Re: Fwd: Reverse proxy and SSL redirect
On Wed, Apr 22, 2020 at 9:21 AM Mark Thomas wrote: > > On 22/04/2020 00:11, rugman66 . wrote: > > > > >Tomcat log (I'm trying to get more debug level logging) > > 2020-04-21 13:39:33 INFO app.CompletionRestController > > Unsupported Media Type in Header > > > > Postman > >415 Unsupported Media Type > > > > GET URL > > http://server.com/app/api/completions.json?username=foo > > > > Both Tomcat and Apache are running SSL because all internal endpoints > > are required to be secure. > > Looks like the app is generating the error. That moves us forwards. > > Try enabling the RequestDumperFilter. That should dump the full set of > request headers received which will hopefully help explain what is going on. > > Mark Hi Mark, Was on unplanned leave for the past few months, but back. I did try to enable RequestDumperFilter, however the file was created but no log entries created. I did find something interesting. When I test in Postman with HTTP it does redirect to HTTPD but throws the error. However when I change the URL in Postman using HTTPD I get the expected reply and see the proxy is indeed working. It's only throwing the error when the redirect occurs. Seems to me the issue lies there, but I still can't find a resolution. Any suggestions would be appreciated. Regards -John - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Problem with JarScanFilter, maybe a bug?
Hello, I am trying to configure Tomcat in a way that it makes SCI scan only in jars I explicitly specify to. I followed instructions from https://tomcat.apache.org/tomcat-8.5-doc/config/jar-scan-filter.htm, in both Tomcat 8 and 9, but with no success. I posted a question on stackoverflow that explains more in detail what I did: https://stackoverflow.com/questions/62602550/how-to-specify-which-classes-and-jars-gets-scanned-for-servlet-annotations-in-to And I also found other unanswered questions pointing to the same problem, here is one example: https://stackoverflow.com/questions/52876216/tomcat-too-slow-scanning-for-annotations . The thing is that it is looking like an error to me because logs tells that scanning is done as configured — if I add a jar for scanning in JarScanFilter, the log show it is scanned, if I remove it, the log stop reporting it's scanning — but after that, no matter what configuration I made with JarScanFilter, the WebappServiceLoader loads servlet annotated classes, such as @WebListener. Any leads? Ideas? Anyone can confirm if that is an error or if I am using the functionality wrongly or if I understand it wrongly. Regards, Vitor
Re: Tomcat Large Payload Truncated
On 30/06/2020 03:12, Bhavesh Mistry wrote: > Hi Mark, > > Thank you for responding. I have one more question. This is spring-boot 2 > application REST API server and it does not accept Cookie or session > (timeout is set to zero).Auth happens through Authorized header. We > have set 10mb for maxPostSize. Does maxSavePostSize takes precedence over > maxPostSize ? No. They are different settings. > I will set maxSavePostSize to -1 to disable it. That is a DoS risk. > Also, I have another question. When Payload is as large as 10mb (json > post), does payload body in JVM MEMORY or offloaded to FileInputStream ? Where POST data is saved for authentication is, it is always in memory. For other POSTs, it will depend on the application configuration and/or code. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat session replication
On 29/06/2020 21:41, Christopher Schultz wrote: > Mark, > > On 6/27/20 05:29, Mark Thomas wrote: >> On 27/06/2020 10:19, Thomas Meyer wrote: >>> Hi, >>> >>> A few questions regarding tomcat session replication: > >> load-balancing and session replication are two separate parts of >> an overall clustering solution. > >>> 1) is the jvmRoute attribute on Engine object necessary for >>> session replication to work correctly? > >> No, but if you don't use it it places a number of restrictions on >> the web application behaviour and on the configuration of session >> replication. > >> The limitations are: - you need to use the DeltaManager (which >> doesn't scale as well as the BackupManager); - any requests made by >> the client that depend on the session MUST be issued in series, not >> in parallel; and > > This is only true of requests that would modify the session-state in a > way that needed to be deterministic, right? A bunch of GET requests > that don't change the session ought to be okay in parallel (as long as > any prior state-changing requests have completed _ those changes > replicated). Yes. You don't want state changes in parallel on different nodes. Any request that depends on a previous change in state can't be issued until the state changing request has completed and the changes replicated. >> - the session Manager must be configured to update all the other >> nodes in the cluster BEFORE the current request returns to the >> client. > > Same (negative) caveat here, right? Yes. Essentially you want channelSendOptions="6". Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org