Re: Http11AprProtocol took 2 hr to init on http-443
To make port 80 use APR and port 443 NOT use APR, I have tried it several times, without any luck. After tomcat starts, port 80 is fine, but connections to port 443 are always timeout. It looks from the log the Http11BaseProtocol was not used on port 443. The log looks like: === Jun 22, 2006 1:33:14 PM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-80 Jun 22, 2006 1:33:14 PM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-443 Jun 22, 2006 1:33:14 PM org.apache.coyote.ajp.AjpAprProtocol init INFO: Initializing Coyote AJP/1.3 on ajp-8009 Jun 22, 2006 1:33:14 PM org.apache.catalina.startup.Catalina load INFO: Initialization processed in 1554 ms Jun 22, 2006 1:33:14 PM org.apache.catalina.core.StandardService start INFO: Starting service Catalina Jun 22, 2006 1:33:14 PM org.apache.catalina.core.StandardEngine start INFO: Starting Servlet Engine: Apache Tomcat/5.5.17 Jun 22, 2006 1:33:14 PM org.apache.catalina.core.StandardHost start INFO: XML validation disabled Jun 22, 2006 1:33:15 PM org.apache.catalina.core.ApplicationContext log INFO: ContextListener: contextInitialized() Jun 22, 2006 1:33:15 PM org.apache.catalina.core.ApplicationContext log INFO: SessionListener: contextInitialized() Jun 22, 2006 1:33:15 PM org.apache.catalina.core.ApplicationContext log INFO: org.apache.webapp.balancer.BalancerFilter: init(): ruleChain: [org.apache. webapp.balancer.RuleChain: [org.apache.webapp.balancer.rules.URLStringMatchRule: Target string: News / Redirect URL: http://www.cnn.com], [org.apache.webapp.bal ancer.rules.RequestParameterRule: Target param name: paramName / Target param va lue: paramValue / Redirect URL: http://www.yahoo.com], [org.apache.webapp.balanc er.rules.AcceptEverythingRule: Redirect URL: http://jakarta.apache.org]] Jun 22, 2006 1:33:15 PM org.apache.catalina.core.ApplicationContext log INFO: ContextListener: contextInitialized() Jun 22, 2006 1:33:15 PM org.apache.catalina.core.ApplicationContext log INFO: SessionListener: contextInitialized() Jun 22, 2006 1:33:16 PM org.apache.coyote.http11.Http11AprProtocol start INFO: Starting Coyote HTTP/1.1 on http-80 Jun 22, 2006 1:33:16 PM org.apache.coyote.http11.Http11AprProtocol start INFO: Starting Coyote HTTP/1.1 on http-443 Jun 22, 2006 1:33:16 PM org.apache.coyote.ajp.AjpAprProtocol start INFO: Starting Coyote AJP/1.3 on ajp-8009 Jun 22, 2006 1:33:16 PM org.apache.catalina.storeconfig.StoreLoader load INFO: Find registry server-registry.xml at classpath resource Jun 22, 2006 1:33:16 PM org.apache.catalina.startup.Catalina start INFO: Server startup in 2840 ms = I built the jni connectors without ssl: ./buildconf --with-apr=/usr/local/apr --without-ssl ./configure --with-apr=/usr/local/apr --without-ssl make make install My connectors figuration: Connector port=80 maxHttpHeaderSize=8192 maxThreads=150 minSpareThreads=25 maxSpareThreads=75 enableLookups=false redirectPort=443 acceptCount=100 connectionTimeout=2 debug=0 disableUploadTimeout=true / Connector class=org.apache.coyote.http11.Http11BaseProtocol port=443 maxHttpHeaderSize=8192 maxThreads=150 minSpareThreads=25 maxSpareThreads=75 enableLookups=false disableUploadTimeout=true debug=0 scheme=https secure=true acceptCount=100 clientAuth=false keystoreType=PKCS12 keystoreFile=/data/CA/mycert.p12 keystorePass=mypass / Please correct me if anything wrong. From my point of view, APR optimization on port 80 is very important for static content, but not important as on port 443. Since I could not wait Http11AprProtocol initialization on port 443 for 2+ hours on my FC5-amd_64, I would be very happy to see if Http11AprProtocol works on port 80 and Http11BaseProtocol works on port 443 with PKCS12 certificate. Regards, Jeff Markus Schönhaber wrote: Mladen Turk wrote: Markus Schönhaber wrote: Maybe someone of the devs chimes in and proves me right or wrong. Use class=org.apache.coyote.http11.Http11BaseProtocol inside Connector ... Thanks for proving me wrong ;-) Regards mks - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Http11AprProtocol took 2 hr to init on http-443
