
I have set up a very simple Apache + Glassfish cluster configuration.

It works fine if I create and use a listener that uses the default http-listener-1.

However, if I switch to a secure listener which uses http-listener-2, then the connection is established but then dropped, with the user getting a 502 Bad Gateway error, and I have this message in mod_jk.log:

[Wed Dec 04 16:17:55.905 2019] [6957:139970911750336] [debug] jk_open_socket::jk_connect.c (674): socket TCP_NODELAY set to On
[Wed Dec 04 16:17:55.905 2019] [6957:139970911750336] [debug] jk_open_socket::jk_connect.c (711): socket SO_KEEPALIVE set to On
[Wed Dec 04 16:17:55.905 2019] [6957:139970911750336] [debug] jk_open_socket::jk_connect.c (763): timeout 300 set for socket=16
[Wed Dec 04 16:17:55.905 2019] [6957:139970911750336] [debug] jk_open_socket::jk_connect.c (798): trying to connect socket 16 to 10.0.10.4:28010
[Wed Dec 04 16:17:55.906 2019] [6957:139970911750336] [debug] jk_open_socket::jk_connect.c (824): socket 16 [10.0.30.4:39278 -> 10.0.10.4:28010] connected

other log entries in between....

[Wed Dec 04 16:17:55.907 2019] [6957:139970911750336] [debug] ajp_send_request::jk_ajp_common.c (1779): (worker1) request body to send 0 - request body to resend 0
[Wed Dec 04 16:17:55.909 2019] [6957:139970911750336] [debug] jk_shutdown_socket::jk_connect.c (931): About to shutdown socket 16 [10.0.30.4:39278 -> 10.0.10.4:28010]
[Wed Dec 04 16:17:55.909 2019] [6957:139970911750336] [debug] jk_is_input_event::jk_connect.c (1410): error event during poll on socket 16 [10.0.30.4:39278 -> 10.0.10.4:28010] (event=16)
[Wed Dec 04 16:17:55.909 2019] [6957:139970911750336] [debug] jk_shutdown_socket::jk_connect.c (1015): Shutdown socket 16 [10.0.30.4:39278 -> 10.0.10.4:28010] and read 0 lingering bytes in 0 sec.
[Wed Dec 04 16:17:55.909 2019] [6957:139970911750336] [info] ajp_connection_tcp_get_message::jk_ajp_common.c (1339): (worker1) can't receive the response header message from tomcat, tomcat (10.0.10.4:28010) has forced a connection close for socket 16

The configuration is quite standard; the only difference is that I am using a personal certificate built with my internal certification authority. The certificate has been successfully added to the keystore, and if I access the web app directly through port 8181 it works (with some warnings) and I can inspect my certificate.

Here is the https.conf part

  # Sample app
  JkMount /sample loadbalancer
  JkMount /sample/* loadbalancer

the workers.properties

worker.list=worker1,loadbalancer

# default properties for workers
worker.template.type=ajp13
worker.template.port=28010
worker.template.lbfactor=50
worker.template.connection_pool_timeout=600
worker.template.socket_keepalive=1
worker.template.socket_timeout=300

# properties for worker1
worker.worker1.reference=worker.template
worker.worker1.host=myhost.com

# properties for loadbalancer
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=worker1

Here is the jk connector on Glassfish; as you see it's on port 28010, which I have made sure is open.


Leonardo

1 Answer


After having spent some time investigating this issue and reading documents, I came to the conclusion that JK is not working with TLS. The security flag only applies to the http listener.

One possible working option I have experimented with is to open a tunnel between the HTTPD and the Glassfish instances. It's easy, but it may have some downsides. The most important is that the SSH connection may go down. Building a service that restarts the tunnel in this case can also be done, but it was beyond my knowledge (and timing).

Because the network on which the instances reside is already well protected, I ended up communicating to JK through a non-secure connection.

Leonardo
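The tunnel option in the answer, with the "service that restarts the tunnel" it mentions, as an added example that is not part of the original post: a systemd unit on the Apache host keeps an SSH tunnel from a local port to the AJP connector on the Glassfish instance (10.0.10.4:28010 from the log above) and restarts it whenever the link drops. The unit path, the `jktunnel` user, the key path and the localhost binding are assumptions.

```ini
# /etc/systemd/system/ajp-tunnel.service   (assumed path)
[Unit]
Description=SSH tunnel carrying mod_jk AJP traffic to the Glassfish instance
After=network-online.target
Wants=network-online.target

[Service]
# -N: no remote command, forwarding only
# -L: local 127.0.0.1:28010 -> 127.0.0.1:28010 on the Glassfish host
# ServerAlive*: a dead link is noticed within ~45 s and ssh exits,
#               so Restart=always brings the tunnel back
# ExitOnForwardFailure: fail (and restart) if the port cannot be bound
# BatchMode/StrictHostKeyChecking: never hang on a prompt, never accept
#               an unknown host key (pre-populate known_hosts for the user)
ExecStart=/usr/bin/ssh -N \
    -o BatchMode=yes \
    -o ExitOnForwardFailure=yes \
    -o StrictHostKeyChecking=yes \
    -o ServerAliveInterval=15 \
    -o ServerAliveCountMax=3 \
    -i /etc/jktunnel/id_ed25519 \
    -L 127.0.0.1:28010:127.0.0.1:28010 \
    jktunnel@10.0.10.4
User=jktunnel
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
```

With this in place, `worker.worker1.host` in workers.properties points at 127.0.0.1 and the jk-connector on the Glassfish side is bound to localhost only, so the plaintext AJP stream never leaves either host.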