from:"smith"

TC 7.0.54 / RHEL 6

I have two physical servers, each running an instance of TC. The servers
are behind a hardware loadbalancer. IPTables is routing request on 80 to
8080. Tomcat runs under a non-root user. All good.

I needed to protect an area of our webapp under SSL. Went ahead and
installed the cert on each server. I can go directly to each server by IP
under SSL and get the cert (with the expected IP doesn't match FQDN
warning).

But when I go through the loadbalancer I can't access anything under port
8443. I redirected 443 to 8443 on each TC server using IPTables, but still
no luck.

Is there anything I'm missing? I understand I can install the cert on the
loadbalancer instead, or use httpd as a proxy, but I'd rather just leave it
the way it is if there's any other option.

TIA,
John

Re: SSL redirect problems


  TC 7.0.54 / RHEL 6
 
  I have two physical servers, each running an instance of TC. The servers
  are behind a hardware loadbalancer. IPTables is routing request on 80 to
  8080.


 This seems unnecessary.  If you have a hardware load balancer in front of
 Tomcat, it is the only thing that would ever talk to Tomcat.  Thus if you
 just configure it to go to port 8080 you don't need the iptables rule.  I
 can't imagine it's hurting anything, but just thought I'd mention it.


Not at all, it would seem like a better choice than an OS level redirect
like iptables.



  Tomcat runs under a non-root user. All good.
 
  I needed to protect an area of our webapp under SSL. Went ahead and
  installed the cert on each server. I can go directly to each server by IP
  under SSL and get the cert (with the expected IP doesn't match FQDN
  warning).
 

 You probably want the SSL certificate installed on your hardware load
 balancer.  End client's browsers are going to connect to the hardware load
 balancer, not Tomcat.  Thus you'd want the certificate there so your end
 users can benefit from it.

 Ex:  browser - HTTPS - load balancer - HTTP or HTTPS - Tomcat

 If you put an SSL certificate on your Tomcat servers, that would allow you
 to secure the connection between your load balancer and Tomcat.  Depending
 on your network and security requirements this may or may not be necessary.
  I'd say most people don't do this because terminating SSL on the load
 balancer is sufficient.  It just depends on your requirements though.


Ok, that makes sense. I think just on the loadbalancer will work. In our
configuration, unencrypted traffic between the LB and the servers is
subject to minimal risk, and our security requirements aren't critical.



  But when I go through the loadbalancer I can't access anything under port
  8443. I redirected 443 to 8443 on each TC server using IPTables, but
 still
  no luck.
 
  Is there anything I'm missing?


 The load balancer is almost certainly listening on port 80 and 443.  To
 test, you'd want to connect to the load balancer on one of those ports.
  The load balancer would then connect to one of your backend nodes and
 proxy the request on your behalf.  Your browser will not connect directly
 to the backend nodes (see my point above about not needing the iptables
 rule), unless you specifically point it to the ip address of one of the
 backend nodes.



Sorry, I'm a bit unclear on this. What method of connecting would let me
test?


 I think you'd want it on the load balancer.  Possibly with additional certs
 on your backend nodes, if you want HTTPS communication between the load
 balancer and the Tomcat nodes.

 Dan


Thanks so much for the detailed and quick reply.
John

Re: SSL redirect problems

 Not contradicting anything Daniel is saying, but maybe something to add,
 and maybe that's the missing part of the original puzzle :

 If Tomcat is expecting HTTPS requests on port 8443, then any re-direct or
 response that it is sending back is going to include that port number after
 the hostname.
 (even inside the pages, if you use absolute URL links there).
 So the browser who ultimately receives this, is going to try to talk to
 port 8443.
 But that will not work, if your front-end is expecting further requests on
 port 443, and blocks 8443.
 Unless in all your Tomcat responses, you arrange to replace any reference
 to port 8443, by 443, before they reach the browser again.

 Maybe using a browser plugin like HttpFox, LiveHttpHeaders or Fiddler2
 would allow you to see more clearly what is going on there.


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org


Well, that's the part that seems confusing. Left as default, I would have
thought connecting through the LB on 8443 would have worked. Actually I'm
still not clear on which part of the chain is having a problem. Originally,
I had no iptable redirect - I just added it in the great tradition of
programming - try everything and anything until it works. I don't care if
the user has to have 8443 in the URL. Just to be clear, you are suggesting
that then problem would be the iptables redirect?

Re: SSL redirect problems

On Fri, Aug 1, 2014 at 11:54 AM, Mark Thomas ma...@apache.org wrote:

 On 01/08/2014 16:30, Daniel Mikusa wrote:
  You probably want the SSL certificate installed on your hardware load
  balancer.  End client's browsers are going to connect to the hardware
 load
  balancer, not Tomcat.  Thus you'd want the certificate there so your end
  users can benefit from it.

 That depends on whether the load-balancer is operating at layer 4 or
 layer 7.

 Mark


Mark, I have to check which layer it's operating at, but does that mean
that, depending on the layer, the cert should *not* be on the LB?

Re: SSL redirect problems



 No, I am not really going that far.  I am suggesting that that may be
 the kind of thing that is happening, and that you may want to investigate
 with a browser plugin, that the requests/responses are really what you are
 expecting.
 Your initial explanation was a bit confusing and lacking in precise
 details, as to what the load balancer really does, where IPtables does
 what, and how your tomcats are configured (re Connectors, and possibly
 IPtables too).  So we're all kind of guessing here, and just trying to give
 you some tips, to either simplify your setup, or to figure out better what
 is happening.



Well, lets remove the IP tables. I know the certs work because as I said I
can access them directly by going to either server on 8443 directly. The
connectors are configured correctly. There's no security info in web.xml.
The entire site should be available over SSL.

Using Charles, with LB:8443 I get connection refused - without any other
particularly useful info in the response.

Re: SSL redirect problems



 As your testing keep this process in mind.  If you encounter a problem just
 try to break down the flow from your browser to the server and back.  If
 you look at the request at each hop through this process, you can often
 find where things went wrong.  For example, did the request hit the LB?  If
 not, maybe we have a firewall issue or ports are configured right.  If so,
 did it hit one of the backend servers?  If not, maybe there's a config
 issue in the lb.  If it did, what response did it get?  A 4xx / 5xx error,
 ok something went wrong on the backend, need to investigate the logs there
 for more details.

 Hope that helps to clarify.

 Dan


Dan,

It did. It was one of those cases where the simplest answer was assumed but
not tested. The loadbalancer was not listening on 443 or 8443. I was able
to have it redirect 443 to 8443 successfully. I also took your advice and
redirected 80 to 8080 instead of using iptables.

Thanks for your help. So many knowledgeable people on here.

John

Re: SSL redirect problems




 Is your LB configured to listen on 8443, or on 443?  It won't pick up the
 port it's supposed to listen on from the TC instances; you have to specify
 it.


Nailed it. Simplest solution, I didn't even consider it.

Thanks,
John

Re: SSL redirect problems



  There is no response, since you are not even able to connect to that
 IP:port.
 If you are using the IP of the LB, then the LB is not accepting
 connections on port 8443.
 You won't get much further, unless you solve that first.
 But I thought that you wanted your users to access via port 443 ?


Thanks, This was the problem. So simple I should have looked there first.
Facepalms. I was able to redirect 443 to 8443 on the LB with success.

Restricting SSL access within webapp

In my webapp there's a directory '/admin' that's protected under SSL. Users
are forced to use SSL via a security constraint in web.xml. It works great.

As mentioned in the docs and other places, it would be good to prevent SSL
everywhere else on the site, but I searched around and couldn't find
anything that works.I tried adding another security constraint with
transport guarantee set to NONE for url-pattern '/*' but it didn't prevent
https access to the site as a whole.

What's the correct way to selectively restrict https to only one area of a
webapp?

TIA,
John

Re: SSL redirect problems



 Thanks for letting us know what the issue was; many people never come back
 and tell us what fixed it.

