Hi,

we would like to make a short proposal about how the communication protocol
between mod_jk and the Tomcat application server could be expanded
to avoid problems with proxy firewalls between both of them.

We are using the Apache webserver (1.3.23) in conjunction with the
Tomcat application server (3.2.3). Because of security issues both
are separated by an internal firewall operating as a proxy server.

For reliability reasons we have configured two machines with the Apache
webserver within our DMZ and behind the DMZ two additional machines
running the Tomcat application server. We have also configured the
load balancing within mod_jk, so that both application servers can
be referenced from both webservers.


Packet Filter          Apache           Proxy         Tomcat Application
Firewall               Webserver        Firewall      Server
+-----+                +------+         +----+        +------+
|     |   Load       / | AP 1 | ------- |    | ------ | TC 1 |
|     |   Balancer  /  +------+  \   /  |    |        +------+
|     |    +----+  /              \ /   |    |
| FW  | -- | LB | X                X    | FW |
|     |    +----+  \              / \   |    |
|     |             \  +------+  /   \  |    |        +------+
|     |              \ | AP 2 | ------- |    | ------ | TC 2 |
+-----+                +------+         +----+        +------+


In this setup the proxy firewall causes the problems we have.

If mod_jk connects to the firewall the connection will be accepted
by the firewall without knowing if the application server behind the
firewall is up and running. From mod_jk's point of view everything
looks fine after having established a connection to the firewall. So
mod_jk starts sending data and is waiting for a reply.

The firewall indicates that the requested application server is down
and closes the connection to mod_jk. For mod_jk this can only be
interpreted as a network or an application error and so an 'Internal
Server Error' is raised in the connected browser window.

To avoid the problem with proxy firewalls we think the protocol
between mod_jk and Tomcat could be expanded with a ping/pong message
which indicates to mod_jk that a connection to the Tomcat application
server has been established. The successful establishment of a
connection to a process is in our scenario not sufficient. mod_jk
should be sure to be connected to the Tomcat application server before
sending data.

If the connection to the first Tomcat application server fails the
connection is still in mode 'recoverable' and mod_jk will try to reach
the second application server.
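The two behaviours described above (a proxy that accepts the TCP connection before it knows whether the backend is alive, and a worker that checks for a pong before sending request data so that a failure stays recoverable) can be reproduced locally. The following simulation is an added example and is not mod_jk or Tomcat code. It assumes the framing that AJP13 later adopted for exactly this purpose: request packets to the container start with 0x12 0x34 and replies with "AB", each followed by a two-byte length, and a CPing (message type 10) is answered with a CPong (message type 9). The proxy firewall, the load balancer, and the request/reply payloads are constructed stand-ins.

```python
import socket
import threading

# AJP13 CPing/CPong packets (protocol detail assumed here, not from the post):
# 0x1234 magic + length 1 + type 10, answered by "AB" + length 1 + type 9.
AJP_CPING = b"\x12\x34\x00\x01\x0a"
AJP_CPONG = b"AB\x00\x01\x09"

# Constructed, deliberately simplified stand-ins for a forwarded request and
# the application server's reply.
FAKE_REQUEST = b"\x12\x34\x00\x04GET/"
FAKE_REPLY = b"AB\x00\x02OK"


def start_proxy_firewall(backend_up):
    """Simulated proxy firewall: it ACCEPTS every TCP connection itself and
    only afterwards 'looks' at the application server. If that server is
    down it simply closes the client connection, which is the behaviour the
    post describes. Returns the (host, port) the proxy listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if not backend_up:
                    continue  # backend unreachable: drop the accepted client
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(AJP_CPONG if data == AJP_CPING else FAKE_REPLY)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def send_request(addr, ping_first, timeout=2.0):
    """One worker attempt in the style of mod_jk. Returns (phase, reply):
    phase is 'ping' when the failure happened before any request data was
    sent (the attempt is still recoverable) and 'request' otherwise."""
    try:
        with socket.create_connection(addr, timeout=timeout) as s:
            if ping_first:
                s.sendall(AJP_CPING)
                if s.recv(len(AJP_CPONG)) != AJP_CPONG:
                    return "ping", None  # no pong: backend not reachable
            s.sendall(FAKE_REQUEST)
            reply = s.recv(4096)
            return "request", reply or None
    except OSError:
        # Connection reset or closed by the proxy; recoverable only if we
        # were still in the ping phase.
        return ("ping" if ping_first else "request"), None


def dispatch(workers, ping_first):
    """Load balancing over a worker list. A worker whose failure is still
    'recoverable' (nothing but the ping was sent) is skipped for the next
    one; a failure after request data went out is reported as an error,
    which the browser would see as 'Internal Server Error'."""
    for name, addr in workers:
        phase, reply = send_request(addr, ping_first)
        if reply is not None:
            return name, reply
        if phase == "request":
            return name, None  # request already sent: not recoverable
    return None, None


if __name__ == "__main__":
    tc1 = start_proxy_firewall(backend_up=False)  # TC 1 down behind its proxy
    tc2 = start_proxy_firewall(backend_up=True)   # TC 2 up
    workers = [("TC 1", tc1), ("TC 2", tc2)]
    print("connect only:", dispatch(workers, ping_first=False))  # ('TC 1', None)
    print("ping first:  ", dispatch(workers, ping_first=True))   # ('TC 2', b'AB\x00\x02OK')
```

Without the ping, the first worker's TCP connect succeeds, the request is sent into the proxy, and the proxy's close is only seen after data went out, so the balancer has to report an error. With the ping, the missing pong is detected before any request data leaves mod_jk, the attempt stays recoverable, and the second application server answers.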

Thank you in advance,
best regards

Norbert
