two apache instances using one shibd process possible?

Cantor, Scott cantor.2 at
Fri Feb 1 10:16:32 EST 2013

On 2/1/13 3:27 AM, "Gernot Hassenpflug" <ha4h-grnt at> wrote:
>I understand that
>- the session information is stored in shibd; and
>- each apache process with the mod_shib module caches session information.

They cache it for efficiency but the only state is in shibd.

>Presumably success happens when the IdP redirect request is
>intercepted by an apache instance belonging to the process where the
>initial access was made.

Only if there's no shared session cache, yes.

>I've now tested also the TCPListener, and this too "works" because at
>some point in the redirection repeats the matching apache process will
>intercept a repear redirect request. Obviously this does not function
>under any load.

The TCP listener over localhost is the standard Windows mechanism, it
works fine under load.

I don't understand the rest. If you have a shared shibd, it will work, if
not, not. Using a shared process is reasonable on one machine, much less
so going over a network.

>I thought from reading
>that I could run two apache processes as though they were on different
>boxes.  I believe this works exactly as it should.

Then I don't know what you're asking.

>However, nginx in front of these two instances defines a backend
>comprising both of them:
>upstream backend {
> server;
> server;

I know nothing about nginx or what that all means.

>So this presumably causes httpd and shibd to have problems, since
>there is no telling which instance of which apache process will handle
>any particular request.

It doesn't matter if they use one shibd. The Apache code is stateless,
100%. There's nothing that lives beyond one request other than data cached
for efficiency.

>Would it be necessary to have session-awareness in the front-end, or
>is there some way to avoid the problem as is? Or perhaps I am mistaken
>in what my problems are?

Sounds like it to me.

-- Scott

More information about the users mailing list