 My pleasure. This list is awesome.

Re: SSL redirect problems




 TLS is layer 5 so if the LB is operating at layer 4 it can't host the
 cert. Some LBs can operate at layer 5 so it will depend on your LB
 and/or its configuration.

 Mark


I see. That's good to know. The LB is at 7.

Re: Restricting SSL access within webapp

On Fri, Aug 1, 2014 at 4:34 PM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: John Smith [mailto:tomcat.ran...@gmail.com]
  Subject: Restricting SSL access within webapp

  What's the correct way to selectively restrict https to only one area of
 a webapp?

 Why would you want to do that?  Other than a few extra server CPU cycles,
 what's the harm in allowing SSL anywhere at the client's discretion?

  - Chuck

From the docs:

Also, while the SSL protocol was designed to be as efficient as securely
possible, encryption/decryption is a computationally expensive process from
a performance standpoint. It is not strictly necessary to run an entire web
application over SSL, and indeed a developer can pick and choose which
pages require a secure connection and which do not. For a reasonably busy
site, it is customary to only run certain pages under SSL, namely those
pages where sensitive information could possibly be exchanged.

Unfortunately how to do this isn't explained. I might use a filter. Our
site handles 500,000 visitors a day on two TC instances. Believe me, I need
to consider performance costs.

Re: TC7 and SSL Questions

2014-07-28 Thread John Smith

On Thu, Jul 24, 2014 at 6:24 PM, Ognjen Blagojevic 
ognjen.d.blagoje...@gmail.com wrote:

 John,


 On 24.7.2014 21:11, John Smith wrote:

 1. Can I specify /admin/* as a security constraint url pattern so that
 only
 that directory runs under SSL?


 Yes, you can.



  2. The NIO connector is accepted for JSSE, since I'm using it already, is
 there any point in not using it as my SSL connector?


 If /admin has low traffic, then I would say, there is no need to use
 anything else. For high traffic TLS/SSL applications you may want to do
 some performance measurements of different Tomcat connectors, simulating
 your traffic patterns.



  3. Any known issues with routing 443 to 8443 in Iptables?


 I recommend using JSVC instead of iptables redirect. I had issues with
 redirect when used with virtual hosts. IPv6 (ip6tables) doesn't support
 redirect, either.



  4. The admin tools share underlying classes with the rest of the web
 application, which is why it makes sense to have it just as a subdirectory
 in the same webapp. But would I be better off migrating the admin tools to
 their own webapp for the purposes of SSL?


 Yes, I think so. From the security standpoint, that is way better. It will
 be much easier to apply IP address filtering, move it to another port /
 server, to isolate admin and user privileges, and so on.

 -Ognjen

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org


Thanks for the info.

Best,
John

TC7 and SSL Questions

2014-07-24 Thread John Smith

TC 7.0.54 / JDK 1.7.0_60 / RHEL 6

My webapp is the only one on my TC install. It's in webapps/ROOT. Iptables
routes 80 to 8080 and I'm using the NIO connector. There are two physical
servers with that same webapp, using session replication. Everything works
great.

There's a subdirectory /admin in the webapp that has some admin tools
that we've been using behind our firewall and under BASIC authentication. I
want to put just the /admin directory under SSL and have a user/hashed-pass
in the database do the login and authentication instead of having them in
tomcat-users.xml.

Questions:

1. Can I specify /admin/* as a security constraint url pattern so that only
that directory runs under SSL?

2. The NIO connector is accepted for JSSE, since I'm using it already, is
there any point in not using it as my SSL connector?

3. Any known issues with routing 443 to 8443 in Iptables?

4. The admin tools share underlying classes with the rest of the web
application, which is why it makes sense to have it just as a subdirectory
in the same webapp. But would I be better off migrating the admin tools to
their own webapp for the purposes of SSL?

Apologies if I've missed any of this in the docs. Any additional
info/advice appreciated.

Thanks in Advance,
John

Silent failure to deploy or run from configuration descriptor

2014-07-02 Thread Gulliver Smith

Apache Tomcat/7.0.28, Debian

I have two configuration descriptors in /etc/tomcat7/Catalina/localhost/

One, solr.xml deploys correctly and fills catalina.out with lots of
useful messages.


The other fails silently to start (see below).

I see the message INFO: Deploying configuration descriptor in
catalina.out; then there is nothing else in catalina.out.

Is there any way to cause Tomcat to output more debug information? I
haven't been able to narrow an internet search to get useful answers
for this problem.

The most annoying thing is that this has worked fine for at least one
Tomcat 6 installation.

The deployment descriptor is

Context docBase=/opt/myApp/MyApp.war
 crossContext=true 
  Resource
  name=jdbc/LockDB
  auth=Container
  type=javax.sql.DataSource
  maxActive=100
  maxIdle=30
  maxWait=1
  removeAbandoned=true
  testWhileIdle=true
  timeBetweenEvictionRunsMillis=6
  driverClassName=com.mysql.jdbc.Driver
  username=myApp
  password=xx
  url=jdbc:mysql://127.0.0.1/myApp /
   Loader
className=org.apache.catalina.loader.VirtualWebappLoader
virtualClasspath=/opt/myApp/ext/*.jar;/opt/myApp/resources/ /
/Context


Thanks for any guidance

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Getting 405 status from local Tomcat on Windows

2014-05-30 Thread Dave Smith

I am running Tomcat 7.0.41 on a Windows laptop (8.1 Pro). I know, I know - I
get what I deserve in such a configuration.

 

Actually, it was running fine until about a month ago. Something went
horribly wrong that required I re-install Windows and, basically, start from
scratch. My reason for running Tomcat here? I have a Windows client app,
written in Java, that talks to the Tomcat/JSP server via HTTP. 

 

Since re-installing tomcat and my server application, it runs fine when I
connect to it from a web browser. However, when I tell my desktop client app
to connect to the server, it fails on the initial connection with a 405
status. I am running the server is debug, from Eclipse, and have put
breakpoints in the doGet, doPost, and doPut methods of my ControllerServlet
class that extends the java.servlet.http.HttpServlet. None of these
breakpoints fire before the client gets back the 405 status. (the client
works fine if connecting to the real server running tomcat 6 on an Ubuntu
server.)

 

I can find no place locally where verb filtering is being configured.

 

Any idea will be greatly appreciated.

 

Dave Smith

Brindle Waye, Ltd.

866-522-9839 ext 823

Design-a-Course

The Easiest Way to Train Anyone. Anywhere!

 

Like us on  http://www.facebook.com/brindleadmin Facebook and follow us on
http://www.linkedin.com/company/915700 LinkedIn!

Re: SSL on one subdirectory only.

2014-05-29 Thread John Smith

On Tue, May 27, 2014 at 2:21 PM, Mark Thomas ma...@apache.org wrote:

 On 27/05/2014 17:31, John Smith wrote:
  Tomcat 7.0.42,  RHEL6, JDK1.7.0_25, Standalone TC configuration. IPTABLES
  route port 80 to 8080
 
  I've got a subdirectory like 'www.mysite.com/admin' that I want to put
  under FORM based authentication. That's clear enough, and I've got the
 java
  keytool cert working well enough on my dev box until I get one from a CA.
 
  Couple of questions:
 
  1. Anyone familiar with any problems routing 443 to 8443 on *nix boxes
 for
  TC SSL certs? It's preferable to not have my end users needing port
  numbers. The cert doesn't care about the port, IIRC.

 Should be fine.

  2. With the SSL connector enabled, https://* is globally respected on
 the
  entire webapp. Do I need to manually check the URL/protocol to deny or
  redirect https to http outside of '/admin'? Is there any built in TC
  mechanism or suggested best practice to handle this? or should I not
 care?

 Nothing to automatically handle https - http. Unless it causes an
 issue, I'd just leave it.

 Mark

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org


Mark, Thanks and appreciated, as always.

Re: SSL on one subdirectory only.

