Hi, On Mon, Mar 9, 2020 at 9:34 PM Piyush Kumar Nayak <pna...@adobe.com.invalid> wrote:
> There appears to be a change in the behavior of AJP connector in Tomcat, > with respect to the protocol stack of the loopback address it binds to. > With older versions it binds to both IPv6 and IPv4 interface, but with > 9.0.31 it appears to bind to IPv4 only, if the address attribute is removed > from the connector config Do you use java.net.preferIPv4Stack or java.net.preferIPv6Stack system properties ? Tomcat Ajp protocol uses getEndpoint().setAddress(InetAddress.getLoopbackAddress()); [1] which by default would use ipv6 [2]. netstat would print 127.0.0.1 but the protocol will be tcp6 (first column), not tcp 1. https://github.com/apache/tomcat/blob/613babf191855c9bfed845b6926c012965840849/java/org/apache/coyote/ajp/AbstractAjpProtocol.java#L53 2. https://docs.oracle.com/javase/8/docs/technotes/guides/net/ipv6_guide/index.html The problem is that the server socket can bind only on one interface (ipv4 or ipv6) or all interfaces (both ipv4 and ipv6 + both loopback and external ones), but there is no option to bind only all loopback interfaces. I've just played a bit with this, binding on netAddress.getLoopbackAddress() gives (Ubuntu 19.10): tcp6 0 0 127.0.0.1:23456 :::* LISTEN 11756/java and then I can connect to it by using either "localhost" or "127.0.0.1" as a hostname for the client socket. Using "::1" or any of 127.x.y.z different than 127.0.0.1 fails as well. I need to bind a ServerSocket for those additionally to make it work. As we have found in one of the mail threads few days ago at the moment the only way to bind to several addresses is to have two <Connector> elements in server.xml - one for "127.0.0.1" and another for "::1". If one needs to listen on 127.0.0.2 then a third <Connector> would be needed. We can define custom address like "loopback" for which Tomcat will bind on both "127.0.0.1" and "::1" depending on the values of java.net.preferIPv4Stack and java.net.preferIPv6Addresses, but I am not sure whether it is worth it So ugly test code ahead:import java.io.BufferedReader; import java.io.IOException; import java.io.InputStreamReader; import java.io.OutputStream; import java.net.InetAddress; import java.net.ServerSocket; import java.net.Socket; import java.nio.charset.StandardCharsets; /** * */ public class Test { public static class Server { public static void main(String[] args) throws IOException { InetAddress[] addr = new InetAddress[] { InetAddress.getLoopbackAddress(), InetAddress.getByName("::1") // THIS IS NEEDED for clients to be able to connect to ::1 }; for (final InetAddress address : addr) { ServerSocket server = new ServerSocket(23456, 10, address); server.setReuseAddress(true); System.out.println("Accepting at " + address); Thread t = new Thread(() -> { try { while (true) { final Socket accepted = server.accept(); System.out.println("Accepted connection from: " + accepted); try (OutputStream outputStream = accepted.getOutputStream()) { outputStream.write("Blah".getBytes(StandardCharsets.UTF_8)); } } } catch (IOException e) { e.printStackTrace(); } }); t.start(); } System.in.read(); } } public static class Client { public static void main(String[] args) throws IOException { int portNumber = 23456; String[] hostNames = new String[] { "localhost", "127.0.0.1", "::1" }; for (final String hostname : hostNames) { InetAddress addr = InetAddress.getByName(hostname); try ( Socket echoSocket = new Socket(addr, portNumber); BufferedReader in = new BufferedReader( new InputStreamReader(echoSocket.getInputStream())); ) { System.out.println(hostname + ": Read: " + in.readLine()); } } } } } I'll be glad if someone shows me a trick to bind on all loopback interfaces with one ServerSocket! Martin > > > Tomcat 9.0.16 - default config > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> > netstat -ano | findstr 8009 > TCP 0.0.0.0:8009 0.0.0.0:0 LISTENING > 19832 > TCP [::]:8009 [::]:0 LISTENING > 19832 > > Tomcat 9.0.31 - note that address attribute is removed... in the standard > config it is set to "::1". > <Connector protocol="AJP/1.3" port="8009" redirectPort="8443" > secret="seckey" /> > netstat -ano | findstr 8009 > TCP 127.0.0.1:8009 0.0.0.0:0 LISTENING > 8964 > > Even if the default is used it listens to IPv6 only > <Connector protocol="AJP/1.3" address="::1" port="8009" > redirectPort="8443" secret="seckey" /> > TCP [::1]:8009 [::]:0 LISTENING 3880 > As per the docs, the default for ipv6v6only attribute is false. Should it > not listen to both the protocol stacks. > > -Piyush. > > -----Original Message----- > From: Piyush Kumar Nayak <pna...