two apache instances using one shibd process possible?
Cantor, Scott
cantor.2 at osu.edu
Fri Feb 1 10:16:32 EST 2013
On 2/1/13 3:27 AM, "Gernot Hassenpflug" <ha4h-grnt at asahi-net.or.jp> wrote:
>
>I understand that
>- the session information is stored in shibd; and
>- each apache process with the mod_shib module caches session information.
They cache it for efficiency but the only state is in shibd.
>Presumably success happens when the IdP redirect request is
>intercepted by an apache instance belonging to the process where the
>initial access was made.
Only if there's no shared session cache, yes.
>I've now tested also the TCPListener, and this too "works" because at
>some point in the redirection repeats the matching apache process will
>intercept a repeat redirect request. Obviously this does not function
>under any load.
The TCP listener over localhost is the standard Windows mechanism; it
works fine under load.
I don't understand the rest. If you have a shared shibd, it will work, if
not, not. Using a shared process is reasonable on one machine, much less
so going over a network.
>I thought from reading
>https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPClustering
>that I could run two apache processes as though they were on different
>boxes. I believe this works exactly as it should.
Then I don't know what you're asking.
>However, nginx in front of these two instances defines a backend
>comprising both of them:
>
>upstream backend {
> server 127.0.0.1:81;
> server 127.0.0.2:81;
>}
I know nothing about nginx or what that all means.
>So this presumably causes httpd and shibd to have problems, since
>there is no telling which instance of which apache process will handle
>any particular request.
It doesn't matter if they use one shibd. The Apache code is stateless,
100%. There's nothing that lives beyond one request other than data cached
for efficiency.
>Would it be necessary to have session-awareness in the front-end, or
>is there some way to avoid the problem as is? Or perhaps I am mistaken
>in what my problems are?
Sounds like it to me.
-- Scott