2014-05-29 Thread John Smith




 2. With the SSL connector enabled, https://* is globally respected on the
 entire webapp. Do I need to manually check the URL/protocol to deny or
 redirect https to http outside of '/admin'? Is there any built in TC
 mechanism or suggested best practice to handle this? or should I not care?


 We use two-factor authentification with SSL - but I think in your case
 this can be helpful too - not a big difference.
 Try look at this:

 http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite



Arseny, thank you. I wasn't aware of the user-data-constraint
and transport-guarantee elements. I'll give them a try.

SSL on one subdirectory only.

2014-05-27 Thread John Smith

Tomcat 7.0.42,  RHEL6, JDK1.7.0_25, Standalone TC configuration. IPTABLES
route port 80 to 8080

I've got a subdirectory like 'www.mysite.com/admin' that I want to put
under FORM based authentication. That's clear enough, and I've got the java
keytool cert working well enough on my dev box until I get one from a CA.

Couple of questions:

1. Anyone familiar with any problems routing 443 to 8443 on *nix boxes for
TC SSL certs? It's preferable to not have my end users needing port
numbers. The cert doesn't care about the port, IIRC.

2. With the SSL connector enabled, https://* is globally respected on the
entire webapp. Do I need to manually check the URL/protocol to deny or
redirect https to http outside of '/admin'? Is there any built in TC
mechanism or suggested best practice to handle this? or should I not care?

Best,
John

Re: RES: Configuring limits of requests/sessions/threads in Tomcat

2014-04-01 Thread Howard W. Smith, Jr.

On Tue, Apr 1, 2014 at 9:30 PM, Frederik Nosi frederik.n...@postecom.itwrote:

 If so, just put an nginx or such in front of you'r Tomcat, you dont need
 an application server for that, it's just like using a tank to shoot a
 mosquito :P


Wow, LOL!

Re: [OT] timeout

2014-03-31 Thread Howard W. Smith, Jr.

On Mar 31, 2014 3:48 AM, André Warnier a...@ice-sa.com wrote:

 Howard W. Smith, Jr. wrote:

 On Sun, Mar 30, 2014 at 9:54 PM, Caldarale, Charles R 
 chuck.caldar...@unisys.com wrote:

 From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
 Subject: Re: timeout

 - and if that is not the reason, then find the person responsible for

 the

 in-between equipment and ask them why their junk closes the connection
 before your application has a chance to respond

 'junk'? please clarify the usage of the word 'junk', here. :)

 I think the definition something of poor quality would fit in this
case,
 if the poor quality were a result of configuring equipment without
regard
 to the requirements of the network users.

  - Chuck

 understood, thanks Chuck. :)

 Yes, what I meant precisely was thus : if after receiving numerous
complaints from your users and your boss that your application is
misbehaving; after an in-depth review of the Apache httpd and tomcat
on-line documentation; after a level-headed discussion of the issue with a
group of independent experts; after a thorough witnessed interview of a
significant sample of the users to ascertain their professional behaviour
in front of a browser and the absence of any problem with their mouse
buttons; after a careful and time-consuming examination of all the
evidence, including the access logs of both tomcat and httpd; if after all
that thus you would come to the inescapable conclusion that it is the
intermediate firewall/gateway that is the cause of all the trouble, then
when you talk to the people responsible for that equipment, the word that
might come to mind then, to qualify this equipment and its settings seen as
a whole, is junk.

 Thank you for offering me the opportunity to clarify this section of my
previous post.

You're welcome, the pleasure was [almost] all mine, and thank you for the
clarification. :-)

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Request for better deployment usability: should be able to specify context root inside war

2014-03-31 Thread Howard W. Smith, Jr.

On Mon, Mar 31, 2014 at 1:27 PM, Mark Eggers its_toas...@yahoo.com wrote:

 As far as Glassfish versus Apache Tomcat goes, they address different use
 cases. Glassfish is a J2EE application server. Apache Tomcat is a servlet
 container. While you can convince Apache Tomcat to do a lot of things, at
 some point it's better to run an application server if your requirements
 dictate it. Apache TomEE is a good choice.


+1 TomEE is a good choice, and it makes you a Tomcat user, too. :)



 BTW, I like Glassfish and Apache TomEE. It just depends on my use case.


As one that migrated from Glassfish to TomEE, my recommendation is TomEE.


 Concerning string concatenation, I think you would be surprised. Since
 strings are immutable, concatenating strings is very expensive if you're
 doing more than a few. I believe I read somewhere that concatenating 'n'
 strings is proportional to the quadratic of n. In short, ouch. Are there
 better places to spend time on optimization? Probably, but this depends on
 your application. Is concatenating 100 strings using the concatenation
 operator needlessly expensive? Most probably.


In the past, i worked on a contract where I moved some string-processing
Powerbuilder logic from PowerBuilder/client to database stored proc.
Previously, the Powerbuilder client-side string-processing code took 1.5
hours to complete; after i moved the logic to database stored proc, it took
2 to 10 seconds to complete. :)

Re: timeout

2014-03-30 Thread Howard W. Smith, Jr.

On Sun, Mar 30, 2014 at 6:30 PM, André Warnier a...@ice-sa.com wrote:

 - and if that is not the reason, then find the person responsible for the
 in-between equipment and ask them why their junk closes the connection
 before your application has a chance to respond


'junk'? please clarify the usage of the word 'junk', here. :)

Re: timeout

2014-03-30 Thread Howard W. Smith, Jr.

On Sun, Mar 30, 2014 at 9:54 PM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
  Subject: Re: timeout

   - and if that is not the reason, then find the person responsible for
 the
   in-between equipment and ask them why their junk closes the connection
   before your application has a chance to respond

  'junk'? please clarify the usage of the word 'junk', here. :)

 I think the definition something of poor quality would fit in this case,
 if the poor quality were a result of configuring equipment without regard
 to the requirements of the network users.

  - Chuck

understood, thanks Chuck. :)

Re: PooledConnection.getConnection - Tomcat JDBC Pool

  If that is the case the tomcat jdbc
 pooling library handling the call incorrectly and its a bug.


I'd be suspect of this. Are you actually using *org.apache.tomcat.jdbc.pool*?
Since it's a Tomcat module it seems an odd choice to use outside of Tomcat.

http://docs.oracle.com/javase/7/docs/api/javax/sql/PooledConnection.html



*The connection pool manager, typically the application server, maintains a
pool of PooledConnection objects. If there is a PooledConnection object
available in the pool, the connection pool manager returns a Connection
object that is a handle to that physical connection. If no PooledConnection
object is available, the connection pool manager calls the
ConnectionPoolDataSource method getPoolConnection to create a new physical
connection. The JDBC driver implementing ConnectionPoolDataSource creates a
new PooledConnection object and returns a handle to it. *
My emphasis there. Just using the tomcat jdbc classes doesn't guarantee you
have a pool. It does guarantee you'll get a connection, however it won't be
pooled if there isn't one. Am I misunderstanding that outside of Tomcat
means you're running Tomcat, but have some non-webapp application that's
trying to use the JNDI datasource? Or are you not running Tomcat at all?

Best,
John

Re: Concurrency - Servlet created instances accessing static classes


 If the method is thread-safe - no issue. If it isn't thread-safe then
 you have a problem.

 Mark


Thanks Mark - Clearly and succinctly explained.

Best,
John

Re: Concurrency - Servlet created instances accessing static classes

 First terminology problem: class X isn't instantiated here, an object of
 type class X is instantiated.


As Matisse once said, exactitude is not truth. This sort of hair splitting
isn't helpful. Say Class X is instantiated to a thousand programmers and
they'll understand that it means an instance of Class X.


 Second terminology problem: classes don't make calls, threads do.


Again, google class calls another class. Even the java docs use this
terminology. The last sentence of your answer was helpful, but don't waste
people's time being otherwise pedantic.

Re: Concurrency - Servlet created instances accessing static classes

 You must have been fun to have as a student.


