On 24/02/2020 20:44, calder wrote: > On Mon, Feb 24, 2020, 14:19 Ellen Meiselman <elle...@gmail.com> wrote: > >> Hi, >> >> I’m having a lot of trouble configuring the isapi_redirect connector >> between IIS and Tomcat. I am running out of ideas so it’s time to ask for >> help from the experts. I think the problems remaining are in the tomcat >> configuration area, not the IIS area anymore. >> >> What’s wrong: >> The ISAPI module appears to be working and correctly sending AJP requests >> to Tomcat on port 8009, at which point Tomcat refuses those requests with a >> 403 error. The isapi_redirect.log shows the complete content of the tomcat >> response, and no longer shows any errors - in other words, it thinks it is >> working. >> >> Text of the 403 error: >> >> HTTP Status 403 – Forbidden >> Type Status Report >> Description The server understood the request but refuses to >> authorize it. >> Apache Tomcat/8.5.51 >> > > > Is IIS returning the 403? If yes, we should see a "dot error" number, such > as 403.1 or 403.2, and so on.
All the evidence indicates that Tomcat, not IIS, is generating the 403 so the user will see a "proper" 403 rather than one of the IIS variants. > What does work: >> Requests directly to Tomcat on port 8080 to pages within the >> connector-exposed web application work fine. >> For example, both of these work: >> localhost:8080/exposedApplication/simple.html. (viewed on the server’s >> browser) >> my.servers.domain.com:8080/exposedApplication/simple.html (viewed >> anywhere else) >> >> >> What does not work: >> Requests that go through IIS and the connector to the connector-exposed >> application result in a 403 error. >> For example, this does not work: >> https:my.servers.domain.com/exposedApplication/simple.html >> >> >> This Windows 2019 setup has the following versions of tomcat, windows, etc: >> >> Tomcat version 8.5.51 >> Isapi_redirect.dll version 1.2.46.0 >> IIS 10/Windows server 2019 >> >> I also have two older, similar Windows Server environments that work >> perfectly. They both use these versions: >> >> Tomcat version 8.5.3 (64 bit) as a service >> Isapi_redirect.dll version 1.2.40.0 64 bit >> IIS 8/Windows server 2012R2 >> >> >> The component versions between the working and non-working environments >> are slightly different, and I think that might be the source of the problem >> - there are probably new configuration requirements that I need to be aware >> of. I started with the settings used in the working environments and found >> that some things needed to be changed to get the connector to work at alll. >> For example I had to specify an iPv4 address for the connector where I >> didn’t need to before. >> >> My theories at the moment: >> 1. Maybe allowedRequestAttributesPattern is a problem? I saw a note about >> the allowedRequestAttributesPattern attribute for the AJP connector >> possibly causing a 403 error, but I don’t understand how to use it or if it >> is needed. >> 2. It’s possible that something in the Tomcat permissions settings are >> wrong, but I really don’t know where to look. >> >> >> Relevant configuration settings in server.xml, workers.properties and >> uriworkermap.properties: >> >> server.xml >> >> <Connector port="8080" protocol="HTTP/1.1” connectionTimeout=“20000" >> redirectPort="8443" /> >> <Connector protocol="AJP/1.3” address=“127.0.0.1" port="8009" >> requiredSecret="true" secret=“xxxxxxxx" redirectPort="8443" /> >> >> <Host name="localhost" appBase=“webapps" unpackWARs="true" >> autoDeploy="true"> >> <Valve className="org.apache.catalina.valves.AccessLogValve" >> directory="logs" >> prefix="localhost_access_log" suffix=".txt" >> pattern="%h %l %u %t "%r" %s %b" /> >> </Host> >> >> <Host name="127.0.0.1" appBase=“webapps” unpackWARs="true" >> autoDeploy="true"> >> <Valve className="org.apache.catalina.valves.AccessLogValve" >> directory="logs" >> prefix="127_0_01_access_log" suffix=".txt" >> pattern="%h %l %u %t "%r" %s %b" /> >> </Host> >> >> >> workers.properties >> >> # Set properties for worker1 (ajp13) >> worker.worker1.type=ajp13 >> worker.worker1.host=127.0.0.1 >> worker.worker1.port=8009 >> worker.worker1.secret=xxxxxxxx >> >> uriworkermap.properties >> /exposedApplication/*=worker1 >> >> Any suggestions or new directions will be welcome. >> > > > A full stack trace (including any "caused by" statements) from Tomcat > *and* IIS would be helpful. There won't be any. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
