Honestly, thank you for your replies and helping me step through this. I was at my wits end with no known place to go. I appreciate it, truly.
I have to leave now to be somewhere in like 15 minutes, so I cant really get in to all this now, but I read it. and I will dedicate time to it tomorrow at work. Yes: A works B works C does not work I am waiting on the vendor BMC Software to get back to me on this. I should add also that I have another application which is not Tomcat, but I do the same F5 -> Apache HTTP Server (2.2.31) -> App Server, which HTTPS termination on Apache HTTP Server, and it works perfectly. I asked the Network Folks to compare the configs and they say the config is good. I will also escalate here at my company and perhaps when I have even more ammo (logs per your request and such) to get F5 support involved. I suspect they'll probably try to point the finger elsewhere, which will make this an even bigger hassle. On Tue, Feb 21, 2017 at 3:39 PM, André Warnier (tomcat) <a...@ice-sa.com> wrote: > On 21.02.2017 23:28, Aaron Gray wrote: > >> Antonio: The Tomcat server has no knowledge of the F5, or that it is >> being >> fronted by an Apache HTTP Server. I do SSL termination in Apache HTTP >> Server, and clear-text from HTTP to Tomcat. >> My redirect port for the normal HTTP listen in Tomcat is commented out. >> <Connector port="18080" protocol="HTTP/1.1" >> connectionTimeout="20000" /> >> <!-- A "Connector" using the shared thread pool--> >> <!-- >> <Connector executor="tomcatThreadPool" >> port="8080" protocol="HTTP/1.1" >> connectionTimeout="20000" >> redirectPort="8443" /> >> --> >> >> Andre: >> The URL I am using is https://loadbalancer.domain.com >> It is listening on port 80 and 443, if you hit 80, internally it redirects >> you to 443. No SSL cert on the F5 load balancer. It simply sends the >> traffic to one of the two HTTP servers (round-robin, also tried >> persistence, no difference). The HTTP server is listening only for HTTPS >> on 23270/tcp. >> >> Hitting https://loadbalancer.domain.com >> I see my "Hello world!" which is all that is in index.html. This is the >> DocumentRoot of HTTP, and *not* proxied over at this time. >> > > So in this case, there is no delay, and you get the Apache httpd-hosted > "index.html" containing "Hello World. Right ? > > Only > >> /SelfService and /static are proxied >> /static just being my test of static content, but still served up by >> Tomcat.. >> >> It's exactly 30 seconds before the page cannot be loaded when trying >> anything proxied to Tomcat, but also accessed via the F5 load balancer. >> Not sure where the 30 seconds comes from; perhaps a load balancer time >> out, >> as I dont see a "30" in my httpd configurations or my tomcat server.xml >> >> > You can certainly look at the Apache httpd logs, and the tomcat logs, to > see if you get a request or not. > In Apache httpd, you can set the loglevel individually for mod_proxy (if > you are running v 2.4), and it should show something if it gets this > request and forwards it to tomcat. > In tomcat, you can either enable an access log (which will show if it > receives this request), or you could temporarily remove/rename the /static > webapp. This way, it should trigger an error "not found" which you would > also see in the error log. > > There should be nothing between them to hinder it. We have many load >> balancers and this one specifically you dont need to open any firewall >> requests for the specific networks the HTTP servers are on. I did have to >> get the firewall opened up to allow me to hit >> https://loadbalancer.domain.com because the VIP for " >> loadbalancer.domain.com" >> is in the DMZ, and my Desktop & VPN networks cannot hit it on 80/443 >> without opening holes. But beyond that, any connection from the F5 to the >> HTTP Server should be 100% open bi-directional, since same subnet. >> >> > But something isn't working, otherwise you would not be asking. > So, > > a) hitting the tomcat webapps through httpd seems to be working fine > (browser -> httpd:23270 -> tomcat:18080 -> webapp or