Re: How to set apache load balancer for send request to 6 tomcat server

2019-12-31 Thread Christopher Schultz

Giancarlo,

On 12/30/19 12:11, Giancarlo Celli wrote:
> Hi Chris, to avoid any kind of overload, I would like every single
> request to be forwarded to a backend server.

Session stickiness only determines WHICH backend server your request
will be routed to. If your session gets mapped to a server which has
failed, that request will fail-over to another server.

The advantage to sticky-sessions is two-fold:

1. When not clustering and user-sessions are required (i.e. for
login), then sticky-sessions are REQUIRED

2. When clustering sessions, sticky-sessions are also REQUIRED to
ensure that the same session object is being used for all requests,
limiting the possibility of race-conditions. There is no cross-cluster
synchronization to prevent simultaneous access to the same session on
two different nodes.

I can't really see a use-case for NOT using sticky-sessions unless you
have HUGE, bursty-load and the contents of the session aren't very
important. (Or you are using a non-standard session-manager.)

> I attach the files again hoping you can view them correctly. I
> await your suggestions.

A few thoughts:

> worker.node1.ping_mode=P

This will cause a ping to be sent for every request, but no periodic
checks will be made. It probably doesn't matter much, but you may want
to start with ping_mode=A and reduce the frequency if you observe any
performance problems.

> worker.node1.ping_timeout=1

10s is a long time. Do you want to wait 10s for a request to fail-over
to another server?

> worker.node1.lbfactor=1
> worker.node1.socket_timeout=30

Same here: 30s is a long time. You may wait 30 seconds for a back-end
server to fail to respond to a request. Or maybe you have some
requests you expect to take as much as 30 seconds?

> worker.node1.connection_pool_timeout=20 
> worker.node1.recover_time=5

>  connectionTimeout="2" redirectPort="8443" />

Good: connectionTimeout == connection_pool_timeout

Everything looks okay to me. Are you having any specific problems, or
are you just asking if everything looks reasonable?

-chris

> -- Original message -- From: "Christopher Schultz"
> To: users@tomcat.apache.org
> Sent: 27/12/2019 16:29:28
> Subject: Re: How to set apache load balancer for send request to 6
> tomcat server
> 
>> Giancarlo,
>>
>> On 12/23/19 12:45, Giancarlo Celli wrote:
>>> Hi, I need to configure a load balancer with apache connector on a
>>> jelastic server that redirects requests to 6 server workers with
>>> tomcat 7 installed. Attached you can find extract from httpd.conf
>>> and workers.properties. I need to send single request to tomcat
>>> server individually, so I set sticky_session to 0.
>>
>> So you want your clients to switch servers even when they don't have
>> to?
>>
>>> Could you tell me if parameters are configured correctly? Is the
>>> collector able to handle all requests? Could you give me some
>>> further advice?
>>>
>>> Each tomcat server is configured with the following parameters:
>>>
>>>  connectionTimeout="2" redirectPort="8443" />
>>>
>>> The balancer has the following configuration:
>>> Server version: Apache/2.4.39 (codeit)
>>> Server built: Apr 3 2019 18:54:14
>>> Architecture: 64-bit
>>> Server MPM: event
>>> threaded: yes (fixed thread count)
>>> forked: yes (variable process count)
>>
>> Your attachments were stripped. Can you please post an example worker
>> and your JkMounts from httpd.conf? We don't need the whole httpd.conf.
>>
>> -chris
>>
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
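
The points reviewed in the message above can be checked mechanically. The following is an added example, not part of the original thread or of mod_jk: a shell function (`review_workers`, a hypothetical name) that flags a disabled `sticky_session`, a `ping_mode` without periodic probing, and a `connection_pool_timeout` (seconds in mod_jk) that does not match the Tomcat connector's `connectionTimeout` (milliseconds). The workers.properties content and the 20000 ms value are constructed.

```shell
#!/bin/sh
# Added example; the workers.properties content below is constructed.

# Review workers.properties ($1) against the Tomcat AJP connector's
# connectionTimeout ($2, milliseconds). Prints "worker: finding" lines.
review_workers() {
    awk -F'=' -v tomcat_ms="$2" '
        /^[ \t]*(#|$)/ { next }                     # skip comments and blanks
        {
            gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2)
            n = split($1, k, ".")
            if (n != 3 || k[1] != "worker") next    # worker.<name>.<directive>
            seen[k[2]] = 1
            val[k[2], k[3]] = $2
        }
        END {
            for (w in seen) {
                s = val[w, "sticky_session"]
                if (s == "0" || tolower(s) == "false")
                    print w ": sticky_session disabled, a session is not pinned to one node"
                m = val[w, "ping_mode"]
                if (m != "" && m !~ /[AI]/)
                    print w ": ping_mode=" m " does no periodic probing"
                p = val[w, "connection_pool_timeout"]     # mod_jk: seconds
                if (p != "" && p * 1000 != tomcat_ms + 0)
                    print w ": connection_pool_timeout=" p "s differs from connectionTimeout=" tomcat_ms "ms"
            }
        }' "$1" | sort
}

jk_dir=$(mktemp -d)
trap 'rm -rf "$jk_dir"' EXIT
cat > "$jk_dir/workers.properties" <<'EOF'
worker.list=balancer
worker.balancer.type=lb
worker.balancer.balance_workers=node1,node2
worker.balancer.sticky_session=0
worker.node1.type=ajp13
worker.node1.ping_mode=P
worker.node1.connection_pool_timeout=20
worker.node2.type=ajp13
worker.node2.ping_mode=A
worker.node2.connection_pool_timeout=60
EOF
review_workers "$jk_dir/workers.properties" 20000
```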

Re: [OT] Re: How to set apache load balancer for send request to 6 tomcat server

2019-12-31 Thread Christopher Schultz

Zahid,

On 12/27/19 10:33, Zahid Rahman wrote:
> Good,  please expand

Please ask a separate question on the list so we don't hijack this
thread.

-chris

> On Fri, 27 Dec 2019, 15:27 Christopher Schultz,
> <ch...@christopherschultz.net> wrote:
>
> Zahid,
>
> On 12/23/19 15:19, Zahid Rahman wrote:
>> If your backend tomcat servers are running on different
>> physical machines therefore with different ip addresses then
>> there is nothing wrong with each backend tomcat server
>> listening on same port (80) of each machine. Further to
>> mod_jk worker properties file redirection.
>>
>> It is pointless in having multiple tomcat instances running
>> on same machine, because the kernel will slice and share
>> resources as per priority level setting of OS.
>
> I disagree. There are use-cases for running multiple Tomcat
> instances on the same machine.
>
>> If you don't have heavy user activity expectations then
>> this exercise is pointless.
>
> ?
>
> -chris
>
>> On Mon, 23 Dec 2019, 17:45 Giancarlo Celli, wrote:
>>
>>> Hi, I need to configure a load balancer with apache
>>> connector on a jelastic server that redirects requests to 6
>>> server workers with tomcat 7 installed. Attached you can
>>> find extract from httpd.conf and workers.properties. I need
>>> to send single request to tomcat server individually, so I
>>> set sticky_session to 0. Could you tell me if parameters
>>> are configured correctly? Is the collector able to handle
>>> all requests? Could you give me some further advice?
>>>
>>> Each tomcat server is configured with the following
>>> parameters:
>>>
>>>  connectionTimeout="2" redirectPort="8443" />
>>>
>>> The balancer has the following configuration:
>>> Server version: Apache/2.4.39 (codeit)
>>> Server built: Apr 3 2019 18:54:14
>>> Architecture: 64-bit
>>> Server MPM: event
>>> threaded: yes (fixed thread count)
>>> forked: yes (variable process count)
>>>
>>> Thanks. Best regards.



Re: [OT] secureRandom... using [SHA1PRNG] ..took (up to) 20 minutes

2019-12-31 Thread Christopher Schultz

Vince,

On 12/29/19 23:01, Vince Stewart wrote:
> I started recently using my java app with embedded Tomcat /
> 8.0.28 on a debian VPS (DigitalOcean).
> 
> Unfortunately, it can take up to 20 minutes to launch into action
> from the time you start execution. The issue relates to "Creation
> of SecureRandom instance ... using SHA1PRNG".  Slowness has been
> described and explained in Stackoverflow.
> 
> My tomcat has otherwise been so reliable that I have had no
> motivation to keep it upgraded.  Can anyone advise if some change
> will apply if I upgrade to the latest version 8.

You'll probably find that a later Tomcat is less buggy/more
reliable/secure, and faster. I have no specific metrics, but Tomcat
8.0 -> 8.5 removed a lot of cruft necessary to support the BIO
connectors. The later versions have simpler code which will be less
prone to bugs, edge cases, and also of course less code running per
request, therefore better performance. Links to security reports can
be found on the Tomcat home page. Comparing fixes in 8.5 versus those
not mentioned AT ALL in the 8.90 changelog are likely to be (mild)
vulnerabilities in your version of Tomcat.

-chris



Re: secureRandom... using [SHA1PRNG] ..took (up to) 20 minutes

2019-12-31 Thread Christopher Schultz

Markus,

On 12/30/19 05:27, i...@flyingfischer.ch wrote:
> apt-get install haveged
> update-rc.d haveged defaults
>
> Increases entropy pool and therefore reduces start up time for
> Tomcat.

I would argue that haveged reduces your security because it makes
/dev/random (a supposedly-secure source of entropy) behave like
/dev/urandom which is supposed to be sufficiently-random yet not
secure for things like generating keys.

You should use the right tool for the right job: use /dev/random for
keys (and let it take 20 minutes if necessary) and /dev/urandom for
other uses.

-chris

> On 30.12.19 at 11:22, Rainer Jung wrote:
>> It depends a bit on the major Java version you are using, but
>> have a look at this page:
>>
>> https://cwiki.apache.org/confluence/display/TOMCAT/HowTo+FasterStartUp#HowToFasterStartUp-EntropySource
>>
>> Regards,
>>
>> Rainer
>>
>> On 30.12.2019 at 05:01, Vince Stewart wrote:
>>> I started recently using my java app with embedded Tomcat /
>>> 8.0.28 on a debian VPS (DigitalOcean).
>>>
>>> Unfortunately, it can take up to 20 minutes to launch into
>>> action from the time you start execution. The issue relates to
>>> "Creation of SecureRandom instance ... using SHA1PRNG".
>>> Slowness has been described and explained in Stackoverflow.
>>>
>>> My tomcat has otherwise been so reliable that I have had no
>>> motivation to keep it upgraded.  Can anyone advise if some
>>> change will apply if I upgrade to the latest version 8.
>>>
>>> Otherwise, is there a configuration change I could employ.
>>>
>>> Many thanks,
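
To confirm that a slow start is the SecureRandom delay discussed in this thread, and to see which seed source the JVM is configured with, the following added example (not from the thread) parses Tomcat's startup message and reads `securerandom.source` and any `-Djava.security.egd=` override. The function names are hypothetical, and the log lines and `java.security` content are constructed.

```shell
#!/bin/sh
# Added example; the log and java.security contents below are constructed.

# Print "<algorithm> <ms>" for each SecureRandom creation that Tomcat logged
# in file $1 as taking at least $2 milliseconds (default 1000).
slow_securerandom() {
    # Tomcat prints the duration with grouping separators, e.g. [1,187,421].
    sed -n 's/.*Creation of SecureRandom instance.*using \[\([^]]*\)\] took \[\([0-9,]*\)\] milliseconds.*/\1 \2/p' "$1" |
        tr -d ',' |
        awk -v min="${2:-1000}" '$2 + 0 >= min + 0'
}

# Print the configured seed source: a -Djava.security.egd= option in the
# string $2 overrides securerandom.source= in the java.security file $1.
seed_source() {
    src=$(printf '%s\n' "$2" | tr ' ' '\n' |
        sed -n 's/^-Djava\.security\.egd=//p' | tail -n 1)
    [ -n "$src" ] || src=$(sed -n 's/^securerandom\.source=//p' "$1" | tail -n 1)
    printf '%s\n' "${src:-unset}"
}

# One-line summary: longest delay, configured source, and the kernel entropy
# estimate read from $4 (default: /proc/sys/kernel/random/entropy_avail).
entropy_report() {
    worst=$(slow_securerandom "$1" 0 | sort -k2,2n | tail -n 1)
    pool=$(cat "${4:-/proc/sys/kernel/random/entropy_avail}" 2>/dev/null || true)
    printf 'worst=%s source=%s entropy_avail=%s\n' \
        "${worst:-none}" "$(seed_source "$2" "$3")" "${pool:-unknown}"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/catalina.out" <<'EOF'
31-Dec-2019 09:00:01.120 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine
31-Dec-2019 09:19:48.541 INFO [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [1,187,421] milliseconds.
31-Dec-2019 09:25:02.007 INFO [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [312] milliseconds.
EOF
cat > "$demo_dir/java.security" <<'EOF'
securerandom.source=file:/dev/random
EOF
entropy_report "$demo_dir/catalina.out" "$demo_dir/java.security" "${JAVA_OPTS:-}"
```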