Posted to user@lenya.apache.org by "Mike M." <le...@mordent.com> on 2005/04/06 19:12:36 UTC

publish and apache mod_jk + tomcat

Hi,

We're using apache+tomcat the standard mod_jk way thru port 8009 (we aren't
using mod_proxy to redirect lenya to tomcat 8080).  Unfortunately this appears
to break the scheduler, so we can't use publish or click on the scheduler tab. 
I've asked a bunch of times, and tried for weeks to figure this out based on
some of the answers I've gotten, but I haven't been able to determine what's
wrong or how to fix this.  I'd rather not use mod_proxy because we eventually
(once in production) want to turn off access to port 8080 (we don't want people
getting at tomcat directly).

Any ideas?

Thanks!
-Mike



---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@lenya.apache.org
For additional commands, e-mail: user-help@lenya.apache.org


Re: publish and apache mod_jk + tomcat

Posted by Andreas Hartmann <an...@apache.org>.
Mike M. wrote:

[...]

> Is 1.4 stable enough to use for production yet?  The last time I tried it I
> couldn't get it to work at all...

It was quite stable some weeks ago, but still lacked important internals
like locking, checkin/checkout of sitetree objects, and ACID transactions.
Now these features are being added, but this means that a lot of refactoring
and testing has to be done. Maybe a quite stable state is reached in 1-2 weeks
again.

-- Andreas




Re: publish and apache mod_jk + tomcat

Posted by Michael Wechner <mi...@wyona.com>.
Mike M. wrote:

>Unfortunately, we're doing virtual hosting so we can't use localhost 8080 for
>apache/tomcat mod_proxy.
>
>Is 1.4 stable enough to use for production yet?  The last time I tried it I
>couldn't get it to work at all...
>  
>

it worked this afternoon (CET) ;-) but seriously I wouldn't recommend to use
it for production, not because it might be not good, but rather because
things are still changing and one cannot assume that it will stay 
backwards compatible within itself.

Michi

>Thanks!
>-Mike


-- 
Michael Wechner
Wyona Inc.  -   Open Source Content Management   -   Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
michael.wechner@wyona.com                        michi@apache.org




Re: publish and apache mod_jk + tomcat

Posted by "Gregor J. Rothfuss" <gr...@apache.org>.
Mike M. wrote:

> Is 1.4 stable enough to use for production yet?  The last time I tried it I
> couldn't get it to work at all...

it's making big strides currently, but is not as well-tested as 1.2 
obviously. depending on your needs, it may already be stable enough. 
certainly worth a try.

-gregor



Re: publish and apache mod_jk + tomcat

Posted by "Mike M." <le...@mordent.com>.
Gregor J. Rothfuss <gregor <at> apache.org> writes:

> this is broken because the (old) lenya scheduler makes internal http 
> calls to the scheduler servlet, and hardcodes the port number.
> 
> you have these options:
> 
> * figuring out a way to make the scheduler work with mod_jk
> * using mod_proxy and configuring tomcat to only allow access from 
> localhost (to avoid direct hits against 8080)
> * looking into using lenya 1.4 (where the scheduler has been revamped)
> 
> the mod_proxy route seems easiest to me.
> 
> -gregor
> 

Unfortunately, we're doing virtual hosting so we can't use localhost 8080 for
apache/tomcat mod_proxy.

Is 1.4 stable enough to use for production yet?  The last time I tried it I
couldn't get it to work at all...

Thanks!
-Mike





Re: publish and apache mod_jk + tomcat

Posted by Michael Wechner <mi...@wyona.com>.
Mike M. wrote

>
>I've been messing around with ProxyGenerator a bit.  It appears to not work at
>all with https.  I've tried a lot of different fixes including one to make
>createURL return a url using req.getScheme() instead of the hardcoded "http://"
>string.  Then I had to go mess with the generate() method because it was
>ignoring all that anyway.  I finally got it to a point where I thought it would
>work but now I get an unsupported protocol error.  I'm still working on it and
>will post a patch if I get it working.  If I can't get it working, I'm going to
>try the configuration hack recommended in another reply.
>  
>

I really don't think the problem lies within the ProxyGenerator, but
I am looking forward to your findings anyway :-)

Thanks

Michi

>Thanks,
>-Mike


-- 
Michael Wechner
Wyona Inc.  -   Open Source Content Management   -   Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
michael.wechner@wyona.com                        michi@apache.org




Re: publish and apache mod_jk + tomcat

Posted by "Mike M." <le...@mordent.com>.
Gregor J. Rothfuss <gregor <at> apache.org> writes:

> 
> Michael Wechner wrote:
> 
> > IIRC the Port is not hardcoded. The scheduler is connecting through
> 
> it is hardcoded to the port the request was coming in on, which is the 
> wrong thing to do for jk
> 
> > But I can't imagine why the scheduler shouldn't work because of mod_jk, but
> > yes surprising things can happen sometimes.
> 
> see above
> 

I've been messing around with ProxyGenerator a bit.  It appears to not work at
all with https.  I've tried a lot of different fixes including one to make
createURL return a url using req.getScheme() instead of the hardcoded "http://"
string.  Then I had to go mess with the generate() method because it was
ignoring all that anyway.  I finally got it to a point where I thought it would
work but now I get an unsupported protocol error.  I'm still working on it and
will post a patch if I get it working.  If I can't get it working, I'm going to
try the configuration hack recommended in another reply.

Thanks,
-Mike





Re: publish and apache mod_jk + tomcat

Posted by Mark Lundquist <ml...@comcast.net>.
On Apr 7, 2005, at 12:06 AM, Michael Wechner wrote:

> well, I think the thread was actually twofold:
>
> 1) Blocking the "Tomcat port" from the outside
>   (as you are saying this is rather system-level concern)
>
> 2) Make the scheduler work with mod_jk
>   (this is a Lenya concern, whereas the ProxyGenerator does the right 
> thing, because it has nothing to do with the scheduler,  but the 
> scheduler should be configurable
> within 1.2 by adding the Apache httpd port or the Tomcat http port (if 
> available))

Yes.

Cheers,
—ml—




Re: publish and apache mod_jk + tomcat

Posted by Michael Wechner <mi...@wyona.com>.
Mark Lundquist wrote:

>
> On Apr 6, 2005, at 3:39 PM, Michael Wechner wrote:
>
>> But as a sidenote, I guess the mod_jk port (e.g. 8009) is also open 
>> to the outside
>> world if not actually blocked or is it just allowing connections from 
>> localhost?
>
>
> I would presume so... but FWIW, it would be talking Ajpv13, not HTTP, 
> right?
>
> Anyway, it's certainly true that whatever would suffice to secure port 
> 8009 would also secure 8080, and whatever is necessary to secure 8080 
> is also necessary for securing 8009 — whether at the Tomcat level or 
> the system level.  In my view this is a system-level concern and 
> shouldn't involve the Tomcat/Apache configurations...


well, I think the thread was actually twofold:

1) Blocking the "Tomcat port" from the outside
   (as you are saying this is rather system-level concern)

2) Make the scheduler work with mod_jk
   (this is a Lenya concern, whereas the ProxyGenerator does the right 
thing, because it has nothing to do with the scheduler,  but the 
scheduler should be configurable
within 1.2 by adding the Apache httpd port or the Tomcat http port (if 
available))

Thanks

Michi

>
>
> cheers,
> —ml—


-- 
Michael Wechner
Wyona Inc.  -   Open Source Content Management   -   Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
michael.wechner@wyona.com                        michi@apache.org




Re: publish and apache mod_jk + tomcat

Posted by Mark Lundquist <ml...@comcast.net>.
On Apr 6, 2005, at 3:39 PM, Michael Wechner wrote:

> But as a sidenote, I guess the mod_jk port (e.g. 8009) is also open to 
> the outside
> world if not actually blocked or is it just allowing connections from 
> localhost?

I would presume so... but FWIW, it would be talking Ajpv13, not HTTP, 
right?

Anyway, it's certainly true that whatever would suffice to secure port 
8009 would also secure 8080, and whatever is necessary to secure 8080 
is also necessary for securing 8009 — whether at the Tomcat level or 
the system level.  In my view this is a system-level concern and 
shouldn't involve the Tomcat/Apache configurations...

cheers,
—ml—




Re: publish and apache mod_jk + tomcat

Posted by Michael Wechner <mi...@wyona.com>.
Gregor J. Rothfuss wrote:

> Michael Wechner wrote:
>
>> Re an actual fix, is there anything within the servlet API to figure 
>> out what's the HTTP port of the servlet container?
>
>
> with jk, the whole point is that there is none.


Not necessarily. I think it's mainly to reduce the overhead which is 
normally created by mod_proxy, but not about getting rid of the HTTP port.

But yes I forgot that Mike also wanted to get rid of the HTTP port (e.g. 8080),
but then Mike probably has just to use the Apache HTTP port within the
scheduler.xmap, which means Lenya will connect to the Scheduler through Apache
(basically the same workaround as I suggested, but just another port)

But as a sidenote, I guess the mod_jk port (e.g. 8009) is also open to the
outside world if not actually blocked or is it just allowing connections from
localhost?

Michi

-- 
Michael Wechner
Wyona Inc.  -   Open Source Content Management   -   Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
michael.wechner@wyona.com                        michi@apache.org




Re: publish and apache mod_jk + tomcat

Posted by "Gregor J. Rothfuss" <gr...@apache.org>.
Michael Wechner wrote:

> Re an actual fix, is there anything within the servlet API to figure out 
> what's the HTTP port of the servlet container?

with jk, the whole point is that there is none.



Re: publish and apache mod_jk + tomcat

Posted by Michael Wechner <mi...@wyona.com>.
Gregor J. Rothfuss wrote:

> Michael Wechner wrote:
>
>> IIRC the Port is not hardcoded. The scheduler is connecting through
>
>
> it is hardcoded to the port the request was coming in on, which is the 
> wrong thing to do for jk
>
>> But I can't imagine why the scheduler shouldn't work because of 
>> mod_jk, but
>> yes surprising things can happen sometimes.
>
>
> see above


I wouldn't call this hardcoded, but I understand the problem now.

@Mike: As a temporary workaround, try patching

src/webapp/lenya/scheduler.xmap

where you "hardcode" the scheduler request, e.g.

<!-- create the current job snapshot -->
<map:match pattern="servlet">
  <map:generate src="http://127.0.0.1:PORT/lenya/servlet/QuartzSchedulerServlet" type="servletproxy"/>
  <!--<map:generate src="{request:contextPath}/servlet/QuartzSchedulerServlet" type="servletproxy"/>-->
  <map:transform src="xslt/scheduler/sort.xsl"/>
  <map:serialize type="xml"/>
</map:match>

where PORT (e.g. 8080) is the actual port on which your server is accepting
HTTP requests (and not 8009, which mod_jk is connecting through).

Please let us know if this helped.

Re an actual fix, is there anything within the servlet API to figure out 
what's the HTTP port of the servlet container?

Michi

-- 
Michael Wechner
Wyona Inc.  -   Open Source Content Management   -   Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
michael.wechner@wyona.com                        michi@apache.org




Re: publish and apache mod_jk + tomcat

Posted by "Gregor J. Rothfuss" <gr...@apache.org>.
Michael Wechner wrote:

> IIRC the Port is not hardcoded. The scheduler is connecting through

it is hardcoded to the port the request was coming in on, which is the 
wrong thing to do for jk

> But I can't imagine why the scheduler shouldn't work because of mod_jk, but
> yes surprising things can happen sometimes.

see above




Re: publish and apache mod_jk + tomcat

Posted by Mark Lundquist <ml...@comcast.net>.
On Apr 6, 2005, at 12:41 PM, Michael Wechner wrote:

> yes, you might want to block 8080 by a "firewall" from the outside

right... note, this could be ipfilter or ipfw running on the local 
machine  —ml—




Re: publish and apache mod_jk + tomcat

Posted by Michael Wechner <mi...@wyona.com>.
Gregor J. Rothfuss wrote:

> Mike M. wrote:
>
>> Hi,
>>
>> We're using apache+tomcat the standard mod_jk way thru port 8009 (we 
>> aren't
>> using mod_proxy to redirect lenya to tomcat 8080).  Unfortunately 
>> this appears
>> to break the scheduler, so we can't use publish or click on the 
>> scheduler tab. I've asked a bunch of times, and tried for weeks to 
>> figure this out based on
>> some of the answers I've gotten, but I haven't been able to determine 
>> what's
>> wrong or how to fix this.  I'd rather not use mod_proxy because we 
>> eventually
>> (once in production) want to turn off access to port 8080 (we don't 
>> want people
>> getting at tomcat directly).
>
>
> this is broken because the (old) lenya scheduler makes internal http 
> calls to the scheduler servlet, and hardcodes the port number.


IIRC the Port is not hardcoded. The scheduler is connecting through

src/java/org/apache/lenya/cms/cocoon/generation/ProxyGenerator.java

resp.

url = new URL("http://" + request.getServerName() + ":" + request.getServerPort() + this.source);

>
>
> you have these options:
>
> * figuring out a way to make the scheduler work with mod_jk


I recently played around with mod_jk in order to have a "cheap" loadbalancer
solution and it seemed to work very well, but I didn't test the 
scheduler. Maybe I should give it another try.

But I can't imagine why the scheduler shouldn't work because of mod_jk, but
yes surprising things can happen sometimes.

Normally people had problems with the scheduler because they had "strange"
hosts configuration.

> * using mod_proxy and configuring tomcat to only allow access from 
> localhost (to avoid direct hits against 8080)


yes, you might want to block 8080 by a "firewall" from the outside


HTH

Michi

> * looking into using lenya 1.4 (where the scheduler has been revamped)
>
> the mod_proxy route seems easiest to me.
>
> -gregor


-- 
Michael Wechner
Wyona Inc.  -   Open Source Content Management   -   Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
michael.wechner@wyona.com                        michi@apache.org
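
Added example (not part of the thread and not Lenya code): the URL concatenation quoted above from ProxyGenerator.java, next to a variant that takes scheme, host and port from deployment configuration, which is what the scheduler.xmap workaround elsewhere in this thread does by hand. The class and method names, the host cms.example.org and the configured endpoint 127.0.0.1:8080 are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class SchedulerUrlDemo {

    // Same concatenation as the line quoted from ProxyGenerator.java:
    // the scheme is fixed to "http://", host and port are whatever the
    // incoming request reports.
    static String fromRequest(String serverName, int serverPort, String source) {
        return "http://" + serverName + ":" + serverPort + source;
    }

    // Hypothetical alternative: the internal endpoint is deployment
    // configuration and does not depend on how the client reached the site.
    static URI fromConfig(String scheme, String host, int port, String source)
            throws URISyntaxException {
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            throw new IllegalArgumentException("unsupported scheme: " + scheme);
        }
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("port out of range: " + port);
        }
        if (!source.startsWith("/")) {
            throw new IllegalArgumentException("source must be an absolute path: " + source);
        }
        return new URI(scheme, null, host, port, source, null, null);
    }

    public static void main(String[] args) throws URISyntaxException {
        String source = "/lenya/servlet/QuartzSchedulerServlet";

        // Constructed sample requests: {deployment, server name, server port}.
        // Behind mod_jk the servlet is told the port the client used at Apache,
        // not a Tomcat HTTP connector port.
        String[][] requests = {
            {"direct to Tomcat",           "cms.example.org", "8080"},
            {"via Apache + mod_jk",        "cms.example.org", "80"},
            {"via Apache + mod_jk, https", "cms.example.org", "443"},
        };

        // Assumed configuration: Tomcat's HTTP connector on loopback, port 8080.
        URI configured = fromConfig("http", "127.0.0.1", 8080, source);

        for (String[] r : requests) {
            String derived = fromRequest(r[1], Integer.parseInt(r[2]), source);
            System.out.printf("%-28s request-derived: %s%n", r[0], derived);
            System.out.printf("%-28s configured:      %s%n", "", configured);
        }
    }
}
```

For the request that reached Apache on 443, the request-derived form is a plain http:// URL on port 443; the configured form is unaffected by how the client connected.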




Re: publish and apache mod_jk + tomcat

Posted by Mark Lundquist <ml...@comcast.net>.
On Apr 6, 2005, at 11:09 AM, Gregor J. Rothfuss wrote:

> you have these options:
>
> * figuring out a way to make the scheduler work with mod_jk
> * using mod_proxy and configuring tomcat to only allow access from 
> localhost (to avoid direct hits against 8080)
> * looking into using lenya 1.4 (where the scheduler has been revamped)

* just use mod_proxy, and close off access to port 8080 at your 
firewall.

—ml—




Re: publish and apache mod_jk + tomcat

Posted by "Gregor J. Rothfuss" <gr...@apache.org>.
Mike M. wrote:
> Hi,
> 
> We're using apache+tomcat the standard mod_jk way thru port 8009 (we aren't
> using mod_proxy to redirect lenya to tomcat 8080).  Unfortunately this appears
> to break the scheduler, so we can't use publish or click on the scheduler tab. 
> I've asked a bunch of times, and tried for weeks to figure this out based on
> some of the answers I've gotten, but I haven't been able to determine what's
> wrong or how to fix this.  I'd rather not use mod_proxy because we eventually
> (once in production) want to turn off access to port 8080 (we don't want people
> getting at tomcat directly).

this is broken because the (old) lenya scheduler makes internal http 
calls to the scheduler servlet, and hardcodes the port number.

you have these options:

* figuring out a way to make the scheduler work with mod_jk
* using mod_proxy and configuring tomcat to only allow access from 
localhost (to avoid direct hits against 8080)
* looking into using lenya 1.4 (where the scheduler has been revamped)

the mod_proxy route seems easiest to me.

-gregor
