2009/5/12 André Warnier <a...@ice-sa.com>:
> Michael Biebl wrote:
>>
>> 2009/5/12 André Warnier <a...@ice-sa.com>:
>>>
>>> Michael Biebl wrote:
>>>>
>>>> Hi,
>>>>
>>>> first of all, I'd like to say hi, as I'm new to the list.
>>>>
>>>> I hope you can help me with the following problem I have.
>>>> I run a stock Debian lenny installation with apache 2.2.9 and tomcat 6.0.18.
>>>> I'm using mod_proxy to forward the request to tomcat using ajp. The
>>>> apache vhost configuration looks like this:
>>>>
>>>> <VirtualHost *:80>
>>>>
>>>> ...
>>>> ProxyRequests Off
>>>> ProxyVia On
>>>> ProxyPass /t/ ajp://localhost:8009/barcooServer/t/
>>>> ProxyPass /ws/ ajp://localhost:8009/barcooServer/ws/
>>>> ProxyPass /reports/ ajp://localhost:8009/barcooServer/reports/
>>>> ProxyPass / ajp://localhost:8009/barcooWebsite/
>>>> ProxyPassReverse / ajp://localhost:8009/barcooWebsite/
>>>> ProxyPassReverseCookiePath /barcooWebsite /
>>>> ...
>>>>
>>>> </VirtualHost>
>>>>
>>>> The apache mpm prefork module is used with the following configuration.
>>>> <IfModule mpm_prefork_module>
>>>> StartServers 5
>>>> MinSpareServers 5
>>>> MaxSpareServers 10
>>>> MaxClients 200
>>>> MaxRequestsPerChild 0
>>>> </IfModule>
>>>>
>>>> The tomcat ajp connector configuration is as simple as
>>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>>>
>>>>
>>>> Now, when I get a lot of users access, the http connection via apache
>>>> slows down to a crawl
>>>> and I get a lot of the following messages in the kernel log:
>>>>
>>>> [2350915.113736] __ratelimit: 11 messages suppressed
>>>> [2350915.113742] TCPv6: Possible SYN flooding on port 8009. Dropping
>>>> request.
>>>>
>>>> apache and tomcat itself seem to be idling along, and the load is not
>>>> that high on the machine.
>>>>
>>>> Has anyone an idea what's going on there?
>>>>
>>> It seems to be something entirely outside of Apache and Tomcat.
>>> I'm no specialist, but a few names come to mind: iptables, denyhosts,
>>> SELinux?
>>
>> No selinux enabled, no iptables rules loaded, no denyhosts installed.
>>
>> My guess somehow is, that apache is opening too many ajp connections
>> to tomcat...
>>
> Apart from the answer given by Rainer,
>
> "too many" for whom? or, compared to what?
>
> Ok, granted, too many for something on your system, since the error messages
> were:
>>>> [2350915.113736] __ratelimit: 11 messages suppressed
>>>> [2350915.113742] TCPv6: Possible SYN flooding on port 8009. Dropping
>>>> request.
>
> Let's take these messages at face value.
> A "SYN" is the first packet that a client sends to a server, to establish a
> connection.
> A "SYN flood" is a type of attack, whereby some nefarious agent will flood
> the server with SYN requests for new connections, trying to bring it down.
> The "_ratelimit" part seems to indicate that there is some rate limit to new
> connections set up in your system. That is usually a parameter defining how
> many new connections can be accepted per minute on some port.
>
> The Apache part of the connector indeed needs to establish connections to
> the back-end Tomcat, in your case to port 8009. If the configuration is very
> deficient, it may need to establish more connections than strictly
> necessary, but not I believe enough to justify a real "SYN flood" suspicion.
>
> As far as I know also - referring to the "too many" bit - Tomcat will
> happily accept hundreds of connections on port 8009, and depending on what
> you run this on, can support hundreds of simultaneous threads processing
> requests.
As you can see, I have 4 ProxyPass directives. Does that mean that I will
get 4 ajp connections from apache to tomcat per user request, i.e. if say
200 users are online I have 800 connections open?
Is it correct, that apache uses ipv6 for the ajp connection (as the log is
talking about tcpv6)?

> And it is not Tomcat complaining, it is some other system component that
> writes to kernel.log.

I know, it's the kernel that is dropping the connections.
I'm wondering if there is a limit of open ajp connections?

> Would you by any chance have something mentioning port 8009 anywhere in
> /etc/network/* ?

No.

> Other than that, is there any log facility available in mod_proxy_ajp, which
> you could set to "debug" for a while to see what is really going on from
> that side?

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
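A quick way to answer the two questions above from the socket table rather than from guesswork, added here as an example and not posted by anyone in the thread: the functions below read `ss -tan` output from stdin, count sockets per TCP state on a given local port (so you can see how many AJP connections Apache really holds open), and report whether the port's listen backlog is full, which is the usual local reason for the kernel's "Possible SYN flooding" message on a busy host. It assumes the iproute2 `ss` column layout and uses a constructed sample in place of a live socket table.

```shell
#!/bin/sh
# Added example (not from the thread): summarise TCP sockets on the AJP port.
# Constructed `ss -tan` style output. On a live host replace the sample with:
#   ss -tan | ajp_state_count ESTAB 8009
# The LISTEN entry on :::8009 is a dual-stack IPv6 socket (Java's default on
# Linux), which is why the kernel labels the overflow "TCPv6" even though the
# peer is IPv4 localhost (shown as the mapped address ::ffff:127.0.0.1).
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN     129    128    :::8009                 :::*
ESTAB      0      0      ::ffff:127.0.0.1:8009   ::ffff:127.0.0.1:41002
ESTAB      0      0      ::ffff:127.0.0.1:8009   ::ffff:127.0.0.1:41003
SYN-RECV   0      0      ::ffff:127.0.0.1:8009   ::ffff:127.0.0.1:41004
ESTAB      0      0      127.0.0.1:80            10.0.0.5:51234'

# ajp_state_count STATE PORT : number of sockets on stdin in STATE whose local
# port is PORT. The port is the last colon-separated field of column 4, which
# works for plain IPv4, IPv4-mapped and bare IPv6 addresses alike.
ajp_state_count() {
    awk -v st="$1" -v p="$2" '
        NR > 1 && $1 == st { n = split($4, a, ":"); if (a[n] == p) c++ }
        END { print c + 0 }'
}

# ajp_backlog_full PORT : "yes" when the LISTEN socket's current accept queue
# (Recv-Q) has reached its limit (Send-Q). A full backlog means the listener
# (here Tomcat's AJP acceptor) is not accept()ing as fast as Apache connects,
# and the kernel drops new SYNs whether or not anyone is really flooding it.
ajp_backlog_full() {
    awk -v p="$1" '
        NR > 1 && $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) { r = ($2 >= $3) ? "yes" : "no"; print r; found = 1 }
        }
        END { if (!found) print "no-listener" }'
}

# Stand-alone demonstration on the constructed sample.
for st in LISTEN ESTAB SYN-RECV; do
    printf '%-9s %s\n' "$st" "$(printf '%s\n' "$SAMPLE_SS" | ajp_state_count "$st" 8009)"
done
printf 'backlog full: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | ajp_backlog_full 8009)"
```

If the ESTAB count sits near MaxClients and the backlog is full, the bottleneck is the connector's accept side rather than the number of ProxyPass directives; a directive only describes a route, and connections are opened per proxied request, not per directive.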