Questions[mod-balancer](server)

We have an Apache Reverse Proxy which works fine (configuration below). Now we have the need to forward a few requests to another server (server3.domain.com) and check that a cookie named "LtpaToken" exists in user request. If the cookie is absent, the error page will return (we want to block anonymous requests).

I need to forward http(s)://server.domain.com/jsreports/* to JSReport's http(s) server VM ( server3.domain.com IP address) and check the LtpaToken if exists.

Can anybody give some hints how can it be implemented? Thank you!

        SSLEngine on
        SSLProxyEngine On
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off

ServerName server.domain.com
        ServerAlias server.com
        ProxyRequests Off
#   ProxyPreserveHost On
    
<Proxy balancer://my_cluster>
    BalancerMember https://server.domain.com keepalive=on
    BalancerMember https://server2.domain.com keepalive=on  status=+H
    AllowOverride None
    Order allow,deny
    allow from all
    
#   ProxySet lbmethod=byrequests
</Proxy>

 <Location /balancer-manager>
        SetHandler balancer-manager
        Order deny,allow
    Deny from all
        allow from 192.168.1
    allow from 5.5.20
    allow from 10.0.0
</Location>

    ProxyPass /balancer-manager !   
    ProxyPass / balancer://my_cluster/
    ProxyPassReverse / balancer://my_cluster/

I have apache running on one machine as a load balancer:

<VirtualHost *:443>
  ServerName    ssl.example.com
  DocumentRoot  /home/example/public

  SSLEngine             on
  SSLCertificateFile    /etc/pki/tls/certs/example.crt
  SSLCertificateKeyFile /etc/pki/tls/private/example.key

  <Proxy balancer://myappcluster>
    BalancerMember http://app1.example.com:12345 route=app1
    BalancerMember http://app2.example.com:12345 route=app2
  </Proxy>

  ProxyPass         / balancer://myappcluster/ stickysession=_myapp_session
  ProxyPassReverse  / balancer://myappcluster/

</VirtualHost>

Note that the balancer takes requests under SSL port 443, but then communicates to the balancer members on a non-ssl port. Is it possible to have the forwarding to the balancer members be under SSL too?

If so, is this the best/recommended way?

If so, do I have to have another SSL cert for each balancer member?

Does the SSLProxyEngine directive have anything to do with this?

I have Apache acting as a load balancer in front of 3 Tomcat servers. Occasionally, Apache returns 503 responses, which I would like to remove completely. All 4 servers are not under significant load in terms of CPU, memory, or disk, so I am a little unsure what is reaching it's limits or why. 503s are returned when all workers are in error state - whatever that means. Here are the details:

Apache config:

<IfModule mpm_prefork_module>
  StartServers           30
  MinSpareServers        30
  MaxSpareServers        60
  MaxClients            200
  MaxRequestsPerChild  1000
</IfModule>

...

<Proxy *>
  AddDefaultCharset Off
  Order deny,allow
  Allow from all
</Proxy>

# Tomcat HA cluster
<Proxy balancer://mycluster>
  BalancerMember ajp://10.176.201.9:8009 keepalive=On retry=1 timeout=1 ping=1
  BalancerMember ajp://10.176.201.10:8009 keepalive=On retry=1 timeout=1 ping=1
  BalancerMember ajp://10.176.219.168:8009 keepalive=On retry=1 timeout=1 ping=1
</Proxy>

# Passes thru track. or api.
ProxyPreserveHost On
ProxyStatus On

# Original tracker
ProxyPass /m  balancer://mycluster/m
ProxyPassReverse /m balancer://mycluster/m

Tomcat config:

<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" 
               connectionTimeout="20000" 
               redirectPort="8443" />

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost"  appBase="webapps"
          unpackWARs="true" autoDeploy="true"
          xmlValidation="false" xmlNamespaceAware="false">
    </Engine>
  </Service>
</Server>

Apache error log:

