JBossWiki : UsingMod_jk1.2WithAFirewall

Setting up mod_jk with a firewall:

Configuring workers.properties:

# Define list of workers that will be used
# for mapping requests
# The configuration directives are valid
# for the mod_jk version 1.2.18 and later
#
worker.list=loadbalancer,status

# Define Node1
# modify the host as your host IP or DNS name.
worker.node1.port=8009
#Using an IP prevents a DNS lookup
worker.node1.host=192.168.1.2
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.connect_timeout=10000
worker.node1.prepost_timeout=10000
worker.node1.socket_keepalive=True

# Define Node2
# modify the host as your host IP or DNS name.
worker.node2.port=8009
worker.node2.host=192.168.1.3
worker.node2.type=ajp13
worker.node2.lbfactor=1
worker.node2.connect_timeout=10000
worker.node2.prepost_timeout=10000
worker.node2.socket_keepalive=True

# Load-balancing behaviour
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2

# Status worker for managing load balancer
worker.status.type=status

socket_keepalive=True is the most important setting. connect_timeout and prepost_timeout are there to work around firewalls that ignore keepalives or close the connection for unknown reasons.

Configuring server.xml:

The main concern with server.xml is setting connectionTimeout, which sets the SO_TIMEOUT of the underlying socket. When a connection in Tomcat has not had a request within the time specified by connectionTimeout, the connection is closed. This is a good thing because a connection that has not been used for a certain period of time may be half-closed on the mod_jk end. If such connections are not closed, threads accumulate and can over time hit the maxThreads count in Tomcat, at which point Tomcat will not be able to accept any new connections.

When setting connectionTimeout in Tomcat, mod_jk should also have connect_timeout/prepost_timeout set, which allows it to detect that the Tomcat connection has been closed and prevents a retry request.

<Connector port="8009"
           address="${jboss.bind.address}"
           emptySessionPath="true"
           enableLookups="false"
           redirectPort="8443"
           protocol="AJP/1.3"
           maxThreads="200"
           connectionTimeout="60000"/>

Configuring Apache:

Note that maxThreads for the AJP connection should coincide with the MaxClients set in Apache's httpd.conf. MaxClients needs to be set in the section for the correct MPM module in Apache.

This can be determined by running httpd -V:

# httpd -V

Server version: Apache/2.2.3
Server built:   Sep 11 2006 09:43:05
Server's Module Magic Number: 20051115:3
Server loaded:  APR 1.2.7, APR-Util 1.2.8
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture:   32-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="logs/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

This shows that the Server MPM is Prefork.

httpd.conf:

<IfModule prefork.c>
StartServers       8
MinSpareServers    5
MaxSpareServers   20
MaxClients       200
MaxRequestsPerChild  0
</IfModule>

Or, if Apache is using the worker MPM, it is:

<IfModule worker.c>
StartServers         2
MaxClients         200
MinSpareThreads     25
MaxSpareThreads     75
ThreadsPerChild     25
MaxRequestsPerChild  0
</IfModule>

MaxRequestsPerChild is 0, which is the recommended value when using mod_jk because mod_jk keeps persistent connections open. The key values in the above configuration are MaxClients and MaxRequestsPerChild; the rest of the values are left at their defaults. Note that although 0 is recommended for MaxRequestsPerChild, the value may need to be greater than 0 if Apache is also used for other modules, especially in the case of resource leakage.



The page last changed on Thu Aug 02 20:28:30 EDT 2007 by smendenh@redhat.com