Thursday, July 28, 2011

Can I have a single static IP for my Amazon Load Balancer?

No.. that is not possible! 


Amazon's ELB is itself load balanced... It does not have a 1:1 correspondence with IP addresses. Instead it takes the requests for a specific LB and redirects them to one of several possible machines Amazon runs, which in turn forward the user's request to the servers behind the LB.


This avoids any bottlenecks, but in turn prevents us from using a single static IP for the load balancer.



Since a CNAME can't be the root of your domain (the root must be an A record), you can't fully balance traffic to your domain.
At the moment, customers have to forward all traffic from the root to a CNAME, i.e. from http://example.com to http://www.example.com, to load balance their domains. This introduces a single point of failure: if the server you allocate to serve traffic for the root of your domain goes down, nobody gets forwarded.
In addition, this root server isn't load balanced, so it receives all the initial traffic to your site. This defeats ELB's purpose somewhat.

Wednesday, July 27, 2011

How to Install Tomcat7 on Ubuntu using apt-get

As of this writing there isn't an apt-get package for installing Tomcat 7 on Ubuntu, so you need to install it manually. It's easy... all you have to do is follow the simple steps listed below:

Assuming you already have a JRE/JDK installed on your Ubuntu box, we will jump straight to installing Tomcat....


1.  Download the Tomcat 7 tarball (apache-tomcat-7.0.19.tar.gz). As of writing this post this is the latest one...

2.  Unpack the downloaded file with the command:

tar xvzf apache-tomcat-7.0.19.tar.gz

3.  Now we will move everything to a more meaningful directory, like tomcat7. Here is what you need to do:

sudo mv apache-tomcat-7.0.19/ /usr/share/tomcat7

4.  Modify catalina.sh so that it points to the correct JRE you want to use. This file can be found in /usr/share/tomcat7/bin.

5.  Just insert the JAVA_HOME and JRE_HOME settings after the first line.

That's all you had to do... You can try running it with the following command and check:

sudo /usr/share/tomcat7/bin/startup.sh

The output should show various things like:
Using CATALINA_BASE: /usr/share/tomcat7
Using CATALINA_HOME: /usr/share/tomcat7
Using JRE_HOME: /usr/local/jdk1.6.0_20/jre
Using CLASSPATH: /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar


Check if you are able to get to the home page at http://localhost:8080. This should bring up the Tomcat 7 home page.

If you want to stop the server use:

sudo /usr/share/tomcat7/bin/shutdown.sh

Automatic Starting

To make Tomcat start automatically when the machine boots, add an init script that handles start and stop.


sudo gedit /etc/init.d/tomcat7

Now paste in the following:


#!/bin/sh
# Tomcat auto-start
#
# description: Auto-starts tomcat
# processname: tomcat
# pidfile: /var/run/tomcat.pid

case "$1" in
  start)
    sh /usr/share/tomcat7/bin/startup.sh
    ;;
  stop)
    sh /usr/share/tomcat7/bin/shutdown.sh
    ;;
  restart)
    sh /usr/share/tomcat7/bin/shutdown.sh
    sh /usr/share/tomcat7/bin/startup.sh
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0

You’ll need to make the script executable by running the chmod command:


sudo chmod 755 /etc/init.d/tomcat7

The last step is linking this script into the runlevel directories with symbolic links. Execute these two commands and we should be on our way.

sudo ln -s /etc/init.d/tomcat7 /etc/rc1.d/K99tomcat
sudo ln -s /etc/init.d/tomcat7 /etc/rc2.d/S99tomcat



References: http://diegobenna.blogspot.com/2011/01/install-tomcat-7-in-ubuntu-1010.html 

Thursday, July 21, 2011

Workaround for authenticating application to Proxy Server without modifying the app itself

This week we ran into an issue with proxy servers. The server needed authentication and our sample code does not allow any authentication mechanism for that. Thanks to my colleague Ajay, who taught me how to do that with a simple configuration in web.xml.

.NET's default web proxy does not have the UseDefaultCredentials flag switched on by default; it's false. If true, this property authenticates to the web service/proxy using the credentials of the currently logged-on user, and for client applications this is the desired behavior in most scenarios.

So all you have to do is put this in web.config or app.config inside the <configuration> tag:

<system.net>
  <defaultProxy useDefaultCredentials="true" />
</system.net>

This workaround can work in a testing environment but might not work in production, as it uses the current user's credentials to authenticate to the proxy server, and in production the current user (the IIS admin/service account) may not have access to the internet.

Transferring or Copying AMI from one Amazon Region to Another

There is no direct way provided by Amazon to do this, but it can certainly be done. Here is how:
Suppose you want to transfer an Amazon AMI from North America's us-east-1 region to the APAC region (ap-southeast-1); here is all you need to do:

In the APAC region:

1.  Create a new key pair and save it.

2.  Create a new small instance of an Ubuntu AMI.

3.  Create a 15 GiB volume in the same region.

4.  Attach the volume to the new instance, e.g.:

ec2-attach-volume --region ap-southeast-1 -d /dev/sdh -i <instanceid> <volumeid>

5.  Log in to the new instance and give proper rights to the new volume:

sudo chmod a+rw /dev/sdh

In the NA region:

6.  Spin up an instance of the AMI that you want to transfer to the APAC region.

7.  Log in to this instance and run the following command to transfer its root device to the new volume we created in the APAC region (the volume was attached as /dev/sdh, so that is the device we write to):

sudo dd if=/dev/sda1 | ssh -i your-apac-key.pem public-dns-of-apac-instance dd of=/dev/sdh

This is a binary transfer so it takes a hell of a lot of time and doesn't print any progress, so all you need to do is wait and get a coffee for yourself..

Back in the APAC region:

8.  Stop the instance and detach both volumes from the APAC instance:

ec2-detach-volume --region ap-southeast-1 -d /dev/sdh -i <instanceid> <volumeid>

9.  Attach the new volume that we created to this instance.

10. Lastly, update the instance's package sources to the new region:

cd /etc/apt
sudo vi sources.list
:1,$s/us-east-1/ap-southeast-1/
:wq
sudo apt-get update
sudo apt-get upgrade

Now you can create a new AMI of this instance. It will be exactly the same as the one in the NA region.


Friday, July 8, 2011

Advantages of Terminating SSL connection on Load Balancer


  • The SSL server certificate used to terminate client connections can be managed centrally on the load balancer, rather than on every individual application instance.
  • The work of encrypting and decrypting SSL traffic is moved from the application instance to the load balancer.
  • All of the features available for HTTP can be used with HTTPS connections as well.

If you plan to terminate SSL on the load balancer there is one security consideration you must be aware of: the traffic flowing between your load balancer and the application instance. Since SSL is terminated on the LB, all traffic from the load balancer to the application instance is unencrypted. You need to make sure the application instance's security group (in Amazon Web Services) allows only LB traffic to enter the application instances.

To see how exactly you need to do it visit: http://docs.amazonwebservices.com/ElasticLoadBalancing/2011-04-05/DeveloperGuide/index.html?elb-security-features.html#using-elb-security-groups

Thursday, July 7, 2011

Starting Tomcat with jpda to do real time Debugging of Web application

If you are planning to debug a Tomcat application using Eclipse's remote debugger you need to start Tomcat with JPDA. In Ubuntu the Tomcat init script does not have a jpda command-line parameter, so you need to make a small change to your startup script to enable it.

Here is all you need to do:

1. Add following lines into /etc/init.d/tomcat6 :

# Start the JVM with the JDWP debug agent only when "jpda" is passed as the second argument.
# address=8000 makes the agent listen on all interfaces, so keep port 8000 reachable only from your workstation.
if [ "$2" = "jpda" ]
then
    JPDA_OPTS="-Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n"
fi
CATALINA_OPTS="$JPDA_OPTS"


2. Edit the below line in /etc/init.d/tomcat6

$DAEMON -user "$TOMCAT6_USER" -cp "$JSVC_CLASSPATH" \
                    -outfile SYSLOG -errfile SYSLOG \
                    -pidfile "$CATALINA_PID" $JAVA_OPTS "$BOOTSTRAP_CLASS"

to become 

$DAEMON -user "$TOMCAT6_USER" -cp "$JSVC_CLASSPATH" \
                    -outfile SYSLOG -errfile SYSLOG \
                       $CATALINA_OPTS \
                    -pidfile "$CATALINA_PID" $JAVA_OPTS "$BOOTSTRAP_CLASS"

3.  Now start Tomcat with jpda as a command-line parameter:

sudo service tomcat6 start jpda

Command to find active TCP connections

Use the netstat command as below to see active TCP connections. It will tell you the state of each connection, e.g. whether a TCP SYN has been sent, the connection is ESTABLISHED, or it is in CLOSE_WAIT, which means it is waiting to close the connection once it gets an acknowledgement back from the remote machine that it received all the data.

netstat -tan
 or
netstat -tag

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:10050           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.202.149.48:22        XXX.XXX.XXX.XXX:48185     ESTABLISHED
tcp6       0      0 :::10052                :::*                    LISTEN
tcp6       0      0 :::8009                 :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::54803                :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
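The output above is easy to eyeball on one box, but a defender usually wants to summarise it: how many sockets are in each state, and which ports are listening on every interface (0.0.0.0 or ::) and therefore must be covered by the firewall or security group. The following parser is an added example, not part of the original post; the sample lines are constructed after the output shown above.

```python
from collections import Counter

# Constructed sample in the layout printed by `netstat -tan`, with the
# remote address of the SSH session redacted as on the page.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:10050           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 10.202.149.48:22        XXX.XXX.XXX.XXX:48185   ESTABLISHED
tcp        0      0 10.202.149.48:80        XXX.XXX.XXX.XXX:51022   CLOSE_WAIT
tcp6       0      0 :::8009                 :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
"""

WILDCARD_HOSTS = {"0.0.0.0", "::"}  # "listen on every interface"


def split_addr(addr):
    """Split 'host:port' at the last colon so IPv6 addresses like :::443 work."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per TCP socket line; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        proto, _recvq, _sendq, local, foreign, state = parts[:6]
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": int(lport),
                     "foreign_host": fhost, "foreign_port": fport, "state": state})
    return rows


def state_counts(rows):
    """How many sockets are in each TCP state (LISTEN, ESTABLISHED, CLOSE_WAIT, ...)."""
    return Counter(r["state"] for r in rows)


def exposed_listeners(rows):
    """Sorted ports that listen on all interfaces; check these against your security group."""
    return sorted({r["local_port"] for r in rows
                   if r["state"] == "LISTEN" and r["local_host"] in WILDCARD_HOSTS})


if __name__ == "__main__":
    sockets = parse_netstat(SAMPLE_NETSTAT)
    print(dict(state_counts(sockets)))
    print("listening on all interfaces:", exposed_listeners(sockets))
```

Pipe real output in with `netstat -tan | python3 netstat_summary.py` after replacing the constructed sample with `sys.stdin.read()`.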

Enabling Tomcat Access Logs

By default they seem to be disabled...

Just uncomment the following in server.xml and restart Tomcat:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>



If this isn't present in server.xml, insert it just before the Host section closes, i.e. before </Host>.
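Once the valve is on, the "common" pattern writes one line per request in the form `%h %l %u %t "%r" %s %b`. Here is an added example (not from the original post) that parses those lines and reports clients producing repeated 4xx responses, the kind of summary you would run over localhost_access_log.*.txt; the log lines and client addresses are constructed.

```python
import re
from collections import Counter

# One line written by the AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
COMMON_LOG = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample lines (hypothetical clients and paths) plus one malformed line.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [28/Jul/2011:10:15:32 +0000] "GET /app/admin HTTP/1.1" 403 1204
192.0.2.10 - - [28/Jul/2011:10:15:33 +0000] "GET /app/admin HTTP/1.1" 403 1204
198.51.100.7 - - [28/Jul/2011:10:16:01 +0000] "GET /index.jsp HTTP/1.1" 200 11217
203.0.113.5 - alice [28/Jul/2011:10:16:20 +0000] "POST /app/login HTTP/1.1" 302 -
this line is not in common format
"""


def parse_common_log(text):
    """Parse every line; return (records, number_of_lines_skipped)."""
    rows, skipped = [], 0
    for line in text.splitlines():
        m = COMMON_LOG.match(line)
        if not m:
            skipped += 1          # keep going; one bad line must not hide the rest
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        # %b prints '-' rather than 0 when no body was sent
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        parts = rec["request"].split(" ", 2)
        parts += [""] * (3 - len(parts))  # tolerate a "-" or truncated request line
        rec["method"], rec["path"], rec["protocol"] = parts
        rows.append(rec)
    return rows, skipped


def clients_with_errors(rows, threshold):
    """Client addresses with at least `threshold` 4xx responses, most frequent first."""
    counts = Counter(r["host"] for r in rows if 400 <= r["status"] < 500)
    return {host: n for host, n in counts.most_common() if n >= threshold}


if __name__ == "__main__":
    records, bad = parse_common_log(SAMPLE_ACCESS_LOG)
    print(f"{len(records)} requests parsed, {bad} lines skipped")
    print(clients_with_errors(records, threshold=2))
```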