Re: http-tomcat - AJP ilink receive failed - 500/503 errors
Thanks for the tips Chris. I had tried AJP PING/PONG options which worked for a while, but not consistently. Seems like a better solution would be to work with network folks regarding firewall config. Just want to mention a nice Perl script that I found during debugging: http://www.perlmonks.org/?node_id=766945 , useful for sending AJP ping requests to Tomcat independent of web server. -- Shantanu. On Dec 16, 2010, at 1:54 PM, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Shantanu, On 12/15/2010 5:45 PM, Shantanu Pavgi wrote: There was a firewall between two systems (distinct from CentOS iptables), which dropped (idle) connections after some time. Not sure about exact firewall config here. The Apache web server would throw an 500/503 error when it tried to reuse an open connection which firewall had already closed. The issue was resolved by using disablereuse parameter in ProxyPass directive. http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass mod_jk (and therefore AJP) supports a ping operation in order to keep the channels open but validate them (and re-connect if necessary) before using them. You might want to look for those options in mod_proxy_ajp to improve performance. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk0Kbn4ACgkQ9CaO5/Lv0PBZGACfVg8rodAPEAn7bhqm3OGJrifC SrkAoIeWVDqZ+3Q0i4g8hcJ/10HXLrxY =9H2n -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: http-tomcat - AJP ilink receive failed - 500/503 errors
Sorry for the late reply. But it might help someone having similar issue. There was a firewall between two systems (distinct from CentOS iptables), which dropped (idle) connections after some time. Not sure about exact firewall config here. The Apache web server would throw an 500/503 error when it tried to reuse an open connection which firewall had already closed. The issue was resolved by using disablereuse parameter in ProxyPass directive. http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass Thanks for the suggestions. -- Shantanu Pavgi. On Sep 28, 2010, at 4:25 PM, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Pid, On 9/17/2010 4:42 PM, Pid wrote: On 17/09/2010 16:57, Shantanu Pavgi wrote: Hi, I have a Apache http server and a Tomcat server configured using AJP connector (mod_proxy_ajp). The http server serves HTML/PHP pages and also proxies Java webapp requests to back-end Tomcat server. System config: * Both servers are running as Virtual Machines * CentOS 5.4 * Apache Tomcat 6.0.26 and Sun JDK 1.6 * Apache http: 2.2.3 (it's old, but that's what comes with default CentOS repo) If you really have 2.2.3 and not a 2.2.3 that's been patched subsequently, then you're at risk of running into bugs in mod_proxy_ajp that have already been patched. +1 2.2.3 was the first release version containing that module and it was definitely buggy, so you really need to look at upgrading HTTPD before expending more time trying to solve the problem. +1 Another option would be to use mod_jk, which uses the same protocol (though wildly different configuration), and might be easier to install than trying to get an httpd upgrade accomplished. It's also much more well-tested and has more options for tweaking than mod_proxy_ajp (from my limited reading). - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkyiXVYACgkQ9CaO5/Lv0PAgqQCffT3C2bTbkje+zQDjSrm8GVZy RHsAoMH8nwfLhi05oHsnRQ8knR1lEfac =OdvG -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
http-tomcat - AJP ilink receive failed - 500/503 errors
Hi, I have a Apache http server and a Tomcat server configured using AJP connector (mod_proxy_ajp). The http server serves HTML/PHP pages and also proxies Java webapp requests to back-end Tomcat server. System config: * Both servers are running as Virtual Machines * CentOS 5.4 * Apache Tomcat 6.0.26 and Sun JDK 1.6 * Apache http: 2.2.3 (it's old, but that's what comes with default CentOS repo) We are getting HTTP 500/503 errors quite frequently, but they appear to be random in nature and hence difficult to debug. I have tried increasing following config parameters, but it didn't help: * On http server: max and smax connections in proxy_ajp.conf * On Tomcat server: maxThreads and maxSpareThreads in Tomcat's server.xml Following logs were seen on both sides: == Apache http server == * In browser: 500/503 - internal server error. * In Apache logs at debug mode - same logs for 500 and 503 error: {{{ [Wed Sep 15 22:50:09 2010] [debug] ajp_header.c(430): ajp_marshal_into_msgb: Done [Wed Sep 15 22:50:09 2010] [debug] mod_proxy_ajp.c(239): proxy: APR_BUCKET_IS_EOS [Wed Sep 15 22:50:09 2010] [debug] mod_proxy_ajp.c(244): proxy: data to read (max 8186 at 4) [Wed Sep 15 22:50:09 2010] [debug] mod_proxy_ajp.c(259): proxy: got 0 bytes of data [Wed Sep 15 22:50:09 2010] [error] ajp_read_header: ajp_ilink_receive failed [Wed Sep 15 22:50:09 2010] [error] (120006)APR does not understand this error code: proxy: read response failed from 10.0.0.10:9080 (tomcat.lab.uab.edu) [Wed Sep 15 22:50:09 2010] [debug] proxy_util.c(2062): proxy: AJP: has released connection for (tomcat.lab.uab.edu) [Wed Sep 15 22:50:09 2010] [debug] ssl_engine_kernel.c(1765): OpenSSL: Write: SSL negotiation finished successfully [Wed Sep 15 22:50:09 2010] [info] [client 10.0.0.8] Connection closed to child 3 with standard shutdown (server httpd.lab.uab.edu:443) }}} * tcpdump on Apache http server: Shows a packet going out to Tomcat server == Tomcat server == * In Tomcat logs catalina.out: No logs * In Tomcat access logs catalina.out: No logs * tcpdump on Tomcat: No incoming packet seen The request doen't seem to reach Tomcat at all. I have checked syslog (/var/log/messages), but I don't see any dropped packet logs as well. Anyone else had this issues before? Any pointers on how to debugs this would be really helpful. Thanks, Shantanu Pavgi. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
no response although process is running
I am running into an issue where tomcat is not responding to any requests, but server process appears to be running fine. Following is the system config: CentOS 5.4, Sun JDK 1.5 and Tomcat 5.5.28 (not CentOS packaged, from tomcat site). A tcpdump on http listener port shows activity when a request is received, but there is no activity in tomcat logs. I have enabled FastCommonAccessLogValve in server.xml and that doesn't show any requests as well. I had to restart tomcat to continue development activity and it is working fine now, but this has occurred many times in last couple of weeks. Any pointers on debugging this further would be really helpful? Any particular logging config that I should look into? -- Thanks, Shantanu. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: IP based request filters for admin/manager
I don't have a solution, but just wanted to comment that examples in the doc are correct. See API doc: http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/valves/RequestFilterValve.html#allow The 'allow' field uses String expression and 'allows' uses Java Regex package. I have seen similar problems with Tomcat 5.527/28 and 6.0 on CentOS and Ubuntu, but they were not consistent to reproduce. Packages were downloaded from tomcat site and were not platform specific builds. I was running tomcat on non-standard port (not 8080 port) though. -- Shantanu Pavgi. From: Konstantin Kolinko [knst.koli...@gmail.com] Sent: Sunday, July 18, 2010 11:16 AM To: Tomcat Users List Subject: Re: IP based request filters for admin/manager 2010/7/18 Johan Martinez jmart...@gmail.com: I was wondering how to configure Request Filters to allow access to admin, manager, status-report, etc... I followed tomcat doc: http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters and I was able to restrict access by specifying webapp names, e.g.: [[[ Context path=/manager Valve className=org.apache.catalina.valves.RemoteAddrValve allow=127.0.0.1 deny=/ /Context ]]] as said in http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html#Remote%20Address%20Filter the allow and deny attributes are regular expressions. So, '.' has to be escaped as '\.'. (an example in http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters is wrong) I would recommend to omit the deny attribute instead of setting it to an empty string. If there are doubts, the source code for the classes is available. * I put following in the $CATALINA_HOME/webapps/ROOT/META-INF/context.xml , but it's not working. (...) Also, this file is not being copied as $CATALINA_HOME/conf/Catalina/localhost/ROOT.xml. The file in /conf/ takes priority over the one in the webapp's META-INF, because it can be edited by a local administrator. The copying from webapp's META-INF to tomcat's conf/ occurs only when the file in conf/ does not exist, e.g. when a new web application is deployed. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org