Tomcat cluster behind an Apache HTTPd
Several protocols exist to run one or more Apache Tomcats behind an Apache HTTPd. One of the commonly used ones is the AJP/1.3 protocol (Apache JServ Protocol), because it supports load balancing with little effort. Because SSL/TLS termination happens in the web server, the AJP connection between HTTPd and Tomcat carries the traffic in clear text, so this scenario can only be used if that channel is secure (for example loopback on the same host, or an isolated network).
Tomcat supports the AJP/1.3 protocol out of the box, but HTTPd needs mod_jk. This setup is rather simple and used by many companies. At least in theory. When testing it on a SELinux-enabled distribution it failed to work, and I found the following log entry:
connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=13)
Looking at the debug output of mod_jk, it shows that the connection to 127.0.0.1:8009 failed. The first suspect was IPv6. I went ahead and completely disabled it:
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
But this did not change the situation. The service was only using IPv4, telnet to the port worked, but Apache HTTPd still could not connect. In the end I found the following log entry:
[error] init_jk::mod_jk.c (3235): Initializing shm:/var/log/httpd/jk-runtime-status.16551 errno=13. Load balancing workers will not function properly.
A short search brought SELinux into focus: errno 13 is EACCES ("Permission denied"), and when the ordinary file permissions are fine, that points to the mandatory access control layer. I'm still unsure why SELinux is enabled by default on some workstation distributions. It is a good security feature, but so far I have found the tooling a bit hard to use. Especially for newbies it is complicated to get an easy overview (whether using a GUI or a simple log file) or to find errors. My very easy workaround is to open the file '/etc/selinux/config' and add the following:
This solves all SELinux-related issues. Note: it does so by disabling SELinux completely. That is acceptable for a development system within a secure environment, but this workaround should never be applied to a production system. To merely confirm that SELinux is the cause, setenforce 0 switches to permissive mode until the next boot without touching the config file; the denials then still show up in /var/log/audit/audit.log and name exactly what would have to be allowed.
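The following script is an added example and not part of the original post or of mod_jk: it shows the targeted alternative to disabling SELinux. It parses AVC denial records of the kind the two errno=13 failures above produce and maps each to the narrowest fix. The two audit records are constructed (pids, inodes and timestamps are made up); the remedies assume a Red Hat style targeted policy, where port 8009 is labelled http_port_t, /run/httpd is labelled httpd_var_run_t, and httpd may create and append to but not write files labelled httpd_log_t.

```shell
#!/bin/sh
# Added example (not from the original post): triage SELinux AVC denials
# for httpd/mod_jk and map each one to a targeted fix, instead of setting
# SELINUX=disabled. The two audit records below are constructed to resemble
# what the post's errno=13 (EACCES) failures leave in
# /var/log/audit/audit.log on a targeted-policy system; pids, inodes and
# timestamps are made up.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=16551 comm="httpd" dest=8009 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { write } for  pid=16551 comm="httpd" name="jk-runtime-status.16551" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of KEY=value from an AVC record,
# with surrounding double quotes stripped (empty if the key is absent).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perms LINE: print the permission set between the braces, e.g. "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# remedy_for_avc LINE: print the narrowest fix for one httpd denial.
# Returns 1 (printing nothing) for records that are not httpd denials.
remedy_for_avc() {
    line=$1
    comm=$(avc_field "$line" comm)
    tclass=$(avc_field "$line" tclass)
    ttype=$(avc_field "$line" tcontext | cut -d: -f3)   # type part of user:role:type:level
    perms=$(avc_perms "$line")
    [ "$comm" = httpd ] || return 1
    case "$tclass:$ttype:$perms" in
        # Outbound connect to a port labelled http_port_t (8009 is one of
        # them in the targeted policy): the relay boolean is narrower than
        # httpd_can_network_connect, which opens every port.
        tcp_socket:http_port_t:*name_connect*)
            echo 'setsebool -P httpd_can_network_relay on' ;;
        tcp_socket:*:*name_connect*)
            echo 'setsebool -P httpd_can_network_connect on' ;;
        # httpd may create and append to httpd_log_t files but not write
        # them; the mod_jk shared-memory file needs read/write, so point
        # JkShmFile at a directory labelled httpd_var_run_t instead of
        # widening access to the log directory.
        file:httpd_log_t:*)
            echo 'JkShmFile /run/httpd/jk-runtime-status' ;;
        # Anything else: build a local policy module from the real denials
        # and review the generated .te file before loading it.
        *)
            echo 'ausearch -c httpd --raw | audit2allow -M mod_jk_local; semodule -i mod_jk_local.pp' ;;
    esac
}

# triage_avc_log TEXT: run every AVC denial record through remedy_for_avc
# and print the distinct fixes, one per line.
triage_avc_log() {
    printf '%s\n' "$1" | while IFS= read -r rec; do
        case "$rec" in
            *'type=AVC'*'denied'*) remedy_for_avc "$rec" || true ;;
        esac
    done | sort -u
}

# Stand-alone run on the constructed sample. On a real host use
#   triage_avc_log "$(ausearch -m avc -c httpd --raw)"
triage_avc_log "$SAMPLE_AVC"
```

On the two sample records this prints the JkShmFile change and the httpd_can_network_relay boolean, which together resolve both errors from the post while SELinux stays enforcing; a denial the script does not recognise falls back to the usual audit2allow workflow, whose generated module should be read before it is installed.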