Hi,

We have a Java application that, as part of its authentication process, needs to examine the contents of an X509 certificate from the client. The application is also a finance-based one and therefore needs to be run entirely over SSL.

Our architecture consists of an httpd 2.2.3 front end and a Jetty 6 app server. Jetty and Apache talk using AJP (mod_proxy_ajp on the Apache side). For most requests this seems to work fine. However, occasionally we get some *extremely* nasty behaviour from Apache (it may be caused by Jetty, but I'm not sure as yet). Anyway, we get the following types of messages in our Apache log:

[Fri Oct 03 14:26:43 2008] [error] (120006)APR does not understand this error code: proxy: read response failed from 172.17.102.156:8009 (172.17.102.156)
[Fri Oct 03 14:26:43 2008] [error] (70007)The timeout specified has expired: ajp_ilink_receive() can't receive header
[Fri Oct 03 14:26:43 2008] [error] ajp_read_header: ajp_ilink_receive failed
[Fri Oct 03 14:26:43 2008] [error] (120006)APR does not understand this error code: proxy: read response failed from 172.17.102.156:8009 (172.17.102.156)
[Fri Oct 03 14:29:52 2008] [error] ajp_check_msg_header() got bad signature 4854
[Fri Oct 03 14:29:52 2008] [error] ajp_ilink_receive() received bad header
[Fri Oct 03 14:29:52 2008] [error] ajp_read_header: ajp_ilink_receive failed
[Fri Oct 03 14:29:52 2008] [error] (120007)APR does not understand this error code: proxy: read response failed from (null) (172.17.102.156)

Now, this seems to occur only for certain connection types: for example, it seems to often occur for connections from MSIE browsers, as well as on occasions when our Java application server times out on requests (e.g. when our back end takes a very long time to come back with a response). I suspect these may be related, as I've read that MSIE browsers don't terminate SSL connections correctly. Anyway, when this occurs, the entire Apache server seems to freeze up for several minutes.
Here's the relevant Apache config.

Basic SSL config:

LoadModule ssl_module modules/mod_ssl.so
Listen 443

#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl  .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  600
SSLMutex  pthread
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

ServerAdmin root@localhost
ServerName www.ourapp.com:443

ProxyPreserveHost On
ProxyPass        /our-app ajp://172.17.102.156:8009/our-app
ProxyPassReverse /our-app ajp://172.17.102.156:8009/our-app

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile    /etc/httpd/certs/server.crt
SSLCertificateKeyFile /etc/httpd/certs/server.key
SSLCACertificateFile  /etc/httpd/certs/ca.crt
SSLVerifyClient require
SSLVerifyDepth  1
SSLOptions +StdEnvVars +ExportCertData +StrictRequire

<IfModule setenvif_module>
BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</IfModule>

LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

In case there's anyone familiar with Jetty out there, my Jetty AJP config is very simple:

<Configure id="Server" class="org.mortbay.jetty.Server">
  <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
  <!-- Add a AJP listener on port 8009                                 -->
  <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
  <Call name="addConnector">
    <Arg>
      <New class="org.mortbay.jetty.ajp.Ajp13SocketConnector">
        <Set name="port">8009</Set>
      </New>
    </Arg>
  </Call>
</Configure>

(The IP addresses etc. have been changed to protect the innocent.)

If anyone could give any pointers for a solution to this it'd be great, as the app in question is due to go live shortly, and we'll have to delay go-live until this issue is resolved.

Thanks
Denis

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
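The following is an added example written for this page; it is not part of Denis's post and not code from the Apache httpd or Jetty projects. It does two things a reader triaging this thread would want: it parses mod_proxy_ajp error-log lines of the kind quoted in the message (a constructed sample modelled on them, plus one unrelated error line) and groups the failures per minute and per backend, so a multi-minute stall shows up as a burst of AJP read failures against one backend; and it statically lints the SSLCipherSuite string from the posted config for weak OpenSSL cipher groups that the string never removes with `!` (aNULL/eNULL, EXP, LOW, SSLv2, RC4), shown beside a hardened string. The category names, the WEAK_GROUPS list and the hardened suite are my choices, not Apache's. The lint reads the cipher-list syntax simplistically (any weak group not removed with `!`, whether named with `+` or pulled in via `ALL`, is reported) and is not a substitute for evaluating the list with OpenSSL.

```python
"""Added example: triage for the mod_proxy_ajp error lines and the
SSLCipherSuite line quoted in the post. Not code from the post, Apache or Jetty."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, modelled on the lines quoted in the message, plus one
# unrelated error line to show that it is left out of the AJP summary.
SAMPLE_LOG = """\
[Fri Oct 03 14:26:43 2008] [error] (120006)APR does not understand this error code: proxy: read response failed from 172.17.102.156:8009 (172.17.102.156)
[Fri Oct 03 14:26:43 2008] [error] (70007)The timeout specified has expired: ajp_ilink_receive() can't receive header
[Fri Oct 03 14:26:43 2008] [error] ajp_read_header: ajp_ilink_receive failed
[Fri Oct 03 14:26:44 2008] [error] [client 10.0.0.7] File does not exist: /var/www/html/favicon.ico
[Fri Oct 03 14:29:52 2008] [error] ajp_check_msg_header() got bad signature 4854
[Fri Oct 03 14:29:52 2008] [error] ajp_ilink_receive() received bad header
[Fri Oct 03 14:29:52 2008] [error] (120007)APR does not understand this error code: proxy: read response failed from (null) (172.17.102.156)
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
READ_FAIL_RE = re.compile(r"read response failed from \S+ \((?P<host>[^)]*)\)$")


def classify(msg):
    """Map one error message to an AJP failure category (or None) and the
    backend host named in it, if any. Category names are this example's own."""
    m = READ_FAIL_RE.search(msg)
    if m:
        return "read_response_failed", m["host"]
    if "timeout specified has expired" in msg and "ajp" in msg:
        return "backend_timeout", None
    if "got bad signature" in msg:
        # The AJP packet magic is wrong: the bytes read are not an AJP header,
        # i.e. proxy and backend have lost framing sync on that connection.
        return "ajp_protocol_desync", None
    if "ajp_ilink_receive" in msg:
        return "ajp_receive_failed", None
    return None, None


def parse_ajp_events(text):
    """Return the AJP-related [error] lines as dicts with time, category, backend."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "error":
            continue
        category, host = classify(m["msg"])
        if category is None:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        events.append({"time": ts, "category": category, "backend": host})
    return events


def failures_per_minute(events):
    """Count failure categories per minute, so a stall shows up as a burst."""
    buckets = defaultdict(Counter)
    for ev in events:
        buckets[ev["time"].strftime("%Y-%m-%d %H:%M")][ev["category"]] += 1
    return {minute: dict(counts) for minute, counts in sorted(buckets.items())}


def failing_backends(events):
    """Backend hosts that appear in 'read response failed' lines."""
    return sorted({ev["backend"] for ev in events if ev["backend"]})


# Weak OpenSSL cipher-list groups this lint looks for (my selection).
WEAK_GROUPS = ("eNULL", "aNULL", "ADH", "EXP", "LOW", "SSLv2", "RC4")


def audit_cipher_suite(spec):
    """Return the weak groups an SSLCipherSuite string leaves eligible: any
    group in WEAK_GROUPS that the string never removes with '!' and either
    names directly (bare or with '+') or pulls in through 'ALL'.
    Static lint only; it does not model OpenSSL's full cipher-list semantics."""
    tokens = spec.split(":")
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    named = set()
    for t in tokens:
        if not t.startswith("!"):
            named.update(t.lstrip("+-").split("+"))  # "RC4+RSA" names two groups
    via_all = "ALL" in named  # ALL is every cipher except eNULL
    return [g for g in WEAK_GROUPS
            if g not in excluded and (g in named or (via_all and g != "eNULL"))]


POSTED_SUITE = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
HARDENED_SUITE = "HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2:!RC4:!MD5"  # my suggestion

if __name__ == "__main__":
    evs = parse_ajp_events(SAMPLE_LOG)
    for minute, counts in failures_per_minute(evs).items():
        print(minute, counts)
    print("backends with read failures:", failing_backends(evs))
    print("weak groups left eligible by posted suite:", audit_cipher_suite(POSTED_SUITE))
    print("weak groups left eligible by hardened suite:", audit_cipher_suite(HARDENED_SUITE))
```

Run against a real error_log, the per-minute buckets make it easy to see whether the "bad signature" lines cluster right after a backend timeout, which is what the message describes; the cipher lint is deliberately conservative and reports what the string fails to exclude rather than what a given OpenSSL build would actually negotiate.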