
List:       shibboleth-users
Subject:    Re: AJP Users Out There
From:       Hugo Slavia <hugoslavia101 () gmail ! com>
Date:       2018-09-19 23:25:46
Message-ID: CAN3+XL3PWhhVaUDZtaghjkXDgA6uaWxuU4aLzqwpL42goOwpeg () mail ! gmail ! com


Thanks Richard!

We will use the default values for retry and timeout.

I will post our settings for the community -- after we have our service
running for a few weeks problem free (and without the external file call).

On Wed, Sep 19, 2018 at 12:50 PM Frovarp, Richard <richard.frovarp@ndsu.edu>
wrote:

> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
>
> Default retry is 60. Default timeout is ProxyTimeout.
>
> And yeah, that's what retry does. It cascades errors. It's good for the
> load balancer config, but there are certainly times when it causes a lot
> more harm than good.
>
> On 09/19/2018 02:44 PM, Hugo Slavia wrote:
>
> Thank you Richard and Cameron.
>
> With 'retry = 0' --- is there a default timeout for a stalled connection?
> Debating whether to go with 'retry = 0', and/or timeout.
>
> We had an issue due to a customized plug-in which called an external file
> that was not Java-thread safe (disabled now). The 'retry = 5' started the
> cascading errors.
>
>
> On Tue, Sep 18, 2018 at 8:50 PM Frovarp, Richard <richard.frovarp@ndsu.edu>
> wrote:
>
>> They are very different things. Timeout is to timeout an active
>> connection, or perhaps more accurately a stalled connection.
>>
>> Retry is the number of seconds HTTPD will ignore that backend after an
>> error. I can't remember all what causes it to go into error state. But for
>> that many seconds, it will not proxy and it will return an error back to
>> the requester. So if for some reason you have one request timeout, all
>> other requests to that backend by that worker will fail for retry seconds.
>> So if one of your users times out because Duo is unresponsive, it will fail
>> for all requests for retry seconds. The retry mechanism works well in a
>> load balancing environment, but probably less so if not.
>>
>> We've been bitten by this in the past. Can't remember the specifics, and it
>> wasn't against Shib. But now we set retry to 0 as whatever it was that
>> caused it should not effectively cause a denial of service to everything
>> that it did.
>> ------------------------------
>> *From:* users <users-bounces@shibboleth.net> on behalf of Cameron Kerr <
>> cameron.kerr@otago.ac.nz>
>> *Sent:* Tuesday, September 18, 2018 8:23:33 PM
>> *To:* Shib Users
>> *Subject:* RE: AJP Users Out There
>>
>>
>> I would have thought 'timeout' would be cleaner... What are the semantics
>> of 'retry' with regard to things like POST and replay detection?
>>
>>
>>
>> That said, I'm from New Zealand, and our instructions (Tuakiri
>> Federation) are based very much on the AAF documentation. I've seen no
>> obvious problems from using retry=5 (at least, none that I could account
>> for) in the several years our IdP has run.
>>
>>
>>
>> Hope that helps,
>>
>> Cameron
>>
>>
>>
>> *From:* users <users-bounces@shibboleth.net> *On Behalf Of *Hugo Slavia
>> *Sent:* Wednesday, 19 September 2018 1:16 PM
>> *To:* Shib Users <users@shibboleth.net>
>> *Subject:* AJP Users Out There
>>
>>
>>
>> For the AJP users out there -- with Apache/Tomcat -- do you have a
>> preference between 'retry' or 'timeout' in the AJP configuration?
>>
>>
>>
>> For other services, we generally use the timeout (without retry) -- I saw
>> an example by the Australian Federation with 'retry' -
>> http://wiki.aaf.edu.au/tech-info/idpconf
>>
>>
>>
>>
>>
>> ProxyPass /idp ajp://localhost:8009/idp retry=5
>>
>>
>>
>> ProxyPass /idp ajp://localhost:8009/idp timeout=600
>> --
>> For Consortium Member technical support, see
>> https://wiki.shibboleth.net/confluence/x/coFAAg
>> To unsubscribe from this list send an email to
>> users-unsubscribe@shibboleth.net

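As an added illustration of the cascade Richard describes (this is a toy model written for this archive page, not code from the thread or from httpd's mod_proxy), the following Python models only the worker error-state timer that the `retry=` ProxyPass parameter controls: one failed request marks the worker as in error, and every request that arrives during the next `retry` seconds is rejected without contacting the backend, while `retry=0` attempts the backend on every request. The status codes and timeline are constructed for the model.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Model of a mod_proxy worker's error state (simplified; not httpd code).
@dataclass
class Worker:
    retry: int                          # ProxyPass retry= (seconds); 0 = always retry
    error_time: Optional[float] = None  # when the worker last entered error state
    log: List[Tuple[float, str]] = field(default_factory=list)

    def in_error(self, now: float) -> bool:
        # retry=0 means the worker is never parked in error state.
        if self.retry == 0 or self.error_time is None:
            return False
        return now - self.error_time < self.retry

    def handle(self, now: float, backend_ok: bool) -> str:
        # While parked, the proxy answers with an error itself; the backend
        # is never asked, so even a healthy backend cannot clear the state.
        if self.in_error(now):
            result = "error: worker in error state (not proxied)"
        elif backend_ok:
            self.error_time = None
            result = "200 proxied"
        else:
            # A stalled/failed backend request (e.g. a timeout) parks the worker.
            self.error_time = now
            result = "error: backend failed"
        self.log.append((now, result))
        return result

def simulate(retry: int, events: List[Tuple[float, bool]]) -> List[str]:
    """events: (timestamp in seconds, whether the backend would answer)."""
    worker = Worker(retry)
    return [worker.handle(t, ok) for t, ok in events]

def rejected_without_proxying(retry: int, events: List[Tuple[float, bool]]) -> int:
    """How many requests the proxy refused purely because of the retry window."""
    return sum(1 for r in simulate(retry, events) if "not proxied" in r)

# Constructed timeline: the first request times out against the backend
# (compare the thread-unsafe plug-in in the thread); the backend is healthy
# for every later request.
EVENTS = [(0.0, False), (0.5, True), (1.0, True), (3.0, True), (5.5, True)]

if __name__ == "__main__":
    for retry in (5, 0):
        print(f"retry={retry}:", simulate(retry, EVENTS))
```

With `retry=5` the single failure at t=0 turns the three healthy requests before t=5 into errors; with `retry=0` only the request that actually failed is affected.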