Jeff Chuang wrote: To make port 80 use APR and port 443 NOT use APR, I have tried it several times, without any luck. After tomcat starts, port 80 is fine, but connections to port 443 are always timeout. It looks from the log the Http11BaseProtocol was not used on port 443. The log looks like: [...] I've just tried to configure a Connector which uses the Http11BaseProtocol by setting the attribute class=org.apache.coyote.http11.Http11BaseProtocol on the Connector element. If the nativ lib was present, Http11AprProtocol was used nevertheless. Maybe my guess that APR is always used when the native lib is present wasn't that wrong. BTW: the HTTPS configuration attributes needed for a Base Connector differ from those needed for an Apr Connector. Since APR is used for your Connector on port 443 but the config is suited for Base, you have - after all - configured a normal HTTP Connector on port 443. That's what the timeout you're seeing stems from. If you do http://your host:443 instead of https://your host it will propably work - but the connection will not be encrypted obviously. Of course this doesn't help you, it's simply meant as an explanation. Regards mks - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Http11AprProtocol took 2 hr to init on http-443
On 6/22/06, Markus Schönhaber [EMAIL PROTECTED] wrote: Jeff Chuang wrote: To make port 80 use APR and port 443 NOT use APR, I have tried it several times, without any luck. After tomcat starts, port 80 is fine, but connections to port 443 are always timeout. It looks from the log the Http11BaseProtocol was not used on port 443. The log looks like: [...] I've just tried to configure a Connector which uses the Http11BaseProtocol by setting the attribute class=org.apache.coyote.http11.Http11BaseProtocol on It should actually be: protocol=org.apache.coyote.http11.Http11Protocol -- x Rémy Maucherat Developer Consultant JBoss Inc x - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Http11AprProtocol took 2 hr to init on http-443
Remy Maucherat wrote: On 6/22/06, Markus Schönhaber [EMAIL PROTECTED] wrote: I've just tried to configure a Connector which uses the Http11BaseProtocol by setting the attribute class=org.apache.coyote.http11.Http11BaseProtocol on It should actually be: protocol=org.apache.coyote.http11.Http11Protocol Yep, that works. Thanks Rémy. Regards mks - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Http11AprProtocol took 2 hr to init on http-443
Thanks Rémy,it works. And thanks Markus, you help me go through all the discussion and make it work. :) Regards, Jeff Markus Schönhaber wrote: Remy Maucherat wrote: On 6/22/06, Markus Schönhaber [EMAIL PROTECTED] wrote: I've just tried to configure a Connector which uses the Http11BaseProtocol by setting the attribute class=org.apache.coyote.http11.Http11BaseProtocol on It should actually be: protocol=org.apache.coyote.http11.Http11Protocol Yep, that works. Thanks Rémy. Regards mks - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Http11AprProtocol took 2 hr to init on http-443
Jeff Chuang wrote: I could reproduce this problem on ALL my dual core AMD Opteron servers running FC5-x86_64. Not sure it is OS porting problem? JVM problem? native jni problem? or combination? Is it possible to configure Tomcat to use APR on port 80, but disable APR on port 443 to use regular java keystore PKCS12 format? I have tried to build jni connectors using --without-ssl option and configure connector on 443 with PKCS12 keystoreType and certificate(which works without APR) in server.xml. However, port 80 works fine, but port 443 does not(still use Http11AprProtocol, NOT Http11BaseProtocol). Any work around suggestion? thanks. Since I'm not too familiar with Tomcat's code I can't give an authorative answer, but I doubt that's possible to mix Base and APR Connectors. AFAICT Tomcat uses APR if tcnative can be loaded and is usable, and it does so for all configured Connectors. Maybe someone of the devs chimes in and proves me right or wrong. Regards mks - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Http11AprProtocol took 2 hr to init on http-443
