Help: Shibboleth SP for apache/jboss clustering environment

Mohammed Maatit mmaatit at gmail.com
Tue Jun 1 16:21:22 UTC 2021


Hello Jarno,

My answers:

> How does the traffic flow normally (with SSO enabled) ? Is it something
> like: F5 -> apache -> jboss(ajp/port 8009) ?
Yes, correct.

> Where does this 503 error (service unavailable) come from, does F5 generate
> it, or apache (or something else) ?
In the web browser we have the error message:
Service Unavailable
The server is temporarily unable to service your request due to maintenance
downtime or capacity problems. Please try again later.
Apache/2.4.37 (Red Hat) Server at apps.domain.intra Port 443

In the ssl_access log we have: "POST /app/nc?command=ping HTTP/1.1" 503 390

> What happens when you stop apache on the node you're connected to but leave
> jboss running ? Does F5 failover to the second node ?
Yes, it does.

> If the traffic flow is F5->apache->jboss do you have some kind of health
> check in F5 so F5 detects when jboss is down and stops sending traffic to
> that node ?
F5 stops sending traffic to apache (down) and sends traffic to the other
apache (up).
A heartbeat mechanism is implemented, allowing F5 to monitor the nodes.

BR

On Tue, 1 June 2021 at 15:46, Jarno Huuskonen <jarno.huuskonen at uef.fi>
wrote:

> Hello,
>
> On Tue, 2021-06-01 at 15:02 +0200, Mohammed Maatit wrote:
> > Thank you in advance for your help.
> >
> > I installed two nodes with an apache 2.4 (with shibd 3.1.0)/jboss eap7 on
> > RHEL environment.
> > In front of them I have a F5 BIG IP device which redirects https requests
> > to the 2 nodes (sticky session activated).
> > When SSO is disabled in my application (shibd service stopped and
> > apache24.conf commented in httpd.conf (#Include
> > /etc/shibboleth/apache24.config)), failover works fine.
> > When I enable SSO, the authentication process (sp/IDP) works fine and I am
> > connected to the first node, so perfect.
> > But when I stop the JBoss server that I am connected to, I do not switch
> > to the second node and I have the 503 error.
>
> How does the traffic flow normally (with SSO enabled) ? Is it something
> like: F5 -> apache -> jboss(ajp/port 8009) ?
>
> Where does this 503 error (service unavailable) come from, does F5 generate
> it, or apache (or something else) ?
>
> What happens when you stop apache on the node you're connected to but leave
> jboss running ? Does F5 failover to the second node ?
>
> If the traffic flow is F5->apache->jboss do you have some kind of health
> check in F5 so F5 detects when jboss is down and stops sending traffic to
> that node ?
>
> > I do not see where the bad configuration is located.
> > If I stop apache and jboss on node1, F5 redirects users to node 2 and also
> > SSO works fine, and the reverse works well too (apache2 and jboss2
> > stopped, apache1 and jboss1 running).
> > The problem is located exactly when one of the two nodes falls and the
> > switch does not occur.
>
> -Jarno
>
> --
> Jarno Huuskonen
>