On 24/02/2020 20:53, Chris Cheshire wrote:
> On Mon, Feb 24, 2020 at 3:19 PM Ellen Meiselman <elle...@gmail.com> wrote:
>>
>> Hi,
>>
>> I’m having a lot of trouble configuring the isapi_redirect connector between
>> IIS and Tomcat. I am running out of ideas so it’s time to ask for help from
>> the experts. I think the problems remaining are in the Tomcat configuration
>> area, not the IIS area anymore.
>>
>> What’s wrong:
>> The ISAPI module appears to be working and correctly sending AJP requests to
>> Tomcat on port 8009, at which point Tomcat refuses those requests with a 403
>> error. The isapi_redirect.log shows the complete content of the Tomcat
>> response, and no longer shows any errors - in other words, it thinks it is
>> working.
>>
>> Text of the 403 error:
>>
>> HTTP Status 403 – Forbidden
>> Type Status Report
>> Description The server understood the request but refuses to authorize it.
>> Apache Tomcat/8.5.51
>>
>>
>> What does work:
>> Requests directly to Tomcat on port 8080 to pages within the
>> connector-exposed web application work fine.
>> For example, both of these work:
>> localhost:8080/exposedApplication/simple.html (viewed in the server’s browser)
>> my.servers.domain.com:8080/exposedApplication/simple.html (viewed anywhere else)
>>
>>
>> What does not work:
>> Requests that go through IIS and the connector to the connector-exposed
>> application result in a 403 error.
>> For example, this does not work:
>> https://my.servers.domain.com/exposedApplication/simple.html
>>
>>
>> This Windows 2019 setup has the following versions of Tomcat, Windows, etc.:
>>
>> Tomcat version 8.5.51
>> Isapi_redirect.dll version 1.2.46.0
>> IIS 10/Windows Server 2019
>>
>> I also have two older, similar Windows Server environments that work
>> perfectly. They both use these versions:
>>
>> Tomcat version 8.5.3 (64 bit) as a service
>> Isapi_redirect.dll version 1.2.40.0 64 bit
>> IIS 8/Windows Server 2012 R2
>>
>>
>> The component versions between the working and non-working environments are
>> slightly different, and I think that might be the source of the problem -
>> there are probably new configuration requirements that I need to be aware
>> of. I started with the settings used in the working environments and found
>> that some things needed to be changed to get the connector to work at all.
>> For example, I had to specify an IPv4 address for the connector where I
>> didn’t need to before.
>>
>> My theories at the moment:
>> 1. Maybe allowedRequestAttributesPattern is a problem? I saw a note about
>> the allowedRequestAttributesPattern attribute for the AJP connector possibly
>> causing a 403 error, but I don’t understand how to use it or if it is needed.
>> 2. It’s possible that something in the Tomcat permissions settings is
>> wrong, but I really don’t know where to look.
>>
>>
>> Relevant configuration settings in server.xml, workers.properties and
>> uriworkermap.properties:
>>
>> server.xml
>>
>> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
>>            redirectPort="8443" />
>> <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
>>            requiredSecret="true" secret="xxxxxxxx" redirectPort="8443" />
>>
>> <Host name="localhost" appBase="webapps" unpackWARs="true"
>>       autoDeploy="true">
>>   <Valve className="org.apache.catalina.valves.AccessLogValve"
>>          directory="logs" prefix="localhost_access_log" suffix=".txt"
>>          pattern="%h %l %u %t &quot;%r&quot; %s %b" />
>> </Host>
>>
>> <Host name="127.0.0.1" appBase="webapps" unpackWARs="true"
>>       autoDeploy="true">
>>   <Valve className="org.apache.catalina.valves.AccessLogValve"
>>          directory="logs" prefix="127_0_01_access_log" suffix=".txt"
>>          pattern="%h %l %u %t &quot;%r&quot; %s %b" />
>> </Host>
>>
>>
>> workers.properties
>>
>> # Set properties for worker1 (ajp13)
>> worker.worker1.type=ajp13
>> worker.worker1.host=127.0.0.1
>> worker.worker1.port=8009
>> worker.worker1.secret=xxxxxxxx
>>
>>
>> uriworkermap.properties
>> /exposedApplication/*=worker1
>>
>>
>> Any suggestions or new directions will be welcome.
>>
>> Thank you,
>>
>> Ellen Meiselman
>>
>
> Change requiredSecret="true" to secretRequired="true" in your AJP
> connector definition.
Well spotted Chris. I'd missed that.

requiredSecret==secret

The order attributes are processed in is not always the order in which they
are defined. The value of secret is probably being over-written with "true".

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
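An added check, not part of the thread and not Tomcat's own tooling: a small Python lint that parses a server.xml and a workers.properties file and flags the requiredSecret/secretRequired confusion Chris and Mark identified, a missing secret when secretRequired is in effect, a worker secret that does not match the connector, and an AJP connector explicitly bound to every interface. The sample configuration is reconstructed from the question with the secret left as the poster's placeholder; the behaviour it assumes (requiredSecret being an alias of secret, secretRequired defaulting to true) is that of Tomcat 8.5.51 as described in the thread.

```python
"""Lint Tomcat 8.5.51+ AJP <Connector> definitions for the secret-related
mistakes discussed in this thread.

Added example, not code from the thread or from Tomcat.  Assumes, as Mark
states above, that `requiredSecret` is an alias of `secret`, so
requiredSecret="true" feeds the literal string "true" to the secret setter
and whichever attribute is applied last wins.  Assumes `secretRequired`
defaults to true (Tomcat 8.5.51 behaviour).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the connectors as posted in the question, with mail
# client smart quotes normalised and the secret left as the poster's
# placeholder.  Wrapped in a minimal <Server><Service> so it parses.
BROKEN_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
             redirectPort="8443" />
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
             requiredSecret="true" secret="xxxxxxxx" redirectPort="8443" />
</Service></Server>"""

# Constructed sample: the same connector after applying Chris's fix.
FIXED_SERVER_XML = BROKEN_SERVER_XML.replace(
    'requiredSecret="true"', 'secretRequired="true"')

# Constructed sample: the worker definition from the question.
WORKERS_PROPERTIES = """# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
worker.worker1.secret=xxxxxxxx
"""


def worker_secret(workers_properties: str, worker: str):
    """Return worker.<name>.secret from workers.properties text, or None."""
    pattern = rf"^worker\.{re.escape(worker)}\.secret=(.*)$"
    m = re.search(pattern, workers_properties, re.M)
    return m.group(1).strip() if m else None


def ajp_connectors(server_xml: str):
    """All <Connector> elements whose protocol attribute is an AJP variant."""
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]


def lint_ajp_connector(conn, expected_secret=None):
    """Return a list of problem strings for one AJP <Connector> element."""
    a = conn.attrib
    problems = []
    if "requiredSecret" in a:
        # The attribute from older versions; in 8.5.51+ it sets `secret`.
        problems.append(
            f'requiredSecret="{a["requiredSecret"]}" is an alias of secret '
            'and may overwrite it; use secretRequired="true" instead')
    secret_required = a.get("secretRequired", "true").lower() != "false"
    if secret_required and not a.get("secret"):
        problems.append("secretRequired is in effect but no secret is set")
    if expected_secret is not None and a.get("secret") != expected_secret:
        problems.append(
            "secret does not match worker.secret in workers.properties")
    if a.get("address") in ("0.0.0.0", "::"):
        problems.append("AJP connector explicitly bound to all interfaces")
    return problems


def lint(server_xml: str, workers_properties: str, worker: str = "worker1"):
    """Lint every AJP connector in server_xml against the named worker."""
    expected = worker_secret(workers_properties, worker)
    return [p for conn in ajp_connectors(server_xml)
            for p in lint_ajp_connector(conn, expected)]


if __name__ == "__main__":
    for label, xml in (("broken", BROKEN_SERVER_XML),
                       ("fixed", FIXED_SERVER_XML)):
        print(label, lint(xml, WORKERS_PROPERTIES) or ["ok"])
```

Run against the posted configuration the only finding is the requiredSecret alias; with Chris's one-word change the connector passes, and a deliberately mismatched worker secret is reported as the 403-producing condition it is.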