Posted to users@tomcat.apache.org by Jess Holle <je...@ptc.com> on 2015/01/23 20:38:35 UTC

AJP connector address vs. IPv4/6

I'd like to set the "address" attribute on the AJP connector when 
deploying Tomcat to only allow loopback connections.

But I want to do so in a general way that works for:

  * IPv4
  * IPv4 + IPv6 mixed/dual stack
  * IPv6 (pure)

Is there any such option?  The documentation speaks of setting 
127.0.0.1, yet I see indications that this won't fly in a pure IPv6 
world.  If a single value won't work, is there any good way to detect 
which stacks are available via Java APIs during deployment?

--
Jess Holle


Re: AJP connector address vs. IPv4/6

Posted by "Terence M. Bandoian" <te...@tmbsw.com>.
On 1/23/2015 3:05 PM, Christopher Schultz wrote:
> André,
>
> On 1/23/15 3:35 PM, André Warnier wrote:
>> Jess Holle wrote:
>>> It seems that
>>> java.net.InetAddress.getLoopbackAddress().getHostAddress() should
>>> give the right answer -- if one is running with Java 7.
>>>
>>> That said, is there a value that can be used for AJP's "address"
>>> attribute that simply does the right thing here?
>>>
>>> On 1/23/2015 1:38 PM, Jess Holle wrote:
>>>> I'd like to set the "address" attribute on the AJP connector
>>>> when deploying Tomcat to only allow loopback connections.
>>>>
>>>> But I want to do so in a general way that works for:
>>>>
>>>> * IPv4
>>>> * IPv4 + IPv6 mixed/dual stack
>>>> * IPv6 (pure)
>>>>
>>>> Is there any such option?  The documentation speaks of setting
>>>> 127.0.0.1, yet I see indications that this won't fly in a pure
>>>> IPv6 world.  If a single value won't work, is there any good
>>>> way to detect which stacks are available via Java APIs during
>>>> deployment?
>>>>
>> If only one address per Connector can be specified, can you not
>> just use 2 <Connector>s, one for each ? They should not conflict.
> That should definitely work (address="127.0.0.1" and address="::") but
> one connector might be nice.
>
> Maybe Tomcat could detect some magic value that is invalid for an
> address (like "loopback") and then use
> InetAddress.getLoopbackAddress() instead of a traditional address
> lookup/resolution.
>
> - -chris
>


localhost might be a good choice.

-Terence Bandoian


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: AJP connector address vs. IPv4/6

Posted by Jess Holle <je...@ptc.com>.
We use an Ant script to configure Tomcat during installation, so I ended 
up just using a <groovy> task to set the address used to 
InetAddress.getLoopbackAddress().getHostAddress() by default.

On 1/23/2015 3:05 PM, Christopher Schultz wrote:
> André,
>
> On 1/23/15 3:35 PM, André Warnier wrote:
>> Jess Holle wrote:
>>> It seems that
>>> java.net.InetAddress.getLoopbackAddress().getHostAddress() should
>>> give the right answer -- if one is running with Java 7.
>>>
>>> That said, is there a value that can be used for AJP's "address"
>>> attribute that simply does the right thing here?
>>>
>>> On 1/23/2015 1:38 PM, Jess Holle wrote:
>>>> I'd like to set the "address" attribute on the AJP connector
>>>> when deploying Tomcat to only allow loopback connections.
>>>>
>>>> But I want to do so in a general way that works for:
>>>>
>>>> * IPv4
>>>> * IPv4 + IPv6 mixed/dual stack
>>>> * IPv6 (pure)
>>>>
>>>> Is there any such option?  The documentation speaks of setting
>>>> 127.0.0.1, yet I see indications that this won't fly in a pure
>>>> IPv6 world.  If a single value won't work, is there any good
>>>> way to detect which stacks are available via Java APIs during
>>>> deployment?
>>>>
>> If only one address per Connector can be specified, can you not
>> just use 2 <Connector>s, one for each ? They should not conflict.
> That should definitely work (address="127.0.0.1" and address="::") but
> one connector might be nice.
>
> Maybe Tomcat could detect some magic value that is invalid for an
> address (like "loopback") and then use
> InetAddress.getLoopbackAddress() instead of a traditional address
> lookup/resolution.
>
> - -chris


RE: AJP connector address vs. IPv4/6

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Wang, Andy [mailto:awang@ptc.com] 
> Subject: Re: AJP connector address vs. IPv4/6

> The two connectors idea is an interesting one, but that has the
> unfortunate aspect of now maintaining 2 separate thread pools

Not true - use an <Executor>: http://tomcat.apache.org/tomcat-8.0-doc/config/executor.html

 - Chuck
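
The shared-pool setup this reply points to, as an added example (not from the thread or the Tomcat project): two AJP connectors bound to explicit loopback literals and served by one `<Executor>`. The executor name, thread counts and port numbers are assumed values.

```xml
<!-- Added example: fragment of conf/server.xml, placed inside <Service>.
     The Executor must be declared before the Connectors that reference it. -->
<Executor name="ajpThreadPool" namePrefix="ajp-exec-"
          maxThreads="200" minSpareThreads="10"/>

<!-- IPv4 loopback only -->
<Connector protocol="AJP/1.3" port="8009" address="127.0.0.1"
           executor="ajpThreadPool" redirectPort="8443"/>

<!-- IPv6 loopback only: ::1 is the loopback literal, whereas :: is the
     wildcard address and would listen on every interface -->
<Connector protocol="AJP/1.3" port="8009" address="::1"
           executor="ajpThreadPool" redirectPort="8443"/>
```

On a single-stack host the connector for the missing address family cannot bind, so a deployment script should emit only the connectors the host supports.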




Re: AJP connector address vs. IPv4/6

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Andy,

On 1/28/15 3:21 PM, Wang, Andy wrote:
> On Fri, 2015-01-23 at 16:05 -0500, Christopher Schultz wrote:
> 
>>> 
>>> If only one address per Connector can be specified, can you
>>> not just use 2 <Connector>s, one for each ? They should not
>>> conflict.
>> 
>> That should definitely work (address="127.0.0.1" and
>> address="::") but one connector might be nice.
>> 
>> Maybe Tomcat could detect some magic value that is invalid for
>> an address (like "loopback") and then use 
>> InetAddress.getLoopbackAddress() instead of a traditional
>> address lookup/resolution.
>> 
> 
> Just thought I'd provide a bit more detail for completeness'
> sake.
> 
> Even InetAddress.getLoopbackAddress isn't perfect.  What Jess left
> out of his original description is that we really ideally wanted to
> simply leave mod_jk configured to use localhost instead of an IP
> address.  We incorrectly assumed localhost = 127.0.0.1.  I forgot
> that localhost can also resolve to ::1 (for some reason I had it in
> my head that localhost6 would be used for ::1)
> 
> So really, without using an IP address on both mod_jk and tomcat
> side, there's no good way to synchronize the two configurations.

So it seems like configuration that supports "localhost" ->
InetAddress.getLoopbackAddress() won't help, because you might still
not get what you expect (or want). Better to force the user to be
explicit.

> The two connectors idea is an interesting one, but that has the 
> unfortunate aspect of now maintaining 2 separate thread pools 
> complicating performance tuning a little bit especially if you
> can't predict exactly which connector the mod_jk side might be
> using if we rely on an "ambiguous" localhost value.

See Chuck's response: he's right.

- -chris


Re: AJP connector address vs. IPv4/6

Posted by "Wang, Andy" <aw...@ptc.com>.
On Fri, 2015-01-23 at 16:05 -0500, Christopher Schultz wrote:

> > 
> > If only one address per Connector can be specified, can you not
> > just use 2 <Connector>s, one for each ? They should not conflict.
> 
> That should definitely work (address="127.0.0.1" and address="::") but
> one connector might be nice.
> 
> Maybe Tomcat could detect some magic value that is invalid for an
> address (like "loopback") and then use
> InetAddress.getLoopbackAddress() instead of a traditional address
> lookup/resolution.
> 

Just thought I'd provide a bit more detail for completeness' sake.

Even InetAddress.getLoopbackAddress isn't perfect.  What Jess left out
of his original description is that we really ideally wanted to simply
leave mod_jk configured to use localhost instead of an IP address.  We
incorrectly assumed localhost = 127.0.0.1.  I forgot that localhost can
also resolve to ::1 (for some reason I had it in my head that localhost6
would be used for ::1)

So really, without using an IP address on both mod_jk and tomcat side,
there's no good way to synchronize the two configurations.

It appears a proper getAddrInfo implementation uses RFC 6724 to declare
preference, which means it prefers IPv6 addresses.

Java, however, by default for backward compatibility prefers IPv4:
http://docs.oracle.com/javase/8/docs/technotes/guides/net/ipv6_guide/#ipv6-related

So localhost to apache+mod_jk on an IPv4/IPv6 system = ::1
and localhost (or InetAddress.getLoopbackAddress) on a Java VM by
default is 127.0.0.1.

Without either tweaking gai.conf (on Linux, who knows what it is on the
other Unix platforms) or setting -Djava.net.preferIPv6Addresses=true on
Java, native code and Java code unfortunately will have differing
opinions on what IP address is localhost/loopback.

The two connectors idea is an interesting one, but that has the
unfortunate aspect of now maintaining 2 separate thread pools
complicating performance tuning a little bit especially if you can't
predict exactly which connector the mod_jk side might be using if we
rely on an "ambiguous" localhost value.

Be nice if Java simply implemented RFC 6724 properly.

Andy
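
As an added example (not code from the thread or from Tomcat), the check below applies the point of this message and of the reply to it: both sides should name the same explicit loopback IP literal rather than a hostname. The class name, the `check` helper and the sample address pairs are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the thread: verifies that the Tomcat AJP "address"
// and the mod_jk worker host are the same explicit loopback IP literal.
public class AjpLoopbackCheck {

    // Assumption: dotted quad = IPv4 literal, anything containing ':' = IPv6 literal.
    static boolean isIpLiteral(String s) {
        return s.matches("[0-9]{1,3}(\\.[0-9]{1,3}){3}") || s.indexOf(':') >= 0;
    }

    // Returns the problems found; an empty list means the pair is consistent.
    static List<String> check(String tomcatAddress, String modJkHost) throws UnknownHostException {
        List<String> problems = new ArrayList<>();
        for (String value : new String[] { tomcatAddress, modJkHost }) {
            if (!isIpLiteral(value)) {
                problems.add(value + ": a name, JVM and native resolver may pick different families");
            }
        }
        if (!problems.isEmpty()) {
            return problems;
        }
        // For IP literals getByName parses the text; no name lookup is performed.
        InetAddress bind = InetAddress.getByName(tomcatAddress);
        InetAddress peer = InetAddress.getByName(modJkHost);
        if (bind.isAnyLocalAddress()) {
            problems.add(tomcatAddress + ": wildcard address, AJP would listen on every interface");
        } else if (!bind.isLoopbackAddress()) {
            problems.add(tomcatAddress + ": not a loopback address");
        } else if (!bind.equals(peer)) {
            problems.add("mod_jk connects to " + modJkHost + ", Tomcat listens on " + tomcatAddress);
        }
        return problems;
    }

    public static void main(String[] args) throws UnknownHostException {
        // The JVM's own view; it varies with the host's stacks and java.net.preferIPv6Addresses.
        System.out.println("getLoopbackAddress(): " + InetAddress.getLoopbackAddress().getHostAddress());
        // Constructed sample pairs: { Tomcat address, mod_jk host }.
        String[][] samples = { {"127.0.0.1", "127.0.0.1"}, {"127.0.0.1", "localhost"},
                               {"::", "::1"}, {"127.0.0.1", "::1"} };
        for (String[] s : samples) {
            System.out.println(s[0] + " / " + s[1] + " -> " + check(s[0], s[1]));
        }
    }
}
```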


Re: AJP connector address vs. IPv4/6

Posted by Christopher Schultz <ch...@christopherschultz.net>.
André,

On 1/23/15 3:35 PM, André Warnier wrote:
> Jess Holle wrote:
>> It seems that 
>> java.net.InetAddress.getLoopbackAddress().getHostAddress() should
>> give the right answer -- if one is running with Java 7.
>> 
>> That said, is there a value that can be used for AJP's "address" 
>> attribute that simply does the right thing here?
>> 
>> On 1/23/2015 1:38 PM, Jess Holle wrote:
>>> I'd like to set the "address" attribute on the AJP connector
>>> when deploying Tomcat to only allow loopback connections.
>>> 
>>> But I want to do so in a general way that works for:
>>> 
>>> * IPv4
>>> * IPv4 + IPv6 mixed/dual stack
>>> * IPv6 (pure)
>>> 
>>> Is there any such option?  The documentation speaks of setting 
>>> 127.0.0.1, yet I see indications that this won't fly in a pure
>>> IPv6 world.  If a single value won't work, is there any good
>>> way to detect which stacks are available via Java APIs during
>>> deployment?
>>> 
> 
> If only one address per Connector can be specified, can you not
> just use 2 <Connector>s, one for each ? They should not conflict.

That should definitely work (address="127.0.0.1" and address="::") but
one connector might be nice.

Maybe Tomcat could detect some magic value that is invalid for an
address (like "loopback") and then use
InetAddress.getLoopbackAddress() instead of a traditional address
lookup/resolution.

- -chris


Re: AJP connector address vs. IPv4/6

Posted by André Warnier <aw...@ice-sa.com>.
Jess Holle wrote:
> It seems that java.net.InetAddress.getLoopbackAddress().getHostAddress() 
> should give the right answer -- if one is running with Java 7.
> 
> That said, is there a value that can be used for AJP's "address" 
> attribute that simply does the right thing here?
> 
> On 1/23/2015 1:38 PM, Jess Holle wrote:
>> I'd like to set the "address" attribute on the AJP connector when 
>> deploying Tomcat to only allow loopback connections.
>>
>> But I want to do so in a general way that works for:
>>
>>   * IPv4
>>   * IPv4 + IPv6 mixed/dual stack
>>   * IPv6 (pure)
>>
>> Is there any such option?  The documentation speaks of setting 
>> 127.0.0.1, yet I see indications that this won't fly in a pure IPv6 
>> world.  If a single value won't work, is there any good way to detect 
>> which stacks are available via Java APIs during deployment?
>>

If only one address per Connector can be specified, can you not just use 2 <Connector>s, 
one for each ? They should not conflict.





Re: AJP connector address vs. IPv4/6

Posted by Jess Holle <je...@ptc.com>.
It seems that java.net.InetAddress.getLoopbackAddress().getHostAddress() 
should give the right answer -- if one is running with Java 7.

That said, is there a value that can be used for AJP's "address" 
attribute that simply does the right thing here?

On 1/23/2015 1:38 PM, Jess Holle wrote:
> I'd like to set the "address" attribute on the AJP connector when 
> deploying Tomcat to only allow loopback connections.
>
> But I want to do so in a general way that works for:
>
>   * IPv4
>   * IPv4 + IPv6 mixed/dual stack
>   * IPv6 (pure)
>
> Is there any such option?  The documentation speaks of setting 
> 127.0.0.1, yet I see indications that this won't fly in a pure IPv6 
> world.  If a single value won't work, is there any good way to detect 
> which stacks are available via Java APIs during deployment?
>
> --
> Jess Holle
>