Student is a vague term. Student of which grade, which subject? Student of
a trade? Student of life?

Unfortunately your lack of exactness means I can't understand your joke :)

(I was an even worse employee)

- John

Re: PooledConnection.getConnection - Tomcat JDBC Pool

On Tue, Mar 25, 2014 at 9:54 AM, Filip Hanik fi...@hanik.com wrote:

 Please open a bug, and we will get this taken care of. I do have one
 question,Aries library, on which call does it expect to return the
 connection to the pool? XAConnection.close() or
 XAConnection.getConnection().close(); ?


Jonathan, Filip,

If it is a bug then my answer is way off the mark. I'm sorry. If it's not a
problem, could you explain, in this case, what acts as the connection pool
manager when the Tomcat jdbc pool library is used outside of Tomcat?

Best,
John

Re: Can we increase the logging in localhost_access.log

 We see 404 error in localhost_access so this the place from where we can
 dig into.
 Is there any way we can enhance the logging/information in
 localhost_access_log.
 Or then how can debug what happens between user requests and 404 response,?


Outside of performance monitoring tools, you might try a custom 404 error
that points to a servlet. Within that servlet you can capture information
and log to a separate 404 log file (say, using LogBack). There are a few
pages on the web that describe this process. Here's one:

http://www.journaldev.com/1973/servlet-exception-and-error-handling-example-tutorial

Best,
John

Concurrency - Servlet created instances accessing static classes

2014-03-24 Thread John Smith

I should know this, but I want to confirm with smarter people on the board.

Assume the following:
1. Servlet receives an HTTP POST request. doPost(...) is called.
2. doPost(..) instantiates class X with each request
3. Class X calls a static method of class Y

Assuming I have no synchronization in the method signature or body of Y,
there is a danger of concurrency issues or thread safety issues. Many
instances of X can call Y's static method at the same time, causing BAD
THINGS to happen.

True? I swear I used to know this but I've worked on so much stuff for this
project in the last few months it simply fell out of my brain :). I'm also
aware that the answer to this is often it depends but I'm looking for the
general case answer.

TIA
John

Re: Detecting out-of-memory condition

2014-03-24 Thread Howard W. Smith, Jr.

On Mon, Mar 24, 2014 at 1:57 PM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: James H. H. Lampert [mailto:jam...@touchtonecorp.com]
  Subject: Detecting out-of-memory condition

  We have noticed that after a certain amount of continuous uptime, Tomcat
  eventually runs out of memory.

 Your app has a memory leak.

I agree. My app runs well after/during continuous uptime, but about a month
ago, a certain part of the app was used for annual reporting. Keep-alive
session is available when accessing/using that part of the app, and there
is a heck of amount of data being selected from database and/or stored in
@SessionScoped beans. A memory leak was exposed in that part of the app.
it's on my to-do list to review and refactor that part of the app to
avoid/fix the memory leak in the future.

Re: Effects of turning off sendFile in the NIO connector

2014-03-23 Thread John Smith



 MGwhen you enable sendfile support with request attr
  org.apache.tomcat.sendfile.support = true
 MGYou will need to set these 3 header attributes

 org.apache.tomcat.sendfile.filename: Canonical filename of the file which
 will be sent as a String
 org.apache.tomcat.sendfile.start: Start offset as a Long
 org.apache.tomcat.sendfile.end: End offset as a Long
 MGhtitps://tomcat.apache.org/tomcat-6.0-doc/aio.html

 MGCompression:
 MGset compression=on @ Connector
 MGhttps://tomcat.apache.org/tomcat-7.0-doc/config/http.html

 MGI did not read that TC cannot use sendfile with any compressed Stream?
 MGcan you show us the URL?
 MGThanks

  We also only really need compression on XML data, the site has minimal
  HTML, SWF's don't really benefit from gzip and some binary data we send
  back and forth is already compressed. I could manually implement
  compression on XML at the application level and within the SWF, if
 turning
  off sendFile will have negative consequences.
 
  Tomcat 7.0.42
  RHEL6
  ~4T outbound traffic/day
 
  Best,
  John



Your first link refers to using sendFile for asynchronous writes from a
servlet. Any servlet can instruct Tomcat to perform a sendfile call by
setting the appropriate request attributes. Your answer is not accurate. I
don't need to do anything explicitly with the headers. You should look at
the documentation regarding the HTTP NIO Connector - which you already have
as the second link in your reply. It discusses sendFile and compression,
and how you cannot use both the NIO connector and compression if sendFile
is on (on is the default).

Re: Effects of turning off sendFile in the NIO connector

2014-03-23 Thread John Smith


 John

 The consequences for disabling sendFile are extremely hard to quantify
 as there are so many variables. I would normally expect there to be more
 CPU load but how much more? No idea. It might be impossible to detect,
 it might leaver your CPUs pegged at 100%.

 The only way you will know for sure for your application is to test it
 with your application.

 Mark

 P.S. As you've probably figured out having been Martined, the best
 location for any response from Martin Gainty is /dev/null. I keep
 debating dropping him from the list as he causes far more harm than
 good. A topic for a separate thread I think.



Mark,

Thanks for the answer. As suggested, I'll test it and see what
happens...kind of figured I'd have to do that :)

Appreciate the heads-up on MG. I was wondering why the answer seemed
off.

Best,
Alec

Effects of turning off sendFile in the NIO connector

2014-03-22 Thread John Smith

What effect would setting useSendfile=false have on a web application using
the NIO connector? I'm asking because I may want to use gzip compression in
the connector. The docs state:

*There is a tradeoff between using compression (saving your bandwidth) and
using the sendfile feature (saving your CPU cycles). If the connector
supports the sendfile feature, e.g. the NIO connector, using sendfile will
take precedence over compression. The symptoms will be that static files
greater that 48 Kb will be sent uncompressed.*

It's trivial that adding compression uses CPU cycles, but does that imply
that turning sendFile off even without enabling compression would increase
CPU cycles? It's worth mentioning that the site serves a large (8mg) SWF
file. I believe that was one of the pluses of NIO/sendFile, that it was
good with sending large files under heavy traffic?

We also only really need compression on XML data, the site has minimal
HTML, SWF's don't really benefit from gzip and some binary data we send
back and forth is already compressed. I could manually implement
compression on XML at the application level and within the SWF, if turning
off sendFile will have negative consequences.

Tomcat 7.0.42
RHEL6
~4T outbound traffic/day

Best,
John

Re: Site down for maintenance senario

 Deploy a ROOT web application whose 404 page says Down for
 maintenance. You could even customize this kind of thing to only
 respond to certain URL-prefixes (like [ROOT]/mywebapp/*).

 What will you do while Tomcat is restarting, though, if you have to
 restart?


Restarts take about a second or two, it's an acceptable downtime. Custom
404's are a good idea -- the only content I need in the directory is the
404 maintenance page itself. I can just swap the names of the actual webapp
and 'maintenence' webapp directories (they're exploded).

Thanks to everyone for the other good suggestions.

Hosting recommendations

We're getting killed by our hosting provider (RS) over bandwidth issues. I
swear we scoped this out but somehow were over our agreement by an alarming
amount.

Our daily bandwidth looks like this:
http://s17.postimg.org/btl0sj3jz/rs_traffic.png

That's ~4T/day in bandwidth.

I know it's a little outside the scope of this group, but there's a lot of
smart people on here and I am using Tomcat on the two webservers.

Can anyone suggest a managed hosting company they like. Preferential to
iron, but if a cloud has worked for you please let me know. My boss is
going to stab me.

Thanks,
John

Re: tomcat-native libraries



 Installing the native library will make a difference. Whether the
 difference is large enough to notice depends very much on your
 application. If you want to improve your application's performance I
 suspect your time would be better spent with a profiler to see where the
 bottlenecks are in your application.

 Mark


+1
I had the native APR installed and ended up removing it in favor of keeping
things simple. The NIO connector often recommended by Chris S. and others
works very well.

