apache?

Kenny Lussier klussier at gmail.com
Sat Apr 4 21:10:33 EDT 2009


On Sat, Apr 4, 2009 at 8:43 PM, Alan Johnson <alan at datdec.com> wrote:

> On Sat, Apr 4, 2009 at 1:15 PM, Kenny Lussier <klussier at gmail.c> wrote:
>
>> Hi All,
>>
>> I am seeing an interesting problem with what I think is apache, but could
>> be tcp related as well. Our firewall blocks all connections to 443 except
>> for specific hosts. When someone connects to apache on 443, we proxy the
>> connection to a load balancer, which sprays the connections across several
>> tomcat servers.
>>
>> A few days ago, we upgraded the front-end apache servers from RHEL3
>> running httpd-2.0.47 to RHEL5, httpd-2.2.3-22.
>
>
> Did anything else related to Tomcat or your web service change with this
> upgrade?  Different versions of Tomcat or JVM?  I get the feeling those are
> running on different machines and have not been touched, but I wanted to
> confirm.
>
> Also, are you using mod_jk to connect to Tomcat?  This was the default in
> Apache 2.0, but 2.2 switched to something else for default (mod_proxy, I
> think?).  I switched back to mod_jk, but it took some fancy stepping,
> especially since we were upgrading to 64-bit at the same time.  But
> anyway...
>
>
>> One thing that I noticed is that in RHEL3, tcp_syncookies is set to 0
>> (off) by default, and on RHEL5 it is set to 1 (on). Could syncookies be
>> causing this?
>
>
> Could be.  I don't really know.  Any reason you don't want to flip the bit
> and see if it helps?


Oh, we flipped it, alright.... We're just waiting to see if it happens
again. We are also mirroring all of the traffic on both sides of the
firewall, on the inside of the proxy, etc. We aren't leaving anything to
chance. I'm just trying to understand how syncookies could cause this sort
of an issue.


>
> Also, why not ask RedHat?  That's what you are paying for.  Otherwise, you
> may as well switch to CentOS.  I have some very simple scripts to convert
> from RH to CentOS if you like.  They work great for 3 and 4, but I have not
> made any for 5 as I have no RH 5 to worry about.  It should be fairly easy
> to make some 5 scripts using what I have as a guide.  I expect the steps to
> be the same with perhaps a few different package and file names.  That's the
> difference between my 3 and 4 scripts anyway.


I haven't engaged RedHat yet because the first thing that they want is a
reboot. I swear that they are learning from Microsoft more every day...
These are mission-critical production systems, and they will want too much
experimentation. That, and I really just hate calling tech support :-)