Posted to users@tomcat.apache.org by Bob Myers <bo...@nextfort.com> on 2012/12/19 01:08:29 UTC

jvmRoute with multiple AJP Connectors for one Engine

I have more than one AJP connector for my Engine - one for HTTP, and one for HTTPS:

    <Connector executor="tomcatThreadPool" port="8009" protocol="AJP/1.3" redirectPort="443" />
    <Connector executor="tomcatThreadPool" port="8019" protocol="AJP/1.3" scheme="https" secure="true" />

I had two workers, tomcat and tomcatssl, using the two different port numbers, one for Apache HTTP and one for HTTPS connections. They use a common Engine and Executor thread pool.

So far, so good - until I tried to put in a second Tomcat server with load balancing. The jvmRoute is supposed to match the worker name, but now I have 2 connectors for a single Engine! The 2 workers can't have the same name, though they need to go to the same Engine.

It seems to me that something is wrong here - the jvmRoute needs to be set on the connector, not on the Engine. 

There seems to be no alternative to using 2 separate Engines and not just 2 Connectors, and that also means separate Services, and a non-common Executor pool. 

Is there any way around this? Why is the jvmRoute set on the Engine instead of the Connector?





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: jvmRoute with multiple AJP Connectors for one Engine

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Bob,

On 12/18/12 8:48 PM, Bob Myers wrote:
> Some particular apps require HTTPS, so we use (in the web.xml for 
> that webapp)
> 
> <transport-guarantee>confidential</transport-guarantee>
> 
> Then if the app is accessed by HTTP (Apache port 80), and is
> routed (AJP) to the insecure Tomcat app on 8009, it is redirected
> to port 443 (redirectPort=443) for HTTPS instead, and Apache passes
> 443/HTTPS traffic to Tomcat port 8019. Tomcat handles this well
> with the Connectors using redirectPort and the
> secure=true/scheme=https parameters.
> 
> What do you mean, why bother?

I mean that AJP propagates SSL information from the reverse proxy, so
there is no need to have separate AJP connectors: a single connector
will handle both HTTPS and HTTP connections via Apache httpd.

The AJP connector sets the appropriate flags in the request, etc. so
that your application can see if the (original) request is secure or not.

(Of course, unless you have made arrangements for secure AJP
communication, all AJP communication is insecure regardless of the
original protocol used between the client and the reverse proxy).

-chris
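
Added example (not part of the original thread, and not Tomcat or mod_jk code): a minimal parser for the fixed fields of an AJP13 Forward Request, showing that the server port and the is_ssl flag travel inside every forwarded request, which is why one AJP connector can serve both HTTP and HTTPS traffic from httpd. The sample packets, host names and addresses are constructed for illustration.

```python
import struct

AJP_MAGIC = b"\x12\x34"          # marks a web-server-to-container packet
FORWARD_REQUEST = 0x02           # prefix code of a Forward Request
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST"}

def _string(buf, pos):
    """AJP string: 2-byte length, bytes, trailing NUL; 0xFFFF means null."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if n == 0xFFFF:
        return None, pos + 2
    end = pos + 2 + n
    if end >= len(buf) or buf[end] != 0:
        raise ValueError("truncated or unterminated AJP string")
    return buf[pos + 2:end].decode("latin-1"), end + 1

def parse_forward_request(packet):
    """Return the fixed fields of a Forward Request, up to is_ssl."""
    if packet[:2] != AJP_MAGIC or len(packet) < 6:
        raise ValueError("not an AJP13 server-to-container packet")
    (length,) = struct.unpack_from(">H", packet, 2)
    body = packet[4:4 + length]
    if length < 2 or len(body) != length or body[0] != FORWARD_REQUEST:
        raise ValueError("bad length or not a Forward Request")
    fields = {"method": METHODS.get(body[1], body[1])}
    pos = 2
    for name in ("protocol", "req_uri", "remote_addr", "remote_host", "server_name"):
        fields[name], pos = _string(body, pos)
    # server_port (2 bytes) and is_ssl (1 byte) describe the client-facing side
    port, is_ssl = struct.unpack_from(">HB", body, pos)
    fields.update(server_port=port, is_ssl=bool(is_ssl))
    return fields

def _s(text):
    """Encode one AJP string for the constructed samples below."""
    raw = text.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def sample_packet(port, is_ssl):
    """Constructed sample: GET /app/ with no headers or attributes."""
    body = (bytes([FORWARD_REQUEST, 2]) + _s("HTTP/1.1") + _s("/app/")
            + _s("192.0.2.10") + _s("client.example") + _s("www.example")
            + struct.pack(">HBH", port, is_ssl, 0) + b"\xff")
    return AJP_MAGIC + struct.pack(">H", len(body)) + body

if __name__ == "__main__":
    for port, ssl in ((80, 0), (443, 1)):
        print(parse_forward_request(sample_packet(port, ssl)))
```

Both sample requests could arrive on the same connector port; only the fields inside the packet differ. As the reply above notes, these fields are sent in the clear unless the AJP link itself is protected.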


Re: jvmRoute with multiple AJP Connectors for one Engine

Posted by Bob Myers <bo...@nextfort.com>.
Some particular apps require HTTPS, so we use (in the web.xml for that webapp)

  <transport-guarantee>confidential</transport-guarantee>

Then if the app is accessed by HTTP (Apache port 80), and is routed (AJP) to the insecure Tomcat app on 8009, it is redirected to port 443 (redirectPort=443) for HTTPS instead, and Apache passes 443/HTTPS traffic to Tomcat port 8019. Tomcat handles this well with the Connectors using redirectPort and the secure=true/scheme=https parameters.

What do you mean, why bother? 

Some apps need HTTPS, some don't. We can define which is which in the web.xml files, so our content developers control that themselves.




On Dec 18, 2012, at 5:29 PM, Christopher Schultz wrote:

> Bob,
> 
> On 12/18/12 7:08 PM, Bob Myers wrote:
>> I have more than one AJP connector for my Engine - one for HTTP, 
>> and one for HTTPS:
>> 
>> <Connector executor="tomcatThreadPool" port="8009" protocol="AJP/1.3" redirectPort="443" />
>> <Connector executor="tomcatThreadPool" port="8019" protocol="AJP/1.3" scheme="https" secure="true" />
> 
> Why bother?
> 
>> I had two workers, tomcat and tomcatssl, using the two different 
>> port numbers, one for Apache HTTP and one for HTTPS connections. 
>> They use a common Engine and Executor thread pool.
>> 
>> So far, so good - until I tried to put in a second Tomcat server 
>> with load balancing. The jvmRoute is supposed to match the worker 
>> name, but now I have 2 connectors for a single Engine! The 2 
>> workers can't have the same name, though they need to go to the 
>> same Engine.
>> 
>> It seems to me that something is wrong here - the jvmRoute needs to
>> be set on the connector, not on the Engine.
>> 
>> There seems to be no alternative to using 2 separate Engines and 
>> not just 2 Connectors, and that also means separate Services, and a
>> non-common Executor pool.
>> 
>> Is there any way around this? Why is the jvmRoute set on the Engine
>> instead of the Connector?
> 
> -chris




Re: jvmRoute with multiple AJP Connectors for one Engine

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Bob,

On 12/18/12 7:08 PM, Bob Myers wrote:
> I have more than one AJP connector for my Engine - one for HTTP, 
> and one for HTTPS:
> 
> <Connector executor="tomcatThreadPool" port="8009" protocol="AJP/1.3" redirectPort="443" />
> <Connector executor="tomcatThreadPool" port="8019" protocol="AJP/1.3" scheme="https" secure="true" />

Why bother?

> I had two workers, tomcat and tomcatssl, using the two different 
> port numbers, one for Apache HTTP and one for HTTPS connections. 
> They use a common Engine and Executor thread pool.
> 
> So far, so good - until I tried to put in a second Tomcat server 
> with load balancing. The jvmRoute is supposed to match the worker 
> name, but now I have 2 connectors for a single Engine! The 2 
> workers can't have the same name, though they need to go to the 
> same Engine.
> 
> It seems to me that something is wrong here - the jvmRoute needs to
> be set on the connector, not on the Engine.
> 
> There seems to be no alternative to using 2 separate Engines and 
> not just 2 Connectors, and that also means separate Services, and a
> non-common Executor pool.
> 
> Is there any way around this? Why is the jvmRoute set on the Engine
> instead of the Connector?

-chris