[Deploying Sakai] Can't log in with clustering

Kusnetz, Jeremy JKusnetz at APUS.EDU
Thu Apr 8 14:07:40 PDT 2010 

All was working well with apache 2.2.3 (the version that RHEL5) uses.  I
was having some weird issues with the proxy having communications
problems through our DMZ

 

[Thu Apr 08 09:09:23 2010] [error] (70007)The timeout specified has
expired: ajp_ilink_receive() can't receive header

[Thu Apr 08 09:09:23 2010] [error] ajp_read_header: ajp_ilink_receive
failed

[Thu Apr 08 09:09:23 2010] [error] (120006)APR does not understand this
error code: proxy: read response failed from 10.0.45.100:41009
(10.0.45.100)

 

Looking up this error everyone said you should upgrade to the latest 2.2
apache.  Not easy to do with RHEL, but I managed to grab the Fedora
source RPM and rebuild it for RHEL5

 

I got it up and running, but not only did it not seem to fix this
problem above, but now I'm back to having the same kind of problems
logging in, like the route statement isn't working.

 

I also have apache on the local tomcat server installed, and I'm having
the same problem with them there too.  If it connects to the local
tomcat all works, but if the apache talks to a tomcat on a different
server I can't log in.  I can see in the tomcat logs that my LDAP is
authenticating a user, I also see the JSESSIONID cookie getting set, and
it's appending the correct serverID name to the session token.  I don't
see any errors in the apache or tomcat logs to give me any hint on
what's happening.

 

I'll probably try to downgrade back to the official apache the RHEL5
comes with, but what I read is there are a lot of improvements to
mod_proxy_ajp since 2.2.3, all Red Hat does is supply security patches,
not actual improvements to the code for 2.2.3

 

Any thoughts?

 

 

From: production-bounces at collab.sakaiproject.org
[mailto:production-bounces at collab.sakaiproject.org] On Behalf Of
Kusnetz, Jeremy
Sent: Thursday, March 18, 2010 9:10 AM
To: Martin B. Smith
Cc: production at collab.sakaiproject.org
Subject: Re: [Deploying Sakai] Can't log in with clustering

 

This works!  I also did not touch jvmRoutes in the tomcat config as
suggested.

 

Should this be added to the documentation?  It doesn't mention using
route=serverId under:

 

http://confluence.sakaiproject.org/display/DOC/Sakai+Admin+Guide+-+Advan
ced+Tomcat++%28and+Apache%29+Configuration

 

Configuring mod_proxy_ajp

AJP, or the The Apache Jserv protocol is the protocol by which tomcat
and some other proxying service (Apache or a dedicated hardware load
balancer) communicate. If you intend to use apache to provide other
static content or to handle SSL, you may want to configure Tomcat to
listen for AJP requests, and the have Apache proxy requests for tomcat
using AJP rather than HTTP or HTTPS. To do this, you will need to do the
following:

1.	enable the AJP connector for one or more tomcat installations by
editing TOMCAT_HOME/conf/server.xml and uncommenting the AJP connector
included with the default distribution:

<Connector enableLookups="false" port="8009" protocol="AJP/1.3"
redirectPort="8443"/>




 

If you are load balancing multiple tomcat instances on the same server,
you will need to ensure that each one listens for AJP requests on a
different IP address and/or port.

2.	You can load balance requests between tomcat instances by adding
something like the following to your Apache httpd.conf: 
	
3.	ProxyPass / balancer://sakaiCluster/ stickysession=JSESSIONID
nofailover=On
4.	<Proxy balancer://sakaiCluster>
5.	BalancerMember ajp://localhost:8009
6.	BalancerMember ajp://localhost:8019
7.	BalancerMember ajp://localhost:8029

</Proxy>






You must have mod_proxy, mod_proxy_ajp, and mod_balancer enabled to use
the above configuration options. It has also been noted that versions of
mod_proxy_balancer prior to 2.2.4 have errors with this configuration.

 

 

-----Original Message-----
From: Martin B. Smith [mailto:smithmb at ufl.edu] 
Sent: Wednesday, March 17, 2010 11:10 PM
To: Kusnetz, Jeremy
Cc: production at collab.sakaiproject.org
Subject: Re: [Deploying Sakai] Can't log in with clustering

 

On 3/17/2010 8:41 PM, Kusnetz, Jeremy wrote:

> I think that is what the problem is, I won't be able to try it out
until the morning, fingers crossed!

> 

> I googled jvmroute and balancermember and came up with this thread,
this is exactly what I'm seeing:

> 

>
http://collab.sakaiproject.org/pipermail/sakai-dev/2009-August/003271.ht
ml

> 

> I'll let you know if this works.

> 

> 

 

Hi Jeremy,

 

FWIW, I discovered that if I set serverId in sakai.properties, I could

omit jvmroute -- it appeared to be the same as the serverId property. I

did test using jvmroute, but the JSESSIONID cookie didn't look any

different.

 

If it helps for you to follow conventions, our convention is using the

FQDN for each application server as the route, and setting serverId to

the same value. It also helps users and support staff see which node

they're on by putting that name in the footer of every page.

 

Keep us posted,

-- 

Martin B. Smith

smithmb at ufl.edu - (352) 273-1374

CNS/Open Systems Group

University of Florida

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/production/attachments/20100408/e0857396/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 569 bytes
Desc: image001.gif
Url : http://collab.sakaiproject.org/pipermail/production/attachments/20100408/e0857396/attachment.gif

More information about the production mailing list