It’s very common to terminate HTTPS (TLS) higher up in your server stack, but you still need the webapp running in Tomcat to generate its URLs with https even though Tomcat is called over plain http inside your network. This seems to be a very common problem that I keep seeing year after year, so this short article shows how to accomplish that and how to test that it’s working.

In this diagram https is terminated at the firewall, but that could just as well be a load balancer or even an http server like Nginx or Apache. For the test setup I’m actually using Nginx; for instructions on how to set up HTTPS with Nginx check out my post on setting up Nginx with Let’s Encrypt. Once you’ve set up https with Nginx, add the following location block to the server block that serves HTTPS. This will proxy all requests to the Tomcat http port 8080.

location ~ / {
      proxy_set_header   Host             $host;
      proxy_set_header   X-Real-IP        $remote_addr;
      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
      proxy_set_header   REMOTE_ADDR      $remote_addr;

      proxy_pass         http://localhost:8080;
}

Tomcat is actually really easy to configure so that it generates URLs with https when https is terminated somewhere higher in the stack. All you need is to add proxyPort, scheme, and secure to the connector in server.xml. Below is an example. If you are serving both http and https, create a separate connector for the https traffic that listens on a different port and proxy only the https traffic to that port.

<Connector port="8080" protocol="HTTP/1.1"
      proxyPort="443" scheme="https"
      secure="true" />

Now to check that it is actually working you need to verify that your servlet container sees those values correctly. For that purpose I’ve created a simple webapp which you can deploy and call through your stack. It shows whether each of the three checks passes and additionally shows the request URL and server name, so you can also check that any virtual hosts you use are passed correctly to the servlet container.

Download HTTPS Checker webapp. See the source in Github.

Creating a custom Nginx build for Ubuntu/Debian Thu, 07 Jul 2016 16:04:07 +0000

I’ve been using the RTCamp Ubuntu package for Nginx because it had the ngx_cache_purge and ngx_pagespeed modules built in. The problem with it is that it’s still stuck on the Nginx 1.8 version, which doesn’t support HTTP/2, so I had to figure out how to do my own build based on the latest Nginx mainline version.

These instructions apply to both Debian and Ubuntu, even though for my example I use Ubuntu 16.04 LTS. I’ll be adding the ngx_cache_purge, ngx_pagespeed and headers-more modules into the package.

Prepare for the build

I like to work on anything that requires compiling in /usr/local/src, so we’ll go there; you’ll also need to get the nginx package signing key to make apt happy.

cd /usr/local/src
apt-key add nginx_signing.key

I’m using the mainline of Nginx which gets more frequent updates than stable but is still just as stable.

cat <<-EOF > /etc/apt/sources.list.d/nginx.list
deb xenial nginx
deb-src xenial nginx
EOF

apt-get update

Get the build dependencies and the source code for nginx.

apt-get build-dep nginx
apt-get source nginx

At the time of writing the latest version of nginx I get from the repository is 1.11.2, so the nginx source is in the directory nginx-1.11.2. The Debian package files are under debian in the source tree, and that’s where I’m going to create a modules directory for the code of the modules I want included.

mkdir nginx-1.11.2/debian/modules
cd nginx-1.11.2/debian/modules

Get the modules

Now in the modules directory I’m going to download and extract the code for each of the modules I want included.

tar -zxvf 2.3.tar.gz

That extracts the ngx_cache_purge module to the directory ngx_cache_purge-2.3; remember that, as we’ll need it later.

tar -zxvf v1.11.33.2-beta.tar.gz
cd ngx_pagespeed-
tar -zxvf

For Google PageSpeed you’ll need to get both the nginx module and the PageSpeed implementation. Again note the module directory ngx_pagespeed-

tar -zxvf v0.30.tar.gz

Again note the directory where headers-more is extracted, which in this case is headers-more-nginx-module-0.30.

Configure compiler arguments

The last thing to do before we can actually build this is to add the modules into the actual build. That happens by modifying the rules file under the debian directory of the nginx source. I’ll simply add the --add-module lines as the last arguments to COMMON_CONFIGURE_ARGS. Note the backslash \ at the end of each line; make sure you remember to add it to the currently last argument, which in my case is --with-ld-opt="$(LDFLAGS)", so yours should look like this with the added lines at the end.

 --prefix=/etc/nginx \
 --sbin-path=/usr/sbin/nginx \
 --modules-path=/usr/lib/nginx/modules \
 --conf-path=/etc/nginx/nginx.conf \
 --error-log-path=/var/log/nginx/error.log \
 --http-log-path=/var/log/nginx/access.log \
 --pid-path=/var/run/ \
 --lock-path=/var/run/nginx.lock \
 --http-client-body-temp-path=/var/cache/nginx/client_temp \
 --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
 --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
 --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
 --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
 --user=nginx \
 --group=nginx \
 --with-http_ssl_module \
 --with-http_realip_module \
 --with-http_addition_module \
 --with-http_sub_module \
 --with-http_dav_module \
 --with-http_flv_module \
 --with-http_mp4_module \
 --with-http_gunzip_module \
 --with-http_gzip_static_module \
 --with-http_random_index_module \
 --with-http_secure_link_module \
 --with-http_stub_status_module \
 --with-http_auth_request_module \
 --with-http_xslt_module=dynamic \
 --with-http_image_filter_module=dynamic \
 --with-http_geoip_module=dynamic \
 --with-http_perl_module=dynamic \
 --add-dynamic-module=debian/extra/njs-ef2b708510b1/nginx \
 --with-threads \
 --with-stream \
 --with-stream_ssl_module \
 --with-http_slice_module \
 --with-mail \
 --with-mail_ssl_module \
 --with-file-aio \
 --with-ipv6 \
 $(WITH_HTTP2) \
 --with-cc-opt="$(CFLAGS)" \
 --with-ld-opt="$(LDFLAGS)" \
 --add-module="$(CURDIR)/debian/modules/ngx_cache_purge-2.3" \
 --add-module="$(CURDIR)/debian/modules/ngx_pagespeed-" \

Compile and build the package

Now you are ready to build the deb package. Make sure you are in the nginx source root.

cd /usr/local/src/nginx-1.11.2
dpkg-buildpackage -uc -b
cd ..

Install customized Nginx

Now you should have all the nginx packages built and can install them with dpkg, but when you install them you need to remember to tell apt to hold the packages so they are not upgraded by a newer release from the repository. If there is a new release that you want to upgrade to, you need to repeat these steps.

dpkg --install nginx_1.11.2-1~xenial_amd64.deb
apt-mark hold nginx
dpkg --install nginx-module-geoip_1.11.2-1~xenial_amd64.deb
apt-mark hold nginx-module-geoip

Once you’ve installed the package you can verify that it indeed has the modules by running:

nginx -V 2>&1 | grep ngx_cache_purge -o

If you got back ngx_cache_purge then congrats, it worked. If it didn’t, make sure your --add-module argument is correct.
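Added example, not from the post: a small shell helper that generalises the grep above to all three modules by parsing the --add-module arguments out of the `configure arguments:` line of nginx -V, so a forgotten module shows up by name (the sample configure line below is constructed).

```shell
#!/bin/sh
# Added example, not from the post: reports which of the expected third-party
# modules are missing from the configure arguments `nginx -V` prints, so all
# three modules can be verified at once instead of grepping for one.
set -u

# missing_modules CONFIGURE_ARGS NAME...: prints every NAME that does not
# appear in any --add-module= or --add-dynamic-module= argument of
# CONFIGURE_ARGS (the "configure arguments:" line of `nginx -V`).
missing_modules() {
    args=$1; shift
    # one module path per line, without the quotes the rules file may add
    added=$(printf '%s\n' "$args" | tr ' ' '\n' \
        | sed -n 's/^--add-\(dynamic-\)\{0,1\}module=//p' | tr -d "'\"")
    for name in "$@"; do
        printf '%s\n' "$added" | grep -q -- "$name" || echo "$name"
    done
}

# check_installed_nginx: the live check against the installed binary.
check_installed_nginx() {
    missing_modules "$(nginx -V 2>&1 | sed -n 's/^configure arguments: //p')" \
        ngx_cache_purge ngx_pagespeed headers-more
}

# Constructed stand-in for the configure arguments of a build that was given
# the cache purge and pagespeed modules but not headers-more.
SAMPLE_ARGS="--prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module \
--add-module=/usr/local/src/nginx-1.11.2/debian/modules/ngx_cache_purge-2.3 \
--add-module=/usr/local/src/nginx-1.11.2/debian/modules/ngx_pagespeed-1.11.33.2-beta"
```

Running check_installed_nginx on the built package prints nothing when all three modules are present; any name it prints is one whose --add-module line did not make it into the rules file.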

Moving a project from one git repository to another while retaining its history Sat, 11 Jun 2016 15:36:35 +0000

I recently had to move a project from one git repository to another existing repository under a different source tree, and I wanted to retain the history of each file. This is rather easy once you know how to do it, but you can easily mess things up if you don’t. So I wanted to write clear instructions for the next time I have to do this, and hopefully it also helps someone else.

So I’m going to use Liferay as the example for this so that it’s as clear as it can be. We have two repositories, liferay-portal and liferay-plugins, which are both hosted on Github. Let’s assume that as we are modularizing things we want to move the akismet-portlet plugin from the liferay-plugins repository to the liferay-portal repository under modules/apps/akismet. The akismet-portlet is currently under portlets in the liferay-plugins repository. We could simply copy it there, but then we would lose the whole history of that project. So we’ll use some git magic to pull the akismet-portlet into the new path under the liferay-portal repository. This example assumes you are working with the master branch, but the same steps work with any branch.

1. Clone the liferay-plugins repository

It’s important to create a fresh clone of the repository, as what we are about to do to it will make it unusable. There is a way to recover, though; I learned that the hard way.

git clone git@github.com:liferay/liferay-plugins.git tmp-plugins-repo
cd tmp-plugins-repo

2. Extract the akismet-portlet and its history

In this step we’ll check out the branch from which we want to move the project and then rewrite the branch so that it only contains the commits to the project we want to move. Word of warning: if you skipped step one, go back to it, since this is a destructive operation.

git checkout master
git filter-branch --subdirectory-filter portlets/akismet-portlet -- --all

When you’ve run git filter-branch you’ll notice that the files from portlets/akismet-portlet are now in the root and nothing else in the repository appears to exist.

3. Move the project to its new path in the new repository

Next we need to move the files to the path they are going to be in the liferay-portal repository which is under modules/apps/akismet.

mkdir -p modules/apps/akismet/akismet-portlet
git mv -k * modules/apps/akismet/akismet-portlet
git commit -a -m "Moved akismet-portlet to modules/apps/akismet/akismet-portlet"

Now the files are in their right place and the changes have been committed to the repository.

4. Pull the akismet-portlet from liferay-plugins to liferay-portal repository

Now you need to clone the liferay-portal repository if you haven’t done so yet. I’m assuming that it is next to the tmp-plugins-repo.

git remote add tmp-plugins-repo ../tmp-plugins-repo
git checkout -b akismet-portlet-move
git pull --allow-unrelated-histories tmp-plugins-repo master

Git 2.9 and newer refuse to merge two histories that share no common commit unless you pass --allow-unrelated-histories, which is exactly the situation here. Now you are ready to merge it to master or send a pull request to someone who will merge it. The only thing is that it has to be merged and can’t be rebased.
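Added example, not from the post: a POSIX shell rehearsal of steps 1 to 4 on two constructed throw-away repositories, which then uses git log --follow to confirm the moved files kept their commits. It assumes git is installed; the repository names, files and commit subjects are made up, and filter-branch is run on master alone rather than with -- --all.

```shell
#!/bin/sh
# Added example, not from the post: rehearses the four steps above on two
# throw-away repositories built in a temp dir (constructed stand-ins for
# liferay-plugins and liferay-portal), then shows that the moved files kept
# their history. Needs git on PATH; the subdirectory and target path are the
# ones from the post.
set -eu

export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid
export GIT_MERGE_AUTOEDIT=no            # keep the merge commit non-interactive
export FILTER_BRANCH_SQUELCH_WARNING=1  # git >= 2.24 otherwise pauses 10 s

# move_with_history SRC DST SUBDIR NEWPATH
# Steps 1-4 of the post, parameterised: clone SRC, keep only SUBDIR's history,
# move it to NEWPATH, and merge the result into DST on a new branch.
move_with_history() {
    src=$1; dst=$2; subdir=$3; newpath=$4
    tmp=$(mktemp -d)
    # 1. a fresh clone, because filter-branch rewrites it destructively
    git clone -q "$src" "$tmp/tmp-plugins-repo"
    (
        cd "$tmp/tmp-plugins-repo"
        git checkout -q master
        # 2. keep only the commits that touched SUBDIR (its files land in the root);
        #    the post rewrites every ref with "-- --all", here master is enough
        git filter-branch -f --subdirectory-filter "$subdir" -- master >/dev/null 2>&1
        # 3. move the files to the path they will have in DST
        mkdir -p "$newpath"
        git mv -k * "$newpath"
        git commit -q -a -m "Moved $subdir to $newpath"
    )
    (
        cd "$dst"
        git remote add tmp-plugins-repo "$tmp/tmp-plugins-repo"
        git checkout -q -b "$(basename "$subdir")-move"
        # 4. merge, never rebase; git 2.9+ refuses unrelated histories without the flag
        git pull -q --no-rebase --allow-unrelated-histories tmp-plugins-repo master >/dev/null
    )
    rm -rf "$tmp"
}

# rehearse_move: builds the two constructed repositories, runs the move and
# prints the commit subjects git can follow for the moved README.
rehearse_move() {
    work=$(mktemp -d)
    plugins=$work/liferay-plugins
    portal=$work/liferay-portal
    git init -q "$plugins"
    git init -q "$portal"
    (
        cd "$plugins"
        git symbolic-ref HEAD refs/heads/master
        mkdir -p portlets/akismet-portlet portlets/other-portlet
        echo one > portlets/akismet-portlet/README.txt
        git add .
        git commit -q -m "Add akismet-portlet"
        echo two >> portlets/akismet-portlet/README.txt
        git commit -q -a -m "Tune akismet-portlet"
        echo other > portlets/other-portlet/README.txt
        git add .
        git commit -q -m "Add other-portlet"   # must not survive the move
    )
    (
        cd "$portal"
        git symbolic-ref HEAD refs/heads/master
        mkdir modules
        echo portal > modules/README.txt
        git add .
        git commit -q -m "Portal initial"
    )
    move_with_history "$plugins" "$portal" portlets/akismet-portlet modules/apps/akismet/akismet-portlet
    (
        cd "$portal"
        git log --follow --format=%s -- modules/apps/akismet/akismet-portlet/README.txt
    )
    rm -rf "$work"
}

# Run the rehearsal when invoked directly:  sh move-rehearsal.sh run
if [ "${1:-}" = run ]; then
    rehearse_move
fi
```

The rehearsal prints the move commit followed by the two original akismet-portlet commits and nothing from other-portlet; a plain copy would show only the move commit.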

Now I used Liferay’s Github repository as an example, but at Liferay when we move things around we always do it with a plain copy followed by a massive commit that loses all history. If you don’t care about file history then that works just fine, but don’t come crying to me when you try to track down why a certain line of code was added.

Setting up https with Let’s Encrypt on Nginx Sun, 29 May 2016 15:40:24 +0000

Let’s Encrypt is an awesome free, automated and open way of protecting your site with https. As you may have noticed, this site is using a Let’s Encrypt certificate and I’ve started rolling it out to all my other sites too. With a free https certificate there’s really no excuse not to use https only. In fact, if you want to take advantage of HTTP/2 you’ll need https, since no browser currently supports it unencrypted even though the spec doesn’t mandate it.

Even if your site doesn’t have any sensitive information, if you ever update or log in to it from an untrusted location such as a café your login credentials might get disclosed to someone malicious, and since like most of us you probably use the same credentials in multiple places, that might be a really bad thing. Now I didn’t come up with all the steps I’m about to explain here; the credit rather goes to Bjørn Johansen, whose blog posts I’ll summarise here. I’ll link all the posts I used as initial reference to set this up on my server at the end of the post in case you need more details. Let’s Encrypt support for Nginx is still experimental and buggy, so you’ll need to use the manual method to install it.

Setting up Let’s Encrypt client

We’ll use git to get the client, and bc is needed later, so on Ubuntu/Debian you’ll install them with apt.

apt-get install git bc

Now with git we’ll clone the Let’s Encrypt client repo.

git clone /opt/letsencrypt

Preparing Nginx

To verify the domain, the Let’s Encrypt verification server will look for verification files created by the client in a subdirectory of your webroot under /.well-known/acme-challenge/

Since I have lots of sites under the same Nginx and I want them all to use https eventually I’ve created a configuration snippet under /etc/nginx/global named letsencrypt-challenge.conf with the following content:

# Allow access to the ACME Challenge for Let’s Encrypt
location ~ /\.well-known\/acme-challenge {
    allow all;
}

This is not required if you don’t block files starting with a dot.

The server section for the site could look something like this:

server {
    listen 80;
    root /var/www/;

    include global/letsencrypt-challenge.conf;
}

Once you’ve added global/letsencrypt-challenge.conf, don’t forget to reload your nginx.

service nginx reload

Get the certificate from Let’s Encrypt

Now you are ready to use the Let’s Encrypt client to request a certificate for your domain.

/opt/letsencrypt/letsencrypt-auto certonly --agree-tos --webroot -w /var/www/ \

If all goes well you’ll get four files under /etc/letsencrypt/live/. Those files are privkey.pem, cert.pem, chain.pem and fullchain.pem. You’ll need those to set up ssl in Nginx, but before we do that let’s make sure the certificate is automatically renewed, because it will be valid for only 90 days.

Setup auto renew for certificate

So like I just mentioned, the certificates from Let’s Encrypt are only valid for 90 days, and I’m sure you don’t want to try to remember to renew them manually, so we’ll set up a cron job to do that automatically for us. There’s already a nice script that will do all the heavy lifting. We’ll just need to download it and make it executable for root.

curl > /opt/
chown root:root /opt/
chmod 0500 /opt/

Please note that this script assumes you installed the Let’s Encrypt client in /opt/letsencrypt; if you didn’t, please adjust the path in the script. It’s also a good idea to try to understand what the script does and not just blindly execute any script you’ve downloaded from the web as root.

The script tries to renew the certificate for you when the expiration date is less than 30 days away. We’ll set up cron to run the script once a week, so even if it fails for some reason there’s still plenty of time to get it right. Create a file /etc/cron.d/letsencrypt-renew with the following content:

32 5 * * 1 root /opt/ /var/www/ > /dev/null 2>&1

Setup https in Nginx

In order to serve https you’ll need a new server block that listens on port 443, and you’ll need to tell nginx where the private key and certificate for this domain are found.

server {
    listen 443 ssl;
    root /var/www/;

    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;

    include global/letsencrypt-challenge.conf;
}

That is the minimum required, but we are not going to stop there, as there are six more steps we can take to make it more secure and optimize its https performance.

1) Connection credential caching

Most of the https overhead is in the initial connection setup, and by caching the session parameters we’ll significantly speed up subsequent connections. All you need are the following lines in your config:

ssl_session_cache shared:SSL:20m;
ssl_session_timeout 60m;

This creates a shared cache between all the worker processes. A 1MB cache can store around 4000 sessions, so this should be plenty for most sites. You can make it smaller if you are concerned, but Nginx should be smart enough not to consume all memory just for the cache.

2) Disable SSL

This may seem counterintuitive, but https is actually carried over either SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Technically SSL has been superseded by TLS, and SSL shouldn’t be used because of the many weaknesses it has. Disabling SSL means your site is no longer accessible to IE6, but do you really care about that?

The latest version of TLS is 1.2, but there are still modern browsers that only support 1.0, so we should also support it. Just add the following line to your nginx config:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

3) Optimize cipher suites

Encryption is at the core of https, and some ciphers are more secure while others are not secure at all anymore, so we’ll want to tell the client the preferred order of cipher suites to use. All of the ciphers on this list use forward secrecy, but with this list you’ll lose support for all IE versions on Windows XP; again, do you really care?

ssl_prefer_server_ciphers on;

4) Generate DH parameters

DH parameters affect the Diffie-Hellman key exchange, which is where the client and server negotiate the key for the session. By default it’s only a 1024 bit key, and our Let’s Encrypt key is 2048 bits, so we need to make Nginx also use 2048 bits for the DH key exchange; otherwise it’s not as secure as it could be. The only downside is that Java 6 doesn’t support anything over 1024, but again, do you really care about that?

Generate the DH parameters file with 2048 bit long prime.

openssl dhparam -out /etc/nginx/cert/dhparam.pem 2048

Add the dhparam to your config file:

ssl_dhparam /etc/nginx/cert/dhparam.pem;

5) Enable OCSP stapling

When a proper browser is presented with a certificate it will check with the issuer whether that certificate has been revoked, and that adds extra overhead. This is where Online Certificate Status Protocol (OCSP) stapling comes to the rescue. The web server contacts the certificate authority’s OCSP server at regular intervals to get a signed response, which it then staples onto the handshake when the connection is set up. This is much more efficient than having the browser go out to do the check.

To make sure the response from the CA is not tampered with, nginx needs to verify it against the CA root and intermediate certificates. The Let’s Encrypt client already provides us with all the required certificates, so all we need to do is configure stapling and ssl_trusted_certificate.

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/;

A resolver directive is also a must; you can use Google’s public DNS servers as I’ve done, or use your own.

6) Strict transport security

HTTP Strict Transport Security (HSTS) is a way to tell the browser that this domain should only be used over https. Even if you set up a redirect from http to https, any requests that go over http are insecure. This feature is supported in all modern browsers and it’s really simple to enable: you just add a Strict-Transport-Security header with the maximum age. Then for the specified amount of time the browser doesn’t even try to access the site via http.

add_header Strict-Transport-Security "max-age=31536000" always;

Putting it all together

That’s a lot of configuration so here is a complete example configuration:

server {
    listen 443 ssl;
    root /var/www/;

    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;

    include global/letsencrypt-challenge.conf;

    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 60m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_prefer_server_ciphers on;

    ssl_dhparam /etc/nginx/cert/dhparam.pem;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/;

    add_header Strict-Transport-Security "max-age=31536000" always;
}

Optional steps

What you most likely want to do is redirect from http to https. That is done by replacing your old server block with the following:

server {
    listen 80;
    root /var/www/;

    return 301 https://$host$request_uri;
}

Since you have https set up you might want to enable HTTP/2 if you are using a new enough Nginx. That is very simple: you just add the word http2 after ssl in the listen directive, like this:

listen 443 ssl http2;

But if you are running an older nginx you can still enable SPDY, which has been superseded by HTTP/2 but might still be useful until you can enable HTTP/2. SPDY is enabled similarly to HTTP/2.

listen 443 ssl spdy;

Test your configuration

So how do you know you configured everything correctly? The site might work in your browser, but that still doesn’t guarantee everything is correct. Qualys SSL Labs provides a nice scanner to test your setup. If you configured everything correctly you should get an A+ rating, just as is shown below for this site.
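Added example, not part of the original post: a shell pre-flight check you can run from your own machine before the SSL Labs scan. It reads the negotiated protocol and the stapled OCSP status from an openssl s_client transcript and the HSTS max-age from the response headers; it assumes openssl and curl are installed, and the transcripts at the bottom are constructed so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the post: a pre-flight check for three of the
# settings above (negotiated protocol, OCSP stapling, HSTS) that runs against
# a live host with openssl s_client and curl, or against captured transcripts.
set -u

# negotiated_protocol TRANSCRIPT: the "Protocol :" value from the
# SSL-Session summary that openssl s_client prints (e.g. TLSv1.2).
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1
}

# stapled_ocsp TRANSCRIPT: true when `openssl s_client -status` shows a
# stapled response. nginx fetches the response in the background after
# start-up, so the very first handshake after a reload may report none.
stapled_ocsp() {
    printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# hsts_max_age HEADERS: the max-age of the Strict-Transport-Security header in
# captured response headers, or nothing when the header is missing.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($1) == "strict-transport-security:" {
            line = tolower($0)
            if (match(line, /max-age=[0-9]+/)) print substr(line, RSTART + 8, RLENGTH - 8)
            exit
        }'
}

# report TRANSCRIPT HEADERS: one PASS/FAIL line per check; returns the number
# of failed checks, so it can gate a deployment script.
report() {
    transcript=$1; headers=$2; failed=0
    proto=$(negotiated_protocol "$transcript")
    case $proto in
        TLSv1.2|TLSv1.3) echo "PASS protocol $proto" ;;
        *) echo "FAIL protocol ${proto:-unknown} (want TLS 1.2 or newer)"; failed=$((failed + 1)) ;;
    esac
    if stapled_ocsp "$transcript"; then
        echo "PASS ocsp stapling"
    else
        echo "FAIL ocsp stapling (no stapled response; check ssl_stapling and resolver)"
        failed=$((failed + 1))
    fi
    age=$(hsts_max_age "$headers")
    # 31536000 s (one year) is the value the post uses
    if [ -n "$age" ] && [ "$age" -ge 31536000 ]; then
        echo "PASS hsts max-age=$age"
    else
        echo "FAIL hsts (max-age ${age:-missing}, want >= 31536000)"
        failed=$((failed + 1))
    fi
    return $failed
}

# check_site HOST: gather the two inputs from a live server and report.
check_site() {
    host=$1
    transcript=$(printf 'Q\n' | openssl s_client -connect "$host:443" -servername "$host" -status 2>/dev/null)
    headers=$(curl -sI --max-time 10 "https://$host/")
    report "$transcript" "$headers"
}

# Constructed transcripts standing in for real command output, used to
# exercise the checks offline (abbreviated to the lines the checks read).
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000'

# Usage: sh tls-check.sh example.com   (no argument: self-check on the samples)
if [ $# -gt 0 ]; then check_site "$1"; else report "$SAMPLE_TRANSCRIPT" "$SAMPLE_HEADERS"; fi
```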


[1] Let’s Encrypt for Nginx
[2] Optimizing HTTPS on Nginx

Monitoring Apache HTTPd with New Relic Fri, 28 Aug 2015 07:18:47 +0000

When figuring out what’s wrong with a site’s performance it’s important to get facts about every aspect and component involved with that site. Apache is quite often used in front of Java applications and it’s the app server for PHP applications. A bad Apache configuration can make a site seem sluggish even when there are plenty of other resources available, so it’s important to see what’s going on there. From the first screen of the Apache HTTPd plugin you’ll get a nice overview of all your monitored Apaches.

New Relic Plugins Apache Listing

Drilling down to a single server overview shows request velocity, cpu load, busy/idle workers and even bytes sent over time.

New Relic Plugins Apache Overview

Going to Throughput shows throughput details over time.

New Relic Plugins Apache Throughput

The Workers section shows you what is happening with the workers. If you have a lot of busy workers you can see what state they are in, and that might provide some insight into what is going on.

New Relic Plugins Apache Workers

Installing Apache HTTPd agent for New Relic

1) I’m using the MeetMe New Relic agent to monitor Apache HTTPd. It’s written in Python, so we’ll need to install pip. The following uses the Ubuntu python-pip package. You can find alternative install methods in the pip docs.

apt-get install python-pip libyaml-dev python-dev

2) Next use pip to install newrelic-plugin-agent. When I ran it I got some errors but it still worked.

pip install newrelic-plugin-agent

3) Next we’ll need to create the configuration file for the agent. You can start by copying /opt/newrelic-plugin-agent/newrelic-plugin-agent.cfg or just use what I have posted below. The first thing you need is to set license_key. You can find your license key from your account settings page on The second one is to add apache_httpd configuration. You can add multiple httpds to monitor.

cat - <<EOF > /etc/newrelic/newrelic-plugin-agent.cfg
%YAML 1.2
---
# The section keys (Application, Daemon, Logging and their children) are not
# on the original listing; they are restored here from the agent's sample
# config so the file parses. The values are the ones from this post.
Application:
  license_key: YOUR_LICENSE_KEY
  wake_interval: 60
  #newrelic_api_timeout: 10
  #proxy: http://localhost:8080

  apache_httpd:
    - name: localhost
      scheme: http
      host: localhost
      verify_ssl_cert: true
      port: 80
      path: /server-status

Daemon:
  user: newrelic
  pidfile: /var/run/newrelic/

Logging:
  formatters:
    verbose:
      format: '%(levelname) -10s %(asctime)s %(process)-6d %(processName) -15s %(threadName)-10s %(name) -45s %(funcName) -25s L%(lineno)-6d: %(message)s'
  handlers:
    console:
      class: logging.StreamHandler
      formatter: verbose
    file:
      class : logging.handlers.RotatingFileHandler
      formatter: verbose
      filename: /var/log/newrelic/newrelic-plugin-agent.log
      maxBytes: 10485760
      backupCount: 3
  loggers:
    newrelic_plugin_agent:
      level: INFO
      propagate: True
      handlers: [console, file]
    requests:
      level: ERROR
      propagate: True
      handlers: [console, file]
EOF

4) Make sure you have enabled mod_status in your apache and you’ve allowed access from the host your agent is running if it’s not running in the same host as your apache.

5) Then we need to add an init script for the newrelic-plugin-agent. There’s one under /opt/newrelic-plugin-agent, but for me it was an incomplete file, so I just downloaded the one from github.

mv newrelic-plugin-agent.deb /etc/init.d/newrelic-plugin-agent
chmod 755 /etc/init.d/newrelic-plugin-agent
update-rc.d newrelic-plugin-agent defaults

Now you can start the newrelic-plugin-agent with

service newrelic-plugin-agent start

Now in a few minutes you should see your Apache HTTPd server(s) listed under Plugins HTTPd in New Relic.

Monitoring Nginx with New Relic Wed, 29 Apr 2015 03:20:41 +0000

Apache HTTPd has always been my go-to httpd, reverse proxy and load balancer, but lately I’ve grown more interested in Nginx. It’s very high performance and lightweight, not to mention easy to configure. Of course with my current single Nginx I wanted to see how I could hook it up to my monitoring. Turns out there’s a New Relic agent directly from Nginx.

New Relic Plugins Nginx Listing

From the overview you can see the number of active and idle connections as well as the request rate.

New Relic Plugins Nginx Overview

From Connections you’ll see even more connection details. With very few connections and requests my graphs are currently slightly boring. In addition to connection details you can find more details about requests, upstreams, servers and cache.

New Relic Plugins Nginx Connections

Installing New Relic Monitoring Agent for Nginx

1) First you need to add the Ubuntu package repository for Nginx. If you’ve done this already when you installed Nginx you can skip to the next step. If you are not using Ubuntu 14.04 like I am, you can find the other Linux packages on the Nginx website.

apt-key add nginx_signing.key

cat - <<-EOF >> /etc/apt/sources.list.d/nginx.list
deb trusty nginx
deb-src trusty nginx
EOF

apt-get update

2) Next you need to install the Nginx New Relic Agent

apt-get install nginx-nr-agent

3) Next you’ll need to edit the agent configuration file /etc/nginx-nr-agent/nginx-nr-agent.ini. You need to add your license key, which you can find on your account settings page.


Additionally you need to add a new source which points to your Nginx status url.


4) You’ll need to add a server block to Nginx for the status. Since I had a very simple configuration in my Nginx I just added the following to /etc/nginx/sites-enabled/default

server {
   server_name localhost;

   location = /nginx_stub_status {
     stub_status on;
     # an allow directive for the address the agent connects from belongs
     # here, before deny all; otherwise the agent is locked out as well
     deny all;
   }
}

5) Last thing you need to do is reload Nginx and start the Nginx New Relic Agent.

service nginx reload
service nginx-nr-agent start

Now in a few minutes you should start seeing your Nginx server listed under Plugins Nginx in New Relic.

New Relic has a wonderful plugin framework and there’s a ton of ready made plugins and also an SDK and API for things it doesn’t already support. The MySQL plugin is one of those ready made plugins and it provides all the key information you’ll need. The MySQL plugin page quickly shows what’s going on in all monitored databases.

New Relic Plugins MySQL

When you drill down to an individual database server the overview shows the SQL volume and how it’s split between reads and writes. More key metrics are displayed under Key Utilizations. You’ll also find database connections and network traffic on this page.

New Relic Plugins MySQL Overview

Going further down to Query Analysis you’ll see more details about the queries.

New Relic Plugins MySQL Query Analysis

If you are using InnoDB there’s a separate page to show key metrics from InnoDB.

New Relic Plugins MySQL InnoDB Metrics

Installing MySQL / MariaDB Monitoring

1) The MySQL plugin can easily be installed with the New Relic platform installer, so the first thing you need to do is install the platform installer. You’ll need your New Relic license key, which you can find under account settings. Once you have that you can install it with the following one-liner, which is for 64-bit Debian and Ubuntu.


2) Next go to the newly created newrelic-npi directory and run install. You’ll want to answer yes to all the questions and when prompted to configure the plugin grab the configuration from the next step.

./npi install nrmysql

3) If you skipped configuration you can configure the plugin afterwards too. You can find the configuration file under newrelic-npi at plugins/com.newrelic.plugins.mysql.instance/newrelic_mysql_plugin-2.0.0/config/plugin.json. Below is a sample configuration for MariaDB (it works for MySQL too) running on localhost; we’ll be creating a separate user newrelic with password somepassword which the plugin will use to gather data. You can connect to multiple databases with the same agent. I usually install this agent on the same server my nagios is running on.

{
  "agents": [
    {
      "name" : "MariaDB on localhost",
      "host" : "localhost",
      "metrics" : "status,newrelic,buffer_pool_stats,innodb_status,innodb_mutex",
      "user" : "newrelic",
      "passwd" : "somepassword"
    }
  ]
}

4) Now we need to create a user in the database and grant some rights to it.

cat - <<EOF | mysql -u root -p
CREATE USER newrelic@'%' IDENTIFIED BY 'somepassword';
EOF

5) The last thing is to start the service, but before we do, make sure you have Java installed, as this agent is written in Java. If you don’t have Java installed, check my unattended Java install script. Otherwise you can proceed to start the service, which should have been created during npi install if you answered all the questions correctly.

service newrelic_plugin_com.newrelic.plugins.mysql.instance start

Now it may take a few minutes before you see your server under Plugins MySQL in New Relic. If it doesn’t appear, check the log under plugins/com.newrelic.plugins.mysql.instance/newrelic_mysql_plugin-2.0.0/logs/ for hints and make sure the agent actually started.

Monitoring Ubuntu / Debian Server with New Relic Fri, 24 Apr 2015 04:00:07 +0000

With New Relic Server Monitoring you’ll see all the important information about your system at a glance. This is an essential tool for troubleshooting performance issues and also for seeing that your system is properly sized. Sometimes poor application performance has nothing to do with the application but rather with the system it’s running on. If the system is not correctly sized you might be running out of memory or CPU, or the bottleneck could be disk I/O. Without proper monitoring it is very hard to pinpoint the cause.

The servers listing gives a nice overview of all servers, and you can easily see if there are any issues.

New Relic Servers

When looking at a specific server you’ll see a history of its CPU and memory usage as well as load average and network I/O. If you have any APM-enabled applications installed you’ll see an overview of their response times, throughput and error rate. You’ll also see some of the top processes running on the server.

New Relic Servers Overview

When you drill down to processes listing you’ll quickly see the top memory and cpu consumers. You can also look at the history of individual processes.

New Relic Server Processes

Installing New Relic Server Monitoring on a Ubuntu / Debian Server

1) Add an apt source for New Relic.

cat - <<-EOF >> /etc/apt/sources.list.d/newrelic.list
# newrelic repository list
deb newrelic non-free
EOF

2) You’ll need to get the key for the New Relic repository and then update the apt sources. After that you can install newrelic-sysmond.

apt-key adv --recv-keys --keyserver 0xB31B29E5548C16BF
apt-get update
apt-get install newrelic-sysmond

3) Next you’ll need to tell it your license key so that it reports the data to your account. You can find your license key on your account settings page. You can either edit the configuration file or set the license key as shown below:

/usr/sbin/nrsysmond-config --set license_key=YOUR_LICENSE_KEY

4) Finally once everything is configured you can start the system monitor daemon.

service newrelic-sysmond start

Now in a few minutes you should start seeing your server listed under Servers in New Relic.

Monitoring and Graphing Liferay with MRTG Thu, 17 Oct 2013 11:10:01 +0000

MRTG (The Multi Router Traffic Grapher) is usually used to monitor SNMP-enabled network devices and draw graphs of how much traffic has passed through each interface. It can also be used to graph any two values (in/out), and I use it for graphing CPU usage, load average, iowait, used memory, disk space and temperature sensor values that I can read through SNMP. Liferay however doesn’t support SNMP, so I developed a Perl script that can read JMX MBean values using JMX4Perl and Jolokia. I’m going to assume you have JMX4Perl and Jolokia set up already the way I describe in my earlier post: Monitoring Liferay with Nagios, Jolokia and JMX4Perl. You should also note that MRTG won’t send you any alerts, so it’s a good idea to set up Nagios to do just that.

Now you might wonder why you would need MRTG if you already have Nagios. Nagios operates on the present value; there is an add-on, Nagios Grapher, that can create graphs like MRTG does, but I like MRTG more because you can see all the graphs on one page. Being able to see a full overview of the system is very important when trying to identify performance problems. This is also why you want to get more information out of the application, Liferay in this case. My script helps in reading connection pool and thread pool utilization as well as heap usage. Those are essential when troubleshooting.

First you’ll need to install and set up MRTG. I’m not going to go into details on that because it depends on your system and the internet is full of guides for it. Once you have that done you’ll need to download my script, which is available in my GitHub repository. For the rest of this post I’m going to assume it’s located in /usr/local/bin/, but it’s up to you where you put it. Just adjust the script path accordingly.

Monitoring c3p0 connection pool

Getting the values for c3p0 is a little bit tricky because it generates a unique MBean name based on the identity token it creates for the connection pool every time the server is started. Because of this my script assumes you have only one c3p0 connection pool; if you have multiple pools you’ll need to add additional logic to mrtg-jmx4perl to find the correct MBean. Note that this is the case when you configure the connection pool in Liferay’s own properties instead of using a JNDI resource. We can read the c3p0 MBean by using the MBean name “com.mchange.v2.c3p0:type=*,*”, and the attributes we are most interested in are numConnectionsAllUsers and numBusyConnectionsAllUsers. Below is a sample MRTG configuration snippet.

Target[dbpool]: `/usr/local/bin/ --server=servername --mbean="com.mchange.v2.c3p0:type=*,*" --attribute="numConnectionsAllUsers numBusyConnectionsAllUsers"`
MaxBytes[dbpool]: 20
Title[dbpool]: DB Pool
PageTop[dbpool]: <h1>DB Pool</h1>
WithPeak[dbpool]: dwmy
Unscaled[dbpool]: dwmy
Options[dbpool]: growright,unknaszero,nopercent,gauge
YLegend[dbpool]: Connections
LegendI[dbpool]: Connections
LegendO[dbpool]: Busy Connections
Legend1[dbpool]: Connections
Legend2[dbpool]: Busy Connections
Legend3[dbpool]: Peak Connections
Legend4[dbpool]: Peak Busy Connections

Here’s a daily graph from one of my Liferay portal servers.

mrtg - db pool connections

Monitoring Tomcat AJP Thread Pool

This one is pretty easy because the MBean name is static, but it does vary depending on the Tomcat version and connector you are using. In Tomcat 7 with the native library the name for the AJP thread pool is Catalina:type=ThreadPool,name="ajp-apr-8009". Without the native library it would be ajp-bio-8009. In Tomcat 6 my AJP pool MBean name is Catalina:type=ThreadPool,name=jk-8009. Notice the lack of double quotes in the name. You can easily check the name using jconsole. So for this one the config looks like:

Target[ajp-threadpool]: `/usr/local/bin/ --server=servername --mbean="Catalina:type=ThreadPool,name=\"ajp-apr-8009\"" --attribute="currentThreadCount currentThreadsBusy"`
MaxBytes[ajp-threadpool]: 50
Title[ajp-threadpool]: AJP Thread Pool
PageTop[ajp-threadpool]: <h1>AJP Thread Pool</h1>
WithPeak[ajp-threadpool]: dwmy
#Unscaled[ajp-threadpool]: dwmy
Options[ajp-threadpool]:  growright,unknaszero,nopercent,gauge
YLegend[ajp-threadpool]: Threads
LegendI[ajp-threadpool]: Threads
LegendO[ajp-threadpool]: Busy Threads
Legend1[ajp-threadpool]: Threads
Legend2[ajp-threadpool]: Busy Threads
Legend3[ajp-threadpool]: Peak Threads
Legend4[ajp-threadpool]: Peak Busy Threads

Here’s a daily graph of a thread pool.

mrtg - thread pool

Monitoring Heap Usage

The last one we are going to monitor is Java heap usage. It can be read from java.lang:type=Memory using the attribute HeapMemoryUsage and the path used. This time we are reading only one value.

Target[heap]: `/usr/local/bin/ --server=servername --mbean="java.lang:type=Memory" --attribute="HeapMemoryUsage" --path="used"`
MaxBytes[heap]: 1296302080
Title[heap]: Heap
PageTop[heap]: <h1>Heap</h1>
WithPeak[heap]: dwmy
Unscaled[heap]: dwmy
Options[heap]:  growright,unknaszero,nopercent,gauge,noo
YLegend[heap]: bytes
kilo[heap]: 1024
LegendI[heap]: Used
Legend1[heap]: Used
Legend3[heap]: Peak Used

Here’s a daily graph of heap memory usage.

mrtg - heap usage

You can download the full sample-mrtg.cfg from github.

That’s how easy it is to monitor and graph Liferay or pretty much any Java webapp using MRTG. You could easily use this to monitor ehcache utilization or anything else that’s accessible via JMX.

Installing MariaDB on Ubuntu
Sun, 19 Aug 2012 08:33:56 +0000

I’ve been using MariaDB for some time now and it’s a perfect replacement for MySQL, especially with the latest news on Oracle’s move to hinder the MySQL developer community despite its promise to the EU. Now is a perfect time to ditch MySQL and move to something that’s backed by the original authors of MySQL, and that something is MariaDB.

1. First pick the repository mirror for your Ubuntu version closest to you from the MariaDB downloads page. Once you’ve picked your mirror, add it to /etc/apt/sources.list.d/mariadb.list. I’m still running 10.04 so here’s what I put in my mariadb.list:

# MariaDB repository list - created 2012-07-04 18:04 UTC
deb lucid main
deb-src lucid main

2. Next you’ll need to import the signing key

sudo apt-key adv --recv-keys --keyserver 0xcbcb082a1bb943db

3. Update

aptitude update

4. Install

aptitude install mariadb-server-5.5

Now you have MariaDB 5.5 installed and you can configure it exactly like you would configure MySQL.

Monitoring Liferay with Nagios, Jolokia and JMX4Perl
Sun, 29 Jul 2012 19:15:04 +0000

How do I monitor Liferay? That’s a question I’ve heard a lot lately. Well, the standard way of getting some information about the application is by using JMX. The downside of JMX is that it’s a Java-only standard and the only remote connection is over RMI, which doesn’t really sit well with non-Java monitoring software like the very popular Nagios. Another hurdle might be that your network admin might not be inclined to open up RMI access to the JVM.

There’s a nice agent called Jolokia that provides an HTTP bridge to JMX. You can install it as a Java agent in pretty much any Java app or deploy it as a webapp. With Jolokia installed you can query any MBeans for their values using a simple HTTP GET and get the data back as JSON objects. JMX4Perl is a Perl module and a set of scripts that provide an easy way to run those queries through Jolokia. One of those scripts is check_jmx4perl, which can be used in Nagios service checks.

Okay, so now we know that we are going to need Nagios, Jolokia and JMX4Perl to monitor the Liferay JVM, but what should we monitor? Well, that depends on what information you are interested in, but at minimum I would monitor AJP or HTTP thread usage as well as heap utilization. Just by monitoring those values you’ll know when your JVM becomes unresponsive, and you can also get some early warning that there are issues, for example heap usage going over the warning threshold and never returning to normal, or constantly going over the threshold, which could indicate that you don’t have enough heap allocated.

I’m going to assume that you have Nagios installed and configured, and I will only go through how to install Jolokia and configure some checks for threads and heap. So let’s start by installing JMX4Perl.

Installing JMX4Perl is pretty simple with cpan. You just launch cpan command line client and install it like this:

cpan> install JMX::Jmx4Perl

Next you’ll need to download Jolokia and deploy the jolokia.war to your app server. For this example I’m going to assume that you are using Tomcat 7. Once you’ve deployed Jolokia it’s usually a good idea to restrict who can query it. For this example we are just going to restrict it to a certain IP address (the Nagios server) and limit it to read operations only. Since I don’t like modifying the war, we are going to tell Jolokia where to find the policy file through a context parameter. Create a jolokia.xml in tomcat/conf/Catalina/localhost with the following content:

<Context path="/jolokia">
        <Parameter name="policyLocation" value="file:///etc/jolokia/jolokia-access.xml" />
</Context>

That tells Jolokia to look for the policy file at /etc/jolokia/jolokia-access.xml. This is great when you are running multiple Tomcats on the same server and want them to share the Jolokia policy file.

Now go ahead and create jolokia-access.xml in /etc/jolokia:

<?xml version="1.0" encoding="utf-8"?>
<restrict>
        <!-- only the Nagios server may talk to the agent ... -->
        <remote>
                <host>[YOUR NAGIOS SERVER IP]</host>
        </remote>
        <!-- ... and only read requests are allowed -->
        <commands>
                <command>read</command>
        </commands>
</restrict>

Next we need to create the configuration for jmx4perl. In /etc/jmx4perl/jmx4perl.cfg we are going to include some preconfigured checks and extend them. For Tomcat 7 you need to add quotes around the thread pool name. We also need to set warning and critical levels for alerts. You’ll also need to add a Server for each Tomcat you want to monitor.

# Default definitions
include default/memory.cfg
include default/tomcat.cfg

# ==========================
# Check definitions

<Check tc7_connector_threads>
	Use = relative_base($1,$2)
	Label = Connector $0 : $BASE
	Value = Catalina:name="$0",type=ThreadPool/currentThreadCount
	Base = Catalina:name="$0",type=ThreadPool/maxThreads
	Critical 95
	Warning 90
</Check>

<Check j4p_memory_heap>
	Use memory_heap
	Critical 95
	Warning 90
</Check>

<Server tomcat>
	Url http://MY_TOMCAT_HOSTNAME:8080/jolokia
</Server>

Then in /etc/nagios3/commands.cfg we need to add a check command for jmx4perl, and we’ll use the check_jmx4perl script to do that.

define command {
	command_name    check_j4p_cmd
	command_line    /usr/local/bin/check_jmx4perl --unknown-is-critical --config /etc/jmx4perl/jmx4perl.cfg --server $ARG1$ --check $ARG2$ $ARG3$
}

Then we need to define the services to monitor in /etc/nagios3/conf.d/host-MY_TOMCAT_HOSTNAME.cfg:

define service {
	use generic-service
	host_name MY_TOMCAT_HOSTNAME
	service_description Tomcat Heap Memory
	check_command check_j4p_cmd!tomcat!j4p_memory_heap!x
}

define service {
	use generic-service
	host_name MY_TOMCAT_HOSTNAME
	service_description Tomcat AJP Threads
	check_command check_j4p_cmd!tomcat!tc7_connector_threads!ajp-bio-8009
}

The first service above checks the Tomcat heap and the second one the Tomcat 7 AJP threads.
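As an added example (not jmx4perl’s check_jmx4perl and not part of the original post), the following Python script does what the tc7_connector_threads check above does: it reads currentThreadCount and maxThreads through Jolokia, expresses the first as a percentage of the second, compares it with the Warning 90 / Critical 95 thresholds using Nagios plugin range semantics (alert when strictly above the threshold), and returns the Nagios exit code with perfdata. The Jolokia payloads SAMPLE_CURRENT and SAMPLE_MAX and the script name check_threadpool.py are constructed for illustration.

```python
"""Nagios-style percentage check of a JMX counter against its maximum.

Added example, not jmx4perl's check_jmx4perl. It reproduces what the
tc7_connector_threads check computes (currentThreadCount as a percentage of
maxThreads, Warning 90 / Critical 95) and maps the result to Nagios exit
codes plus perfdata. Thresholds follow Nagios plugin range semantics: alert
when the value is strictly above the threshold. Sample payloads are constructed.
"""
import json
import sys
import urllib.request
from urllib.parse import quote

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def parse_value(payload):
    """Return payload["value"]; a non-200 status (MBean missing, policy denied) is an error."""
    if payload.get("status") != 200:
        raise RuntimeError(f"Jolokia status {payload.get('status')}: {payload.get('error')}")
    return payload["value"]


def read_attribute(base_url, mbean, attribute, opener=urllib.request.urlopen):
    """GET <base>/read/<mbean>/<attribute> from Jolokia and return the value."""
    url = f"{base_url.rstrip('/')}/read/{quote(mbean, safe='')}/{quote(attribute, safe='')}"
    with opener(url) as resp:
        return parse_value(json.loads(resp.read().decode("utf-8")))


def evaluate_relative(value, base, warning, critical, label):
    """Return (exit code, plugin output line) for value as a percentage of base."""
    if base is None or base <= 0:
        return UNKNOWN, f"UNKNOWN - {label}: base value is {base!r}"
    pct = 100.0 * value / base
    if pct > critical:
        code = CRITICAL
    elif pct > warning:
        code = WARNING
    else:
        code = OK
    perf = f"'{label}'={pct:.1f}%;{warning};{critical};0;100"
    return code, f"{STATE[code]} - {label}: {pct:.1f}% ({value}/{base})|{perf}"


def run_check(value, base, warning, critical, label, unknown_is_critical=False):
    """Like check_jmx4perl --unknown-is-critical: missing data alerts instead of going quiet."""
    code, text = evaluate_relative(value, base, warning, critical, label)
    if code == UNKNOWN and unknown_is_critical:
        code = CRITICAL
    return code, text


# Constructed Jolokia responses for a Tomcat 7 AJP connector thread pool
SAMPLE_CURRENT = {"status": 200, "value": 184}
SAMPLE_MAX = {"status": 200, "value": 200}


def main(argv):
    # usage: check_threadpool.py <jolokia-base-url> <connector-name> [warning] [critical]
    base_url, name = argv[1], argv[2]
    warning = float(argv[3]) if len(argv) > 3 else 90
    critical = float(argv[4]) if len(argv) > 4 else 95
    mbean = f'Catalina:name="{name}",type=ThreadPool'  # Tomcat 7 quotes the connector name
    try:
        current = read_attribute(base_url, mbean, "currentThreadCount")
        maximum = read_attribute(base_url, mbean, "maxThreads")
        code, text = run_check(current, maximum, warning, critical, name, unknown_is_critical=True)
    except Exception as exc:  # unreachable agent or denied request is a hard failure
        code, text = CRITICAL, f"CRITICAL - {name}: {exc}"
    print(text)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it into a Nagios command the same way as check_j4p_cmd above; a 404 from Jolokia (for example a misspelled connector name, or the policy file denying the request) ends up CRITICAL rather than silently OK.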

Now you should have all the pieces to implement your own monitoring using Nagios, Jolokia and JMX4Perl. You should also remember that you can apply this to any JEE application, not just Liferay.

Configuring c3p0 connection pool for Liferay on Tomcat
Wed, 18 Jul 2012 23:52:14 +0000

There are several ways you could configure a connection pool for Liferay on Tomcat, but the way I’m going to show is the JEE way and the only one I consider correct.

The first thing is to copy or move the c3p0.jar from webapps/ROOT/WEB-INF/lib/ to lib/. Also make sure you have your database driver there. In this example it would be mysql.jar.

Then we need to tell Liferay that you want to use a connection pool from JNDI, and this you can do by adding the following line to your Liferay properties file, which can be placed in the Liferay Home directory (the directory above tomcat).

Add the following snippet to conf/server.xml inside GlobalNamingResources. Adjust the pool size, idle time and connection test period according to your environment. They are particularly important when you have a firewall between Liferay and the database or when the database server drops connections after a certain idle period.

<!-- the credentials, URL, pool sizes and timeouts below are placeholders; tune them for your environment -->
<Resource name="jdbc/LiferayPool" auth="Container"
    type="com.mchange.v2.c3p0.ComboPooledDataSource"
    factory="org.apache.naming.factory.BeanFactory"
    driverClass="com.mysql.jdbc.Driver"
    jdbcUrl="jdbc:mysql://localhost/lportal?useUnicode=true&amp;characterEncoding=UTF-8"
    user="DB_USER" password="DB_PASSWORD"
    minPoolSize="5" maxPoolSize="20"
    maxIdleTime="600"
    idleConnectionTestPeriod="300"
    preferredTestQuery="select 1 from dual"/>

Now we need to link the jdbc/LiferayPool name defined in the properties file to the jdbc/LiferayPool defined in server.xml, and this definition goes in conf/Catalina/localhost/ROOT.xml:

<ResourceLink name="jdbc/LiferayPool" global="jdbc/LiferayPool" type="javax.sql.DataSource"/>

Now we are done and you can start your Tomcat with the new connection pool. Note that you can follow a similar process to configure a MailSession from JNDI.

What to Do When You Get “Error listenerStart” with Tomcat
Tue, 29 May 2012 13:58:41 +0000

I’m sure many people other than me have banged their head against the wall trying to figure out an error like this:

SEVERE: Error listenerStart 
26-May-2012 13:44:27 org.apache.catalina.core.StandardContext startInternal 
SEVERE: Context [] startup failed due to previous errors

That basically means that Tomcat failed to start the webapp because there was an error with some listener, quite often the Spring context listener. The really annoying part is that it doesn’t actually show you what went wrong. There’s actually a pretty simple way to get Tomcat to log the actual error. You just need to create a properties file in WEB-INF/classes of the failing webapp and add the following lines to it:

org.apache.catalina.core.ContainerBase.[Catalina].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].handlers = java.util.logging.ConsoleHandler

Then just reload the webapp to see the error in the Tomcat console log. I hope this tip saves you a lot of hassle trying to figure out the root cause of the problem.

How to Create a Consistent Liferay Backup
Mon, 28 May 2012 16:30:32 +0000

This is a question I’ve been asked in nearly all the Liferay System Administrator trainings I’ve given. Most people will just back up their database and Liferay data directory separately, but any competent system admin will tell you that this is not guaranteed to be consistent, because someone could upload or delete files between the time you took the database dump and the time you copied the data directory. Now I’m assuming that you are storing your document library binaries on the filesystem instead of in the database.

Now, to achieve a consistent backup with minimal interruption to your portal, what you need to do is get a read lock on all your Liferay tables. This will prevent writes to the database. Then you dump the database to a file with a tool like mysqldump, and then you take a quick snapshot of the filesystem before you unlock the tables. You need to keep the connection that locked the tables open until this whole process is done. Once you have the database dump and filesystem snapshot ready, only then can you release the lock, and then you can back up the data directory using whatever method you would normally use.

For the PoC I’m using MySQL and my filesystem is on a Linux LVM volume, which supports taking snapshots. I’ve written a Perl script to execute all the commands. I’m sharing the script under the GPL and it’s available on GitHub. Feel free to fork it and modify it to suit your needs, and if you have good ideas send me a pull request.

The way the script works is you pass in a bunch of parameters like database details, LVM volume location, and source and target directories. Here’s an example:

-u dba-backup -p mypassword -d lportal -h localhost \
--lvm-volume-path /dev/vg0/opt --lvm-snapshot-volume-path /dev/vg0/opt-snapshot \
--lvm-snapshot-volume-name opt-snapshot --lvm-snapshot-volume-size 50G \
--snapshot-mount-path /backups/snapshot \
--source-path /liferay-portal-6.1.0/data/document_library \
--db-target-path /backups/mysql/lportal.sql.gz \
--data-target-path /backups/liferay --compress
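The sequence described above (lock, dump, snapshot, unlock, then copy from the snapshot at leisure) as an added Python example; it is not the author’s Perl script. SAMPLE_CFG mirrors the parameters of the command line above, and the mysql, mysqldump, lvcreate, mount, rsync, umount and lvremove commands are invoked with their standard flags. Two design choices worth noting: the lock session confirms the lock is actually held by echoing a marker row before the dump starts (mysql answers statements in order), and the password goes through MYSQL_PWD rather than argv so it is not visible in ps output. DryRunner records the command sequence instead of executing it.

```python
"""Consistent Liferay backup: one MySQL session holds a global read lock while
both the database dump and the LVM snapshot are taken, then releases it.

Added example, not the author's Perl script. SAMPLE_CFG mirrors the post's
command line; the mysql, mysqldump, lvcreate, mount, rsync, umount and lvremove
calls use their standard flags. The password is passed in MYSQL_PWD instead of
on the command line so it does not show up in ps output.
"""
import os
import shlex
import subprocess

MARKER = "lock-acquired"


class ShellRunner:
    """Executes the commands; the lock holder is a long-lived mysql client."""

    def run(self, argv, env=None):
        subprocess.run(argv, check=True, env=env)

    def open_lock_session(self, argv, env):
        return subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                                env=env, text=True)

    def send(self, proc, sql):
        proc.stdin.write(sql + "\n")
        proc.stdin.flush()

    def wait_for_marker(self, proc):
        # mysql answers statements in order, so the marker row proves the lock is held
        for line in proc.stdout:
            if line.strip() == MARKER:
                return
        raise RuntimeError("mysql session ended before confirming the lock")

    def close(self, proc):
        proc.stdin.close()
        proc.wait()


class DryRunner(ShellRunner):
    """Records the command sequence instead of running it (dry runs, tests)."""

    def __init__(self):
        self.log = []

    def run(self, argv, env=None):
        self.log.append(" ".join(argv))

    def open_lock_session(self, argv, env):
        self.log.append("OPEN " + " ".join(argv))
        return None

    def send(self, proc, sql):
        self.log.append("SQL " + sql)

    def wait_for_marker(self, proc):
        pass

    def close(self, proc):
        self.log.append("CLOSE mysql session")


def consistent_backup(cfg, runner):
    """Lock -> dump -> snapshot -> unlock -> copy from snapshot -> drop snapshot."""
    env = dict(os.environ, MYSQL_PWD=cfg["password"])
    mysql = ["mysql", "-N", "-B", "-u", cfg["user"], "-h", cfg["host"], cfg["database"]]
    dump = (f"mysqldump --single-transaction -u {shlex.quote(cfg['user'])} "
            f"-h {shlex.quote(cfg['host'])} {shlex.quote(cfg['database'])} "
            f"| gzip > {shlex.quote(cfg['db_target'])}")
    lock = runner.open_lock_session(mysql, env)
    runner.send(lock, "FLUSH TABLES WITH READ LOCK;")
    runner.send(lock, f"SELECT '{MARKER}';")
    runner.wait_for_marker(lock)
    try:
        # both artefacts are produced while writes are blocked
        runner.run(["sh", "-c", dump], env=env)
        runner.run(["lvcreate", "-L", cfg["snap_size"], "-s", "-n", cfg["snap_name"], cfg["lvm_volume"]])
    finally:
        # release the lock even if a step failed; the portal was blocked only for seconds
        runner.send(lock, "UNLOCK TABLES;")
        runner.close(lock)
    runner.run(["mount", "-o", "ro", cfg["snap_volume"], cfg["snap_mount"]])
    try:
        runner.run(["rsync", "-a", cfg["snap_mount"] + cfg["source_path"] + "/", cfg["data_target"] + "/"])
    finally:
        runner.run(["umount", cfg["snap_mount"]])
        runner.run(["lvremove", "-f", cfg["snap_volume"]])
    return runner


# The post's example parameters (the password is the post's own placeholder value)
SAMPLE_CFG = {
    "user": "dba-backup", "password": "mypassword", "database": "lportal", "host": "localhost",
    "lvm_volume": "/dev/vg0/opt", "snap_volume": "/dev/vg0/opt-snapshot",
    "snap_name": "opt-snapshot", "snap_size": "50G", "snap_mount": "/backups/snapshot",
    "source_path": "/liferay-portal-6.1.0/data/document_library",
    "db_target": "/backups/mysql/lportal.sql.gz", "data_target": "/backups/liferay",
}

if __name__ == "__main__":
    import sys
    runner = DryRunner() if "--dry-run" in sys.argv else ShellRunner()
    consistent_backup(SAMPLE_CFG, runner)
    if isinstance(runner, DryRunner):
        print("\n".join(runner.log))
```

Run it with --dry-run first to see the exact command sequence; the try/finally blocks guarantee the tables are unlocked and the snapshot removed even when the dump or the copy fails halfway.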

Now, even if that doesn’t exactly match your system, I hope it gives you an idea of how to roll your own Liferay backup.

Debugging Maven Plugins
Sun, 27 May 2012 08:49:52 +0000

When developing Maven plugins things don’t always work the way you expect, so you need to debug the Mojo to see what’s really going on. I had a weird case where my plugin worked when I ran it independently, but when I ran it with mvn clean package it always failed. The first thing you can do is run in debug mode, which produces a lot more output and shows all the plugin execution configuration. You can enable it with the -X argument like this:

mvn -X clean package

Now that didn’t quite help with my case, so the next thing I did was to run it with a remote debugger. That way I could step through the code line by line and inspect all the variables. To do that you just modify the MAVEN_OPTS environment variable in the shell where you are executing your Maven plugin and add the Java debugger agentlib config like this:


I used suspend=y so that it would wait for my debugger to attach before continuing the execution. Then you just add some breakpoints in your IDE and remote debug it like any Java application. That, by the way, solved my issue, as I realized each of my Liferay Maven plugins was initializing the Liferay configuration, but since they were all run one after another in the same context only the first one mattered.

Configuring ActiveMQ 5 jms topic in Tomcat 6
Tue, 11 Dec 2007 14:15:27 +0000

For some reason it is quite difficult to find clear instructions on how to configure an ActiveMQ JMS topic in Tomcat as a JNDI reference and then consume messages from it in a message-driven POJO. I chose to use ActiveMQ 5 since it requires fewer dependent libraries to run than previous versions.

Start by downloading ActiveMQ 5.0.0 from the Apache ActiveMQ site.

You need the following jars to be located under CATALINA_HOME/lib:
– activemq-core-5.0.0.jar
– commons-logging-1.1.jar
– geronimo-j2ee-management_1.0_spec-1.0.jar (or another jar that has the same APIs)
– geronimo-jms_1.1_spec-1.0.jar (or another jar that has the javax.jms APIs)
– geronimo-jta_1.0.1B_spec-1.0.jar (or another jar that has the javax.transaction APIs)

You can find the above libraries in ACTIVEMQ_HOME/lib.

Then configure the topic and connection factory in CATALINA_HOME/conf/server.xml:

<Resource name="jms/ConnectionFactory" auth="Container"
	type="org.apache.activemq.ActiveMQConnectionFactory"
	description="JMS Connection Factory"
	factory="org.apache.activemq.jndi.JNDIReferenceFactory"
	brokerURL="vm://localhost" brokerName="LocalActiveMQBroker"/>

<!-- physicalName is the topic's name inside the broker; SAMPLE.TOPIC is a placeholder -->
<Resource name="jms/SampleTopic" auth="Container"
	type="org.apache.activemq.command.ActiveMQTopic"
	description="my Topic"
	factory="org.apache.activemq.jndi.JNDIReferenceFactory"
	physicalName="SAMPLE.TOPIC"/>

Then you need to add resource links to either CATALINA_HOME/conf/context.xml or your webapp’s META-INF/context.xml:

	<ResourceLink global="jms/ConnectionFactory" name="jms/ConnectionFactory" type="javax.jms.ConnectionFactory"/>
	<ResourceLink global="jms/SampleTopic" name="jms/SampleTopic" type="javax.jms.Topic"/>

You also need to add a resource-ref to your webapp’s web.xml.


Then configure the message-driven POJO with Spring. You should notice that this is really a POJO that does not know anything about JMS.


package fi.javaguru.mdp;

public class SamplePojo {

    // Invoked by Spring's MessageListenerAdapter with the unwrapped message payload
    public void doSomething(final String msg) {

        System.out.println("Got message: " + msg);
    }
}

Spring configuration for consuming messages:

<beans xmlns="">

    <jee:jndi-lookup id="jmsConnectionFactory" jndi-name="jms/ConnectionFactory" resource-ref="true"/>
    <jee:jndi-lookup id="jmsTopic" jndi-name="jms/SampleTopic"
		resource-ref="true" proxy-interface="javax.jms.Topic"/>

    <bean id="pojo" class="fi.javaguru.mdp.SamplePojo" />
    <bean id="listener" class="org.springframework.jms.listener.adapter.MessageListenerAdapter">
        <property name="delegate" ref="pojo"/>
        <property name="defaultListenerMethod" value="doSomething"/>
    </bean>

    <bean id="container" class="org.springframework.jms.listener.SimpleMessageListenerContainer">
        <property name="connectionFactory" ref="jmsConnectionFactory"/>
        <property name="messageListener" ref="listener"/>
        <property name="destination" ref="jmsTopic"/>
    </bean>

</beans>

This sample assumes you are sending String messages to the topic. You could also send other objects as long as the consumer knows about those objects. That’s it for now. I will write another post later that continues this sample with producing messages to a topic.

