Tomcat 8 503 Error with Apache2 mod_jk as Reverse Proxy

 
Bradn Jones
Greenhorn
Posts: 3
I'm following this guide to set up Tomcat 8 on Ubuntu Server 16.04 using Apache2's mod_jk module as a reverse proxy:

https://www.digitalocean.com/community/tutorials/how-to-encrypt-tomcat-8-connections-with-apache-or-nginx-on-ubuntu-16-04

Everything works until the last step, which is to change the HTTP and AJP Connectors in server.xml to only listen on localhost. Here's the change I made to the AJP Connector (added localhost in the address):



Before this change, typing https://myhostname takes me to the Tomcat administration page; after it, I get "503 Service Unavailable".

Here's the relevant portion of mod_jk.log

 
Tim Holloway
Bartender
Posts: 18503
You might want to check the Tomcat catalina.out and localhost log files to make sure that port 8009 didn't fail to open.

Although your proxy log message seems to be indicating that Apache might have been trying to connect using IPv6 and your allowable address (127.0.0.1) is an IPv4 address. If that's the case, I'd try and ensure that the Apache-to-Tomcat tunnel on port 8009 used IPv4, since I don't think IPv6 gains you a lot on a loopback connection.
 
Bradn Jones
Greenhorn
Posts: 3
Here are the logs based on your suggestion. It doesn't seem like there is an issue with port 8009 starting, as line 36 of the catalina.out says this: "Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]", but I'm not 100% sure:

Also, how do I ensure that the Apache-to-Tomcat tunnel on port 8009 uses IPv4? I didn't see anything I could change in the server.xml connector config to specify IP type?

Apologies, I'm new to configuring Tomcat and this is a bit of a learning process for me.

Thanks much!

Localhost.log:


catalina.out after running systemctl restart tomcat as root




 
Tim Holloway
Bartender
Posts: 18503
You can use the command "netstat -tnlp" to list what programs are listening on which ports/protocols.

But it does appear that Apache is attempting to use IPv6 to communicate and your listening address on the connector is set for IPv4.

Unfortunately, Apache does its IPv6/IPv4 things with a certain amount of "magic" these days, so it's not always easy to tell what protocols it's going to use. You'll probably have to read the Apache docs. I would expect that the mod_jk configuration options would deal with that, but unfortunately, the DigitalOcean tutorial doesn't show a functional and complete set of sample mod_jk directives.

It's not totally essential that you limit the port 8009 listening address. That's not a public port, so access to it should be firewall-blocked both at the external entry to your site from the Internet, and in your case, on the local machine (iptables) itself. If someone managed to get far enough into your server to be able to send local requests inside the machine's firewall, you've probably already been totally eaten.

Also, are you the "Bostich" that posted to the DigitalOcean site not long ago? We really would like to be notified when you cross-post stuff. Otherwise people get confused because sometimes they'll answer on one site and sometimes on another.
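
Added example, not part of the original thread: a Python sketch of the address-family mismatch discussed above. A listener bound only to 127.0.0.1 stands in for the AJP connector, and the probe tries every address the resolver returns for a host name. The function names and the ephemeral port are assumptions of this example.

```python
import socket

def listen_loopback_v4():
    """Constructed stand-in for an AJP connector bound with address="127.0.0.1".
    Uses an ephemeral port so it never collides with a real Tomcat on 8009."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv

def resolve(host, port):
    """Return (family, address) pairs for host, in resolver order, de-duplicated."""
    pairs = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        if family in (socket.AF_INET, socket.AF_INET6) and (family, sockaddr[0]) not in pairs:
            pairs.append((family, sockaddr[0]))
    return pairs

def can_connect(family, addr, port, timeout=1.0):
    """True if a TCP connect to addr:port succeeds over the given address family."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:  # refused, unreachable, or family not available on this host
        return False

def probe(host, port):
    """List (family name, address, reachable) for every address host resolves to."""
    names = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}
    return [(names[f], a, can_connect(f, a, port)) for f, a in resolve(host, port)]

if __name__ == "__main__":
    srv = listen_loopback_v4()
    port = srv.getsockname()[1]
    # On hosts where "localhost" maps to both ::1 and 127.0.0.1, only the IPv4 row
    # is reachable; a client that tries ::1 alone sees a refused connection.
    for fam, addr, ok in probe("localhost", port):
        print(f"{fam:4} {addr:<12} {'connected' if ok else 'FAILED'}")
    srv.close()
```

Against a real deployment, the same probe can be pointed at the host name the proxy is configured with and port 8009, alongside the "netstat -tnlp" output, to see which address family the listener actually accepts.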
 
Bradn Jones
Greenhorn
Posts: 3
Tim,

Thank you for your clarifications! Yes, that post on DO is mine.
 