5

Disclaimier: Not a server admin

I've been scratching my head over this for weeks now (not consistently mind you, as that would be maddening). I've been trying to connect my apache2 server to my tomcat server to the point where if someone encounters *.jsp or any servelet in navigating my web directory, it's handed over to tomcat.

I have both Apache2.0 (port 9099) and Tomcat6 (9089) running on Debian lenny on the same box.

Currently, mod_jk is enabled with mod_jk.conf in $apacheHOME/mods-enabled/ with content:

    # Where to find workers.properties
JkWorkersFile /etc/apache2/workers.properties
    # Where to put jk shared memory
JkShmFile     /var/log/at_jk/mod_jk.shm
    # Where to put jk logs
JkLogFile     /var/log/at_jk/mod_jk.log
    # Set the jk log level [debug/error/info]
JkLogLevel    info
    # Select the timestamp log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
    # Send servlet for context /examples to worker named worker1
JkMount  /*/servlet/* worker1
    # Send JSPs  for context /examples to worker named worker1
JkMount  /*.jsp worker1

my workers.properties located in $apacheHOME/ with content:

workers.tomcat_home=/var/lib/tomcat6
workers.java_home=/usr/lib/jdk1.6.0_23/db/
worker.list=worker1
ps=/

worker.worker1.port=9081
worker.worker1.host=localhost
worker.worker1.type=ajp13

my web.xml in $tomcatHOME/conf has the following servlets enabled

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-cla$
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>


<servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param>
        <param-name>fork</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>xpoweredBy</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>3</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
</servlet-mapping>

<session-config>
    <session-timeout>30</session-timeout>
</session-config>

server.xml :

--> -->

<!-- Define an AJP 1.3 Connector on port 8009 -->

<Connector port="9081" protocol="AJP/1.3" redirectPort="9088" />

mod_jk.log :

[Mon Feb 21 13:49:35 2011] [2921:3075307264] [info] jk_open_socket::jk_connect.c (566): connect to 127.0.0.1:9081 failed (errno=111)
[Mon Feb 21 13:49:35 2011] [2921:3075307264] [info] ajp_connect_to_endpoint::jk_ajp_common.c (869): Failed opening socket to (127.0.0.1:9081) (errno=111)
[Mon Feb 21 13:49:35 2011] [2921:3075307264] [error] ajp_send_request::jk_ajp_common.c (1359): (worker1) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=111)
[Mon Feb 21 13:49:35 2011] [2921:3075307264] [info] ajp_service::jk_ajp_common.c (2194): (worker1) sending request to tomcat failed (recoverable), because of error during request sending (attempt=1)
[Mon Feb 21 13:49:35 2011] [2921:3075307264] [info] jk_open_socket::jk_connect.c (566): connect to 127.0.0.1:9081 failed (errno=111)
[Mon Feb 21 13:49:35 2011] [2921:3075307264] [info] ajp_connect_to_endpoint::jk_ajp_common.c (869): Failed opening socket to (127.0.0.1:9081) (errno=111)
[Mon Feb 21 13:49:35 2011] [2921:3075307264] [error] ajp_send_request::jk_ajp_common.c (1359): (worker1) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=111)
[Mon Feb 21 13:49:35 2011] [2921:3075307264] [info] ajp_service::jk_ajp_common.c (2194): (worker1) sending request to tomcat failed (recoverable), because of error during request sending (attempt=2)
[Mon Feb 21 13:49:35 2011] [2921:3075307264] [error] ajp_service::jk_ajp_common.c (2212): (worker1) Connecting to tomcat failed. Tomcat is probably not started or is listening on the wrong port
[Mon Feb 21 13:49:35 2011] [2921:3075307264] [info] jk_handler::mod_jk.c (2364): Service error=-3 for worker=worker1

There appears to be an issue with port 9081, no process is using it, so I would suppose it's configured incorrectly. Though my tomcat port works fine.

 ickronia:/var/log/at_jk# telnet localhost 9081
 Trying ::1...
 Trying 127.0.0.1...
 telnet: Unable to connect to remote host: Connection refused
 ickronia:/var/log/at_jk#

From what I can tell, there's no funny buisness as both the apache2, tomcat, and mod_jk logs show green; yet whenever I navigate to a jsp, it simply displays the javascript.

I'm unsure what the problem is exactly despite pouring over the logs and documentation for aid. I'm quite a greenhorn in the servelet world.

StudentKen
  • 207
  • 1
  • 3
  • 10

3 Answers3

1

You don't say if you've performed a JKMountCopy in a virtual host or not.

On my ubuntu box in /etc/apache2/sites-enabled/000-default-ssl

<VitualHost _default_:443>
  JkMountCopy On

  blah 
  blah

</VirtualHost>

From http://tomcat.apache.org/connectors-doc/reference/apache.html If you go find the Directive description of JkMount You'll see that global directives are not inherited by the VirtualHosts. You need to respecify, or if you want to pull in everything you need use JkMountCopy On.

Also make sure the port you are connecting to has an AJP connector set up in the server.xml. Redirect port refers to the ssl port.

From the sample included with Tomcat...

