancing, my url would remain http://servera/agent and the redirect would take place behing the scene and I would never see any redirect to tomcat connector port (8080). By the way, i am running the load balancing with mod_proxy in the apache server and my configuration is as follow: = ProxyPass /balancer-manager ! ProxyPass /status ! ProxyStatus On ProxyRequests Off Location /balancer-manager SetHandler balancer-manager Order Deny,Allow Deny from all Allow from localhost /Location Location /status SetHandler server-status Order Deny,Allow Deny from all Allow from all /Location Proxy * Order deny,allow Allow from all /Proxy Proxy balancer://cluster BalancerMember http://servera:8080/agent/ route=worker0 keepalive=On loadfactor=1 BalancerMember http://serverb:8080/agent/ route=worker1 keepalive=On loadfactor=1 ProxySet lbmethod=byrequests maxattempts=3 stickysession=JSESSIONID|jsessionid /Proxy Location /agent ProxyPass balancer://cluster/ stickysession=JSESSIONID ProxyPassReverse balancer://cluster/ /Location = Not happy with this scenario, i decided to install the apache httpd server in my laptop and made it as my load balancer instead of using servera to load balance. For my surprise, it worked out of the box with no extra configuration other than the one set up in my servera. I see no redirects to 8080 tomcat's port, due to my overall tests i could see only my desired url: http//localhost/agent (since i was running my tests with apache installed locally). So my question is: does it make sense to have the load balancer in the same server as one of the balanced server/application? Does mod_proxy support this? Many thanks for all the attention The wrong redirect URLs should have been rewritten by ProxyPassReverse. Note that using the balancer URL in ProxyPassReverse only works starting with Apache 2.2.12. Before you had to give one ProxyPassReverse statement for each backend URL configured as part of the balancer, e.g. ProxyPassReverse /agent http://servera:8080/agent ProxyPassReverse /agent http://serverb:8080/agent It is simply a rule to rewrite the Location header contained in any 30x response, i.e. replacing the string to the right with the string to the left (if it prefixes the Location URL). I suggest you - make sure you have a recent Apache (2.2.16 is the latest 2.2.x) - inspect the exact redirect response using a browser plugin or network sniffing, especially check the contents of the Location header - try using the split ProxyPassReverse pr backend configuration Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat load balancing question x problem
On 27.08.2010 19:22, Thiago Locatelli da Silva wrote: Hi Rainer, I followed your suggestions and it seems to be working, the load balacing, now i need to look into why my application, created with gwt + comet is not working. It seems that comet stopped working. Any information about what the solution was? Upgrading Apache, using the backend server URLs in ProxyPassReverse, something else? Regards, Rainer Rainer Jung escreveu: On 27.08.2010 14:17, Thiago Locatelli da Silva wrote: Hello list! :) Here at work I was asked to give a try on load balancing two tomcat servers running tomcat 6.0.29. The problem is that I was given only two servers to do this, what gave me only one option: run the apache in one of these servers. So I decided to put the apache httpd server which is going to balance the load among the two tomcat server in the Server A (suppousing I have server A and B running linux). My application which needs to be balanced has /agent context. Everytime I access the URL http://servera/agent my request is redirect either to http://servera:8080/agent or http://serverb:8080/agent. To my understanding, with load balancing, my url would remain http://servera/agent and the redirect would take place behing the scene and I would never see any redirect to tomcat connector port (8080). By the way, i am running the load balancing with mod_proxy in the apache server and my configuration is as follow: = ProxyPass /balancer-manager ! ProxyPass /status ! ProxyStatus On ProxyRequests Off Location /balancer-manager SetHandler balancer-manager Order Deny,Allow Deny from all Allow from localhost /Location Location /status SetHandler server-status Order Deny,Allow Deny from all Allow from all /Location Proxy * Order deny,allow Allow from all /Proxy Proxy balancer://cluster BalancerMember http://servera:8080/agent/ route=worker0 keepalive=On loadfactor=1 BalancerMember http://serverb:8080/agent/ route=worker1 keepalive=On loadfactor=1 ProxySet lbmethod=byrequests maxattempts=3 stickysession=JSESSIONID|jsessionid /Proxy Location /agent ProxyPass balancer://cluster/ stickysession=JSESSIONID ProxyPassReverse balancer://cluster/ /Location = Not happy with this scenario, i decided to install the apache httpd server in my laptop and made it as my load balancer instead of using servera to load balance. For my surprise, it worked out of the box with no extra configuration other than the one set up in my servera. I see no redirects to 8080 tomcat's port, due to my overall tests i could see only my desired url: http//localhost/agent (since i was running my tests with apache installed locally). So my question is: does it make sense to have the load balancer in the same server as one of the balanced server/application? Does mod_proxy support this? Many thanks for all the attention The wrong redirect URLs should have been rewritten by ProxyPassReverse. Note that using the balancer URL in ProxyPassReverse only works starting with Apache 2.2.12. Before you had to give one ProxyPassReverse statement for each backend URL configured as part of the balancer, e.g. ProxyPassReverse /agent http://servera:8080/agent ProxyPassReverse /agent http://serverb:8080/agent It is simply a rule to rewrite the Location header contained in any 30x response, i.e. replacing the string to the right with the string to the left (if it prefixes the Location URL). I suggest you - make sure you have a recent Apache (2.2.16 is the latest 2.2.x) - inspect the exact redirect response using a browser plugin or network sniffing, especially check the contents of the Location header - try using the split ProxyPassReverse pr backend configuration Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org