mod_jk vs SELinux

Tomcat cluster behind an Apache HTTPd

Several protocols exist to run one or multiple Apache Tomcats behind an Apache HTTPd. One of the commonly used protocols is AJP/1.3-Protokoll (Apache JServ Protocol), because it easily supports load balancing. Because the SSL-termination happen within the webserver, this scenario can only be used if the communication channel between the HTTPd and Tomcat is secure.

Clustered tomcat setup

mod_jk

Tomcat supports AJP/1.3-protocol out of the box, but HTTPd needs mod_jk. This setup is rather simple and used by many companies. At least in theory. When testing this setup on a SELinux-enabled distribution it failed to work and I found the following log entry:

connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=13)

Looking at the debug-output of mod_jk, it shows the connection to 127.0.0.1:8009 failed. The first suspect was IPv6. I went ahead and completely disabled it:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

But this did not change the situation. The service was only using IPv4, telnet worked, but Apache HTTPd still could get no connection. In the end I found the following log entry:

[error] init_jk::mod_jk.c (3235): Initializing shm:/var/log/httpd/jk-runtime-status.16551 errno=13. Load balancing workers will not function properly.

A short research brought SELinux into focus. I’m still unsure why SELinux is enabled for some workstation distributions by default. It is a good security feature, but so far I found the tooling a bit hard to use. Especially for newbies it’s complicated to get an easy overview (whether using a GUI or a simple Log-file) or find errors. My very easy workaroundis to open the file ‘/etc/selinux/config’ and add the following:

SELINUX=disabled

This solves all SELinx related issues. Note: This completely disables SELinux. It is acceptable for a development system within a secure environment, but this workaround should never be applied to any production system.

Copyright © christophbrill.de, 2002-2018.