Good news! You can shut off port 8080 by commenting out the HTTP Connector in server.xml. Did you have Require SSL on the IIS side? AJP doesn't use SSL, so it should work either way going through IIS.
Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President
Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions
Upcoming PTO: 11/8, 11/11, 11/15, 11/22, 11/28, 11/29, 12/2, 12/6, 12/13, 12/20 – 12/31
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.

-----Original Message-----
From: Ellen Meiselman <elle...@gmail.com>
Sent: Tuesday, February 25, 2020 3:48 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

So it turned out that the logs were mostly set at FINE already, so Johann's suggestion was already done.

But I think I now know where the problem lies: secure IIS request > to > non-secure AJP. I don't think this was a problem on the other servers before, but the security has probably been tightened, and it just doesn't produce an error - it just won't allow it.

I have had IIS set to require SSL, but I turned it off to test and it actually worked all the way through to the simple.html file. So it's some sort of policy about downgrading - which seems quite rational in retrospect.

For example, this HTTP address does work:
http://my.servers.domain.com/exposedApplication/simple.html

I never tried it because I knew I had set SSL to required. Sometimes you make assumptions that block progress.

This HTTPS address does not work - I get the 403 from Tomcat:
https://my.servers.domain.com/exposedApplication/simple.html

So - if this makes sense to any of you, please tell me roughly what I need to do to make the AJP requests as secure as the port 80 requests. I know keystores and .pem files are involved, but please give me the big picture - what port does AJP need to run on, and where do I go to find out how to tell it to use a "real" cert?

Also I'll have to figure out how to shut off port 8080 or require SSL on Tomcat once I get everything going. Actually I'd like to limit Tomcat to responding to requests from the server itself. Nothing should be talking to Tomcat but the ISAPI connector.

Thanks,
Ellen

> On Feb 25, 2020, at 4:07 PM, js84 <aon.913111...@aon.at> wrote:
>
> Hello!
>
> What are you using the secret property for when running Tomcat locally
> on the loopback interface?
>
> I suggest increasing the log level to "debug" temporarily. (Don't forget to
> reset it, because performance will slow down dramatically if the
> isapi_redirect log file grows on a Windows machine.)
>
> Best regards,
> Johann
>
> From: Christopher Schultz
> Sent: Tuesday, 25 February 2020 21:42
> To: users@tomcat.apache.org
> Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector
> and Tomcat
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Ellen,
>
> On 2/25/20 13:10, Ellen Meiselman wrote:
>> No, just that I don't know how to set this particular connector up
>> another way. I based this on the instructions on the isapi_connector
>> site http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
>> and on the 2 older servers we have which are working.
>>
>> I'm sort of thinking of suggesting that we get rid of IIS entirely and
>> switch to Tomcat. Then we can run the necessary Java application and
>> also serve all the HTML items we need to using the same web server.
>
> Tomcat is a perfectly good "plain old" web server.
> Some security
> people get all freaked-out when you suggest that Tomcat be exposed
> "directly" but IMHO it can't be any worse than IIS.
>
> But also IMHO there are always reasons to use a reverse proxy:
> flexibility and availability. When you are restarting Tomcat for
> whatever reason, what will clients see if they try to access your
> application? CONNECTION REFUSED? :( With the proxy in the way, that is
> much less likely. Also, if you want to serve Java web applications,
> python web applications, .NET whatevers, you'll be able to do that
> much more flexibly with a reverse-proxy in the mix.
>
> - -chris
>
>> On Tue, Feb 25, 2020 at 1:01 PM Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>>
>> Ellen,
>>
>> On 2/25/20 12:55, Ellen Meiselman wrote:
>>>>> Sorry - no, the quotes were not there except for a 5 minute test
>>>>> of a hopeless theory that they might be needed. Right now there is
>>>>> no secret at all in the workers.properties, and in the
>>>>> AJP connector I have secretRequired="false".
>>>>>
>>>>> Workers.properties:
>>>>> worker.worker1.type=ajp13
>>>>> worker.worker1.host=127.0.0.1
>>>>> worker.worker1.port=8009
>>>>>
>>>>> Server.xml:
>>>>> <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
>>>>> secretRequired="false" redirectPort="8443" />
>>
>> Hmm. I think we've all been operating under the assumption that the
>> "secret" (by whatever name) was the source of the problem. It appears
>> that was incorrect.
>>
>> Have a look at Jon's question about file permissions.
>>
>> Was this a configuration that had been working until recently, or is
>> this a new configuration that you haven't (yet) been able to get
>> working?
>>
>> Any reason not to use HTTP(S) for your protocol instead of AJP?
>>
>> -chris
>>
>>>>> On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz <
>>>>> ch...@christopherschultz.net> wrote:
>>>>>
>>>>> Ellen,
>>>>>
>>>>> On 2/25/20 12:06, Ellen Meiselman wrote:
>>>>>>>> Yes, everything is on the same server.
>>>>>>>>
>>>>>>>> workers.properties:
>>>>>>>> # Set properties for worker1 (ajp13)
>>>>>>>> worker.worker1.type=ajp13
>>>>>>>> worker.worker1.host=127.0.0.1
>>>>>>>> worker.worker1.port=8009
>>>>>>>> worker.worker1.secret="mySecret".
>>>>>
>>>>> Just so there is no confusion: your "mySecret" should have neither
>>>>> quotes nor the trailing period.
>>>>>
>>>>> Are those literally in your IIS config file?
>>>>>
>>>>> -chris
>>>>>
>>>>>>>> On Tue, Feb 25, 2020 at 11:27 AM
>>>>>>>> <jonmcalexan...@wellsfargo.com.invalid> wrote:
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Ellen Meiselman <elle...@gmail.com>
>>>>>>>>> Sent: Tuesday, February 25, 2020 10:01 AM
>>>>>>>>> To: Tomcat Users List <users@tomcat.apache.org>
>>>>>>>>> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I've been testing, and so far, there is no change in the
>>>>>>>>>> behavior. I am still getting the same Tomcat-based 403 error.
>>>>>>>>>>
>>>>>>>>>> Based on what you said above...
>>>>>>>>>>
>>>>>>>>>> secretRequired="true" (which is the default, so it can be
>>>>>>>>>> removed) secret="xxxxxxx"
>>>>>>>>>>
>>>>>>>>>> ...I removed secretRequired="true" and left secret.
>>>>>>>>>> So the connector definition now looks like this:
>>>>>>>>>>
>>>>>>>>>> <Connector protocol="AJP/1.3" address="127.0.0.1"
>>>>>>>>>> port="8009" secret="mySecret" redirectPort="8443"
>>>>>>>>>> />
>>>>>>>>>
>>>>>>>>> <SNIP>
>>>>>>>>>
>>>>>>>>> I'm assuming that your web-front-end is on the same server as
>>>>>>>>> your Tomcat instance, based on you having the address set to
>>>>>>>>> 127.0.0.1, correct? What do you have in your
>>>>>>>>> workers.properties file?
>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>>>
>>>>>
>>>
>>
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl5Vhr0ACgkQHPApP6U8
> pFh5Rg//WTLD7EEH9UVwjEri7uzawYO1IFneURN9LQYaMd7EkrC5NKbwoQieLwwW
> 3ylab6iSK1mjjKs3SiMVSIgBynDBBym6r7GtAd1xKGjlBHIYpeFFom1Y1W1K/PYg
> Cdzdcbu6uOHmwOvprAxlH8IRAkvLTQy1P4dUeNHaoZljdrzVDRuoYJIrnoR3TFhD
> 1EwrrITH5we9iQ93KoreaxQMqcR5GoxWe8kbVP8rzflZGbeQfpPT5P3XypWaRFIg
> 8pmyEP+x4U70JvXbAHHtjeiC6iOHjdEmuFBVZZV8bpipikcOEsY+t7WsZ9uJeMkh
> Su8A/234t4IX3uPXaQD7f6JBSbiqZ2UtUtCgTjHTAZpY+R5G/CErENz15Imw9n5z
> 8qpy6plCoXX7gjDSUqt4kzZMzv2ibskI2l3l8B4N6IGym+bozbbpor8lwODnegHg
> A1xYbLM4tLCDaN3p+TnMCpVh2JCWpz59azkNoxNFrQtAdvg5oiOP6ktvzg7sXMp3
> 7FtxzDbaF5xNoDzrsJTImw9+aRWnmngsCDkz3IjZTHJxqjLKktHLz8jMdBJX+1UO
> Vu0Xg/ORTv229wEDgoaynLjKRrVHwC1lMgV8LFoVtX3WwOhhmcuEFWWhwOaRcOAA
> 9QRLLWSBguA1vgxO3Ycd+FDoHa/kFTgK1MXO6ECwDFUUzFCTOGY=
> =4Wjy
> -----END PGP SIGNATURE-----
>
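The thread turns on a handful of settings that live in two files and have to agree: the AJP connector in server.xml (bound to 127.0.0.1, with a secret, or with secretRequired="false" as a stop-gap), the matching worker in the ISAPI redirector's workers.properties (where a secret written as "mySecret". is taken literally, quotes and period included), and the HTTP connector on 8080 that Jon suggests commenting out. The script below is an added example, not code from the thread or from the Tomcat project: it parses both files and reports each inconsistency. The sample file contents are constructed to reproduce the mistakes discussed above and their corrected form; the connector attributes (protocol, address, port, secret, secretRequired) and the worker.<name>.type/host/port/secret keys are the real Tomcat and isapi_redirect names, and the finding wording is my own.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample files (not from the thread). The "bad" pair reproduces the
# mistakes discussed above; the "good" pair is the corrected form.
BAD_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
               secretRequired="false" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""
BAD_WORKERS = """# Set properties for worker1 (ajp13)
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
worker.worker1.secret="mySecret".
"""
GOOD_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- HTTP connector commented out: only the ISAPI redirector reaches Tomcat
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    -->
    <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
               secret="mySecret" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""
GOOD_WORKERS = """worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
worker.worker1.secret=mySecret
"""


def parse_workers(text):
    """Parse workers.properties into {worker_name: {property: value}}."""
    workers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".")
        # Only worker.<name>.<property> lines matter here; worker.list is skipped.
        if len(parts) != 3 or parts[0] != "worker":
            continue
        workers.setdefault(parts[1], {})[parts[2]] = value.strip()
    return workers


def check_config(server_xml, workers_text):
    """Return a list of findings (strings); an empty list means the files agree."""
    findings = []
    # A commented-out <Connector> is not parsed, so it never shows up here.
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    ajp = [c for c in connectors if c.get("protocol", "HTTP/1.1").upper().startswith("AJP")]
    http = [c for c in connectors if not c.get("protocol", "HTTP/1.1").upper().startswith("AJP")]

    for c in http:
        findings.append("plain HTTP connector still enabled on port %s" % c.get("port"))
    if not ajp:
        findings.append("no AJP connector defined; the ISAPI redirector has nothing to talk to")

    workers = parse_workers(workers_text)
    for c in ajp:
        port = c.get("port")
        if c.get("address") not in LOOPBACK:
            findings.append("AJP connector on port %s is not bound to loopback (address=%r)"
                            % (port, c.get("address")))
        secret = c.get("secret")
        if c.get("secretRequired", "true").lower() == "false":
            findings.append('AJP connector on port %s has secretRequired="false"' % port)
        elif not secret:
            # secretRequired defaults to true; without a secret the connector refuses to start.
            findings.append("AJP connector on port %s requires a secret but none is set" % port)
        # Compare against every ajp13 worker that points at this connector's port.
        for name, props in workers.items():
            if props.get("type") != "ajp13" or props.get("port") != port:
                continue
            wsecret = props.get("secret")
            if wsecret is not None and (wsecret.startswith('"') or wsecret.endswith(".")):
                findings.append("worker %s secret is taken literally; remove the quotes/trailing period" % name)
            if wsecret != secret:
                findings.append("worker %s secret does not match the AJP connector secret" % name)
    return findings


if __name__ == "__main__":
    for label, xml, props in (("bad", BAD_SERVER_XML, BAD_WORKERS),
                              ("good", GOOD_SERVER_XML, GOOD_WORKERS)):
        print(label, check_config(xml, props) or ["OK"])
```

Running it against the "bad" pair reports the open 8080 connector, the disabled secret check, the literally-quoted worker secret and the resulting mismatch; the "good" pair reports nothing. On a real host, read the two files from the Tomcat conf directory and the isapi_redirect configuration directory instead of the embedded samples.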