Ellen,

On 2/25/20 16:47, Ellen Meiselman wrote:
> So it turned out that the logs were mostly set at FINE already, so
>  Johann’s suggestion was already done.
>
> But I think I now know where the problem lies. Secure IIS request
> to non-secure AJP.
>
> I don’t think this was a problem on the other servers before but
> the security has probably been tightened, and it just doesn’t
> produce an error - it just won’t allow it.
>
> I have had IIS set to require SSL

Does this mean that incoming connections require SSL or also outgoing
(e.g. proxy) connections? I'm super ignorant of IIS configuration.

> but I turned it off to test and it actually worked all the way
> through to the simple.html file. so it’s some sort of policy about
> downgrading - which seems quite rational in retrospect. For
> example, this HTTP address does work.
>
> http://my.servers.domain.com/exposedApplication/simple.html
>
> I never tried it because I knew I had set SSL to required.
> Sometimes you make assumptions that block progress.
>
> This HTTPS address does not work - I get the 403 from tomcat.
> https://my.servers.domain.com/exposedApplication/simple.html
>
> So - if this makes sense to any of you, please tell me roughly
> what I need to do to make the AJP requests as secure as the port
> 80 requests.

Um...

> I know keystores and .pem files are involved, but please give me
> the big picture - what port does AJP need to run on, and where do I
> go to find out how to tell it to use a "real" cert.
Traditionally, AJP is run over port 8009 but you can always choose any
port you wish as long as both sides of the connection (IIS, Tomcat)
agree on which port to use.

AJP is a non-secure protocol, full stop. You can tunnel it through
other things but, as some have mentioned, since you are using
localhost it's not super important to use encryption.

>
> Also I’ll have to figure out how to shut off port 8080 or require
> SSL on tomcat once I get everything going. Actually I’d like to
> limit Tomcat to responding to requests from the server itself.
> Nothing should be talking to Tomcat but the isapi connector.
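As an added illustration (not part of the thread or of Tomcat's own distribution), a server.xml fragment that does what the last quoted paragraph asks for: AJP on the traditional port 8009 bound to the loopback address only, the plain-HTTP connector on 8080 removed, and a shared secret required from the ISAPI redirector. The `secretRequired`/`secret` attributes assume a Tomcat release that has them (9.0.31, 8.5.51 or 7.0.100 and later); the secret value is a placeholder.

```xml
<!-- Constructed example fragment of conf/server.xml, not the
     thread author's configuration. Only the <Service> element is shown;
     the surrounding <Server> element is unchanged. -->
<Service name="Catalina">

  <!-- The default HTTP connector on 8080 is commented out so that
       nothing can reach Tomcat except through the AJP connector below.
       (Alternatively delete it, or bind it to address="127.0.0.1"
       if local debugging over HTTP is still wanted.) -->
  <!--
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000" />
  -->

  <!-- AJP on port 8009, as the reply describes. address="127.0.0.1"
       makes Tomcat listen on loopback only, so only the ISAPI
       redirector on the same host (IIS) can open an AJP connection.
       AJP carries no encryption of its own; loopback binding is what
       keeps the unencrypted traffic from ever leaving the machine. -->
  <Connector protocol="AJP/1.3"
             address="127.0.0.1"
             port="8009"
             secretRequired="true"
             secret="REPLACE_WITH_LONG_RANDOM_SECRET" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true">
    </Host>
  </Engine>
</Service>
```

The IIS side must carry the same values in the ISAPI redirector's workers.properties, e.g. `worker.ajp13w.host=127.0.0.1`, `worker.ajp13w.port=8009` and `worker.ajp13w.secret=REPLACE_WITH_LONG_RANDOM_SECRET`, otherwise Tomcat will refuse the connector's requests.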