Posted to users@tomcat.apache.org by Aurélien Terrestris <at...@gmail.com> on 2015/07/30 18:13:48 UTC

Re: Client using VIP ----> protocol HTTPS--> F5 ---->protocol HTTP ----> TOMCAT - Does not work

Hi,

In your server.xml, add this before your access log valve:

<Valve className="org.apache.catalina.valves.RemoteIpValve" />

It's working for our hosting behind F5

2015-07-30 18:09 GMT+02:00 Christopher Schultz <ch...@christopherschultz.net>:
> Lew,
>
> On 7/29/15 4:50 PM, Kramer, Lewis wrote:
>> I am new to Tomcat.
>
> Welcome to the community.
>
>> I'm still struggling with many of the concepts. That said here we
>> go:
>>
>> Tomcat Version 8.0.14 Mainly out of the box configuration.
>
> If possible, upgrade to 8.0.latest.
>
>> Client is using VIP to connect to an F5 via HTTPS  (port 443)
>
> Sorry... what's "VIP"?
>
>> The F5 connects to the Tomcat host via HTTP (port 8080)
>>
>> Our F5 team indicates that they are sure they have configured the
>> F5 properly (they do it all the time for HTTP Server and Jboss
>> Application Server installations. They have not done this with
>> Tomcat before)
>
> If everyone is speaking HTTP, it should be the same.
>
>> I have created an access log valve at the engine level to see what
>> the request looks like. <Valve
>> className="org.apache.catalina.valves.AccessLogValve"
>> directory="logs" prefix="catalina_access_log" suffix=".txt"
>> pattern="%h %H %l %u %t &quot;%r&quot; %s %b" />
>>
>> I see requests that are direct connected to the Tomcat host
>> directly, either from a client accessing the web application
>> hosted on the tomcat server (via HTTP) or from the F5 for
>> healthcheck purposes in the log (also via HTTP). I do not see any
>> client requests that use the VIP showing up in the log.
>
> So the F5 can get to you (healthcheck) but client requests don't make
> it through? Sounds like a problem mapping the actual incoming requests
> to Tomcat.
>
>> So my first question is: Why do I not see the VIP driven requests
>> in the log? Am I not logging correctly? Does not seeing the
>> requests in the log mean they are not making it to the Tomcat
>> server?
>
> The log looks properly configured. If they aren't in the log, they
> probably aren't reaching Tomcat. It wouldn't hurt to watch the NIC to
> see if any traffic is coming over. Try something like tcpdump or
> Wireshark to see if anything is coming in.
>
>> Thinking that this might be a proxy problem I tried this which
>> didn't work
>>
>> <Connector port="8080" protocol="HTTP/1.1"
>> connectionTimeout="20000" redirectPort="8443" proxyName="VIP name"
>> proxyPort="443" scheme="HTTPS" disableUploadTimeout="true" />
>>
>> I've recently begun reading about the proxy support valve but am
>> still digesting the information. At this point I am not even sure
>> how I might use it.
>
> Tomcat treats proxies just like any other HTTP client, so it shouldn't
> require much study (until you want to get the client's REAL ip
> address, for instance).
>
> How is the F5 set up to route requests to Tomcat? Is it done by URL
> pattern or something? Or anything that comes-in for a specific IP goes
> to Tomcat?
>
> Can you confirm if the F5 is even getting the requests?
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>


Re: Client using VIP ----> protocol HTTPS--> F5 ---->protocol HTTP ----> TOMCAT - Does not work

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Aurélien,

On 7/31/15 5:44 AM, Aurélien Terrestris wrote:
> You're welcome Lewis.
> 
> Chris, it looks like you had another understanding of the question,
> which was : "So my first question is:  Why do I not see the VIP
> driven requests in the log?"
> 
> The requests were in the log, but with another client IP.

Aah. I took "requests aren't in my log" to mean "logs don't contain
anything" rather than "when I grep my logs for the client IP, I don't
see anything."

Precision counts. Only Pid has a crystal ball, and he's been MIA for
quite a while, now.

-chris


Re: Client using VIP ----> protocol HTTPS--> F5 ---->protocol HTTP ----> TOMCAT - Does not work

Posted by Aurélien Terrestris <at...@gmail.com>.
You're welcome Lewis.

Chris, it looks like you had another understanding of the question, which was :
"So my first question is:  Why do I not see the VIP driven requests in the log?"

The requests were in the log, but with another client IP. At least
Tomcat provides this valve when most other software doesn't.

A.T.

2015-07-30 19:00 GMT+02:00 Kramer, Lewis <le...@uhc.com>:
> Sorry.  I mean thanks Aurelien.


Re: Client using VIP ----> protocol HTTPS--> F5 ---->protocol HTTP ----> TOMCAT - Does not work

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Lew,

On 7/30/15 1:00 PM, Kramer, Lewis wrote:
> Sorry.  I mean thanks Aurelien.
> 
> Hi,
> 
> In your server.xml, add this before your access log valve:
> 
> <Valve className="org.apache.catalina.valves.RemoteIpValve" />
> 
> It's working for our hosting behind F5

I don't understand how adding a <Valve> made everything work. I
suspect you changed something else.

RemoteIPValve is used to take the client's real IP from the headers
and re-wire Tomcat's view of the world so that log files contain that
real data instead of insisting everything is coming from the
load-balancer (which is useless information: of course it's all coming
from the lb).

Enabling RemoteIPValve will just get you better logs.. it won't
"allow" communication from the F5.

So.. what else changed to make it work?

-chris

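Added example (not part of the original thread, and not Tomcat's code): a simplified Python model of the decision RemoteIpValve makes, showing why the access log held the F5's address and why the forwarded header is honoured only when the direct peer is a known proxy. The CIDR list, the addresses and the function names are constructed for illustration; Tomcat itself matches proxies with the internalProxies regular expression and reads the X-Forwarded-For header by default.

```python
import ipaddress

# Assumption: proxies are listed as CIDR networks (constructed values).
# Tomcat's RemoteIpValve matches them with the internalProxies regex instead.
INTERNAL_PROXIES = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")
)


def _parse(addr):
    """Return an ip_address object, or None for anything that is not an IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_internal(ip, networks):
    return ip is not None and any(ip in net for net in networks)


def resolve_client_ip(peer_addr, forwarded_for, networks=INTERNAL_PROXIES):
    """Address an access log should record for one request.

    peer_addr     -- TCP peer Tomcat sees (the load balancer, behind a VIP)
    forwarded_for -- raw X-Forwarded-For value, or None when absent
    """
    # The header is honoured only when the direct peer is a known proxy.
    # Otherwise any client reaching port 8080 could pick its own logged IP.
    if not forwarded_for or not _is_internal(_parse(peer_addr), networks):
        return peer_addr
    client = peer_addr
    # Walk right to left: the rightmost entries were appended by our own
    # proxies. The first hop that is not one of them is the client.
    for hop in reversed(forwarded_for.split(",")):
        ip = _parse(hop)
        if ip is None:
            # Extra check in this model: never log a non-IP header value.
            return peer_addr
        client = str(ip)
        if not _is_internal(ip, networks):
            break
    return client


# Constructed requests: (TCP peer, X-Forwarded-For header, description)
SAMPLE_REQUESTS = [
    ("10.1.1.5", "203.0.113.7", "client via VIP, header added by the F5"),
    ("10.1.1.5", None, "F5 health check, no header"),
    ("198.51.100.9", "10.9.9.9", "direct hit on :8080 with a forged header"),
    ("10.1.1.5", "192.0.2.66, 203.0.113.7", "client-supplied entry, F5 appended"),
    ("10.1.1.5", "203.0.113.7, 10.1.1.6", "two internal proxies in the chain"),
]


def logged_hosts(requests=SAMPLE_REQUESTS):
    """Pairs of (address logged without the valve, address logged with it)."""
    return [(peer, resolve_client_ip(peer, xff)) for peer, xff, _ in requests]


if __name__ == "__main__":
    for (peer, xff, note), (before, after) in zip(SAMPLE_REQUESTS, logged_hosts()):
        print(f"{note:45} without valve: {before:15} with valve: {after}")
```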

RE: Client using VIP ----> protocol HTTPS--> F5 ---->protocol HTTP ----> TOMCAT - Does not work

Posted by "Kramer, Lewis" <le...@uhc.com>.
Sorry.  I mean thanks Aurelien. 

Hi,

In your server.xml, add this before your access log valve:

<Valve className="org.apache.catalina.valves.RemoteIpValve" />

It's working for our hosting behind F5


RE: Client using VIP ----> protocol HTTPS--> F5 ---->protocol HTTP ----> TOMCAT - Does not work

Posted by "Kramer, Lewis" <le...@uhc.com>.
Thanks Chris.  It worked!


Hi,

In your server.xml, add this before your access log valve:

<Valve className="org.apache.catalina.valves.RemoteIpValve" />

It's working for our hosting behind F5
