Coach Thrasher
Connecting Apache to Tomcat with mod_jk and SELinux
After pulling my hair out for hours, and not finding any posts with my symptoms, I finally figured out how to get Apache to connect to multiple Tomcat instances through mod_jk, on odd ports. The problem on a Fedora Core (3 to 6 here) setup is that SELinux, if enabled, will prevent Apache from making connections, even to localhost. Confounding my troubleshooting was that the default 8009 AJP connect port was working fine. And my "jkstatus" worker was happily reporting that my clustered workers were all happy, and talking ajp13... but that was not the case.
Here's the Setup:
Fedora Core 6
Server Version: Apache/2.2.3 (Fedora)
JK Version: mod_jk/1.2.20
Tomcat: 5.5.17
When you do an install of FC6 and choose SELinux, Apache, and Tomcat, with SELinux set to "Enforcing", the policy will let Apache talk to Tomcat on 8009, which is the default ajp13/mod_jk port. All other ports will fail if you are clustering or load balancing multiple Tomcats on various AJP ports, because the default "Enforcing" policy prevents Apache from making network connections to any other ports.
You will know that your connections are being denied if your mod_jk.log shows something like:
jk_open_socket::jk_connect.c (451): connect to 127.0.0.1:8109 failed with errno=13
ajp_connect_to_endpoint::jk_ajp_common.c (873): Failed opening socket to (127.0.0.1:8109) with (errno=13)
ajp_send_request::jk_ajp_common.c (1259): (myAjp13Worker) error connecting to the backend server (errno=13)
ajp_service::jk_ajp_common.c (1916): (myAjp13Worker) sending request to tomcat failed, recoverable operation attempt=1
And your web browser will report an HTTP 503 when you try to connect to an ajp13-proxied Tomcat instance URI.
To check if SELinux is on, this should return "0":
selinuxenabled ; echo $?
To verify this is the issue, shut down your iptables firewall and try shutting SELinux off using:
system-config-securitylevel
If that's the issue then hooray! This worker's going to get a beer!
To continue running SELinux, change its policy on allowing httpd to make connections with:
setsebool -P httpd_can_network_connect=1
You can query the policy to view settings with:
getsebool -a | grep httpd
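The checks above, pulled together as an added example (not part of the original post): a POSIX sh script that picks the errno=13 (EACCES, permission denied) targets out of mod_jk.log, reads the httpd_can_network_connect value from getsebool output, and reports whether the SELinux boolean is the likely cause. The log path /var/log/httpd/mod_jk.log is an assumption; the log and getsebool samples are constructed from the lines shown above, and the live tools are only called when they exist on the host.

```shell
#!/bin/sh
# Added example, not from the original post. Triage mod_jk "errno=13" failures:
# errno=13 is EACCES (permission denied), the SELinux signature; errno=111
# (ECONNREFUSED) means Tomcat itself is not listening and is deliberately ignored.

# Constructed sample of mod_jk.log, modelled on the lines quoted in the post.
SAMPLE_JK_LOG='jk_open_socket::jk_connect.c (451): connect to 127.0.0.1:8109 failed with errno=13
ajp_connect_to_endpoint::jk_ajp_common.c (873): Failed opening socket to (127.0.0.1:8109) with (errno=13)
jk_open_socket::jk_connect.c (451): connect to 127.0.0.1:8209 failed with errno=13
jk_open_socket::jk_connect.c (451): connect to 127.0.0.1:8009 failed with errno=111'

# Constructed sample of `getsebool -a | grep httpd` on a default Enforcing box.
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on'

# Assumed log location; override with JK_LOG=/path/to/mod_jk.log.
JK_LOG="${JK_LOG:-/var/log/httpd/mod_jk.log}"

# Print the distinct host:port targets that failed with errno=13, one per line.
eacces_targets() {
    printf '%s\n' "$1" \
      | sed -n 's/.*connect to \([0-9.]*:[0-9]*\) failed with errno=13.*/\1/p' \
      | sort -u
}

# Print the on/off value of httpd_can_network_connect from getsebool output.
network_connect_bool() {
    printf '%s\n' "$1" | awk '$1 == "httpd_can_network_connect" { print $3 }'
}

# Verdict: "selinux" (EACCES seen and boolean off), "other" (EACCES seen but
# boolean already on, so look elsewhere), or "none" (no EACCES failures at all).
diagnose() {
    targets=$(eacces_targets "$1")
    if [ -z "$targets" ]; then
        echo none
    elif [ "$(network_connect_bool "$2")" = "off" ]; then
        echo selinux
    else
        echo other
    fi
}

# Use live data when SELinux and its tools are present, otherwise the samples.
if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled && command -v getsebool >/dev/null 2>&1; then
    verdict=$(diagnose "$(cat "$JK_LOG" 2>/dev/null)" "$(getsebool -a)")
else
    verdict=$(diagnose "$SAMPLE_JK_LOG" "$SAMPLE_GETSEBOOL")
fi
echo "diagnosis: $verdict"
if [ "$verdict" = selinux ]; then echo 'fix: setsebool -P httpd_can_network_connect=1'; fi
```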
Posted at 09:16PM Feb 17, 2007 by jason in Software |