AJP Users Out There
Hugo Slavia
hugoslavia101 at gmail.com
Wed Sep 19 15:44:39 EDT 2018
Thank you Richard and Cameron.
With 'retry = 0' --- is there a default timeout for a stalled connection?
Debating whether to go with 'retry =0', and/or timeout.
We had an issue due to a customized plug-in which called an external file
that was not Java-thread safe (disabled now). The 'retry = 5', started the
cascading errors.
On Tue, Sep 18, 2018 at 8:50 PM Frovarp, Richard <richard.frovarp at ndsu.edu>
wrote:
> They are very different things. Timeout is to timeout an active
> connection, or perhaps more accurately a stalled connection.
>
> Retry is the number of seconds HTTPD will ignore that backend after an
> error. I can't remember all what causes it to go into error state. But for
> that many seconds, it will not proxy and it will return an error back to
> the requester. So if for some reason you have one request timeout, all
> other requests to that backend by that worker will fail for retry seconds.
> So if one of your users times out because Duo is unresponsive, it will fail
> for all requests for retry seconds. The retry mechanism works well in a
> load balancing environment, but probably less so if not.
>
> We've been bit by this in the past. Can't remember the specifics, and it
> wasn't against Shib. But now we set retry to 0 as whatever it was that
> caused it should not effectively cause a denial of service to everything
> that it did.
> ------------------------------
> *From:* users <users-bounces at shibboleth.net> on behalf of Cameron Kerr <
> cameron.kerr at otago.ac.nz>
> *Sent:* Tuesday, September 18, 2018 8:23:33 PM
> *To:* Shib Users
> *Subject:* RE: AJP Users Out There
>
>
> I would have thought ‘timeout’ would be cleaner…. What are the semantics
> of ‘retry’ with regard to things like POST and replay detection?
>
>
>
> That said, I’m from New Zealand, and our instructions (Tuakiri Federation)
> is based very much on the AAF documentation. I’ve seen no obvious problems
> from using retry=5 (at least, none that I could account for) in the several
> years our IdP has run.
>
>
>
> Hope that helps,
>
> Cameron
>
>
>
> *From:* users <users-bounces at shibboleth.net> *On Behalf Of *Hugo Slavia
> *Sent:* Wednesday, 19 September 2018 1:16 PM
> *To:* Shib Users <users at shibboleth.net>
> *Subject:* AJP Users Out There
>
>
>
> For the AJP users out there -- with Apache/Tomcat -- do you have a
> preference between 'retry' or 'timeout' in the AJP configuration?
>
>
>
> For other services, we generally use the timeout (without retry) -- I saw
> an example by the Australian Federation with 'retry' -
> http://wiki.aaf.edu.au/tech-info/idpconf
>
>
>
>
>
> ProxyPass /idp ajp://localhost:8009/idp retry=5
>
>
>
> ProxyPass /idp ajp://localhost:8009/idp timeout=600
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20180919/ee1acc28/attachment.html>
More information about the users
mailing list