Posted to users@tomcat.apache.org by Rahman Akhlaqur <ak...@yahoo.co.uk> on 2009/04/30 17:35:10 UTC

Tomcat 5.5.23 stops listening to requests on SSL port

Hi 
 
I am having an issue with my Tomcat server not responding on the SSL port. I reported this as a possible bug but this was rejected as a config issue. More info as below:
 
The Tomcat connector is configured as below

<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" maxHttpHeaderSize="8192" maxThreads="350"
           minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
           redirectPort="8443" acceptCount="100" connectionTimeout="20000"
           disableUploadTimeout="true" />

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
           minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
           disableUploadTimeout="true" connectionTimeout="20000"
           acceptCount="100" scheme="https" secure="false" proxyPort="443"/>

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" enableLookups="false" redirectPort="8443"
           protocol="AJP/1.3" />

The issue is that Tomcat stops listening on port 8443 after a while of running.
This means no HTML is returned to end users' browsers.

I know this as I am getting an HTTP error code 502 from the Apache 2.2.4
webserver that is proxying the request to Tomcat.

The setup I have is that SSL is terminated at a load balancer and forwards the
request to port 8443 to apache, which then proxy passes the request to Tomcat
to port 8443 and then Tomcat passes this request to the content server on port
443 (as this is a secure request).

One theory is that end users are abruptly terminating their session with Tomcat
(by cancelling their secure requests or closing their browsers) and Tomcat is
not closing the thread when this happens. Therefore running out of threads. I
am not sure about this and need some way to prove it.

Akik Rahman


      

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 5.5.23 stops listening to requests on SSL port

Posted by André Warnier <aw...@ice-sa.com>.
Rahman Akhlaqur wrote:
> Hi P
> 
> The SSL is terminated at the load balancers, so the request is then an HTTP request on port 8443 to our Apache webserver (we use this to resolve multiple hostnames to just a few virtual hosts) which then just proxies the HTTP request to Tomcat. At which point we want the request to be passed on to the content server as a secure request on port 443 - to match content hosts set up on port 443. It seems to work okay as the reverse path is fine, from the content server back to the end user.
> 
> There is nothing in the Tomcat logs, the request is not even logged in the localhost access log - this points to Tomcat not even listening properly on port 8443. The other port (8080) is working okay though.
> 

At the moment when this happens, what does "netstat -pan" show on the
Tomcat host?
(assuming you are under some kind of Unix/Linux)
(it may be useful to also do a "ps -ef" to see the relationship between
process-id and programs)



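
Added example, not part of the original thread: one way to read the "netstat -pan" output requested above, separating "nothing is listening on 8443" from "the listener is there but every worker is tied up". It assumes the Linux netstat column layout and that this connector holds one worker thread per open connection; the sample output, addresses and PID are constructed, and the limits are taken from the 8443 connector quoted in the thread.

```python
from collections import Counter

MAX_THREADS = 150    # maxThreads on the 8443 <Connector> quoted in the thread
ACCEPT_COUNT = 100   # acceptCount on the same connector


def constructed_sample():
    """Made-up `netstat -pan` output (Linux layout); addresses and PIDs are invented."""
    rows = [
        "Active Internet connections (servers and established)",
        "Proto Recv-Q Send-Q Local Address   Foreign Address  State       PID/Program name",
        "tcp        0      0 0.0.0.0:8080    0.0.0.0:*        LISTEN      4321/java",
        "tcp      101      0 :::8443         :::*             LISTEN      4321/java",
        # Outbound leg from Tomcat to the content server: the local port is ephemeral.
        "tcp        0      0 10.0.0.5:40112  10.0.0.9:443     ESTABLISHED 4321/java",
    ]
    for i in range(120):
        rows.append(f"tcp 0 0 10.0.0.5:8443 10.0.0.4:{50000 + i} ESTABLISHED 4321/java")
    for i in range(30):
        rows.append(f"tcp 398 0 10.0.0.5:8443 10.0.0.4:{51000 + i} CLOSE_WAIT 4321/java")
    return "\n".join(rows) + "\n"


def summarize(netstat_text, port):
    """Collect listener presence, accept backlog and per-state counts for one local port."""
    listening = False
    accept_queue = 0
    states = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # banner, header, UDP and UNIX-socket rows
        # rsplit handles both "10.0.0.5:8443" and the IPv6 wildcard ":::8443".
        if fields[3].rsplit(":", 1)[-1] != str(port):
            continue
        state = fields[5]
        if state == "LISTEN":
            listening = True
            # On Linux 2.6.18+ Recv-Q of a LISTEN row is the current backlog,
            # i.e. connections the kernel completed that the JVM has not accepted.
            accept_queue = max(accept_queue, int(fields[1]))
        else:
            states[state] += 1
    return {"listening": listening, "accept_queue": accept_queue, "states": states}


def diagnose(summary, max_threads=MAX_THREADS, accept_count=ACCEPT_COUNT):
    """Heuristic verdict; thresholds come from the connector attributes."""
    if not summary["listening"]:
        return "no-listener"        # the socket really is gone
    # CLOSE_WAIT: the peer closed, the local process has not closed its side yet.
    held = summary["states"]["ESTABLISHED"] + summary["states"]["CLOSE_WAIT"]
    if held >= max_threads:
        return "workers-exhausted"  # listening, but no thread left to accept
    if summary["accept_queue"] >= accept_count:
        return "accept-queue-full"
    return "ok"


if __name__ == "__main__":
    text = constructed_sample()
    for port in (8080, 8443, 8009):
        s = summarize(text, port)
        print(port, diagnose(s), dict(s["states"]), "backlog:", s["accept_queue"])
```

A "workers-exhausted" verdict with the LISTEN row still present means the port is open and the thread pool is the bottleneck; a thread dump then shows what those threads are waiting on.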


Re: Tomcat 5.5.23 stops listening to requests on SSL port

Posted by Pid <p...@pidster.com>.
Also, can you upgrade to the latest version of Tomcat (5.5.27) and
Apache HTTPD?

p





Re: Tomcat 5.5.23 stops listening to requests on SSL port

Posted by Pid <p...@pidster.com>.
Do not reply to all. Just to the list please.

OK. So you're doing the following:

 ssl-> LB:8443 http-> HTTPD:8443 http-> Tomcat:8443 https?-> ContentSrv

What are the content servers, virtual hosts in Tomcat?
Or do you have some kind of proxy application running inside Tomcat?

If you are *not* using the http connector on 8080, comment it and the
AJP one out of your config please.


Rahman Akhlaqur wrote:
> Hi P
> 
> The SSL is terminated at the load balancers, so the request is then an HTTP request on port 8443 to our Apache webserver (we use this to resolve multiple hostnames to just a few virtual hosts) which then just proxies the HTTP request to Tomcat. At which point we want the request to be passed on to the content server as a secure request on port 443 - to match content hosts set up on port 443. It seems to work okay as the reverse path is fine, from the content server back to the end user.
> 
> There is nothing in the Tomcat logs, the request is not even logged in the localhost access log - this points to Tomcat not even listening properly on port 8443. The other port (8080) is working okay though.

If there's nothing in the Tomcat logs, how do you know that the request
is being sent at all?

What method are you using to connect HTTPD to Tomcat? mod_jk or
mod_proxy (or something else)?

Can you enable logs and a status worker to check on what happens when
the connection dies?


p







Re: Tomcat 5.5.23 stops listening to requests on SSL port

Posted by Rahman Akhlaqur <ak...@yahoo.co.uk>.
Thanks for the suggestion of taking a thread dump... I think I have some instructions on how to do this on a Windows server.

The Apache httpd server is on a different machine to Tomcat, that's how they can both listen on port 8443.





Re: Tomcat 5.5.23 stops listening to requests on SSL port

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Rahman,

On 5/1/2009 9:24 AM, Rahman Akhlaqur wrote:
> The SSL is terminated at the load balancers, so the request is then an
> HTTP request on port 8443 to our Apache webserver (we use this to
> resolve multiple hostnames to just a few virtual hosts) which then
> just proxies the HTTP request to Tomcat. At which point we want the
> request to be passed on to the content server as a secure request on
> port 443 - to match content hosts set up on port 443. It seems to
> work okay as the reverse path is fine, from the content server back
> to the end user.

This sounds fishy. You terminate SSL at your lb, so there's no SSL
anymore, right? Tomcat is listening on 8443 (as per your <Connector>
configuration) so how can your lb send the request to Apache httpd on
port 8443? Maybe you just reversed the ports in your post. It sounds
like you are doing this:

client [HTTPS] -> lb:443 [HTTP] -> httpd (port?) -> Tomcat:8443

(If you are expecting a previously-encrypted connection coming to
Tomcat, why not set secure="true" in your <Connector>?)

> There is nothing in the Tomcat logs, the request is not even logged
> in the localhost access log - this points to Tomcat not even
> listening properly on port 8443. The other port (8080) is working
> okay though.

Have you taken a thread dump to see what is happening?

Since you are running 3 connectors, you might want to use a shared
"executor" to manage threads, though the result with no further changes
will be that /all/ threads will likely be tied-up, rather than only
those servicing port 8443.

I highly recommend a thread dump to see what all your threads are doing.

- -chris
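
Added example, not part of the original thread: a small reader for a JVM thread dump that shows what the workers of each HTTP connector are doing and, for those blocked in a socket read, which non-JDK code they are waiting in. The dump below is constructed; the "http-<port>-Processor<N>" worker naming is an assumption about this Tomcat version, and com.example.ContentProxy is a hypothetical application class.

```python
import re
from collections import Counter, defaultdict

# Constructed HotSpot-style dump; thread ids and the application class are invented.
SAMPLE_DUMP = '''\
"http-8443-Processor1" daemon prio=6 tid=0x01 nid=0x11 runnable
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.read(SocketInputStream.java:129)
    at com.example.ContentProxy.fetch(ContentProxy.java:88)

"http-8443-Processor2" daemon prio=6 tid=0x02 nid=0x12 runnable
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.read(SocketInputStream.java:129)
    at com.example.ContentProxy.fetch(ContentProxy.java:88)

"http-8443-Processor3" daemon prio=6 tid=0x03 nid=0x13 in Object.wait()
    at java.lang.Object.wait(Native Method)
    - waiting on <0x0badc0de> (a java.lang.Object)
    at java.lang.Object.wait(Object.java:474)

"http-8080-Processor1" daemon prio=6 tid=0x04 nid=0x14 in Object.wait()
    at java.lang.Object.wait(Native Method)
    at java.lang.Object.wait(Object.java:474)
'''

THREAD_RE = re.compile(r'^"(?P<name>[^"]+)"')
FRAME_RE = re.compile(r'^\s+at (?P<frame>[\w.$<>]+)\(')
WORKER_RE = re.compile(r'^http-(?P<port>\d+)-')   # assumed worker naming
JDK_PREFIXES = ("java.", "javax.", "sun.")
SOCKET_READ = "java.net.SocketInputStream.socketRead0"


def parse_dump(text):
    """Return [{'name': ..., 'frames': [top, ..., bottom]}] for every thread."""
    threads, current = [], None
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = {"name": m.group("name"), "frames": []}
            threads.append(current)
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current["frames"].append(m.group("frame"))
    return threads


def top_frames_by_port(threads):
    """Per connector port, count workers by the method at the top of their stack."""
    out = defaultdict(Counter)
    for t in threads:
        m = WORKER_RE.match(t["name"])
        if m and t["frames"]:
            out[int(m.group("port"))][t["frames"][0]] += 1
    return out


def io_wait_callers(threads, port):
    """For workers of `port` blocked in a socket read, count the first non-JDK frame."""
    callers = Counter()
    for t in threads:
        m = WORKER_RE.match(t["name"])
        if not m or int(m.group("port")) != port or not t["frames"]:
            continue
        if t["frames"][0] != SOCKET_READ:
            continue
        caller = next((f for f in t["frames"] if not f.startswith(JDK_PREFIXES)),
                      "<jdk frames only>")
        callers[caller] += 1
    return callers


if __name__ == "__main__":
    threads = parse_dump(SAMPLE_DUMP)
    for port, counts in sorted(top_frames_by_port(threads).items()):
        print(port, dict(counts))
    print("8443 socket-read callers:", dict(io_wait_callers(threads, 8443)))
```

If the number of workers blocked in a socket read approaches the connector's maxThreads, the dump both confirms thread exhaustion and names the code that is holding the threads.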


Re: Tomcat 5.5.23 stops listening to requests on SSL port

Posted by Rahman Akhlaqur <ak...@yahoo.co.uk>.
Hi P

The SSL is terminated at the load balancers, so the request is then an HTTP request on port 8443 to our Apache webserver (we use this to resolve multiple hostnames to just a few virtual hosts) which then just proxies the HTTP request to Tomcat. At which point we want the request to be passed on to the content server as a secure request on port 443 - to match content hosts set up on port 443. It seems to work okay as the reverse path is fine, from the content server back to the end user.

There is nothing in the Tomcat logs, the request is not even logged in the localhost access log - this points to Tomcat not even listening properly on port 8443. The other port (8080) is working okay though.



Re: Tomcat 5.5.23 stops listening to requests on SSL port

Posted by Pid <p...@pidster.com>.
Rahman Akhlaqur wrote:
> Hi 
>  
> I am having an issue with my Tomcat server not responding on the SSL port. I reported this as a possible bug but this was rejected as a config issue. More info as below:
>  
> The Tomcat connector is configured as below
> 
> <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
> <Connector port="8080" maxHttpHeaderSize="8192" maxThreads="350"
>            minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>            redirectPort="8443" acceptCount="100" connectionTimeout="20000"
>            disableUploadTimeout="true" />
> 
> <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
> <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
>            minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>            disableUploadTimeout="true" connectionTimeout="20000"
>            acceptCount="100" scheme="https" secure="false" proxyPort="443"/>
> 
> <!-- Define an AJP 1.3 Connector on port 8009 -->
> <Connector port="8009" enableLookups="false" redirectPort="8443"
>            protocol="AJP/1.3" />
> 
> The issue is that Tomcat stops listening on port 8443 after a while of running.
> This means no HTML is returned to end users' browsers.
> 
> I know this as I am getting an HTTP error code 502 from the Apache 2.2.4
> webserver that is proxying the request to Tomcat.
> 
> The setup I have is that SSL is terminated at a load balancer and forwards the
> request to port 8443 to apache, which then proxy passes the request to Tomcat
> to port 8443 and then Tomcat passes this request to the content server on port
> 443 (as this is a secure request).

So you're sending SSL at each stage via 2 proxies?

 ssl-> LB:8443 ssl-> HTTPD:8443 ssl-> Tomcat:8443 ssl-> ContentSrv


> One theory is that end users are abruptly terminating their session with Tomcat
> (by cancelling their secure requests or closing their browsers) and Tomcat is
> not closing the thread when this happens. Therefore running out of threads. I
> am not sure about this and need some way to prove it.

What do the Tomcat logs say when this occurs?

p



Re: Tomcat 5.5.23 stops listening to requests on SSL port

Posted by André Warnier <aw...@ice-sa.com>.
Rahman Akhlaqur wrote:
> Hi 
>  
> I am having an issue with my Tomcat server not responding on the SSL port. I reported this as a possible bug but this was rejected as a config issue. More info as below:
>  
> The Tomcat connector is configured as below
> 
> <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
> <Connector port="8080" maxHttpHeaderSize="8192" maxThreads="350"
>            minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>            redirectPort="8443" acceptCount="100" connectionTimeout="20000"
>            disableUploadTimeout="true" />
> 
> <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
> <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
>            minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>            disableUploadTimeout="true" connectionTimeout="20000"
>            acceptCount="100" scheme="https" secure="false" proxyPort="443"/>
> 
> <!-- Define an AJP 1.3 Connector on port 8009 -->
> <Connector port="8009" enableLookups="false" redirectPort="8443"
>            protocol="AJP/1.3" />
> 
> The issue is that Tomcat stops listening on port 8443 after a while of running.
> This means no HTML is returned to end users' browsers.
> 
> I know this as I am getting an HTTP error code 502 from the Apache 2.2.4
> webserver that is proxying the request to Tomcat.
> 
> The setup I have is that SSL is terminated at a load balancer and forwards the
> request to port 8443 to apache, which then proxy passes the request to Tomcat
> to port 8443 and then Tomcat passes this request to the content server on port
> 443 (as this is a secure request).
> 
> One theory is that end users are abruptly terminating their session with Tomcat
> (by cancelling their secure requests or closing their browsers) and Tomcat is
> not closing the thread when this happens. Therefore running out of threads. I
> am not sure about this and need some way to prove it.
> 

This is a subjective comment from a person not really qualified in SSL
matters.

First, the configuration you describe above sounds quite complex and
relatively inefficient. Do you really need to have SSL end-to-end? I
mean, each step in the chain needs to set up an SSL channel and
encrypt/decrypt everything, which is quite costly. If the hops after
the load-balancer are all in some internal network, you might gain quite
a bit of efficiency by doing this non-SSL-wise.

Then, you are not really saying what kind of port the port 8443 on
Apache is.
Then, how does Apache pass the request to Tomcat? Via which kind of
connector (mod_proxy_http, mod_proxy_ajp, mod_jk)?
(The reason I am asking is because if it was mod_jk, it can produce logs
that are relatively detailed to diagnose this kind of problem).

Why is Apache even there, come to think of it?

And then how does the request go from Tomcat to the content server?

What is that content server? Could it be it that "stops responding"?

Next, you mention a 502 response received by Apache.
That code means "invalid response from the upstream server".
It does not really mean "the upstream server is not responding" (that
would be a code 503). So what makes you think that Tomcat is not
responding to requests?
Are there any kind of error messages in the Tomcat logs?

When "Tomcat stops responding", can you make requests directly to Tomcat
(without going through the load-balancer and Apache), and what happens
then?

And finally, considering the configuration, there are quite a few things
that /could/ go wrong, with 4 hops involved. I believe you are going to
have to do much more investigation (and more systematic) to at least
point out where something happens.
And show some log messages.



