Hazelcast Discovery multicast error in kubernetes - kubernetes

I have a problem with the comunication of 2 pods with hazelcast, my hazelcast.xml is:
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright (c) 2008-2018, Hazelcast, Inc. All Rights Reserved.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<hazelcast xsi:schemaLocation="http://www.hazelcast.com/schema/config hazelcast-config-3.11.xsd"
xmlns="http://www.hazelcast.com/schema/config"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<management-center> enabled="the url of my manager center</management-center>
</hazelcast>
The pods with hazelcast have a service which his endpoints are the pods with hazelcast. But each pod with hazelcast cant see the other, I have tried to include this in hazelcast.xml:
<network>
<join>
<multicast enabled="true">
<multicast-group>service_name.namespace.svc.cluster.local</multicast-group>
<multicast-port>5701</multicast-port>
</multicast>
</join>
</network>
where service_name is the service name which his endpoints are hazelcast pods and namespace my namespace, but hazelcast pod gives me this error:
SEVERE:
[3.12.13-SNAPSHOT] Not a multicast address
java.net.SocketException: Not a multicast address

Kubernetes usually does not support multicast, therefore to set up Hazelcast cluster you should use the Hazelcast Kubernetes plugin for discovery.
Please check the following link to get more details on the ways you can configure it: https://docs.hazelcast.com/hazelcast/latest/deploy/deploying-in-kubernetes

Related

ca siteminder saml sso proxyrule namespace case can not forward

everyone
our policyserver is 12.8
and run on redhat
and our sampl sso is ok
and we access application via relaystate ,
and we want to access more applications
and we want to access : https://fed.test.com.cn/test,https://fed.test.com.cn/prd,
we want to judge when is test ,forward to one place ,and judge when is prd ,forward to another place
and our proxyrule is here :
<?xml version="1.0"?>
<?cocoon-process type="xslt"?>
<!DOCTYPE nete:proxyrules SYSTEM "file:////app/siteminder/agent/agentfed/secure-proxy/proxy-engine/conf/dtd/proxyrules.dtd">
<!-- Proxy Rules -->
<!-- replace www.example.com with your namespace -->
<nete:proxyrules xmlns:nete="https://fed.test.com.cn/" debug="yes">
<nete:cond criteria="beginswith" type="uri">
<!-- replace /dir1 with an appropriate URI -->
<nete:case value="/test">
<!-- replace http://server1.example.com with the appropriate destination server -->
<nete:forward>https://10.164.29.65$0</nete:forward>
</nete:case>
</nete:cond>
</nete:proxyrules>
but when we passed https://fed.test.com/affwebservices/public/saml2assertionconsumer,
we found not forward to destination server.
so ,where is wrong ,we did not found errors in logs
can anyone help us ?
we are in hurry
Proxy rules don't apply to /affwebservices, that's a different "app" on SPS itself.

Accessing Kubernetes Dashboard

I can access kubernetes dashboard when run kubectl proxy --port=8001 and able to sign in with the token that ı recieved from secret.
http://localhost:8001/api/v1/namespaces/prod/services/http:kubernetes-dashboard:http/proxy/#/about?namespace=default
But when I expose my application via ingress I can also access the UI but I can not sign in with the token that ı can sign in for local. I am struggling to resolve this issue any help will be appreciated.
{
"jweToken": "",
"errors": [
{
"ErrStatus": {
"metadata": {},
"status": "Failure",
"message": "MSG_LOGIN_UNAUTHORIZED_ERROR",
"reason": "Unauthorized",
"code": 401
}
}
]
}
curl -v http://..../ -H "" Output
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: no-store
< Content-Type: text/html; charset=utf-8
< Date: Tue, 18 Feb 2020 14:28:28 GMT
< Last-Modified: Fri, 07 Feb 2020 13:15:14 GMT
< Vary: Accept-Encoding
< Content-Length: 1262
<
<!--
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
ingress logs
8T14:21:42Z"}
{"level":"warning","msg":"Endpoints not available for prod/kubernetes-dashboard","time":"2020-02-18T14:21:42Z"}
{"level":"warning","msg":"Endpoints not available for prod/kubernetes-dashboard","time":"2020-02-18T14:21:43Z"}
{"level":"warning","msg":"Endpoints not available for prod/kubernetes-
When I expose my application via ingress I can also access the UI but I can not sign in with the token that I can sign in for local.
According to Kubernetes Dashboard documentation, since version 1.7.x (2017) you can still access dashboard via HTTP the same way older versions does when doing with localhost.
But when you choose to expose it:
Dashboard should not be exposed publicly over HTTP. For domains accessed over HTTP it will not be possible to sign in. Nothing will happen after clicking Sign in button on login page.
In order to expose your dashboard you need to configure HTTPS access.
You mentioned in the comments you are running Kubernetes On Premise and that you wish to access the dashboard via NodeIP.
In this case follow: Accessing Dashboard via NodePort.
Remember that instead of accessing https://<master-ip>:<nodePort> you should access https://<node-ip>:<nodePort> of the node which dashboard is installed.
If you have any doubts let me know in the comments and I'll help you.