Re: Hosting recommendations

On Mon, Mar 17, 2014 at 9:55 AM, Mark Thomas ma...@apache.org wrote:

 On 17/03/2014 13:41, John Smith wrote:
  We're getting killed by our hosting provider (RS) over bandwidth issues.
 I
  swear we scoped this out but somehow were over our agreement by an
 alarming
  amount.
 
  Our daily bandwidth looks like this:
  http://s17.postimg.org/btl0sj3jz/rs_traffic.png
 
  That's ~4T/day in bandwidth.

 That looks odd.

 1. Is that volume of traffic reasonable for your site?

 2. Are those figures consistent with your access logs?

 3. I'd expect incoming to be a lot less than outgoing for a typical site.

  I know it's a little outside the scope of this group, but there's a lot
 of
  smart people on here and I am using Tomcat on the two webservers.
 
  Can anyone suggest a managed hosting company they like. Preferential to
  iron, but if a cloud has worked for you please let me know. My boss is
  going to stab me.

 That sort of traffic level is going to cost $$$ pretty much anywhere.
 For example, the bandwidth alone is going to cost upwards of $70k/month
 with Amazon EC2.

 I know it isn't the question you asked but I'd be looking hard at the
 traffic to see if a) those numbers are correct and b) someone didn't do
 something REALLY silly that is causing excessive traffic.

 Mark


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org



Mark,

1. Yes, we have ~500,000 visitors per day, and the site is based around a
very popular game that is very data intensive (users creating, browsing and
loading levels and replays).
2. Yes
3. I agree. I'm not clear on the MRTG graphs. The one I posted is the
firewall. The loadbalancer shows equal amounts of in/out, and the web
servers show same incoming as the firewall, and slightly higher outgoing.
It's seems unlikely, but it *may* reflect level saving. I would also think
out would be higher than in though.

All that said, I think the numbers are correct, especially since they look
the same as the MRTG graphs from the old host.

 I'd at least like to get a quote from another hosting company. Any recs at
all?

Best,
John

Re: Hosting recommendations

On Mon, Mar 17, 2014 at 10:25 AM, Mikolaj Rydzewski m...@ceti.pl wrote:

 On 17.03.2014 15:15, John Smith wrote:

  1. Yes, we have ~500,000 visitors per day, and the site is based around a
 very popular game that is very data intensive (users creating, browsing
 and
 loading levels and replays).


 Just a rough idea: maybe differential level load/save will help? In other
 words: to download/upload only changed entities


Like a diff? That's a good idea. It's not that there aren't optimizations
for the data going back and forth, it's just there's got to be something
comparable to RS that's not as expensive.

Re: Possible Tomcat 8.0.3 issue

2014-03-17 Thread Howard W. Smith, Jr.

On Mon, Mar 17, 2014 at 4:14 PM, Felipe Jaekel fkjae...@gmail.com wrote:

 My Tomcat 7 was running fine with this script, but last friday morning I
 started Tomcat 8 setting only this:
 *-Xms2048m -Xmx2048m -XX:MaxPermSize=1024m
 -Dorg.apache.el.parser.COERCE_TO_ZERO=false*
 and the applications crashed too.

 So I'd say that the problem is not my JVM config, but I'm interested on
 improving it. What arguments do you recommend to tune GC?

 Last friday afternoon I created a new Amazon EC2 instance with Tomcat 7 to
 check, and the problem is still there, so It was a damn coincidence that
 this problem started after I migrate to Tomcat 8. As I had a connection
 pool leak with Tomcat 8 it contributed for me to think that it could be


Was the following in your Tomcat7 config before 'and' after migrating to
tomcat8?

-Dorg.apache.el.parser.COERCE_TO_ZERO=false*

Re: Possible Tomcat 8.0.3 issue

2014-03-13 Thread Howard W. Smith, Jr.

On Thu, Mar 13, 2014 at 9:33 AM, burghard.britzke 
b...@charmides.in-berlin.de wrote:

 may be restarting the context would even be sufficient? May be the
 FacesServlet has an issue which implementation are you using? which
 version? which version of PrimeFaces?


earlier, in the thread, he provided the following:

Chrome console output:

 Resource interpreted as Stylesheet but transferred with MIME type
 text/plain: 

http://spdata-apps.net/cliente/javax.faces.resource/theme.css.jsf?ln=primefaces-redmond
.
 login.jsf:3
 Resource interpreted as Script but transferred with MIME type text/plain:


http://spdata-apps.net/cliente/javax.faces.resource/primefaces.js.jsf?ln=primefacesv=4.0.9
.
 login.jsf:3
 Resource interpreted as Image but transferred with MIME type text/plain: 

http://spdata-apps.net/cliente/javax.faces.resource/loading26.gif.jsf?ln=image
.
 login.jsf:22
 GET

http://spdata-apps.net/cliente/javax.faces.resource/primefaces.css.jsf?ln=primefacesv=4.0.9net::ERR_INVALID_CHUNKED_ENCODING
 login.jsf:3

primefacesv=4.0.9

PrimeFaces Elite 4.0.9

Since I usually scour PrimeFaces forum topics, this is the first person
that I have heard/seen using tomcat 8.0.x with PrimeFaces.

Re: Possible Tomcat 8.0.3 issue

2014-03-13 Thread Howard W. Smith, Jr.

On Thu, Mar 13, 2014 at 11:47 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Felipe,

 On 3/13/14, 10:57 AM, Felipe Jaekel wrote:
  There are lots of this in catalina log: *12-Mar-2014 08:41:43.828
  WARNING [http-nio-80-exec-28]
  com.sun.faces.application.resource.ResourceHandlerImpl.logMissingResource
 
 
 JSF1064: Unable to find or serve resource, primefaces.js, from library,
  primefaces.* *12-Mar-2014 08:41:43.829 WARNING
  [http-nio-80-exec-28]
  com.sun.faces.application.resource.ResourceHandlerImpl.logMissingResource
  * * org.apache.catalina.connector.ClientAbortException:
  java.io.IOException: Connection reset by peer*
 
  But these always appeared in my logs, I guess it happens when the
  client cancel the page load.


Felipe,  why would a user cancel the page load? is this quite common that
user cancels page load? are there pages in your app that would
provoke/motivate user(s) to cancel page load? this/some page(s) take a long
time to load?


 
  I did found something strange in the access log. Applications
  crashed around 2:20PM. I checked for primefaces.js at this time in
  the access log and its all 200 status, but I noticed some very
  small response sizes in some requests, which explains the
  JavaScripts errors on Chrome console.
 
  Here are the log files and some print-screens:
  https://dl.dropboxusercontent.com/u/66737052/logs-12-03-2014.tar.bz2
 
 
 
  Nothing changed in the system. I started to use Tomcat 8.0.3 in
  production on February 28th and the server is restarted daily to
  recycle PermGen space.

 I'm curious about this: what eats-up your PermGen space?


if this behavior did not occur in tomcat7, why would it (start to) occur
when using tomcat8?



  I'm using Mojarra 2.2.5.


Mojarra 2.2.5 + tomcat8, hmmm

Felipe, which servlet in your web.xml? servlet 2.5, 3.0, 3.1?

Felipe, did you look at tomcat 8 migration guide (URL below)?

https://tomcat.apache.org/migration-8.html



 
  This issue started to manifest at 10AM after a parallel deploy. At
  first only the icons disappeared from the new deployed version, but
  it was functional. Although new and old deployed versions had
  PrimeFaces 4.0.9, I started to think that might be something wrong
  with it, so I deployed a new version using 4.0.10. Problem was
  solved for some hours, but when it returned the status was what I
  mentioned above. Tried to parallel deploy with 4.0.8 but no
  success. After I restarted problem was solved, but in case it's
  relevant, there was only one version of each application running.