Markus Schönhaber wrote: Maybe someone of the devs chimes in and proves me right or wrong. Use class=org.apache.coyote.http11.Http11BaseProtocol inside Connector ... Regards, Mladen. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Http11AprProtocol took 2 hr to init on http-443
Mladen Turk wrote: Markus Schönhaber wrote: Maybe someone of the devs chimes in and proves me right or wrong. Use class=org.apache.coyote.http11.Http11BaseProtocol inside Connector ... Thanks for proving me wrong ;-) Regards mks - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Http11AprProtocol took 2 hr to init on http-443
Jeff Chuang wrote: Thanks for responses. If I put connector ajp-8009 configuration block BEFORE connector http-443 in server.xml, the log looks like Jun 19, 2006 5:33:11 PM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-80 Jun 19, 2006 5:33:11 PM org.apache.coyote.ajp.AjpAprProtocol init INFO: Initializing Coyote AJP/1.3 on ajp-8009 Jun 19, 2006 7:43:48 PM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-443 Jun 19, 2006 7:43:48 PM org.apache.catalina.startup.Catalina load INFO: Initialization processed in 7840211 ms So I believe ports 80 and 8009 are ok, the initialization problem is only on port 443 I start tomcat by jsvc as root, and use openssl to generate self-signed certificate. After 2+ hours initialization, everything works fine and the ssl connector performance is excellent. Is it possible that any share library of openssl caused this initialization problem(delay)? I have also seen this with one of my Tomcats. But since for me the HTTPS APR Connector needs only 30 sec - 2 min to come up and not hours, it hasn't bothered me enough to dig deeper into it. The first time I saw this was with a Tomcat running on UML in a chroot. I thought I solved the problem by bind-mounting /dev/random in the chroot. But it seems it was only an accident that it worked after that and not because the underlying problem was solved. So, I can't give any help, I just can confirm that you're not the only one seeing this. Regards mks - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Http11AprProtocol took 2 hr to init on http-443
Stephen Souness wrote: Could it be related to some problems that Java has had on some Linux distributions with obtaining entropy for its random number generation for encryption? In the past (a few years back admittedly) we encountered a problem when trying to connect our application to an https site. Changing the securerandom.source entry in ${JAVA_HOME}/jre/lib/security/java.security to file:/dev/urandom solved it for us. On the machine I've seen this phenomenon securerandom.source is already set to file:/dev/urandom. Since I didn't change the java.security file it seems to be the standard on 1.5 JVMs. Regards mks - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Http11AprProtocol took 2 hr to init on http-443
Thanks for responses. If I put connector ajp-8009 configuration block BEFORE connector http-443 in server.xml, the log looks like Jun 19, 2006 5:33:11 PM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-80 Jun 19, 2006 5:33:11 PM org.apache.coyote.ajp.AjpAprProtocol init INFO: Initializing Coyote AJP/1.3 on ajp-8009 Jun 19, 2006 7:43:48 PM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-443 Jun 19, 2006 7:43:48 PM org.apache.catalina.startup.Catalina load INFO: Initialization processed in 7840211 ms So I believe ports 80 and 8009 are ok, the initialization problem is only on port 443 I start tomcat by jsvc as root, and use openssl to generate self-signed certificate. After 2+ hours initialization, everything works fine and the ssl connector performance is excellent. Is it possible that any share library of openssl caused this initialization problem(delay)? David Smith wrote: Looks to me more like port 80 is taking 2+ hours to initialize, not 443. My guess is tomcat is waiting for something -- possibly a system service. At anyrate, I