MacOS - Port 443 required by Tomcat v7.0 Server at localhost is already in use

I try to run a local tomcat7 server from my Eclipse on port 443.
But when I try to start it I get the following error:
Port 443 required by Tomcat v7.0 Server at localhost is already in
use. The server may already be running in another process, or a system
process may be using the port. To start this server you will need to
stop the other process or change the port number(s).
I looked around and saw a few answers to similar questions but can't get it to work.
I tried running Eclise as ROOT
$ sudo open /Applications/Eclipse.app
I also made sure that nothing is running on port 443
$ lsof -i :443
This returns nothing
When I go to 127.0.0.1:443 (http and https), I get the following result:
This site can’t be reached
127.0.0.1 refused to connect.
my local tomcat (defined in Eclipse) server.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--><!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
--><Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener"/>
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource auth="Container" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase" pathname="conf/tomcat-users.xml" type="org.apache.catalina.UserDatabase"/>
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="443"/>
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
-->
<!-- Define a SSL HTTP/1.1 Connector on port 443
This connector uses the BIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<Connector port="443"
protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keyAlias="dev-tomcat-cert-es"
keystoreFile="<the correct path to the keystore file>"
keystorePass="<the correct password>"
/>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine defaultHost="localhost" name="Catalina">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>
<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>
<Context docBase="ct-server" path="/app" reloadable="true" source="org.eclipse.jst.jee.server:ct-server"/></Host>
</Engine>
</Service>
</Server>
I am wondering if MacOs is running something on this port that I can't see.
Or if there is some kind of loop in my configuration which tries to connect twice to the port.
I am using MacOs-Sierra
Any help would be appreciated.
Thanks.
Follow one single step:
1) Delete the server you have created.
a)then create new server ofcourse (i hv attached screenshots for steps)
[Delete your current server][1]
For Creating new server:
1)create new server and delete previously added Configure Environment Variable
Create new server (1)
[click on configure environment variables][3]
[remove the previously added variable and create new][4]
while adding new click next and look for your installed jre
This error shows up if you installed tomcat on MacOs-Sierra using brew.
#Michael-O is right - you need to be root.
One good way to get round that is to bind to 8443 instead of 443. Changing ports unleashes another error about the server not starting within the set timeout.
Either that or the "document does not exist error" will hit first.
The hurdles aren't few. The easiest option - install tomcat using a zip file.
Go to https://tomcat.apache.org/download-70.cgi, download a zip, unzip it and in Eclipse, create a new server and specify "tomcat installation directory" as the unzipped file.

Regarding the yang model for netconf xml file

Team
I have the below xml file:
<?xml version="1.0" encoding="utf-8"?>
<rpc message-id="${TIMESTAMP}" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<get-config>
<source>
<running></running>
</source>
<filter>
<interface-configurations xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ifmgr-cfg"/>
</filter>
</get-config>
</rpc>
Q1: Will this netconf xml file have a yang model?
Q2: How can i access the underlying yang model(file) for this xml file?
Q1: Will this netconf xml file have a yang model?
You can easily determine if a device is using YANG to model its content from its <hello> message. Compliant devices advertise the YANG modules they support. The advertised capabilities will differ for YANG 1 and YANG 1.1.
For YANG 1 (RFC6020), this is what the specification says (5.6.4.1):
Servers indicate the names of supported modules via the <hello>
message. Module namespaces are encoded as the base URI in the
capability string, and the module name is encoded as the "module"
parameter to the base URI.
A server MUST advertise all revisions of all modules it implements.
For example, this <hello> message advertises one module "syslog".
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capability>
http://example.com/syslog?module=syslog&revision=2008-04-01
</capability>
</hello>
For YANG 1.1 (RFC7950), in 5.6.4:
A NETCONF server MUST announce the modules it implements (see
Section 5.6.5) by implementing the YANG module "ietf-yang-library"
defined in [RFC7895] and listing all implemented modules in the
"/modules-state/module" list.
The server also MUST advertise the following capability in the
<hello> message (line breaks and whitespaces are used for formatting
reasons only):
urn:ietf:params:netconf:capability:yang-library:1.0?
revision=<date>&module-set-id=<id>
The parameter "revision" has the same value as the revision date of
the "ietf-yang-library" module implemented by the server. This
parameter MUST be present.
The parameter "module-set-id" has the same value as the leaf
"/modules-state/module-set-id" from "ietf-yang-library". This
parameter MUST be present.
With this mechanism, a client can cache the supported modules for a
server and only update the cache if the "module-set-id" value in the
<hello> message changes.
can't seem to find a way to stop the above blockquote, hence this
Q2: How can i access the underlying yang model(file) for this xml file?
Device manufacturers usually provide a download page on their website, where you obtain their YANG files. Note that not all devices support YANG. NETCONF does not specify what content is modeled with; could be a bunch of XSD schemas, YANG, RelaxNG, etc., though YANG was designed with this purpose in mind (initially).
There is also an optional standard operation defined, called <get-schema>, which is part of ietf-netconf-monitoring YANG module. You first discover available schema, then obtain them. Since it is optional, not all devices support it.
<?xml version="1.0" encoding="utf-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
<get>
<filter type="subtree">
<ncm:netconf-state xmlns:ncm="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">
<ncm:schemas/>
</ncm:netconf-state>
</filter>
</get>
</rpc>
<?xml version="1.0" encoding="utf-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
<data>
<netconf-state xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">
<schemas>
<schema>
<identifier>ietf-inet-types</identifier>
<version>2013-07-15</version>
<format>yang</format>
<namespace>urn:ietf:params:xml:ns:yang:ietf-inet-types</namespace>
<location>NETCONF</location>
</schema>
<!-- ... -->
</schemas>
</netconf-state>
</data>
</rpc-reply>
<?xml version="1.0" encoding="utf-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="8">
<get-schema xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">
<identifier>ietf-interfaces</identifier>
<version>2014-05-08</version>
<format>yang</format>
</get-schema>
</rpc>
<?xml version="1.0" encoding="utf-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="8">
<data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">module ietf-interfaces {
namespace "urn:ietf:params:xml:ns:yang:ietf-interfaces";
prefix if;
// ...
}
</data>
</rpc-reply>

