Here is the additional information:

The error page looks like Tomcat:

HTTP Status 403 – Forbidden

  _____

Type Status Report

Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine 
Autorisierung.

  _____

Apache Tomcat/8.5.53

The Apache HTTPD log file says:

- "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"

- "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 
"https://dev-fordatis.fraunhofer.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; 
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 
Edg/80.0.361.69"



The Tomcat says:

- - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630

- - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630



The server on which all is running is:

Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 
x86_64 x86_64 x86_64 GNU/Linux



There is no new entry in the Apache HTTPD error.log concerning these requests.



Help is appreciated

Florian Fritze

--

Florian Fritze M.A.

Fraunhofer-Informationszentrum Raum und Bau IRB

Competence Center Research Services & Open Science

Nobelstr. 12, 70569 Stuttgart, Germany

Phone +49 711 970-2713

florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de





-----Original Message-----
From: André Warnier (tomcat/perl) <a...@ice-sa.com>
Sent: Friday, 20 March 2020 10:14
To: users@tomcat.apache.org
Subject: Re: AW: AJP Connector issue



On 20.03.2020 08:23, Fritze, Florian wrote:

> Hello Chris,
>
> thanks for the reply. Maybe I am doing something wrong, but setting
> secretRequired="false" does not solve my issue. Let me show you what I
> did and experience: I added <Connector port="8011" protocol="AJP/1.3"
> redirectPort="8443" secretRequired="false" /> to the Tomcat
> configuration and the ajp connector on the Apache HTTPD side connects
> to 8011. When I now visit my website I got HTTP Status 403 – Forbidden



And just to make diagnosis a bit quicker: does that 403 error page look like 
an Apache httpd page, or a tomcat page? (they look quite different in style).

Also, can you check both the httpd logs, and the tomcat logs for that request, 
and check what they say? (compare by timestamp and URI)

Also, under what OS does your front-end httpd run?



>
> I attached also the error page as a screenshot to this mail. This
> behaviour exists only since the Ghostcat fix release (I know that this
> has nothing to do with security fix but probably with the release itself).
>
> Thanks in advance
> Florian
>
> --
> Florian Fritze M.A.
> Fraunhofer-Informationszentrum Raum und Bau IRB Competence Center
> Research Services & Open Science Nobelstr. 12, 70569 Stuttgart,
> Germany Phone +49 711 970-2713
> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
>
> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Thursday, 19 March 2020 20:14
> To: users@tomcat.apache.org
> Subject: Re: AJP Connector issue
>


> Florian,
>
> On 3/19/20 07:43, Fritze, Florian wrote:
>> since the Tomcat release with the Ghostcat security fix (Tomcat
>> 8.5.51) me as an admin have the problem using the
>> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to
>> connect the Apache HTTPD with the Tomcat running on localhost. The
>> attribute secretRequired must be set to „true“ or „false“ with
>> „false“ set the connection is not possible between Tomcat and Apache HTTPD.
>
> When you have set secretRequired="false", it's not possible to
> connect? When you try to connect, what DOES happen?
>
>> With „true“ the Apache development is not ready in the current
>> version to work with the „secret“ attribute. Only the next version of
>> Apache 2.4 supports this attribute.
>
> Correct. Support for secret= in mod_proxy_ajp was evidently never
> really a priority for anybody until now.
>
>> So I want to use the newest Tomcat version and an AJP connector but
>> after the Ghostcat fix release there is this attribute which does not
>> work in my configuration.
>>
>> Are there any suggestions or solutions available that you can deliver
>> me (links or documentation, etc.)
>
> secretRequired="false" should be all you need.
>
> Of course, to be truly secure, you need to make sure that not just
> anybody can make requests through your AJP interface. Have you secured
> that interface from potential evildoers?
>
> -chris


> ---------------------------------------------------------------------

> To unsubscribe, e-mail: 
> users-unsubscr...@tomcat.apache.org<mailto:users-unsubscr...@tomcat.apache.org>

> For additional commands, e-mail: 
> users-h...@tomcat.apache.org<mailto:users-h...@tomcat.apache.org>

>
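The comparison by timestamp and URI requested in the quoted reply, written out as an added example that is not part of the original thread: it pairs each 403 in the httpd access log with the Tomcat access log to tell which tier issued the refusal. The sample lines are constructed after the excerpts in the message (client address, shortened user agent and the `/server-status` request are invented), and entries are assumed to agree to the second in both logs.

```python
import re
from collections import Counter

# Shared tail of httpd "combined" and Tomcat "common" access-log lines:
#   [timestamp] "METHOD URI PROTOCOL" status bytes
ENTRY = re.compile(
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
    r'\s+(?P<status>\d{3})\s+(?:\d+|-)'
)

def parse(lines):
    """Yield (timestamp, method, uri, status) for each parsable line."""
    for line in lines:
        m = ENTRY.search(line)
        if m:
            yield m["ts"], m["method"], m["uri"], int(m["status"])

def locate_403(httpd_lines, tomcat_lines):
    """Report, for every 403 httpd logged, which tier produced it."""
    backend = Counter(parse(tomcat_lines))  # multiset of backend entries
    report = []
    for key in parse(httpd_lines):
        ts, _method, uri, status = key
        if status != 403:
            continue
        if backend[key] > 0:
            backend[key] -= 1   # consume, so repeated requests pair 1:1
            origin = "tomcat"   # request crossed AJP and Tomcat refused it
        else:
            origin = "httpd"    # no backend entry: httpd answered by itself
        report.append((ts, uri, origin))
    return report

# Constructed sample input (see the lead-in for what is invented).
HTTPD_LOG = [
    '192.0.2.10 - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Mar/2020:10:57:02 +0100] "GET /server-status HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]
TOMCAT_LOG = [
    '- - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630',
    '- - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630',
]

if __name__ == "__main__":
    for ts, uri, origin in locate_403(HTTPD_LOG, TOMCAT_LOG):
        print(f"{ts}  {uri:<16} 403 issued by {origin}")
```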




