Frovarp, Richard richard.frovarp at ndsu.edu
Tue Sep 18 23:49:48 EDT 2018

They are very different things. Timeout is to timeout an active connection, or perhaps more accurately a stalled connection.

Retry is the number of seconds HTTPD will ignore that backend after an error. I can't remember all of what causes it to go into the error state. But for that many seconds, it will not proxy and it will return an error back to the requester. So if for some reason you have one request time out, all other requests to that backend by that worker will fail for retry seconds. So if one of your users times out because Duo is unresponsive, it will fail for all requests for retry seconds. The retry mechanism works well in a load balancing environment, but probably less so if not.

We've been bitten by this in the past. Can't remember the specifics, and it wasn't against Shib. But now we set retry to 0 as whatever it was that caused it should not effectively cause a denial of service to everything that it did.
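As an added illustration (not part of the original thread), here is what the two settings look like side by side in a single-backend AJP setup. The host, port and path are the thread's own; the 600-second timeout is the value quoted later in the thread and is an assumption here, not a recommendation. The first line shows the configuration the reply above warns about, the second the retry=0 form it describes.

```apache
# Added example, not from the thread. Single Tomcat backend behind Apache
# mod_proxy_ajp, so there is no other worker to fall back to.

# What the reply above describes: after one backend error, mod_proxy marks the
# worker as in error and answers every /idp request with an error for 5 seconds,
# so one user's stalled request turns into a 5-second outage for everyone.
# ProxyPass /idp ajp://localhost:8009/idp retry=5

# retry=0: a worker that hits an error is retried on the very next request
# instead of being skipped for N seconds (mod_proxy documents 0 as
# "always retry workers in an error state with no timeout").
# timeout=600: how long a single request may stall before Apache gives up on
# it; this bounds the one slow request without penalising the others.
# (600 is assumed here; the thread quotes it as an example value.)
ProxyPass /idp ajp://localhost:8009/idp retry=0 timeout=600
```

Whether retry=0 is the right choice depends on the deployment: with several backends behind a balancer, a non-zero retry lets Apache route around a dead node, which is the case the reply above says it works well for.
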
From: users <users-bounces at shibboleth.net> on behalf of Cameron Kerr <cameron.kerr at otago.ac.nz>
Sent: Tuesday, September 18, 2018 8:23:33 PM
To: Shib Users
I would have thought ‘timeout’ would be cleaner…. What are the semantics of ‘retry’ with regard to things like POST and replay detection?

That said, I’m from New Zealand, and our instructions (Tuakiri Federation) are based very much on the AAF documentation. I’ve seen no obvious problems from using retry=5 (at least, none that I could account for) in the several years our IdP has run.

From: users <users-bounces at shibboleth.net> On Behalf Of Hugo Slavia
Sent: Wednesday, 19 September 2018 1:16 PM
To: Shib Users <users at shibboleth.net>
For the AJP users out there -- with Apache/Tomcat -- do you have a preference between 'retry' or 'timeout' in the AJP configuration?

For other services, we generally use the timeout (without retry) -- I saw an example by the Australian Federation with 'retry' - http://wiki.aaf.edu.au/tech-info/idpconf

ProxyPass /idp ajp://localhost:8009/idp retry=5

ProxyPass /idp ajp://localhost:8009/idp timeout=600
