Help: Shibboleth SP for apache/jboss clustering environment

Jarno Huuskonen jarno.huuskonen at uef.fi
Wed Jun 2 07:48:00 UTC 2021


Hello Mohammed,

On Tue, 2021-06-01 at 18:21 +0200, Mohammed Maatit wrote:
> Hello Jarno 
> 
> my answers
> 
> How does the traffic flow normally (with SSO enabled) ? Is it something
> like: F5 -> apache -> jboss(ajp/port 8009) ?
> yes, correct
> 
> Where does this 503 error (service unavailable) come from, does F5
> generate
> it, or apache (or something else) ?
> in the web browser we have the error message : 
> Service Unavailable
> The server is temporarily unable to service your request due to
> maintenance downtime or capacity problems. Please try again later.
> Apache/2.4.37 (Red Hat) Server at apps.domain.intra Port 443
> 
> in ssl_access log we have : "POST /app/nc?command=ping HTTP/1.1" 503 390

So F5 still (incorrectly) sends traffic to that node when apache is working
but jboss is not working ? And because apache can't reach jboss then apache
returns 503 error.

(In apache error log there's probably also proxy errors).

> What happens when you stop apache on the node you're connected to but
> leave
> jboss running ? Does F5 failover to the second node ?
> yes it does
> 
> 
> If the traffic flow is F5->apache->jboss do you have some kind of health
> check in F5 so F5 detects when jboss is down and stops sending traffic to
> that node ?
> 
> F5 stops sending traffic to apache (down) and sends traffic to the other
> apache (up)
> Heartbeat mechanism is implemented allowing F5 to monitor nodes
> 

I think this heartbeat might be insufficient if it can't detect when apache
is up but jboss is down and keeps sending traffic to that node (and apache
responds with 503 error because apache can't reach jboss).

Can you modify F5 so it can monitor/detect that both apache and jboss are up
?

Or maybe you can modify apache config so that apache/mod_cluster can
proxypass to balancer://<your_ManagerBalancerName> ... (to both jboss
servers).

-Jarno

> BR
> 
> On Tue, 1 June 2021 at 15:46, Jarno Huuskonen <jarno.huuskonen at uef.fi>
> wrote:
> > Hello,
> > 
> > On Tue, 2021-06-01 at 15:02 +0200, Mohammed Maatit wrote:
> > > thank you in advance for your help
> > > 
> > > I installed two nodes with an apache 2.4 (with shibd 3.1.0)/jboss eap7
> > on
> > > RHEL environment. 
> > > In front of them I have a F5 BIG IP device which redirects https
> > requests
> > > to the 2 nodes (sticky session activated)
> > > when SSO is disabled in my application, shibd service stopped and
> > > apache24.conf commented in httpd.conf (#Include
> > > /etc/shibboleth/apache24.config)), failover works fine.
> > > When I enable SSO, the authentication process (sp/IDP) works fine and I am
> > > connected to the first node, so perfect.
> > > but when I stop the JBoss server that I am connected to, I do not switch
> > > to the second node and I have the 503 error.
> > 
> > How does the traffic flow normally (with SSO enabled) ? Is it something
> > like: F5 -> apache -> jboss(ajp/port 8009) ?
> > 
> > Where does this 503 error (service unavailable) come from, does F5
> > generate
> > it, or apache (or something else) ?
> > 
> > What happens when you stop apache on the node you're connected to but
> > leave
> > jboss running ? Does F5 failover to the second node ?
> > 
> > If the traffic flow is F5->apache->jboss do you have some kind of health
> > check in F5 so F5 detects when jboss is down and stops sending traffic
> > to
> > that node ?
> > 
> > > I do not see where the bad configuration is located.
> > > if I stop apache and jboss on node1, F5 redirects users to node 2 and also
> > > SSO works fine. and the reverse works well too (apache2 and jboss2
> > > stopped, apache1 and jboss1 running)
> > > the problem is located exactly when one of the two nodes falls and the
> > > switch does not occur
> > 
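The health check discussed in this message, as an added example that is not part of the original e-mail or of any F5, Apache or Shibboleth code: a probe that marks the node up only when a request sent through Apache gets a 2xx answer. The function names are hypothetical, and it assumes the probed path is proxied to JBoss and does not require an SSO session.

```python
# Added example: health probe logic for an F5 -> Apache -> JBoss node.
import http.client

REDIRECTS = {301, 302, 303, 307, 308}
PROXY_ERRORS = {502, 503, 504}


def classify(status):
    """Map the HTTP status of one probe response to a node state."""
    if status in PROXY_ERRORS:
        # Apache answered but could not reach its backend (the 503 case).
        return "backend_down"
    if status in REDIRECTS:
        # Apache can answer a redirect by itself (for example an SSO
        # redirect for a client without a session), so JBoss is unproven.
        return "inconclusive"
    if 200 <= status < 300:
        return "up"
    return "inconclusive"


def probe(host, path, port=443, timeout=3.0):
    """Send one GET through Apache and classify the answer."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Connection": "close"})
        return classify(conn.getresponse().status)
    except (OSError, http.client.HTTPException):
        return "apache_down"  # no HTTP answer at all
    finally:
        conn.close()


def keep_in_pool(state):
    """Only a proven end-to-end answer keeps the node in rotation."""
    return state == "up"


# Constructed sample statuses, not taken from real logs.
SAMPLES = [200, 503, 302]

if __name__ == "__main__":
    for status in SAMPLES:
        state = classify(status)
        print(status, state, "keep" if keep_in_pool(state) else "remove")
```

A monitor that only checks whether Apache accepts connections would report this node as healthy in the 503 case.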