 My guess is still OOME: immediately after a parallel-deployment (which
 roughly doubles the non-session resident footprint of your web
 application, which you already say has PermGen issues) things start
 going wonky, and a JVM restart fixes things? My money is on an OOME.
 Note that they don't always have stack-traces along with them, so they
 are easy to miss when eyeballing log files.


Felipe, can you share your java settings, similar to what I shared below?

-Xms3G
-Xmx3G
-XX:MaxPermSize=384m
-XX:+UseTLAB
-XX:+UseConcMarkSweepGC
-XX:+CMSClassUnloadingEnabled



 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1
 Comment: GPGTools - http://gpgtools.org
 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

 iQIcBAEBCAAGBQJTIdMGAAoJEBzwKT+lPKRYkkkP/31gOfqH+wxtEFTKXbNRmKPx
 56anmEVQqDo36icLTGRrXS9bhlq5UWZQvdm24n/aA2SeBYJWxOYK0eIU9SnY+Q5w
 CurqA7KLQPw0UVTXXR3k85etGT8Uuivfnup28bPeJTtsifOzlQOHNC/MpyBzhMaR
 vwhc94cXR3HC+eoM5mgGMHiMG17jT1P0ty6kCGuDPPNM3DwVyXxmZE0oQQ+Pgoq9
 XGJEnW1uKJG0vmM4tNRWWCrWxxu0nypMml/a93IdAZNgCkoEUuHnRqS4Qtie9O/i
 sMjuJ/dBrc9qMpBfEvGUhLrO6whFbjnVqwfi6saXIcwvEUhs/w7h0dvOsgF9UxLa
 a8R3mR14QNmLR9Pmh+3OqdwVOx+m4bec5oXjWvitin9RsuaurdRqRDAmvXIWG4ab
 PLTDGaVmKPIx58uizN0WlQloj2haN7FPvlj18rlirb245KK23sYQHPWTRsOV/KXS
 wkzlSmzUoIePzCS6jQcCA+lKQ0Is/+JQvoTlBxOgCV1FlqtYR9LTd4qzTDzsTnuH
 wyhC1+ovscEZPDHlNBUu1RSJGvnB+YccWttcTeXQi3i25bitt+L3HqUyWE7VJbaL
 9SetiKGcsJK/gx9NzSQXEwEoPXuTK3vPmW4HVgIg6X51TKORZpPsfknX/iBd1Hml
 VFCVjzEC334YBFgULc6a
 =w3Sk
 -END PGP SIGNATURE-

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Site down for maintenance senario

2014-03-12 Thread John Smith

Is there a straightforward way to toggle or add something in Tomcat, in the
event a webapp is intentionally taken 'offline for maintenance? The user
would receive the same single notification page saying as much, for any and
all requests.

Tomcat 7.0.42

Re: NIO connector - connections and threads

Thanks for your reply. So are the open HTTP connections that use my web
application code waiting in line to be processed by the available threads
specified in maxThreads?

Best,
John


On Sun, Mar 9, 2014 at 12:44 PM, Konstantin Kolinko
knst.koli...@gmail.comwrote:

 2014-03-09 2:08 GMT+04:00 John Smith tomcat.ran...@gmail.com:
  Sorry, forgot: Tomcat 7.0.42
 
 
  On Fri, Mar 7, 2014 at 3:59 PM, John Smith tomcat.ran...@gmail.com
 wrote:
 
  The NIO connector has two attributes from the standard HTTP Connector
  implementation, maxConnections and maxThreads with defaults of 1 and
  200, respectively.
 
  Can anyone shine some light on how these work together? If I'm allowing
 up
  to 1 connections, would that mean I only have 200 threads to process
  through them? It would seem to be a disparity between the defaults. If
 I'm
  expecting maxConnection numbers in the area of ~2000 at any given time,
  wouldn't I want to bump up my maxThreads closer to match that?
 
  Production environment is:
 
  DELL PowerEdge R720
  Single Socket Six Core Intel Xeon E5-2640 2.5GHz
  32 GB RAM
  RHEL 6
 

 Roughly speaking,

 The new APIs in java NIO and in Apache APR (and ultimately in
 underlying OS) allow to test whether there are incoming data on a
 network socket without actually reading it.

 A thread is needed when Tomcat calls your code in a web application to
 process a request.

 When request processing ends and control is returned to Tomcat, the
 request processing thread is decoupled from connection and is used to
 process other connections.  With keep-alive feature in HTTP/1.1
 protocol there may be several HTTP requests on the same HTTP
 connection,

 maxConnections = how many open HTTP connection can be hold by Tomcat
 maxThreads = how many requests are being actively processed at the same
 time.

 Best regards,
 Konstantin Kolinko

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Executor thread pool

How dumb am I being by not using an Executor with a named thread pool?
Currently I just have a Connector in server.xml:

Connector port=8080 protocol=org.apache.coyote.http11.Http11NioProtocol
   connectionTimeout=2
   redirectPort=8443 /

Assuming ~2000 simultaneous connections. Tomcat 7.0.42. RHEL6.

Best,
John

Re: NIO connector - connections and threads

On Mon, Mar 10, 2014 at 11:48 AM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: John Smith [mailto:tomcat.ran...@gmail.com]
  Subject: Re: NIO connector - connections and threads

 Don't top post.

  So are the open HTTP connections that use my web application code waiting
  in line to be processed by the available threads specified in maxThreads?

 The connections won't be waiting, but requests arriving over those
 connections may wait if all the threads are busy.

 Do you really have more than 200 simultaneous _requests_ active?

  - Chuck

 THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
 MATERIAL and is thus for use only by the intended recipient. If you
 received this in error, please contact the sender and delete the e-mail and
 its attachments from all computers.

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Don't top post.

Sorry, just getting this list through gmail, normal replies are top posted.

Do you really have more than 200 simultaneous _requests_ active?

If you're implying are 200 people simultaneously, hitting the same page at
the same time, or making the same HTTP POST at the same time, the answer
is, yes, probably.

-John

Re: NIO connector - connections and threads



 Collecting some peak usage data might be interesting.  You definitely want
 your max thread limit to be a bit above the number of concurrent requests
 you're handling.  Of course, that has to be balanced against limits on
 other resources, such as memory and data base connections.

  - Chuck


Thanks, I'm in the process of implementing MoSKito, so I'm hoping to get
some good reporting there.

Re: Tomcat7w.exe

2014-03-10 Thread Howard W. Smith, Jr.

On Sun, Mar 9, 2014 at 3:53 PM, Leo Donahue donahu...@gmail.com wrote:

 On Fri, Mar 7, 2014 at 12:43 PM, Howard W. Smith, Jr. 
 smithh032...@gmail.com wrote:

 
  Actually, i hate clicking on things... I use Windows keyboard shortcuts
 as
  much as possible.
 

 Even when you run the following command, you still get a GUI.

 Tomcat7w //ES/Tomcat7


okay/true.



 Do you Ctrl + Tab your way through that dialog?


yes.



 Plus, I don't know what this is supposed to edit, but it doesn't change the
 values in the Tomcat7w.exe dialog:
 Tomcat7 //ES//Tomcat7 --Startup=Auto  (or Automatic)

 Running that command still shows Manual in the Startup type on the
 General tab.


okay. i never used/tried --Startup=..., because after creating the
Windows Service, I /simply/ use tomcat7w.exe (or Windows Start button 
Administratives Tools  Services) to change the value to 'Automatic'.

Re: Tomcat7w.exe

2014-03-10 Thread Howard W. Smith, Jr.

On Mon, Mar 10, 2014 at 10:37 AM, Jeffrey Janner 
jeffrey.jan...@polydyne.com wrote:

  -Original Message-
  From: Leo Donahue [mailto:donahu...@gmail.com]
  Sent: Friday, March 07, 2014 11:10 AM
  To: users@tomcat.apache.org
  Subject: Tomcat7w.exe

  Did I miss something in the documentation about renaming this if one is
  running multiple windows services of Tomcat?

  ex:
  #Prod port 80
  c:\apache-tomcat
  c:\apache-tomcat\apache-tomcat-7.0.52
  service install Tomcat7 (from bin directory here)

  #Dev port 8080
  c:\apache-tomcat-dev
  c:\apache-tomcat-dev\apache-tomcat-7.0.52
  service install Tomcat7dev (from bin directory here)

  If I run the Tomcat7w.exe from #Dev, all of those settings point to
  #Prod.