static) > > b) hitting a non-proxied-to-tomcat resource of httpd seems to work fine > too, even through the F5 > (browser -> F5:443 -> httpd:23270 -> html page) > > c) it is only when you do : > (browser -> F5:443 -> httpd:23270 -> tomcat:18080 -> webapp or static) > that you see this issue > > It would really help if you looked in the logs of both httpd and tomcat, > and checked for differences betweens cases a, b and c above. > > I believe that the F5 message with the port 23270 is a minor issue, of > information disclosure by the F5, that it should not disclose. > > But the reason why it returns this error is obviously that in that case, > it does not get a response from his request to httpd. > The reason for this response not coming back to the F5 (in case c only), > can be due to either httpd or tomcat. But F5 doesn't know about tomcat. So > for the F5, it is httpd which is not responding. Thus, > - either httpd is never getting the request from the F5 (unlikely, because > in b above it gets it and responds) > - or httpd is getting the request from the F5, but not forwarding it to > tomcat, but also not returning an immediate error response to F5 (which > seems also unlikely, because of a and b) > - or httpd is getting the request, forwarding it to tomcat, but not > getting a response from tomcat. So > - either tomcat is never getting the request from httpd (but in a, it > gets it) > - or tomcat is getting the request from httpd, but not responding (but > in a, it does) > - or tomcat is getting the request and responding, but the response > never gets back to httpd (but in a, it does) > > So if a and b and c are all accurate, there is something apparently > illogical happening. > This would lead to the conclusion that a and b and c cannot all be > accurate. > > The logs.. ? > > > > On Tue, Feb 21, 2017 at 2:05 PM, Antonio S. Cofino <cofi...@gmail.com> >> wrote: >> >> Aaron, on tomcat instances change the redirectPort attributte on the http >>> conectó to the loabbalancer's port 443 >>> >>> My guess is that your webapp has restriction rule requesting SSL con >>> fidntial channel. Therefore the non-confidential to the 18080 port from >>> the >>> balancer are redirected to the 23270 port, but it should be 443. >>> >>> Antonio >>> >>> >>> >>> El 21/2/2017 19:46, "Aaron Gray" <aaronmg...@gmail.com> escribió: >>> >>> I have an application server from a vendor that comes bundled with an >>> additional Apache Tomcat server. The webapp SelfService.war is vendor >>> supplied too. >>> >>> Here's my problem (IP's replaced to protect the innocent): >>> >>> networks: >>> DMZ=172.x.x.x >>> INTERNAL=10.x.x.x >>> >>> server1 https listen = 172.1.1.1:23270 >>> server2 https listen = 172.1.1.2:23270 >>> F5 load balancer hostname = loadbalancer.domain.com:443 >>> backend tomcat server = 10.1.1.1:18080 >>> >>> mod_proxy configuration: >>> ProxyPass /SelfService http://10.1.1.1:18080/SelfService >>> ProxyPassReverse /SelfService http://10.1.1.1:18080/SelfService >>> >>> When I access these DMZ webservers which mod_proxy back to Apache Tomcat >>> as: >>> https://172.1.1.1:23270/SelfService >>> and >>> https://172.1.1.2:23270/SelfService <https://172.1.1.1:23270/SelfService >>> > >>> They load properly. Perfectly, every time! >>> >>> When I access these DMZ webservers via the F5 load balancer (to which I >>> dont have access to, but the network folks configure for me), it hangs. >>> Eventually returns: >>> https://loadbalancer.domain.com:23270/SelfService >>> cant load. >>> >>> No idea why the URL is being re-written with the ":23270". >>> I added static content to the server.xml on 10.1.1.1 (Tomcat) to test: >>> <Context docBase="/path/to/tomcat/static" path="/static" /> >>> Then put a simple index.html in there. Accessing via the Apache Web >>> Servers works fine, but if you hit it with the Load Balancer it once >>> again >>> adds the https://loadbalancer.domain.com:23270/static >>> >>> Do you have any thoughts? Thanks so much, I have been working with this >>> for weeks now with no success >>> >>> >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
