Hi, I’m having a lot of trouble configuring the isapi_redirect connector between IIS and Tomcat. I am running out of ideas so it’s time to ask for help from the experts. I think the problems remaining are in the tomcat configuration area, not the IIS area anymore.
What's wrong: The ISAPI module appears to be working and correctly sending AJP requests to Tomcat on port 8009, at which point Tomcat refuses those requests with a 403 error. The isapi_redirect.log shows the complete content of the Tomcat response, and no longer shows any errors - in other words, it thinks it is working.

Text of the 403 error:

    HTTP Status 403 – Forbidden
    Type Status Report
    Description The server understood the request but refuses to authorize it.
    Apache Tomcat/8.5.51

What does work: Requests directly to Tomcat on port 8080 to pages within the connector-exposed web application work fine. For example, both of these work:

    localhost:8080/exposedApplication/simple.html (viewed on the server's browser)
    my.servers.domain.com:8080/exposedApplication/simple.html (viewed anywhere else)

What does not work: Requests that go through IIS and the connector to the connector-exposed application result in a 403 error. For example, this does not work:

    https://my.servers.domain.com/exposedApplication/simple.html

This Windows 2019 setup has the following versions of Tomcat, Windows, etc.:

    Tomcat version 8.5.51
    Isapi_redirect.dll version 1.2.46.0
    IIS 10/Windows Server 2019

I also have two older, similar Windows Server environments that work perfectly. They both use these versions:

    Tomcat version 8.5.3 (64 bit) as a service
    Isapi_redirect.dll version 1.2.40.0 64 bit
    IIS 8/Windows Server 2012R2

The component versions between the working and non-working environments are slightly different, and I think that might be the source of the problem - there are probably new configuration requirements that I need to be aware of. I started with the settings used in the working environments and found that some things needed to be changed to get the connector to work at all. For example, I had to specify an IPv4 address for the connector where I didn't need to before.

My theories at the moment:

1. Maybe allowedRequestAttributesPattern is a problem? I saw a note about the allowedRequestAttributesPattern attribute for the AJP connector possibly causing a 403 error, but I don't understand how to use it or if it is needed.

2. It's possible that something in the Tomcat permissions settings is wrong, but I really don't know where to look.

Relevant configuration settings in server.xml, workers.properties and uriworkermap.properties:

server.xml

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

    <Connector protocol="AJP/1.3"
               address="127.0.0.1"
               port="8009"
               requiredSecret="true"
               secret="xxxxxxxx"
               redirectPort="8443" />

    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true">
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="localhost_access_log" suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    </Host>

    <Host name="127.0.0.1" appBase="webapps"
          unpackWARs="true" autoDeploy="true">
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="127_0_01_access_log" suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    </Host>

workers.properties

    # Set properties for worker1 (ajp13)
    worker.worker1.type=ajp13
    worker.worker1.host=127.0.0.1
    worker.worker1.port=8009
    worker.worker1.secret=xxxxxxxx

uriworkermap.properties

    /exposedApplication/*=worker1

Any suggestions or new directions will be welcome.

Thank you,
Ellen Meiselman
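An added example, not part of the original message and not Tomcat project code: a small lint that cross-checks the AJP connector in server.xml against workers.properties for the secret and address settings quoted above. It assumes, per the Tomcat 8.5.51 connector documentation, that `requiredSecret` is a deprecated alias for `secret`, that `secretRequired` defaults to true and that the AJP address defaults to loopback; the function names and sample file contents are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the settings quoted in the message.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
             requiredSecret="true" secret="xxxxxxxx" redirectPort="8443" />
</Service></Server>"""
WORKERS = """# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.port=8009
worker.worker1.secret=xxxxxxxx
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_workers(text):
    """Return {worker_name: {property: value}} from workers.properties text."""
    workers = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        parts = key.strip().split(".", 2)
        if sep and len(parts) == 3 and parts[0] == "worker":
            workers.setdefault(parts[1], {})[parts[2]] = value.strip()
    return workers

def lint_ajp(server_xml, workers_text):
    """Return findings for each AJP connector and the workers that target its port."""
    findings = []
    workers = parse_workers(workers_text)
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # only AJP connectors carry a shared secret
        port = conn.get("port")
        old, new = conn.get("requiredSecret"), conn.get("secret")
        if old is not None and new is not None and old != new:
            findings.append(f"{port}: requiredSecret and secret both set with different values")
        if old is not None and old.lower() in ("true", "false"):
            findings.append(f"{port}: requiredSecret={old!r} is a secret value, not a boolean")
        secrets = {s for s in (old, new) if s}
        if not secrets and conn.get("secretRequired", "true").lower() != "false":
            findings.append(f"{port}: no secret configured while secretRequired is true")
        # Assumed default: loopback when no address attribute is present (8.5.51 behaviour).
        if conn.get("address", "127.0.0.1") not in LOOPBACK:
            findings.append(f"{port}: AJP listens on non-loopback {conn.get('address')}")
        for name, props in workers.items():
            if props.get("type") == "ajp13" and props.get("port") == port:
                if secrets and props.get("secret") not in secrets:
                    findings.append(f"{port}: worker {name} secret matches no connector secret")
    return findings
```

Calling `lint_ajp(SERVER_XML, WORKERS)` returns the list of findings for the constructed sample; an empty list means none of these checks fired.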