HAProxy https on Openshift ends in redirect loop on non-local gears

I have a Tomcat 7 (JBoss EWS 2.0) app with HAProxy Web Load Balancer. Https works fine when there is only one server running but as soon as I add another one (by setting minimum number of gears to 2), a problem occurs.
I have checked out the GEAR cookie when connecting and as soon as it is the local gear local-569aaabf0c1e661db1000004 the connection is established, but the 569aadaa89f5cff3c9000058-petrfox GEAR cookie makes trouble.
The problem is that every attempt to connect, which is redirected (by the load balancer) to the newly started gear, ends in 302 redirect loop (by accessing https://dftestapp-petrfox.rhcloud.com/ I get 302 with header Location:https://dftestapp-petrfox.rhcloud.com/).
You can try it on the link above - if the page loads, just remove the GEAR cookie and refresh, you will be most probably redirected to the other one gear this time.
Generated HAProxy configuration (haproxy.cfg) is
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
#log 127.0.0.1 local2
maxconn 256
# turn on stats unix socket
stats socket /var/lib/openshift/569aaabf0c1e661db1000004/haproxy//run/stats level admin
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
#option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 128
listen stats 127.7.244.3:8080
mode http
stats enable
stats uri /
listen express 127.7.244.2:8080
cookie GEAR insert indirect nocache
option httpchk GET /
http-check expect rstatus 2..|3..|401
balance leastconn
server gear-569aadaa89f5cff3c9000058-petrfox ex-std-node827.prod.rhcloud.com:56761 check fall 2 rise 3 inter 2000 cookie 569aadaa89f5cff3c9000058-petrfox
server local-gear 127.7.244.1:8080 check fall 2 rise 3 inter 2000 cookie local-569aaabf0c1e661db1000004
I tried to turn off forcing https in my app (by removing <intercept-url pattern="/**" requires-channel="https"/> in applicationContext-security.xml), used just http and it worked. Therefore I assume there must be some more https configuration needed. But my question is where and what do I need to configure? I find it strange that it doesn't work with the generated configuration, because load balancing is something why one chooses Openshift and https is in some circumstances a must have. It is also strange to me that everything goes well when you are redirected to the local-gear.
I didn't find any material which would be any of help. Could you please help me with this problem?
UPDATE: I don't know where the problem is, but it could be in settings of the server. Here is the config file server.xml (which I had never changed)
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="-1" shutdown="SHUTDOWN">
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector address="${OPENSHIFT_JBOSSEWS_IP}"
port="${OPENSHIFT_JBOSSEWS_HTTP_PORT}"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"/>
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /-->
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="false" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- RemoteIp valve, pass protocol header from proxy. -
http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
-->
<Valve
className="org.apache.catalina.valves.RemoteIpValve"
protocolHeader="x-forwarded-proto"
/>
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<!--
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
-->
</Host>
</Engine>
</Service>
</Server>
I had a similar problem with Too many redirects and the scalable Tomcat gear.
You can try to configure your server.xml and web.xml as the Technical FAQ suggests for Tomcat:
How do I redirect traffic to HTTPS.
Unfortunately, it didn't quite worked well for me. Everything was running ok if my app had only one gear - http traffic was being redirected to https. However, when I turned on the application scaling and the second gear was started, the Too many redirects error was appearing after every redeploy.
I was unable to resolve this. I've ended up in using the default Tomcat config and redirecting the unsecure traffic to https in my application's controllers (inspired by the Technical FAQ's answer for Node.js here). Everything works fine now.