  Unless I change the name of Tomcat7w.exe in #Dev to Tomcat7devw.exe,
  then everything is fine.

  Was that listed in the docs somewhere and I missed it?

 Leo,
 If you use the Windows installer that the foundation thoughtfully
 provides, you'll see that the installer actually renames the executables to
 whatever you put in the Windows Service Name field.  So, if you use it to
 install one instance with the service name Prod, then in the bin
 directory, you will have Prod.exe and Prodw.exe.  If you second instance
 uses the service name Dev, then the bin directory will have Dev.exe and
 Devw.exe.  And when you go to look for those processes using Task Manager,
 or Process Explorer, or whatever tool you use, they will actually show up
 as those names.  No more trying to figure out which Tomcat.exe is which.
 Jeff

+1 that's good to know, as I may have a need to have multiple tomcat/tomee
instances. Thanks!

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: NIO connector - connections and threads

2014-03-08 Thread John Smith

Sorry, forgot: Tomcat 7.0.42


On Fri, Mar 7, 2014 at 3:59 PM, John Smith tomcat.ran...@gmail.com wrote:

 The NIO connector has two attributes from the standard HTTP Connector
 implementation, maxConnections and maxThreads with defaults of 1 and
 200, respectively.

 Can anyone shine some light on how these work together? If I'm allowing up
 to 1 connections, would that mean I only have 200 threads to process
 through them? It would seem to be a disparity between the defaults. If I'm
 expecting maxConnection numbers in the area of ~2000 at any given time,
 wouldn't I want to bump up my maxThreads closer to match that?

 Production environment is:

 DELL PowerEdge R720
 Single Socket Six Core Intel Xeon E5-2640 2.5GHz
 32 GB RAM
 RHEL 6

 Best,
 John

Re: Tomcat7w.exe

2014-03-07 Thread Howard W. Smith, Jr.

On Fri, Mar 7, 2014 at 1:11 PM, Leo Donahue donahu...@gmail.com wrote:

  I blame my lack of command line upbringing for not catching that.


I love my MS-DOS command-line days/upbringing (dating back to my first
computer, 1986 Tandy 1000 SX, MS-DOS 5.0, maybe, and I don't remember using
Windows way back at that time).


 Windows people click on things.
 Bad habits.


Actually, i hate clicking on things... I use Windows keyboard shortcuts as
much as possible.

NIO connector - connections and threads

2014-03-07 Thread John Smith

The NIO connector has two attributes from the standard HTTP Connector
implementation, maxConnections and maxThreads with defaults of 1 and
200, respectively.

Can anyone shine some light on how these work together? If I'm allowing up
to 1 connections, would that mean I only have 200 threads to process
through them? It would seem to be a disparity between the defaults. If I'm
expecting maxConnection numbers in the area of ~2000 at any given time,
wouldn't I want to bump up my maxThreads closer to match that?

Production environment is:

DELL PowerEdge R720
Single Socket Six Core Intel Xeon E5-2640 2.5GHz
32 GB RAM
RHEL 6

Best,
John

Re: java: src/network.c:441: Java_org_apache_tomcat_jni_Socket_send: Assertion failed

Chris,

On Tue, Mar 4, 2014 at 4:18 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 Dmitry,

 On 3/4/14, 2:48 AM, Dmitry Batiyevskiy wrote:
  Howard, My connector config is the following (i've already posted
  that):
 
  Connector port=8443 maxHttpHeaderSize=8192 maxThreads=15000
  enableLookups=false disableUploadTimeout=true acceptCount=100
  scheme=https secure=true SSLEnabled=true compression=off
  SSLCertificateFile=/opt/tomcat/mycompany.com.crt
  SSLCertificateKeyFile=/opt/tomcat/mycompany.com.key /
 
  Also -Dhttps.protocols=TLSv1 option is passed to java machine
 
  The reason for me to use apr connector is https performance, isn't
  NIO much slower in that?

 I don't have any recent performance data, but using OpenSSL is
 apparently measurably faster than using JSSE.

 On the other hand, is the NIO connector does not crash, isn't that a
 point in its favor?


Can you please clarify your statements above? are you saying that OpenSSL
implies (or equals) NIO or APR?

I'm asking, because I only use NIO connector without SSL.

Re: Tomcat 7.0.52 NIO + Atmospere 1.0.18 damaged responses

On Wed, Mar 5, 2014 at 8:35 AM, Jan Dosoudil jan.dosou...@aura.cz wrote:

Hi,
we have application running on Tomcat 7.0.52 with Nio connector (a lot
older versions too), it uses MyFaces (2.1.12), RichFaces (4.3.5),
Atmosphere framework (1.0.18). Atmosphere framework is configured to use
long-polling with Tomcat Nio comet support.

I searched atmosphere google groups mail list, earlier, this morning, for

tomcat nio ssl

and found,

https://groups.google.com/forum/?fromgroups#!searchin/atmosphere-framework/tomcat$20nio$20ssl/atmosphere-framework/J685km4oOvM/2qZMzo4wyfAJ

that topic mentioned something similar to what you are stating here, and i
think they were using same/similar version of atmosphere (1.0.1x).

Sometimes simple request takes a long time to finish (correlates with
connectionTimeout set on Connector) and response is damaged. Here is
example of damaged response from server:

HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C524EA667CA4087407A5DCDEA1712E53; Path=/app/;
HttpOnly
Location: http://192.168.1.156:8080/app/login
Content-Length: 0
Date: Tue, 28 Jan 2014 16:10:54 GMT

Response packet contains exactly this data, no more data (headers) before
0. Example contains redirect but problem appears in JSF pages too. 0 is
end of chunked encoded response.

Problem went away by switching atmosphere from long-polling to WebSockets

+1 and this was mentioned in that thread (URL above), too.

so I think there may be problem in Atmospere framework long polling and
Tomcat async support. I've found workaround using socket.bufferPool=0 but
i think it's not final solution.

I don't have simple testcase to easily reproduce this problem. I've tried
turning on Tomcat debug logs, debugging Tomcat and so on but without usable
results. My opinion is that atmosphere framework uses NioChannel which
doesn't own but I'm not able to confirm or reject it.

Can you suggest me how to debug this problem or give me some tip to find
final solution?

have you considered upgrading to latest atmosphere version, retesting your
app, and sending a mail to atmosphere list about these issues?

also, is it a requirement or preference to use long-polling instead of
websocket? usually, i think it is default or recommended to upgrade to
websocket, and fallback to long-polling. is long-polling to support target
multiple-servers/platforms and/or clients?

Thanks,
Jan Dosoudil

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: java: src/network.c:441: Java_org_apache_tomcat_jni_Socket_send: Assertion failed

On Mar 5, 2014 11:09 AM, Christopher Schultz ch...@christopherschultz.net
wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Howard,

 On 3/5/14, 9:45 AM, Howard W. Smith, Jr. wrote:
  Chris,
 
  On Tue, Mar 4, 2014 at 4:18 PM, Christopher Schultz 
  ch...@christopherschultz.net wrote:
 
  Dmitry,
 
  On 3/4/14, 2:48 AM, Dmitry Batiyevskiy wrote:
  Howard, My connector config is the following (i've already
  posted that):
 
  Connector port=8443 maxHttpHeaderSize=8192
  maxThreads=15000 enableLookups=false
  disableUploadTimeout=true acceptCount=100 scheme=https
  secure=true SSLEnabled=true compression=off
  SSLCertificateFile=/opt/tomcat/mycompany.com.crt
  SSLCertificateKeyFile=/opt/tomcat/mycompany.com.key /
 
  Also -Dhttps.protocols=TLSv1 option is passed to java machine
 
  The reason for me to use apr connector is https performance,
  isn't NIO much slower in that?
 
