Netfilter has dropped the connection from the state table. One of the timeouts in /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_* has expired. I'm guessing it is nf_conntrack_tcp_timeout_last_ack.
Here is a scenario: Your web server sends a final packet with some data and fin set. The client goes comatose for 30 seconds. Netfilter removes the entry from the state table. The client wakes up and sends a fin ack that is not part of a tracked connection anymore.
I see this all the time on web servers. It is a client problem.
If you want to verify that, you could record the state table (/proc/net/nf_conntrack) and correlate it with the firewall log.
Edit: I had the direction reversed but the concept applies. In this case his server is making outgoing https connections so it is actually the client and the remote web server may be slow to respond.
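The correlation the answer above suggests, as an added example (not code from the answer's author): the conntrack dump and the iptables LOG lines are constructed samples, and `state_for`, `correlate` and `show_tcp_timeouts` are helper names chosen here. For a logged packet it looks up the TCP entry whose original or reply tuple matches and prints the state and seconds left on its timer, or UNTRACKED when netfilter has already forgotten the connection, which is the case the answer describes.

```shell
#!/bin/sh
# Correlate iptables LOG entries with a /proc/net/nf_conntrack dump.
# Both samples below are constructed for this example, not captured from a host.

SAMPLE_CONNTRACK='ipv4     2 tcp      6 28 LAST_ACK src=10.0.0.5 dst=203.0.113.10 sport=51234 dport=443 src=203.0.113.10 dst=10.0.0.5 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431990 ESTABLISHED src=10.0.0.5 dst=203.0.113.20 sport=51300 dport=443 src=203.0.113.20 dst=10.0.0.5 sport=443 dport=51300 [ASSURED] mark=0 zone=0 use=2'

SAMPLE_FWLOG='Mar 10 12:00:01 host kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=10.0.0.5 PROTO=TCP SPT=443 DPT=51234 ACK FIN URGP=0
Mar 10 12:00:05 host kernel: IN=eth0 OUT= SRC=203.0.113.30 DST=10.0.0.5 PROTO=TCP SPT=443 DPT=51400 ACK FIN URGP=0'

# state_for SRC DST SPT DPT: read a conntrack dump on stdin and print
# "STATE seconds_left" for the TCP entry whose original or reply tuple
# matches the packet, or UNTRACKED if no entry matches.
state_for() {
  awk -v s="$1" -v d="$2" -v sp="$3" -v dp="$4" '
    $3 != "tcp" { next }
    {
      # Collect src/dst/sport/dport in order: the first four values are the
      # original direction, the next four the reply direction. Walking the
      # fields instead of using fixed positions survives the [UNREPLIED]
      # flag that sits between the two tuples on half-open entries.
      n = 0
      for (i = 7; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "src" || kv[1] == "dst" || kv[1] == "sport" || kv[1] == "dport")
          v[++n] = kv[2]
      }
      orig = (v[1] == s && v[2] == d && v[3] == sp && v[4] == dp)
      repl = (v[5] == s && v[6] == d && v[7] == sp && v[8] == dp)
      if (orig || repl) { print $6, $5; found = 1; exit }
    }
    END { if (!found) print "UNTRACKED" }'
}

# correlate DUMP: read iptables LOG lines on stdin and annotate each with
# the conntrack state of the packet it describes.
correlate() {
  dump="$1"
  while IFS= read -r line; do
    set -- $(printf '%s\n' "$line" | awk '{
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC") s = kv[2]
        if (kv[1] == "DST") d = kv[2]
        if (kv[1] == "SPT") sp = kv[2]
        if (kv[1] == "DPT") dp = kv[2]
      }
      print s, d, sp, dp }')
    [ $# -eq 4 ] || continue   # not a LOG line
    state=$(printf '%s\n' "$dump" | state_for "$1" "$2" "$3" "$4")
    printf '%s:%s -> %s:%s %s\n' "$1" "$3" "$2" "$4" "$state"
  done
}

# show_tcp_timeouts: on a real host, print the TCP timers the answer refers to.
show_tcp_timeouts() {
  for f in /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_*; do
    [ -r "$f" ] && printf '%s=%s\n' "${f##*/}" "$(cat "$f")"
  done
  return 0
}

printf '%s\n' "$SAMPLE_FWLOG" | correlate "$SAMPLE_CONNTRACK"
```

On a live box replace the samples with `cat /proc/net/nf_conntrack` taken at the moment of the drop and the kernel LOG lines from syslog; a FIN/ACK with SPT=443 that comes back UNTRACKED while the table still held the entry in LAST_ACK a few seconds earlier is the signature of the timeout expiring.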
The rule
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
has nothing to do with it. It is about DST port 443 and this is SPT 443.
I would say this is the wrong approach.
In any case, I wouldn't want to have JBoss (or Tomcat) handle outside connections directly, other than for test purposes. It's not designed to handle outside connections directly.
Option 1
Have apache web server proxy to 127.0.0.1:8080
You need this somewhere in your apache setup
LoadModule proxy_module {path-to-modules}/mod_proxy.so
AddModule mod_proxy.c
Or with apache2
$ sudo a2enmod proxy proxy_http   # mod_proxy_http is needed for http:// backends
$ sudo apache2ctl restart
And in virtual hosts you could have several apps
ProxyPass /myapp http://localhost:8080/myapp
ProxyPassReverse /myapp http://localhost:8080/myapp
or have a unique one
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
after changing virtual hosts setting, no need to restart apache
$ sudo apache2ctl graceful
will update settings without dropping ongoing connections.
Option 2, using mod_ajp
$ sudo a2enmod proxy_ajp
$ sudo apache2ctl restart
adding this to your virtualhost
ProxyPass /app ajp://backend.example.com:8009/app
Assuming tomcat instance is configured to have ajp connector on port 8009.
Check tomcat settings.
http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html
Option 3, using mod_jk
http://tomcat.apache.org/connectors-doc/
You'll still have the other issue, which is to configure JBoss so that it creates links to :80; that will be a JBoss setting problem... I can't remember where it's set, all I can remember is that it took me a while to find out.
I've preferred using the ajp connector so far.
Sorry, I don't have access to a JBoss setup right now, perhaps someone can point us to where that setting is.
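Options 1 and 2 above as one deployment helper, added here as an example rather than code from the answer's author. `render_vhost` and `install_vhost` are names chosen for this example; the host names and paths in the usage are placeholders. The helper refuses an http:// backend that is not on loopback, since the whole point of the answer is that the application server should be reachable only through Apache, and it lets ajp:// backends through because Option 2 proxies to a separate host. `ProxyPreserveHost On` is included because it is the usual way to make the backend see the public host name, which is one common cause of the "links to :80" problem the answer mentions; it is not the JBoss-side setting the author could not recall.

```shell
#!/bin/sh
# render_vhost SERVER_NAME APP_PATH BACKEND_URL
# Print an Apache 2 virtual host that reverse-proxies APP_PATH to BACKEND_URL.
render_vhost() {
  name="$1"; path="$2"; backend="$3"
  case "$backend" in
    http://127.0.0.1:*|http://127.0.0.1/*|http://localhost:*|http://localhost/*) ;;
    ajp://*) ;;   # Option 2: AJP connector, possibly on another host
    http://*) echo "refusing non-loopback http backend: $backend" >&2; return 1 ;;
    *) echo "unsupported backend URL: $backend" >&2; return 1 ;;
  esac
  cat <<EOF
<VirtualHost *:80>
    ServerName $name
    # Never act as a forward proxy; ProxyPass does not need it and an open
    # forward proxy is a classic misconfiguration.
    ProxyRequests Off
    # Pass the client's Host header through so the backend builds links for
    # $name instead of for its own address and port.
    ProxyPreserveHost On
    ProxyPass $path $backend
    ProxyPassReverse $path $backend
</VirtualHost>
EOF
}

# install_vhost SERVER_NAME APP_PATH BACKEND_URL
# Write the site file on a Debian-style apache2 layout, enable the modules
# the chosen option needs, check the config and reload without dropping
# in-flight connections.
install_vhost() {
  command -v a2enmod >/dev/null 2>&1 || { echo "apache2 tools not found" >&2; return 1; }
  render_vhost "$@" > "/etc/apache2/sites-available/$1.conf" || return 1
  case "$3" in
    ajp://*) a2enmod proxy proxy_ajp >/dev/null ;;
    *)       a2enmod proxy proxy_http >/dev/null ;;
  esac
  a2ensite "$1.conf" >/dev/null
  apache2ctl configtest && apache2ctl graceful
}

# Usage (placeholders): print the Option 1 vhost for a loopback backend.
render_vhost www.example.com /myapp http://127.0.0.1:8080/myapp
```

Pair this with a Tomcat/JBoss HTTP connector bound to 127.0.0.1 only; the loopback check in `render_vhost` is what keeps you from quietly proxying to a backend that is also listening on a public address.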
Best Answer
Based on those articles it should work fine.
Just remember that if you do not have the traffic, you can always emulate it.
Use the Apache benchmark tool to generate some fake traffic.
Just make sure that the page you are loading takes a few seconds to load, to test the worst-case scenario.
I created a cookbook for you that proves that the configuration you provided works correctly.
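A small wrapper for the load test the best answer suggests, added here as an example and not part of the answer or its cookbook. `ab_summary`, `conntrack_count` and `load_test` are names chosen for this example, and the excerpt of ab output used to check the parser is constructed. The wrapper runs ab against a deliberately slow page, samples the conntrack table size before and after so you can see whether the state table is filling while slow connections are held open, and fails if ab reports any failed request.

```shell
#!/bin/sh
# Constructed excerpt of `ab` output, used to exercise the parser offline.
SAMPLE_AB='Concurrency Level:      20
Time taken for tests:   23.714 seconds
Complete requests:      1000
Failed requests:        3
Requests per second:    42.17 [#/sec] (mean)
Time per request:       474.280 [ms] (mean)'

# ab_summary: read ab output on stdin, print "complete failed requests_per_second".
ab_summary() {
  awk '/^Complete requests:/    { c = $3 }
       /^Failed requests:/      { f = $3 }
       /^Requests per second:/  { r = $4 }
       END { print c, f, r }'
}

# conntrack_count: current number of entries in the state table, or n/a
# when nf_conntrack is not loaded (e.g. on a workstation running the test).
conntrack_count() {
  f=/proc/sys/net/netfilter/nf_conntrack_count
  if [ -r "$f" ]; then cat "$f"; else echo n/a; fi
}

# load_test URL REQUESTS CONCURRENCY
# Hit URL (pick a page that takes a few seconds to render) with ab, show the
# conntrack table size around the run and return non-zero on failed requests.
load_test() {
  url="$1"; n="$2"; c="$3"
  command -v ab >/dev/null 2>&1 || { echo "ab (apache2-utils) is not installed" >&2; return 1; }
  echo "conntrack entries before: $(conntrack_count)"
  summary=$(ab -n "$n" -c "$c" "$url" 2>/dev/null | ab_summary)
  echo "conntrack entries after:  $(conntrack_count)"
  set -- $summary
  [ $# -eq 3 ] || { echo "could not parse ab output" >&2; return 1; }
  echo "complete=$1 failed=$2 req/s=$3"
  [ "$2" -eq 0 ]
}

# Usage (placeholder URL): load_test http://www.example.com/myapp/slow-report 1000 20
printf '%s\n' "$SAMPLE_AB" | ab_summary
```

Compare the "after" count with /proc/sys/net/netfilter/nf_conntrack_max; if the slow page keeps the concurrency you asked for in flight, the table size should rise by about that much during the run and fall back once the connections finish.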