Hi Chris,

> Does this mean that incoming connections require SSL or also outgoing
> (e.g. proxy) connections? I'm super ignorant of IIS configuration.

Incoming connections require SSL or will be upgraded to SSL. So if you
type in http, it will change to https. Right now because I do not have
SSL set as required, I can type in http and it stays http. At that
point, it starts working - I no longer get the 403 from Tomcat.

> My recommendation would be to take this opportunity to switch to HTTPS
> and dump AJP.

OK, I am willing to try - so to do that, would this be the procedure?

1. Set up certificates in Tomcat (big black box for me, but I'll try to
   figure it out)
2. Change the worker.worker1.type to HTTPS
3. Change the worker.worker1.port to 8443

Anything else?

Ellen

On Tue, Feb 25, 2020 at 5:47 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Ellen,
>
> Oops pressed SEND before I was done...
>
> On 2/25/20 16:47, Ellen Meiselman wrote:
> > So it turned out that the logs were mostly set at FINE already, so
> > Johann's suggestion was already done.
> >
> > But I think I now know where the problem lies. Secure IIS request to
> > non-secure AJP.
> >
> > I don't think this was a problem on the other servers before but
> > the security has probably been tightened, and it just doesn't
> > produce an error - it just won't allow it.
> >
> > I have had IIS set to require SSL
>
> Does this mean that incoming connections require SSL or also outgoing
> (e.g. proxy) connections? I'm super ignorant of IIS configuration.
>
> > but I turned it off to test and it actually worked all the way
> > through to the simple.html file. So it's some sort of policy about
> > downgrading - which seems quite rational in retrospect. For
> > example, this HTTP address does work.
> >
> > http://my.servers.domain.com/exposedApplication/simple.html
> >
> > I never tried it because I knew I had set SSL to required.
> > Sometimes you make assumptions that block progress.
> >
> > This HTTPS address does not work - I get the 403 from Tomcat.
> > https://my.servers.domain.com/exposedApplication/simple.html
> >
> > So - if this makes sense to any of you, please tell me roughly
> > what I need to do to make the AJP requests as secure as the port 80
> > requests.
>
> Um...
>
> > I know keystores and .pem files are involved, but please give me
> > the big picture - what port does AJP need to run on, and where do
> > I go to find out how to tell it to use a "real" cert.
>
> Traditionally, AJP is run over port 8009 but you can always choose any
> port you wish as long as both sides of the connection (IIS, Tomcat)
> agree on which port to use.
>
> AJP is a non-secure protocol, full stop. You can tunnel it through
> other things but, as some have mentioned, since you are using
> localhost it's not super important to use encryption.
>
> If you DO need encryption, you have two choices:
>
> 1. Tunnel AJP over e.g. TLS using a tool like stunnel, which is
> actually available for Windows. It's a little more "at home" in *NIX
> environments, but I've heard it works just as well on Windows. If you
> do this, you WILL need to deal with keys and certs.
>
> 2. Drop AJP and use HTTPS. I don't believe there are any features
> you can't get working through HTTP that AJP provides. I think this
> also means you no longer need a special IIS redirector plug-in
> anymore, so it's 100% vanilla IIS at that point. If you do this, you
> WILL need to deal with keys and certs.
>
> But are you sure you need encryption?
>
> If you are using localhost, it's worthless IMHO. If you are traversing
> a network -- even a "trusted" one -- it's a hard requirement also IMHO.
>
> My recommendation would be to take this opportunity to switch to HTTPS
> and dump AJP.
>
> > Also I'll have to figure out how to shut off port 8080 or require
> > SSL on Tomcat once I get everything going. Actually I'd like to
> > limit Tomcat to responding to requests from the server itself.
> > Nothing should be talking to Tomcat but the isapi connector.
>
> Bind to address="127.0.0.1" and only on ports that IIS is using for
> proxying. If that means AJP over 8009, then use that. If that means
> HTTPS over port 8443, then use that. Just comment out the connector
> you DON'T need.
>
> You'll never really know what protocol the client is using to talk to
> the (reverse) proxy, so you have to make some assumptions. If you have
> configured IIS to only proxy requests over a secure channel from the
> client (which I highly recommend!) then you can assume that all
> connections, regardless of protocol or port, are indeed secure where it
> counts: between the client and the reverse proxy.
>
> If you only want "secure" connections from the client, then you will
> want to set both secure="true", scheme="https", and proxyPort="443" on
> your <Connector>. This makes Tomcat generate https:// URLs with the
> right port number, etc. for redirects, and also won't cause a redirect
> storm if the application specifies that it wants to use only "secure"
> connections (which I also highly recommend).
>
> - -chris
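The Tomcat side of what Chris describes (an HTTPS connector bound to 127.0.0.1 with secure/scheme/proxyPort set, the connectors IIS does not proxy to commented out), written out as an added server.xml example. This is not configuration from the thread or from the Tomcat project; it assumes Tomcat 8.5 or 9 (SSLHostConfig syntax), and the keystore path, keystore password and proxyName value are placeholders you would replace with your own.

```xml
<!-- Added example: server.xml Service fragment for Tomcat behind an IIS
     reverse proxy on the same host. Ports 8443/8009/8080 and the hostname
     are the ones mentioned in the thread; everything else is assumed. -->
<Service name="Catalina">

  <!-- HTTPS connector that IIS proxies to. address="127.0.0.1" makes Tomcat
       listen on loopback only, so nothing off-host can reach it directly.
       scheme/secure/proxyPort describe how the *client* reached IIS, so that
       redirects and request.isSecure() reflect https://host:443/... rather
       than https://127.0.0.1:8443/... and do not trigger a redirect loop. -->
  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             address="127.0.0.1"
             SSLEnabled="true"
             scheme="https"
             secure="true"
             proxyName="my.servers.domain.com"
             proxyPort="443"
             maxThreads="150">
    <SSLHostConfig>
      <!-- Placeholder keystore: point this at the keystore holding the
           server key and certificate you set up in step 1. -->
      <Certificate certificateKeystoreFile="conf/tomcat-keystore.p12"
                   certificateKeystorePassword="CHANGE_ME"
                   certificateKeystoreType="PKCS12"
                   type="RSA" />
    </SSLHostConfig>
  </Connector>

  <!-- Plain HTTP on 8080 is not used by the proxy, so it stays commented out
       rather than being left open as a second, unencrypted way in. -->
  <!--
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000" redirectPort="8443" />
  -->

  <!-- Keep this only if you stay with the ISAPI redirector; it is still
       loopback-only. Tomcat 9.0.31 / 8.5.51 and later also expect a shared
       secret on AJP connectors unless secretRequired="false", so the same
       secret must then be set on the IIS side as well. -->
  <!--
  <Connector port="8009" protocol="AJP/1.3"
             address="127.0.0.1"
             secretRequired="true" secret="CHANGE_ME"
             redirectPort="8443" />
  -->

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>
```

proxyName is optional if IIS forwards the original Host header; without it, Tomcat falls back to whatever Host value the proxy sends. One check worth doing after restarting: from the server itself, confirm that only 127.0.0.1:8443 is listening (for example with `netstat -an`) and that a request to the public https://my.servers.domain.com/... URL is answered through IIS, which means IIS must be configured to trust the certificate Tomcat presents on the loopback connection.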