@adobe.com.INVALID> > Sent: Saturday, March 7, 2020 5:29 PM > To: Tomcat Users List <users@tomcat.apache.org> > Subject: RE: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31 > > Chris, > In both the cases, ISAPI and mod_jk, the hostname is set to "localhost" > Tomcat and webserver are on the same host machine. > > > -----Original Message----- > From: Christopher Schultz <ch...@christopherschultz.net> > Sent: Friday, March 6, 2020 8:20 PM > To: users@tomcat.apache.org > Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Piyush, > > On 3/5/20 14:40, Piyush Kumar Nayak wrote: > > Thanks Mark, Two connector configs works. Any ideas, on why the > > behavior if different for ISAPI and mod_jk modules? > > What do your configurations look like for each module? > > - -chris > > > -----Original Message----- From: Mark H. Wood <mw...@iupui.edu> > > Sent: Thursday, March 5, 2020 10:28 PM To: users@tomcat.apache.org > > Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31 > > > > On Thu, Mar 05, 2020 at 01:52:57PM +0000, Piyush Kumar Nayak > > wrote: > >> Is there a way to get Tomcat's AJP connector to bind to both IPv4 and > >> IPv6 loopback addresses. > >> > >> By default, it seems that Tomcat binds to IPv4 loopback Default > >> connector config : <Connector protocol="AJP/1.3" port="8014" > >> redirectPort="8447" packetSize="65535" secret="xxx" > >> tomcatAuthentication="false"/> > >> > >> netstat -ano | findstr 8014 TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING > >> 8616 TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED > >> 8616 TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800 > >> > >> Introducing the address attribute like so : <Connector > >> protocol="AJP/1.3" address="::1" port="8014" redirectPort="8447" > >> packetSize="65535" secret="xxx" tomcatAuthentication="false"/> binds > >> it to IPv6 loopback TCP [::1]:8014 [::]:0 LISTENING 8616 TCP > >> [::1]:8014 [::1]:57522 ESTABLISHED 8616 TCP [::1]:57522 > >> [::1]:8014 ESTABLISHED 6564 > >> > >> Is there a way to make it bind to both the loopbacks. The problem we > >> are facing is our Tomcat installations can have connector configured > >> with IIS or Apache HTTPD. Apache connector, by default seems to make > >> a socket connection using the address ::1 (IPv6 loop back address), > >> whereas IIS connector tries to bind to the > >> IPv4 loopback. > > > > Two things I would try: > > > > 1. Two connectors, one with address='::1' and the other with > > address='127.0.0.1', both with port='8014'. > > > > 2. Configure the other end explicitly: tell HTTPD and IIS which > > address to use, and then configure your AJP Connector to match. > > > > -- Mark H. Wood Lead Technology Analyst > > > > University Library Indiana University - Purdue University Indianapolis > > 755 W. Michigan Street Indianapolis, IN 46202 > > 317-274-0749 www.ulib.iupui.edu > > > > --------------------------------------------------------------------- > > > > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > -----BEGIN PGP SIGNATURE----- > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ > > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl5iYv0ACgkQHPApP6U8 > pFj1zQ//ad7HvYwxxRINeF0UFw2bA1cIOcvJ2E5tFqDvdEtu52RIkQQaqNF2cMlA > VCE3M2HZFL2WvazAAVWFpzt3pIU0fe7BPAJneNF850maFHQ+05Agh3MKd/2VUjhe > 5rad1JeNqRlXAAmPCEqOCewxj2z9+yEyNu/x2hHlEpFVdSpeTjGQbhiAEBL50qjk > FICEtw9QrCXw9JHCtPC5XBcbbkoUboejbeTdKz6n31djkwFpLigISgEds8haF7Kl > E7jx46/rqXxOUyRR9JFzWjGUC5Aim51WDn+gJruUhkd/CLAUcIHbbG6G3J7FKQGp > kYah8/sBCjCxuHVQtzmj6CopuYr+EkLNTe9GZyLnVDlQCv5GGSmwlsNSehRMEVbC > rDjoRbbaG/tDjtO9dao8w1Okae91DobzwdpM1XIKIuYgUuU83f+bz4P0KfCfeVzH > OH/YEmSFChynlYU31dd7HJTqdJUOVT2kTK3qncon2PEDHBoyEC+/F1wTFb16WlG9 > XCG31UqhxGXxJ5p8Z5ts4jgaTRgNEMJQk19MCKfQcF6TAE8zXrOIRaTArB5eh1Ch > QgvUU2MFAYIoAup+5vQtaX52+9YM2CMPFy6IMdikNFCsy1O/2K11H7vf+K18xsmm > TOYf6up+AfAkcPTlzKfBhY0zjInVuYRZpM+oXqZm6oAC/TNH2G8= > =/AOd > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > B KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKCB > [ X ܚX K K[XZ[ > \ \ ][ X ܚX P X ] > \ X K ܙ B ܈ Y ] [ۘ[ [X[ K[XZ[ > \ \ Z [ X ] > \ X K ܙ B >