[Mon Mar 22 18:39:47 2010] [error] (70007)The timeout specified has expired: proxy: AJP: attempt to connect to 10.176.201.10:8009 (10.176.201.10) failed
[Mon Mar 22 18:39:47 2010] [error] ap_proxy_connect_backend disabling worker for (10.176.201.10)
[Mon Mar 22 18:39:47 2010] [error] proxy: AJP: failed to make connection to backend: 10.176.201.10
[Mon Mar 22 18:39:47 2010] [error] (70007)The timeout specified has expired: proxy: AJP: attempt to connect to 10.176.201.9:8009 (10.176.201.9) failed
[Mon Mar 22 18:39:47 2010] [error] ap_proxy_connect_backend disabling worker for (10.176.201.9)
[Mon Mar 22 18:39:47 2010] [error] proxy: AJP: failed to make connection to backend: 10.176.201.9
[Mon Mar 22 18:39:47 2010] [error] (70007)The timeout specified has expired: proxy: AJP: attempt to connect to 10.176.219.168:8009 (10.176.219.168) failed
[Mon Mar 22 18:39:47 2010] [error] ap_proxy_connect_backend disabling worker for (10.176.219.168)
[Mon Mar 22 18:39:47 2010] [error] proxy: AJP: failed to make connection to backend: 10.176.219.168
[Mon Mar 22 18:39:47 2010] [error] proxy: BALANCER: (balancer://mycluster). All workers are in error state
[Mon Mar 22 18:39:47 2010] [error] proxy: BALANCER: (balancer://mycluster). All workers are in error state
[Mon Mar 22 18:39:47 2010] [error] proxy: BALANCER: (balancer://mycluster). All workers are in error state
[Mon Mar 22 18:39:47 2010] [error] proxy: BALANCER: (balancer://mycluster). All workers are in error state
[Mon Mar 22 18:39:47 2010] [error] proxy: BALANCER: (balancer://mycluster). All workers are in error state
[Mon Mar 22 18:39:47 2010] [error] proxy: BALANCER: (balancer://mycluster). All workers are in error state

Load balancer top info:

top - 23:44:11 up 210 days,  4:32,  1 user,  load average: 0.10, 0.11, 0.09
Tasks: 135 total,   2 running, 133 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.1%us,  0.2%sy,  0.0%ni, 99.2%id,  0.1%wa,  0.0%hi,  0.1%si,  0.3%st
Mem:    524508k total,   517132k used,     7376k free,     9124k buffers
Swap:  1048568k total,      352k used,  1048216k free,   334720k cached

Tomcat top info:

top - 23:47:12 up 210 days,  3:07,  1 user,  load average: 0.02, 0.04, 0.00
Tasks:  63 total,   1 running,  62 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.2%us,  0.0%sy,  0.0%ni, 99.8%id,  0.1%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   2097372k total,  2080888k used,    16484k free,    21464k buffers
Swap:  4194296k total,      380k used,  4193916k free,  1520912k cached

Catalina.out does not have any error messages in it.

According to Apache's server status, it seems to be maxing out at 143 requests/sec. I believe the servers can handle substantially more load than they are, so any hints about low default limits or other reasons why this setup would be maxing out would be greatly appreciated.

I have a situation where I have a load balancer set up with Apache2 and mod-balancer that is going to load balance two Apache2 web servers. I'd like my load balancer to be able to serve multiple sites but currently every virtual host I create seems to serve the same site.

On the load balancer (lb1) I have the default virtual host enabled so that when you browse to the load balancers IP address you see the standard Apache2 message.

The following is the virtual host layout that I use for all subsequent domains that the load balancer can serve (substitute mydomain.com for the actual domain name of course):

<VirtualHost *>
        ServerName www.mydomain.com
        ServerAlias mydomain.com

        ProxyRequests Off

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        <Proxy balancer://mydomain.com.cluster>
                BalancerMember http://web1.mycluster.com:80 route=web1 retry=5
                BalancerMember http://web2.mycluster.com:80 route=web2 retry=5
                ProxySet lbmethod=byrequests
        </Proxy>

        ProxyPass / balancer://mydomain.com.cluster/ stickysession=BALANCEID n$

        ProxyPassReverse / http://web1.mycluster.com/
        ProxyPassReverse / http://web2.mycluster.com/
</VirtualHost>

This is what a virtual host on the web server (web1 & web2) end looks like. Both web servers have the same virtual hosts enabled. The only difference between the virtual hosts is the reference to either web1 or web2 respectively (I show the virtual host of web1 here):

<VirtualHost *>
        ServerName www.mydomain.com
        ServerAlias mydomain.com

        RewriteEngine On
        RewriteRule .* - [CO=BALANCEID:balancer.web1:.mydomain.com]

        DocumentRoot /mnt/share/mydomain.com/www/public_html

        <Directory />
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>

This seems to work for mydomain.com. If I create another virtual host with the same layout e.g. for myotherdomain.com then browsing to myotherdomain.com will actually serve mydomain.com.

What I'm I doing wrong?