don't experience that here on any version of tomcat or JDK. --David Jeff Chuang wrote: Hi, After starting tomcat from jsvc as service, it took 7840217 ms to initialize Http11AprProtocol on http-443, during which port 80 was blocked. There was no error found in jsvc debug info, neither was catalina.out. After initialization on port 443, everything works(both ports 80 and 443). It occurs every service restart. Is anyone experiencing this problem? Any common would be appreciated. Jeff System info: Hardware platform: AMD Opteron Dual core 165 on Tyan 2865 board with 1G memory OS: Linux FC-5-x86_64 JDK: Sun 1.5.0_07-b03 Openssl:0.9.8b Apr: 1.2.7 Tomcat: 5.5.17 catalina.out: Jun 19, 2006 1:43:28 PM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-80 Jun 19, 2006 3:54:05 PM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-443 Jun 19, 2006 3:54:05 PM org.apache.coyote.ajp.AjpAprProtocol init INFO: Initializing Coyote AJP/1.3 on ajp-8009 Jun 19, 2006 3:54:05 PM org.apache.catalina.startup.Catalina load INFO: Initialization processed in 7840217 ms Jun 19, 2006 3:54:06 PM org.apache.catalina.core.StandardService start INFO: Starting service Catalina Jun 19, 2006 3:54:06 PM org.apache.catalina.core.StandardEngine start INFO: Starting Servlet Engine: Apache Tomcat/5.5.17 Jun 19, 2006 3:54:06 PM org.apache.catalina.core.StandardHost start INFO: XML validation disabled Jun 19, 2006 3:54:09 PM org.apache.catalina.core.ApplicationContext log INFO: ContextListener: contextInitialized() Jun 19, 2006 3:54:09 PM org.apache.catalina.core.ApplicationContext log INFO: SessionListener: contextInitialized() Jun 19, 2006 3:54:09 PM org.apache.catalina.core.ApplicationContext log INFO: org.apache.webapp.balancer.BalancerFilter: init(): ruleChain: [org.apache.webapp.balancer.RuleChain: [org.apache.webapp.balancer.rules.URLStringMatchRule: Target string: News / Redirect URL: http://www.cnn.com], [org.apache.webapp.balancer.rules.RequestParameterRule: Target param name: paramName / Target param value: paramValue / Redirect URL: http://www.yahoo.com], [org.apache.webapp.balancer.rules.AcceptEverythingRule: Redirect URL: http://jakarta.apache.org]] Jun 19, 2006 3:54:10 PM org.apache.catalina.core.ApplicationContext log INFO: ContextListener: contextInitialized() Jun 19, 2006 3:54:10 PM org.apache.catalina.core.ApplicationContext log INFO: SessionListener: contextInitialized() Jun 19, 2006 3:54:10 PM org.apache.coyote.http11.Http11AprProtocol start INFO: Starting Coyote HTTP/1.1 on http-80 Jun 19, 2006 3:54:10 PM org.apache.coyote.http11.Http11AprProtocol start INFO: Starting Coyote HTTP/1.1 on http-443 Jun 19, 2006 3:54:10 PM org.apache.coyote.ajp.AjpAprProtocol start INFO: Starting Coyote AJP/1.3 on ajp-8009 Jun 19, 2006 3:54:10 PM org.apache.catalina.storeconfig.StoreLoader load INFO: Find registry server-registry.xml at classpath resource Jun 19, 2006 3:54:11 PM org.apache.catalina.startup.Catalina start INFO: Server startup in 5291 ms SSL connector in server.xml: Connector port=443 maxHttpHeaderSize=8192 maxThreads=150 minSpareThreads=25 maxSpareThreads=75 enableLookups=false disableUploadTimeout=true debug=0 scheme=https secure=true acceptCount=100 SSLEngine=on SSLCertificateFile=/data/CA/mycert.crt SSLCertificateKeyFile=/data/CA/mykey.key SSLPassword=mypassword / - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe,
Re: Http11AprProtocol took 2 hr to init on http-443
Hi Could it be related to some problems that Java has had on some Linux distributions with obtaining entropy for its random number generation for encryption? In the past (a few years back admittedly) we encountered a problem when trying to connect our application to an https site. Changing the securerandom.source entry in ${JAVA_HOME}/jre/lib/security/java.security to file:/dev/urandom solved it for us. -- Stephen Souness Jeff Chuang wrote: Thanks for responses. If I put connector ajp-8009 configuration block BEFORE connector http-443 in server.xml, the log looks like Jun 19, 2006 5:33:11 PM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-80 