Christopher,

Is there an entry that can go in the AJP connector to restrict what addresses 
it will listen to requests from? Meaning you can list the IP addresses of the 
web servers?

I know I'm top replying, but Outlook sucks with this. :-(

Thanks,


Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

Upcoming PTO: 11/8, 11/11, 11/15, 11/22, 11/28, 11/29, 12/2, 12/6, 12/13, 12/20 
– 12/31

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Friday, March 20, 2020 11:40 AM
To: users@tomcat.apache.org
Subject: Re: AW: AW: AJP Connector issue


RK,

On 3/20/20 09:57, RK Ashburn wrote:
> I have tested a successful AJP connector with apache proxy on (tomcat 7)
>
> 1. For AJP connector adding secretRequired="false" and address="0.0.0.0"
> resolved my connectivity issue. I suspect the issue you are having
> (with 403) is more like a permissions issue on the site the request is
> trying to reach, than an AJP connector configuration issue.

Binding to "all interfaces" may work, but it's not terribly secure.
Are you really expecting an AJP connection from anywhere in the world?

-chris

> On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian <florian.fri...@irb.fraunhofer.de> wrote:
>
>> Just to make it clear what from my opinion the problem is:
>>
>> SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8011]]
>> org.apache.catalina.LifecycleException: Der Start des Protokoll-Handlers ist fehlgeschlagen
>>   at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
>>   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>   at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
>>   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>   at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
>>   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>   at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
>>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>   at java.lang.reflect.Method.invoke(Method.java:498)
>>   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>>   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>> Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
>>   at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
>>   at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
>>   ... 12 more
>>
>> This new "secretRequired" attribute prevents the Tomcat from starting
>> flawlessly. It was first introduced with the Ghostcat release. So
>> this is a wish from me to the Tomcat developers:
>> Please set this new attribute not mandatory but optional. So that I
>> can run the newest Tomcat without this attribute which I do now with
>> the pre-Ghostcat releases.
>>
>> Have a nice weekend
>> Florian Fritze
>>
>> --
>> Florian Fritze M.A.
>> Fraunhofer-Informationszentrum Raum und Bau IRB
>> Competence Center Research Services & Open Science
>> Nobelstr. 12, 70569 Stuttgart, Germany
>> Phone +49 711 970-2713
>> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
>>
>>
>> -----Original Message-----
>> From: André Warnier (tomcat/perl) <a...@ice-sa.com>
>> Sent: Friday, 20 March 2020 13:34
>> To: users@tomcat.apache.org
>> Subject: Re: AW: AW: AJP Connector issue
>>
>> Ok, so it looks like :
>> - the request is effectively reaching tomcat, and that it is tomcat
>>   sending back the 403 response.
>> - the URL is "/", so presumably it is "well-formed" etc.
>>
>> Furthermore, according to something you wrote below, both Apache httpd and
>> tomcat are running on the same Linux host.
>>
>> This reminds me vaguely of some issue previously (and recently) discussed
>> on the list, with some request attributes which tomcat did not like..
>> But I do not remember precisely what the issue was, and it also seems to
>> me that this concerned an IIS front-end, not Apache httpd.
>>
>> Perhaps someone else on the list has a better idea.
>>
>>
>> Incidentally, it also seems that you are, in httpd, proxying
>> *all* requests to tomcat. Which raises the question of why you have a
>> httpd front-end in the first place. (But that's a later discussion maybe,
>> let's first see why "/" doesn't work)
>>
>>
>> On 20.03.2020 11:07, Fritze, Florian wrote:
>>> Here is the additional information:
>>>
>>> The error page looks like Tomcat:
>>>
>>> HTTP Status 403 – Forbidden
>>>
>>> _____
>>>
>>> Type Status Report
>>>
>>> Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine Autorisierung.
>>>
>>> _____
>>>
>>> Apache Tomcat/8.5.53
>>>
>>> The Apache HTTPD log file says:
>>>
>>> - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>>
>>> - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "https://dev-fordatis.fraunhofer.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>>
>>> The Tomcat says:
>>>
>>> - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
>>>
>>> - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630
>>>
>>> The server on which all is running is:
>>>
>>> Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> There is no new entry in the Apache HTTPD error.log concerning these requests.
>>>
>>> Help is appreciated
>>>
>>> Florian Fritze
>>>
>>> --
>>> Florian Fritze M.A.
>>> Fraunhofer-Informationszentrum Raum und Bau IRB
>>> Competence Center Research Services & Open Science
>>> Nobelstr. 12, 70569 Stuttgart, Germany
>>> Phone +49 711 970-2713
>>> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
>>>
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: André Warnier (tomcat/perl) <a...@ice-sa.com>
>>> Sent: Friday, 20 March 2020 10:14
>>> To: users@tomcat.apache.org
>>> Subject: Re: AW: AJP Connector issue
>>>
>>>
>>>
>>> On 20.03.2020 08:23, Fritze, Florian wrote:
>>>
>>>> Hello Chris,
>>>>
>>>> thanks for the reply. Maybe I am doing something wrong, but setting
>>>> secretRequired="false" does not solve my issue. Let me show you what I
>>>> did and experience: I added <Connector port="8011" protocol="AJP/1.3"
>>>> redirectPort="8443" secretRequired="false" /> to the Tomcat
>>>> configuration and the ajp connector on the Apache HTTPD side connects
>>>> to 8011. When I now visit my website I got HTTP Status 403 – Forbidden
>>>
>>> And just to make diagnosis a bit quicker : does that 403 error page look
>>> like an Apache httpd page, or a tomcat page ? (they look quite different in
>>> style).
>>>
>>> Also, can you check both the httpd logs, and the tomcat logs
>>> for that request, and check what they say ? (compare by
>>> timestamp and URI)
>>>
>>> Also, under what OS does your front-end httpd run ?
>>>
>>>
>>>
>>>>
>>>> I attached also the error page as a screenshot to this mail. This
>>>> behaviour exists only since the Ghostcat fix release (I know that this
>>>> has nothing to do with security fix but probably with the release itself).
>>>>
>>>> Thanks in advance
>>>> Florian
>>>>
>>>> --
>>>> Florian Fritze M.A.
>>>> Fraunhofer-Informationszentrum Raum und Bau IRB
>>>> Competence Center Research Services & Open Science
>>>> Nobelstr. 12, 70569 Stuttgart, Germany
>>>> Phone +49 711 970-2713
>>>> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
>>>>
>>>> -----Original Message-----
>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>> Sent: Thursday, 19 March 2020 20:14
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: AJP Connector issue
>>>>
>>>> Florian,
>>>>
>>>> On 3/19/20 07:43, Fritze, Florian wrote:
>>>>> since the Tomcat release with the Ghostcat security fix (Tomcat
>>>>> 8.5.51) me as an admin have the problem using the
>>>>> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to
>>>>> connect the Apache HTTPD with the Tomcat running on localhost. The
>>>>> attribute secretRequired must be set to "true" or "false"; with
>>>>> "false" set the connection is not possible between Tomcat and Apache HTTPD.
>>>>
>>>> When you have set secretRequired="false", it's not possible to
>>>> connect? When you try to connect, what DOES happen?
>>>>
>>>>> With "true" the Apache development is not ready in the current
>>>>> version to work with the "secret" attribute. Only the next version of
>>>>> Apache 2.4 supports this attribute.
>>>>
>>>> Correct. Support for secret= in mod_proxy_ajp was evidently never
>>>> really a priority for anybody until now.
>>>>
>>>>> So I want to use the newest Tomcat version and an AJP connector but
>>>>> after the Ghostcat fix release there is this attribute which does not
>>>>> work in my configuration.
>>>>>
>>>>> Are there any suggestions or solutions available that you can deliver
>>>>> me (links or documentation, etc.)
>>>>
>>>> secretRequired="false" should be all you need.
>>>>
>>>> Of course, to be truly secure, you need to make sure that not just
>>>> anybody can make requests through your AJP interface. Have you secured
>>>> that interface from potential evildoers?
>>>>
>>>> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
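As an added example (not code from this thread or from the Tomcat project), a small audit over the AJP connector settings discussed above: it flags the secretRequired="true"-without-secret combination from Florian's stack trace and the address="0.0.0.0" bind Chris cautions against. Note for Jon's question that the address attribute selects the local interface Tomcat listens on; it is not a list of permitted peers, so restricting which web servers may connect is a job for a host firewall (or a loopback bind when httpd is co-located, as here). The sample server.xml, port numbers beyond 8011 and the secret value are constructed placeholders.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed server.xml fragment: the connectors quoted in this thread plus a
# hardened one. The secret value is a placeholder, not a real credential.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8011" protocol="AJP/1.3" redirectPort="8443" secretRequired="false" />
    <Connector port="8012" protocol="AJP/1.3" address="0.0.0.0" secretRequired="false" />
    <Connector port="8013" protocol="AJP/1.3" secretRequired="true" />
    <Connector port="8014" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER_SECRET" />
  </Service>
</Server>"""

def _is_loopback(addr):
    """True for localhost names/addresses; unknown hostnames count as non-loopback."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def audit_ajp_connectors(server_xml):
    """Return {port: [issue, ...]} for every AJP/1.3 connector in server_xml."""
    report = {}
    for c in ET.fromstring(server_xml).iter("Connector"):
        if not c.get("protocol", "HTTP/1.1").startswith("AJP/"):
            continue  # HTTP connectors are out of scope here
        address = c.get("address")  # None = Tomcat default, loopback in the Ghostcat-fix releases (8.5.51+)
        secret_required = c.get("secretRequired", "true").lower() == "true"
        secret = c.get("secret", "")
        non_loopback = address is not None and not _is_loopback(address)
        issues = []
        if secret_required and not secret:
            # Exactly the IllegalArgumentException in the quoted stack trace.
            issues.append("startup-failure: secretRequired=true but no secret")
        if address in ("0.0.0.0", "::"):
            issues.append("exposed: bound to all interfaces")
        elif non_loopback:
            issues.append("network-reachable: restrict peers with a host firewall")
        if non_loopback and not secret_required:
            issues.append("unauthenticated: no AJP secret on a non-loopback bind")
        report[c.get("port")] = issues
    return report

if __name__ == "__main__":
    for port, issues in audit_ajp_connectors(SAMPLE_SERVER_XML).items():
        print(port, issues or ["ok"])
```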