  I don't have any recent performance data, but using OpenSSL is
  apparently measurably faster than using JSSE.
 
  On the other hand, is the NIO connector does not crash, isn't
  that a point in its favor?
 
 
  Can you please clarify your statements above? are you saying that
  OpenSSL implies (or equals) NIO or APR?

 APR implies OpenSSL, and I suppose vice-versa. APR is native code and
 uses OpenSSL for its SSL engine. All of the pure-Java connectors (BIO,
 NIO, and possible a soon-to-be-available NIO2 connector) all use JSSE
 (Java Secure Sockets Extension) for SSL. For whatever reason, OpenSSL
 is measurably faster than JSSE.

 If you are fronting Tomcat with a web server which terminates SSL
 itself, then I see no particular reason to use the connectors over the
 NIO connectors.

 (Note that you can still use APR for its entropy capabilities even if
 not using it for SSL. You'll get session ids coming from OpenSSL's
 random source instead of Java's. I'm not sure that matters too much.)

 - -chris

Understood. Thanks Chris!

 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1
 Comment: GPGTools - http://gpgtools.org
 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

 iQIcBAEBCAAGBQJTF0qNAAoJEBzwKT+lPKRYkIUQALqutaNWH1pLL1Gg89RgHyb+
 01ORV9O6q2fwtsIgW5WPurZr6gJAcf8K2C1bAkE6WCudgLrHjaTwQtb5peWFqHr0
 IiCLa2bVxkDXDPFy5ESViPTML6UPiOHBXa707ZAK3vzRB5jy6fHbqMVvPBRx4CzD
 T0jKAqU9Odj38QBaUWvCi1BNgc0J5i4OyXBDNJmchyB0G6tN29vYo9zpaUnl972e
 4qLzmWEGBzUnQ6y2zTga2fOZQJ4Lu5hQCLYmoCM84sU1Xl9BjHJ1Tn1mWm7jEm7V
 zMlIgFlJ/y65AUCqSRerMO5V5y4N+44CeQ2WV5v3hes4htAqRV7BFOgCfQW8e6Ng
 oqn4KLQU81rCOsN61tQIv1j17wkP6vux9WbaDScr+UVfjFZgdygaZvOLkmDs/bXG
 +b3DNsGVswOU4it2Y/cp6NAzwWDQfdfQUYDn9U/XOi9MnYSXNf+2dorTqnUhZ3Y7
 mbxrCFpwKdbgXTkvs1UPwOZVhJ8dBuno/HofKuqbd+s9SkF/eXZNdyWolRUQ8sdK
 KFWgByHW+18IM1RiBieu9/iGA1U4nUz0HvLo0UxXpN1GAXO/67/Hv2h/LiqB/tQh
 yVFbvEZV5bR64D9FoPFReGQG4as2NBfIrbFz4XhqHwps5DDYm7WsS4hK87PE7fNC
 qeyeWruqGubsZfwDrfft
 =ihsJ
 -END PGP SIGNATURE-

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Optimization on simple requests

2014-03-05 Thread John Smith

Chris,

Thanks! Very helpful advice.

Best,
John


On Tue, Mar 4, 2014 at 1:54 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 John,

 On 3/4/14, 1:17 PM, John Smith wrote:
  Tomcat 7.0.42 on RHEL6.
 
  Assume that Tomcat is serving only one jsp page. Say it just
  rewrites a parameter value from the querystring to the html within
  the jsp.
 
  Also assume that there are ~200,000 users attempting to access that
  page - say almost simultaneously.
 
  What are the most relevant optimizations I can make to a single
  instance of tomcat for this scenario?

 So you want the highest-performance solution to the above scenario?

 As for Tomcat configuration, I would use the NIO connector with a
 large number of max connections (you'll have to see what practical
 size to give it) and a large number of threads in your thread pool
 (i.e. executor).

 NIO gets you the benefit of not blocking waiting for a second (or
 third, etc.) keepalive request to arrive over a connection before that
 thread can be used to do some real work. If all connections are
 Connection:close then this is less of an issue.

 If you have a big, beefy CPU relative to your Internet connection's
 bandwidth, you should probably enable compression on the connector:
 that will help you push bytes back to the client faster. You'll have
 to test whether or not this actually helps you in your particular
 situation, because you are trading CPU time for I/O time.

 Define only one Host element in your server.xml, and name it
 whatever your public hostname is: there is a slight optimization in
 the mapper that works slightly faster if you have exactly one Host
 element, and if that name matches the Host header from the request.
 (There is an even faster case for where there are no elements in the
 host list, then the default is used, but I'm not sure how to get a
 zero-element host list and yet still have a default host).

 Don't add any Valves or Filters that you don't absolutely need.

 I would remove any intermediate proxies that don't absolutely need to
 be there (like Apache httpd, Microsoft IIS, nginx, etc.). Tomcat
 itself comes fairly well-configured for performance out of the box
 (except for the use of the BIO connector, which gets the job done and
 it very stable and reliable, but certainly does not win any speed
 contests).

 If you want to optimize the hell out of the experience, you'll want to
 dump JSP: there's a lot of setup that goes into creating the
 environment in which a JSP page runs, and you don't mention that you
 need any of it above.

 If you just need to write HEADER + some value from query string +
 FOOTER, then try to do that all in 3 I/O writes, like this would be in
 a servlet:

 static final String HEADER = htmlheadtitleMy Fast
 Page/title/headbodyh1My Fast Page/h1pYour parameter value
 is i;
 static final String FOOTER = /i/p/body/html;

 void doGet(request, response) {

   ServletOutputStream out = response.getOutputStream();
   out.print(HEADER);
   out.print(request.getParameter(key));
   out.print(FOOTER);
 }

 To save network bandwidth, remove any non-essential whitespace from
 your text as I have done above.

 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1
 Comment: GPGTools - http://gpgtools.org
 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

 iQIcBAEBCAAGBQJTFiFPAAoJEBzwKT+lPKRYR5wP/iiaEcMIFxKBE9Rr9EP6ZhA+
 +fxznQ1QED232LlhvAAcAiAjnOOv/dzLxmC62dai9EZoV0/24WcMpYaEjaRo2jZu
 jIyeGb4Dn4ommJj7aPG+yesPRRTBY6j23SIauWbnRNBCggn/YCpOnjERuUHPtjMO
 G4kDeZaHGGjfirwTuPYCKxiKlYow6C4H8HUzLH84BvuktPPCgO16qbtCSCI0st+b
 av4pza4lzKSO3YsjS3PBNa7eI9q7zvLYqTeB7TziyLq7Jf5OOWPL73qUVJUgb54A
 M6GzvsdIYWHCigGZff0iHT3oNbDEteSVK7TPLP8+XzI8x8F+xsn5G8yv5wXhStDH
 44g2E2hZLwLhaaSiJqtxKGb2kTwoJA+CX33MnbngOkMGUO7SmRMlkx77d08GiYoA
 uvOKep8zz7R4Is8EZu5sdzUQSxPx2Y59uzQNMiBeER47d+hfu4aOl241QUrN2osO
 NsddzzXB6i9auvdhDdGUkNwbT2Iy8NtMKPBUvM+LWz2GC+8+/WyVeRjhQ5N3BUwc
 5YHCKrHVEgZR/NO7j6HvsqXBdUnbt8JNFp0O6XtkCUtlilDabki50wIqVXn/jEmc
 rG9YJKYDFDQdxJSEnpeZEw5+iDmORkSyIOEMw5htqVCCgeBRp2jeATVWKpdcM76G
 EJD/P6bdni3Vj7kthhjs
 =ADJI
 -END PGP SIGNATURE-

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Optimization on simple requests