Question

Our Apache2 instance occasionally seems to stop responding to SSL requests when under load.

We have a Windows Server 2003 running Apache 2.2 w/ OpenSSL. It is configured with mod_jk connector version 1.2.32 which balances two instances of Tomcat 6.

Apache2 is configured to accept requests on :80 and redirect to :443 using mod_rewrite, which works fine. (this is important later)

We've got an external process that routinely calls a URL mapped through mod_jk. The process was poorly configured to initially send its request to http (:80) and was then getting redirected to https (:443) resulting in a double-hit on the server. This meant the access.log would show two requests, one with a 302 status (redirect from the :80 request) followed by 200 status (ok from the :443 request).

Eventually the access.log ceased showing the subsequent "status 200" messages and showed only 302 (redirects). Visiting the https URL via browser also confirmed that Apache was not responding. Our Monitis alert said, "CRITICAL - Cannot make SSL connection". Additionally, our mod_jk.log stopped recording requests at the time of failure. It's important to note here that Apache continued to reply to all http requests and sent 302 redirects all the while that the SSL requests were failing.

Accessing each of the two Tomcat instances directly via http succeeded without any problems.

We restarted our Apache2 service, which immediately resolved the issues, and things began operating normally once again.

There are so many moving parts in this puzzle that I'm not sure of the culprit. I suspect that there may be a problem with SSL, though I did not test a non-Tomcat URL via SSL at that time. It could also be mod_jk related. Thanks for reading.


Solution

I strongly recommend that you ditch mod_jk in favour of mod_proxy_ajp. It does exactly the same thing, but it is miles simpler to configure; it is built into Apache rather than being a by-product of the Tomcat project; it can be used in conjunction with mod_proxy_balancer when you get the need for it; and it has been working flawlessly for me, including SSL, for several months in production.
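
A sketch of the setup this answer recommends, added here as an example and not taken from the original post: mod_proxy_ajp with mod_proxy_balancer in front of the two Tomcat instances, inside the SSL virtual host. The AJP ports, the `/app` path, the balancer name and the route names are assumptions to replace with your own values.

```apache
# Added example. Assumed: Apache 2.2 with its stock proxy modules, Tomcat AJP
# connectors on 127.0.0.1:8009 and 127.0.0.1:8010, application under /app.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

# Reverse proxy only; never act as an open forward proxy.
ProxyRequests Off

<Proxy balancer://tomcats>
    # route must equal the jvmRoute set on each Tomcat <Engine> in server.xml,
    # otherwise sticky sessions will not reach the right instance.
    # AJP is unencrypted and unauthenticated by default, so keep the
    # connectors on loopback or a trusted network segment.
    BalancerMember ajp://127.0.0.1:8009 route=tomcat1 retry=30
    BalancerMember ajp://127.0.0.1:8010 route=tomcat2 retry=30
</Proxy>

<VirtualHost *:443>
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile stay as in the existing SSL vhost.

    # Replaces the JkMount mapping; sessions stick to the instance that created them.
    ProxyPass /app balancer://tomcats/app stickysession=JSESSIONID|jsessionid
</VirtualHost>
```

The existing :80 virtual host with its mod_rewrite redirect to :443 is unaffected by this change.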

Licensed under: CC-BY-SA with attribution