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Decado
  • 1,949
  • 11
  • 17
  • What exactly does JkMountCopy invoke? – StudentKen Feb 16 '11 at 03:00
  • When you declare the JKMount point in mod_jk.conf all you're basically saying is "Hi this mount point is available". The virtual host actually needs to pull this in. – Decado Feb 16 '11 at 07:12
  • I've edited the answer to make a little clearer. – Decado Feb 16 '11 at 07:21
  • Upon this addition to both my http and https sites, in sites-enabled. Any visit to a .jsp produces a "Service temporarily unavailable". – StudentKen Feb 17 '11 at 00:02
  • Updated question to reflect mod_jk log – StudentKen Feb 17 '11 at 00:10
  • I now set the correct port on the workers.properties file, and it seems that apache is now communicating with tomcat, but tomcat is refusing the connection. In the end, it results in a "Bad Gateway" error. Question updated – StudentKen Feb 17 '11 at 00:28
  • Okay, you definately have a ajp connector set up for that Tomcat instance and it's listeneing on 9089, as per Christopher Evans response? Updated answer with that bit aswell. – Decado Feb 17 '11 at 06:07
  • I've updated my response, with the server.xml settings, and changed my workers.properties to match the AJP connector port. From this, my mod_jk log files show it denying service for jsp requests; is this primarily due to my tomcat SSL not being configured? – StudentKen Feb 19 '11 at 13:17
  • Shouldn't need ssl enabled. I have apache dealing with the ssl bit and a couple of instances of tomcat load balanced behind it. There is an ssl connector setup, but that's just for direct access to Tomcat. – Decado Feb 21 '11 at 06:51
  • Firstly, I'd like to thank you for being patient with my naivety on the subject. Now, given that I have `worker1` listening on 9081, and my `ajp connector` is configured at 9081 (possibly incorrectly?). I'm getting 'Service Temporarily Unavailable' I've updated the mod_jk logs and config files on the question to reflect my current situation. – StudentKen Feb 21 '11 at 19:06
1

My guess is that the server.xml in tomcat is not using the CoyoteConnector for port 9089, which is what talks the ajp protocol. I suspect that you have it talking http over that, and that if you hit http://server:9089/ it will load.

You'll want to have workers.properties use the CoyoteConnector port.

becomingwisest
  • 3,278
  • 19
  • 17
  • You found a huge blunder in my quandry, I was treating my tomcat http port as my AJP connector port. From what I see, it redirects this to my SSL port which is not active. I assumed that tomcat would use my apache SSL link. Does this mean I need to create a separate SSL cert for tomcat as well? – StudentKen Feb 19 '11 at 13:05
  • Are you still having problems? – becomingwisest Feb 22 '11 at 22:02
1

Answer two, as too many edits are happening. This is my working setup:-

mod-jk.conf:-

JkWorkersFile /etc/libapache2-mod-jk/workers.properties
JkLogFile /var/log/apache2/mod_jk.log
JkLogLevel info
JkMount /portal worker1
JkMount /portal/* worker1

in sites-enabled:-

<VirtualHost _default_:443>
    JkMountCopy On
    blah
    blah
</VirtualHost>

worker.properties (Usually it goes through the loadbalancer, but simplified here):-

worker.list=worker1

worker.worker1.port=9009
worker.worker1.host=host_name
worker.worker1.type=ajp13

tomcat server.xml:-

 <?xml version='1.0' encoding='utf-8'?>
<Server port="9005" shutdown="SHUTDOWN">

  <!-- cut -->

  <Service name="Catalina">
    <Connector port="9080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="9443" />

    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               keystoreFile="<path_to_keystore>.ks"
               kestorePass="<password for keystore>"
               maxThreads="200" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

    <Connector port="9009" protocol="AJP/1.3" redirectPort="9443" />

    <Engine name="Catalina" defaultHost="localhost" jvmRoute="worker1">
      <Host name="localhost"  appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">    
      </Host>
    </Engine>
  </Service>
</Server>

So Tomcat is listening for http on 9080, https on 9443 and ajp on 9009.

Apache is listening on the https port 443. Anything that get's sent to the /portal context on that server is being sent through to mod_jk worker1 which is being forwarded onto tomcat through ajp.

Hope this helps!

Decado
  • 1,949
  • 11
  • 17
  • I can't express how appreciative I am for you helping me like this. My final question (should this all go well hopefully) is wither I need to have the /portal/ redirect under SSL as I have a self signed cert. If not, I suppose it doesn't matter about the redirect the AJP connector uses to port 8443(though I have a feeling that is never used). – StudentKen Feb 22 '11 at 18:47
  • The ajp connector will automatically redirect to the https connector (it's the point of the redirectPort argument) if it's needed. Whether it's self signed or not is only really an issue for the client. – Decado Feb 23 '11 at 06:22
  • Did this issue get resolved? – Decado Feb 28 '11 at 08:03
  • I apologize for this delayed reply, but I've been kept on my toes lately. As a hacky fix, I simply created a subdomain that directed to my tomcat server. I still wish to have this resolved hopefully though. I've made progress thanks to your tips, most critically, I was missing `jvmRoute="worker1"`. Any navigation to `
    /portal` is handed over to tomcat now, but under the url `/portal/` as opposed to simply looking in `webapps`. Thank you for your patience with my tomcat naivety and tardy correspondance.
    – StudentKen Mar 05 '11 at 23:46
  • Ah, I simply de-packaged the war into $CATALINA_HOME/webapps/porta/ . There probably is a way to do some kind of URL trickery, but this shall fare well. Thank you Decado for all the help! – StudentKen Mar 06 '11 at 03:29
  • Cool, well done! Something worth looking into is mod_rewrite to solve that one. There are lot's of examples on this site for that issue ;) – Decado Mar 07 '11 at 05:42