Jun 19, 2006 5:33:11 PM org.apache.coyote.ajp.AjpAprProtocol init INFO: Initializing Coyote AJP/1.3 on ajp-8009 Jun 19, 2006 7:43:48 PM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-443 Jun 19, 2006 7:43:48 PM org.apache.catalina.startup.Catalina load INFO: Initialization processed in 7840211 ms So I believe ports 80 and 8009 are ok, the initialization problem is only on port 443 I start tomcat by jsvc as root, and use openssl to generate self-signed certificate. After 2+ hours initialization, everything works fine and the ssl connector performance is excellent. Is it possible that any share library of openssl caused this initialization problem(delay)? David Smith wrote: Looks to me more like port 80 is taking 2+ hours to initialize, not 443. My guess is tomcat is waiting for something -- possibly a system service. At anyrate, I don't experience that here on any version of tomcat or JDK. --David Jeff Chuang wrote: Hi, After starting tomcat from jsvc as service, it took 7840217 ms to initialize Http11AprProtocol on http-443, during which port 80 was blocked. There was no error found in jsvc debug info, neither was catalina.out. After initialization on port 443, everything works(both ports 80 and 443). It occurs every service restart. Is anyone experiencing this problem? Any common would be appreciated. Jeff System info: Hardware platform: AMD Opteron Dual core 165 on Tyan 2865 board with 1G memory OS: Linux FC-5-x86_64 JDK: Sun 1.5.0_07-b03 Openssl:0.9.8b Apr: 1.2.7 Tomcat: 5.5.17 catalina.out: Jun 19, 2006 1:43:28 PM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-80 Jun 19, 2006 3:54:05 PM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-443 Jun 19, 2006 3:54:05 PM org.apache.coyote.ajp.AjpAprProtocol init INFO: Initializing Coyote AJP/1.3 on ajp-8009 Jun 19, 2006 3:54:05 PM org.apache.catalina.startup.Catalina load INFO: Initialization processed in 7840217 ms Jun 19, 2006 3:54:06 PM org.apache.catalina.core.StandardService start INFO: Starting service Catalina Jun 19, 2006 3:54:06 PM org.apache.catalina.core.StandardEngine start INFO: Starting Servlet Engine: Apache Tomcat/5.5.17 Jun 19, 2006 3:54:06 PM org.apache.catalina.core.StandardHost start INFO: XML validation disabled Jun 19, 2006 3:54:09 PM org.apache.catalina.core.ApplicationContext log INFO: ContextListener: contextInitialized() Jun 19, 2006 3:54:09 PM org.apache.catalina.core.ApplicationContext log INFO: SessionListener: contextInitialized() Jun 19, 2006 3:54:09 PM org.apache.catalina.core.ApplicationContext log INFO: org.apache.webapp.balancer.BalancerFilter: init(): ruleChain: [org.apache.webapp.balancer.RuleChain: [org.apache.webapp.balancer.rules.URLStringMatchRule: Target string: News / Redirect URL: http://www.cnn.com], [org.apache.webapp.balancer.rules.RequestParameterRule: Target param name: paramName / Target param value: paramValue / Redirect URL: http://www.yahoo.com], [org.apache.webapp.balancer.rules.AcceptEverythingRule: Redirect URL: http://jakarta.apache.org]] Jun 19, 2006 3:54:10 PM org.apache.catalina.core.ApplicationContext log INFO: ContextListener: contextInitialized() Jun 19, 2006 3:54:10 PM org.apache.catalina.core.ApplicationContext log INFO: SessionListener: contextInitialized() Jun 19, 2006 3:54:10 PM org.apache.coyote.http11.Http11AprProtocol start INFO: Starting Coyote HTTP/1.1 on http-80 Jun 19, 2006 3:54:10 PM org.apache.coyote.http11.Http11AprProtocol start INFO: Starting Coyote HTTP/1.1 on http-443 Jun 19, 2006 3:54:10 PM org.apache.coyote.ajp.AjpAprProtocol start INFO: Starting Coyote AJP/1.3 on ajp-8009 Jun 19, 2006 3:54:10 PM org.apache.catalina.storeconfig.StoreLoader load INFO: Find registry server-registry.xml at classpath resource Jun 19, 2006 3:54:11 PM org.apache.catalina.startup.Catalina start INFO: Server startup in 5291 ms SSL connector in server.xml: Connector port=443 maxHttpHeaderSize=8192 maxThreads=150 minSpareThreads=25 maxSpareThreads=75 enableLookups=false disableUploadTimeout=true debug=0 scheme=https secure=true acceptCount=100 SSLEngine=on