Re: Problems with requests without trailing slash Tomcat 9.0.65

2023-01-09 Thread Fedor Makarov

Also I tried to write a filter to manually redirect, but tomcat intercepts the 
request before it gets into the filter. Can I disable this behavior for tomcat 
and do it manually?

  
>Monday, 9 January 2023, 11:43 +03:00 from Fedor Makarov 
>:
> 
>
>
>We have two webapps, lundase and vvsguiden, therefore the options you have 
>suggested do not look applicable. On debug I saw that RequestURI in the request 
>looks like lundase/lundase/...
> 
>>Tuesday, 27 December 2022, 22:06 +03:00 from Christopher Schultz < 
>>ch...@christopherschultz.net >:
>> 
>>Fedor,
>>
>>On 12/27/22 05:55, Fedor Makarov wrote:
>>>
>>> proxy for local environment we use the js conf:
>>> proxy: {
>>>     '/api/': {
>>>       target: 'http://localhost:8080/',
>>>       changeOrigin: false,
>>>     },
>>>     '/': {
>>>       target: 'http://localhost:8080/lundase',
>>>       changeOrigin: false
>>>     }
>>>   },
>>>
>>> for normal launch we use apache2.conf:
>>>
>>> RewriteCond %{REQUEST_URI} ^(/api/|/mapi/|/binary/|/rpc/invoker/)
>>>
>>> RewriteRule ^/rpc/invoker/(.*)$ http://localhost:9090/rpc/invoker/$1 
>>> [NC,P,L]
>>> RewriteRule ^/api/(.*)$ http://localhost:9090/api/$1 [NC,P,L]
>>> RewriteRule ^/mapi/(.*)$ http://localhost:9090/mapi/$1 [NC,P,L]
>>> RewriteRule ^(.*)$ http://localhost:9090/lundase/$1 [NC,P,L]
>>
>>What you are doing is trying to remove the context-path of the
>>application through URL re-writing which will probably cause endless
>>problems during the life of your application.
>>
>>I have two possible suggestions for you:
>>
>>1. Re-name your application from lundase to ROOT (to deploy it to /
>>instead of /lundase).
>>
>>or
>>
>>2. Don't try to remove the /lundase URL prefix as part of your URL
>>rewriting.
>>
>>If you don't choose one or the other of these options, you will find
>>that you have many years of debugging and trying to fix up every little
>>weird thing that happens with cookies, redirects, and in-page links.
>>
>>-chris
>>
>>
>>-
>>To unsubscribe, e-mail:  users-unsubscr...@tomcat.apache.org
>>For additional commands, e-mail:  users-h...@tomcat.apache.org  
> 
 
 
---
Fedor Makarov
 

RE: Basic SSL Certificate Usage logging

2023-01-09 Thread jonmcalexander
Yes Chris, It's just for during startup. For a particular instance I would like 
to capture the Certificate Info and Truststore being used and pipe that into a 
separate log/txt file.

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

> -Original Message-
> From: Christopher Schultz 
> Sent: Monday, January 9, 2023 8:10 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> Jon,
> 
> On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Thanks for the info.
> >
> > In a nutshell I think the certpath,provider would be sufficient. I'm
> > thinking that I can add this to the java options as
> > -Djava.security.debug=ssl:certpath,provider however I don't know how
> > to specify where to log the information.
> java.security.debug is really a blunt instrument. It's unfortunate that it's
> one of the only ways to get information out of the TLS stack. It would have
> been great if Java had started using its own logging system once it was
> introduced, but no.
> 
> That debugging tool always dumps to stdout (or stderr?) and you have very
> little control over where it goes.
> 
> You would never want to use it for ongoing logging. It truly is for
> debugging-only.
> 
> The good news is that application code should be able to get the information
> you are looking for.
> 
> Oh, wait...
> 
> > [...] I'm checking to see if there is any out-of-the-box option to
> > capture in a log which SSL certificate and trust keystore is being
> > used during startup?
> What do you mean "during startup"? I originally read that as "for incoming
> connections" thinking that you wanted to log which cert was used for a
> particular request. But it sounds like maybe you are asking for something to
> just be logged one-time during startup?
> 
> -chris
> 
> >
> >
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Friday, January 6, 2023 2:41 PM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> Mark,
> >>
> >> On 1/6/23 15:00, Mark Thomas wrote:
> >>> Hi Jon,
> >>>
> >>> In a word, no. Sorry.
> >>>
> >>> Some sort of info log message probably makes sense for this. SNI
> >>> makes things a little more complicated but we should be able to do
> something.
> >>> What is the minimum info you'd like to see?
> >>
> >> How about adding a request attribute with some kind of identifier (fpr?
> >> serial-number?) in it and indicates at least which server-cert was chosen.
> >> Then it can trivially be added to e.g. access_log or even to
> >> application code which wants to do custom logging.
> >>
> >> -chris
> >>
> >>> On 06/01/2023 18:52, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>>> Good afternoon and Happy New Year,
> >>>>
> >>>> I know about the SSL debug logging, however, I'm checking to see if
> >>>> there is any out-of-the-box option to capture in a log which SSL
> >>>> certificate and trust keystore is being used during startup?
> 

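Chris notes above that application code should be able to get at this information. As an added example, not from the thread and not part of Tomcat, here is a Tomcat 9 LifecycleListener that logs once at startup which keystore, alias, certificate and truststore each TLS connector is using; the class name, the "tls.startup" logger name and the handler name in the comment are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Server;
import org.apache.catalina.Service;
import org.apache.catalina.connector.Connector;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

// Register in server.xml under <Server>: <Listener className="TlsMaterialStartupLogger"/>
public class TlsMaterialStartupLogger implements LifecycleListener {

    // Dedicated logger name so logging.properties can route it to its own file,
    // e.g. "tls.startup.handlers = 5tls.org.apache.juli.FileHandler" (assumed name).
    private static final Log log = LogFactory.getLog("tls.startup");

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        // Run once, after the Server (and therefore every Connector) has started.
        if (!Lifecycle.AFTER_START_EVENT.equals(event.getType())
                || !(event.getLifecycle() instanceof Server)) {
            return;
        }
        Server server = (Server) event.getLifecycle();
        for (Service service : server.findServices()) {
            for (Connector connector : service.findConnectors()) {
                // Empty for connectors without TLS.
                for (SSLHostConfig host : connector.findSslHostConfigs()) {
                    logHost(connector, host);
                }
            }
        }
    }

    private void logHost(Connector connector, SSLHostConfig host) {
        // truststore null means the JVM default trust store is used.
        log.info("port=" + connector.getPort() + " sniHost=" + host.getHostName()
                + " truststore=" + host.getTruststoreFile()
                + " truststoreType=" + host.getTruststoreType());
        for (SSLHostConfigCertificate cert : host.getCertificates()) {
            if (cert.getCertificateFile() != null) {
                // PEM-style configuration; just record the file in use.
                log.info("  certificateFile=" + cert.getCertificateFile());
                continue;
            }
            try {
                logKeystore(cert);
            } catch (Exception e) {
                log.warn("  could not read keystore " + cert.getCertificateKeystoreFile(), e);
            }
        }
    }

    private void logKeystore(SSLHostConfigCertificate cert) throws Exception {
        String file = cert.getCertificateKeystoreFile();
        String pass = cert.getCertificateKeystorePassword();
        KeyStore ks = KeyStore.getInstance(cert.getCertificateKeystoreType());
        try (InputStream in = new FileInputStream(resolve(file))) {
            ks.load(in, pass == null ? null : pass.toCharArray());
        }
        log.info("  keystore=" + file + " type=" + ks.getType());
        String wanted = cert.getCertificateKeyAlias(); // null: Tomcat takes the first key entry
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias) || (wanted != null && !wanted.equalsIgnoreCase(alias))) {
                continue;
            }
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                log.info("  alias=" + alias + " subject=" + x.getSubjectX500Principal()
                        + " serial=" + x.getSerialNumber().toString(16)
                        + " notAfter=" + x.getNotAfter() + " sha256=" + fingerprint(x));
            }
        }
    }

    // Keystore paths in server.xml are relative to $CATALINA_BASE unless absolute.
    private static File resolve(String path) {
        File f = new File(path);
        return f.isAbsolute() ? f : new File(System.getProperty("catalina.base"), path);
    }

    private static String fingerprint(X509Certificate x) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(x.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }
}
```

The listener only reads what the Connector is already configured with, so it records the material actually in use rather than what an operator believes was deployed.
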
Re: Question about Redisson

2023-01-09 Thread Christopher Schultz

Doug,

On 1/9/23 15:48, Doug Whitfield wrote:
> Interesting. I’m not on the marketing team. What comments are you
> talking about? I can certainly try to get them removed.

I think he's talking about this:

"Don’t let your team waste another minute wading through outdated forums 
or online documentation to fix, secure, or maintain your 
mission-critical infrastructure. Get the technical support you need for 
the open source software you use — all in one place."

[https://www.openlogic.com/]

> We don’t fork software which means when we find a bug we always work
> with upstream to get it fixed. The idea that we don’t work with the
> community when necessary is an insane thing for anyone to put on our
> website (doesn’t mean I have any power to fix the copy though).

Understood. I think Mark is mostly trying to make a point. He's 
obviously willing to engage on the actual question, as well, as you can see.


One thing I wanted to make perfectly clear, which is something I was 
confused about when first encountering the term "recycling" when it 
comes to certain types of object (like request, response, etc.) in 
Tomcat. When the Tomcat documentation says these objects are "recycled" 
it really means that they are "re-used". That is, assuming a stable 
server where no weird errors occur and the number of connections is 
relatively constant, no new Request and Response objects will be created 
over time. Instead, they will have their various fields blanked-out for 
re-use with a subsequent request. This is a performance optimization to 
avoid GC churn, since request and response objects are usually short-lived.


You can get an application to expose its misuse of request- or 
response-related objects by disabling this recycling in your 
configuration. The result is usually very obvious errors in the log file 
due to NPE or similar.


The first step toward debugging IMHO would be to disable recycling and 
repeat your tests. I'm assuming given your STR that this is trivially 
reproducible?


Are you able to reproduce the same problem with a non-Redisson-based 
segmented cluster, such as one using Tomcat's BackupManager?


-chris



Possibilities for fetching config information from Kubernetes

2023-01-09 Thread Christopher Schultz

All,

I'm aware that there is a k8s manager for clustering 
(CloudMembershipService) but I was wondering if / how that could be 
extended in order to provide any other types of automated configuration 
information for a Tomcat installation.


For example, I'd love to be able to deploy a Tomcat node and have it 
grab its primary database connection information from k8s.


I spent like 5 minutes reading through the CloudMembershipService and 
KubernetesMembershipProvider classes and it seems to be all bundled 
together and very geared toward fetching cluster information.


It seems that most of the KubernetesMembershipProvider.start method 
could be moved into a separate support class which just manages k8s 
connection information (e.g. fetching from the environment, building 
URLs to various interesting paths, wrapping fetching-and-JSON-parsing, 
etc.) and that could be re-used for a parameter-resolver for XML config 
files like we can do for system properties like




It occurs to me that we should be able to do something like this:



... and write a resolver that fetches that value on the fly. (Hopefully 
it would cache stuff, so that a dozen different environmental references 
don't have to be resolved separately.)


Does that sound useful to anyone? I've never used k8s but I'm looking at 
making a service of mine easier to deploy in a totally automated way, 
and this kind of thing would certainly help with that.


-chris


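Added example, not from the thread and not part of Tomcat: a PropertySource plug-in of the kind the message describes, resolving ${k8s.secret.NAME} references in server.xml or context.xml from a Secret mounted as files rather than from the Kubernetes API, with the caching the message asks for. The mount path /etc/tomcat-secrets and the k8s.secret. prefix are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.tomcat.util.IntrospectionUtils;

// Enable with -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=MountedSecretPropertySource
// (the class must be on the common class loader path). Then, in server.xml:
//   <Resource ... username="app" password="${k8s.secret.db-password}" .../>
// The value is substituted while Tomcat parses the XML and never lands in the file on disk.
public class MountedSecretPropertySource implements IntrospectionUtils.PropertySource {

    // Only keys with this prefix are ours; anything else returns null so Tomcat's
    // other sources (system properties, environment) still get a chance.
    private static final String PREFIX = "k8s.secret.";

    // Directory the Secret is mounted at via a volumeMount in the pod spec (assumed path).
    private static final Path ROOT =
            Paths.get(System.getProperty("k8s.secret.dir", "/etc/tomcat-secrets"));

    // Each secret is read once; a dozen ${...} references to the same key cost one file read.
    private final Map<String, String> cache = new ConcurrentHashMap<>();

    @Override
    public String getProperty(String key) {
        if (key == null || !key.startsWith(PREFIX)) {
            return null;
        }
        String name = key.substring(PREFIX.length());
        // Secret keys are flat file names; refuse anything that could escape ROOT.
        if (name.isEmpty() || name.startsWith(".")
                || name.contains("/") || name.contains("\\")) {
            return null;
        }
        String cached = cache.get(name);
        if (cached != null) {
            return cached;
        }
        String value = read(name);
        if (value != null) {
            cache.put(name, value);
        }
        return value;
    }

    private static String read(String name) {
        Path file = ROOT.resolve(name).normalize();
        if (!file.startsWith(ROOT) || !Files.isRegularFile(file)) {
            return null; // unresolved: Tomcat leaves the literal ${...} in place
        }
        try {
            // Mounted secret files frequently carry a trailing newline; strip it.
            return new String(Files.readAllBytes(file), StandardCharsets.UTF_8).trim();
        } catch (IOException e) {
            return null;
        }
    }
}
```
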


Re: Question about Redisson

2023-01-09 Thread Doug Whitfield
Interesting. I’m not on the marketing team. What comments are you talking 
about? I can certainly try to get them removed.

We don’t fork software which means when we find a bug we always work with 
upstream to get it fixed. The idea that we don’t work with the community when 
necessary is an insane thing for anyone to put on our website (doesn’t mean I have 
any power to fix the copy though).


Douglas Whitfield | Enterprise Architect, 
OpenLogic




Re: Apache Tomcat 10.0.27 - UML sequence diagram of the authentication process

2023-01-09 Thread Alexander Ghyoot
Christopher,

I'm interested in both, how the client's credentials are gathered and verified.

Kind regards,
Alexander




Re: Apache Tomcat 10.0.27 - UML sequence diagram of the authentication process

2023-01-09 Thread Mark Thomas

On 09/01/2023 18:43, Christopher Schultz wrote:


> My wild guess is those diagrams are very old and possibly out of date. I 
> haven't looked at the revision-control history to see ... how old they are.


For the request process and server start-up, the original diagrams were 
late 2003. So almost 20 years. The original Rational Rose MDL file is 
available from:


https://svn.apache.org/repos/asf/tomcat/archive/tc5.0.x/trunk/container/webapps/docs/architecture/requestProcess/roseModel.mdl

The diagrams were updated in 2015 (more recently than I thought):

https://bz.apache.org/bugzilla/show_bug.cgi?id=57282

They should be complete (for that era), they just ignore the long series 
of returns at the end.


We should have asked for the MDL file at the time.

Mark




Re: Apache Tomcat 10.0.27 - UML sequence diagram of the authentication process

2023-01-09 Thread Christopher Schultz

Alexander,

On 1/9/23 07:21, Alexander Ghyoot wrote:

> For my thesis, I'm looking into access control in open-source software and am 
> curious how the authentication process works in the Apache Tomcat (10.0.27) 
> architecture. However, the documentation on this seems incomplete. The PNG is a 
> screenshot of the image, only half shown, the link is below.
> Can someone give me a complete picture of the authentication flow in Apache 
> Tomcat? Thanks in advance.
>
> https://tomcat.apache.org/tomcat-10.0-doc/architecture/requestProcess.html
> https://tomcat.apache.org/tomcat-10.0-doc/architecture/requestProcess/authentication-process.png
> [https://tomcat.apache.org/tomcat-10.0-doc/architecture/requestProcess/authentication-process.png]


My wild guess is those diagrams are very old and possibly out of date. I 
haven't looked at the revision-control history to see ... how old they are.


Which kind of authentication are you interested in? Tomcat supports many 
kinds, and some of them work differently than others. Are you interested 
in how the credentials are gathered from the client, how they are 
verified, or both?


-chris




Re: Question about Redisson

2023-01-09 Thread Mark Thomas
Given the disparaging comments OpenLogic makes about obtaining support 
for open source projects from a community forum, it is more than a tad 
ironic to see an OpenLogic Enterprise Architect asking for help here.


I suggest that OpenLogic replace the text on their home page with 
something rather more honest that reflects that OpenLogic turns to the 
community forum when their Enterprise Architects need answers (which 
you'll find in-line below).


On 09/01/2023 16:55, Doug Whitfield wrote:

> Hi Tomcat Community,
>
> We are seeing an issue that manifests as a cross session “bleeding” scenario. 
> The issue is this:
>
> 1. User A makes a new request and the request goes to pod A and gets Session1
> 2. User A's next request then gets redirected to pod B. The request is 
> processed using Session1
> 3. User B now makes a new request and the request goes to pod B and instead of 
> getting a new session, User B gets the same Session1 as User A
>
> We are using https://github.com/redisson/redisson for caching with Tomcat 
> 9.0.58. Given the fixed bugs in the Tomcat changelog, I have suggested trying 
> 9.0.66 or later. However, this suggestion has been met with resistance.


Which bugs fixed between 9.0.58 and 9.0.66 do you believe are relevant 
to this issue?


The only possibility I could see was "Improve the recycling of Processor 
objects to make it more robust" which is the fix for CVE-2021-43980. You 
will only hit that issue in specific circumstances that I do not wish to 
make public. If you can provide OS/Java version info and the Connector 
(and Executor if used) configuration from server.xml I can tell you if 
you are likely to be affected by that issue.



> For those unfamiliar with Redisson, I think the most important high-level piece 
> from their docs is this:
> “Redisson's Tomcat Session Manager allows you to store sessions of Apache 
> Tomcat in Redis. It empowers you to distribute requests across a cluster of 
> Tomcat servers. This is all done in non-sticky session management backed by 
> Redis.”
>
> I believe we could take a heap dump and get the answer, but at the moment that 
> isn’t something we want to do.
>
> My question, at the moment, is pretty simple. How does this interact with 
> Tomcat? Would the session management bugs in Tomcat apply?


Almost certainly.

There are lots of ways to trigger response mix-up. The primary cause is 
application bugs. This usually takes the form of the application 
retaining a reference to the request and/or response object beyond the 
end of processing for a single request/response. Tomcat recycles request 
and response objects so these objects can be being used for a new 
request while the application is still using them for the old request.


The next most frequent cause is Tomcat bugs. Generally, these take the 
form of the request/response objects not being recycled correctly and 
typically result in the same request and/or response object being used 
for multiple concurrent requests/responses. Any bug of this nature will 
be treated as a security issue so a CVE reference will be allocated and 
it will be listed on the security pages.


Any session manager is going to susceptible to both types of bug 
described above.


In theory, session mix-up could occur within a session manager but I 
don't recall ever seeing a bug like that either in the Tomcat provided 
managers or the various 3rd party managers like Redisson.


HTH,

Mark









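Added example, not code from the thread: a pair of hypothetical servlets (javax.servlet, Tomcat 9) showing the application-side bug Mark and Chris describe above, a request reference that outlives service() and is therefore reused by a later request, next to the fix. The org.apache.catalina.connector.RECYCLE_FACADES system property named in the comment is Tomcat's own switch for exposing this, which the thread refers to only as "disabling recycling in your configuration".

```java
import java.io.IOException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class RecyclingDemo {
    private static final Logger AUDIT = Logger.getLogger("audit");
    // One background thread writes audit lines so the request thread is not slowed down.
    private static final ExecutorService WORKER = Executors.newSingleThreadExecutor();

    /**
     * BROKEN. The lambda captures the live HttpServletRequest. Tomcat recycles the
     * underlying Request for the next request on that connection as soon as service()
     * returns, so by the time the worker runs, req may describe a *different* user's
     * request: the audit line then records the wrong address, URI and session id.
     * With -Dorg.apache.catalina.connector.RECYCLE_FACADES=true in CATALINA_OPTS the
     * facade handed to the application is cleared on recycle instead, so the same code
     * fails loudly (IllegalStateException / NullPointerException in the log) rather than
     * silently reading another user's data. That is the quick test Chris suggests.
     */
    public static class LeakyAuditServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            WORKER.submit(() -> {
                HttpSession s = req.getSession(false);
                AUDIT.info(req.getRemoteAddr() + " " + req.getRequestURI()
                        + " session=" + (s == null ? "-" : s.getId()));
            });
            resp.getWriter().println("ok");
        }
    }

    /**
     * FIXED. Everything the background task needs is copied into plain Strings while
     * the request is still ours; no container-owned object escapes doGet(). The same
     * rule applies to static fields, ThreadLocals and caches: store the session id or
     * the values you need, never the Request, Response or Session object itself.
     */
    public static class SafeAuditServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            HttpSession s = req.getSession(false);
            final String line = req.getRemoteAddr() + " " + req.getRequestURI()
                    + " session=" + (s == null ? "-" : s.getId());
            WORKER.submit(() -> AUDIT.info(line));
            resp.getWriter().println("ok");
        }
    }
}
```
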
Re: Having two servers and controlling my secondary server with the primary server

2023-01-09 Thread Mark Thomas

Your mentor is wrong.

Mark


On 09/01/2023 14:56, Manisha Chermadurai wrote:

> Thanks for this.
>
> I have set up the solution for failover using nginx as a proxy server
> between my two tomcat servers. But my mentor told with only using tomcat
> server's configuration files, you can redirect the requests to another
> server if and only if the particular server is down. So I am searching for
> this solution, and came to know about this group. So I requested about this,
> maybe I will get some ideas.
>
> Really thanks for response.
>
> On Mon, 9 Jan 2023, 8:21 pm Olaf Kock,  wrote:
>
> > On 09.01.23 15:22, Manisha Chermadurai wrote:
> > > Good evening Sir,
> > >
> > > I am trying to control my secondary server with the primary server of
> > > mine. Both are of version 9.0. Primary server has been available in my
> > > physical machine and my secondary server is in virtual machine. Both are of
> > > Windows 10. I am connecting the vm's 8080 port through the ip address from
> > > primary machine. It works fine. But I have a doubt like, can I create my
> > > secondary server without allocating port? I have tried it works fine, but there is
> > > no entry point for my server. I have doubt of creating a connector for my
> > > vm's server from my primary server and the condition is also like I have
> > > to create a connector for my secondary server and it can be accessible only
> > > when my primary server is down. I have researched and tried many things
> > > for literally 2 weeks. But I got stuck in this. So, once again I repeat my
> > > question, it's I have to create a connector for my secondary server by
> > > my primary server and it will be only accessible when my primary server is
> > > down. So my client won't get chance to connect my secondary server through
> > > the ip and port. I have tried failover with nginx. But I want to try this
> > > only with my server.xml file.
> >
> > If I understand your use case correctly, I'd recommend to set up a load
> > balancer that handles the failover.
> >
> > Other options depend on the scenario you're looking for: Should your
> > secondary server be a hot-backup for the primary one (e.g. immediate
> > failover with no downtime?) or a cold backup that get started only when
> > some component determines that the primary server went down?
> >
> > You will need to configure a Connector (with a port) on both servers if
> > you want to be able to access them.
> >
> > And I'd recommend to either use some orchestration for it, or just
> > manually configure your second server. Tomcat itself is not the tool of
> > choice to configure one server through another one. There are components
> > that allow you to distribute deployed web applications (e.g.
> > https://tomcat.apache.org/tomcat-9.0-doc/config/cluster-deployer.html),
> > but that's a different use case than what you're asking for.
> >
> > If you absolutely want to work around a load balancer, you might be able
> > to do some trickery with firewall-level redirection, but I'd say that
> > this is less transparent than explicitly configuring a load balancer.
> >
> > Olaf









Question about Redisson

2023-01-09 Thread Doug Whitfield
Hi Tomcat Community,

We are seeing an issue that manifests as a cross session “bleeding” scenario. 
The issue is this:

1. User A makes a new request and the request goes to pod A and gets Session1
2. User A's next request then gets redirected to pod B. The request is 
processed using Session1
3. User B now makes a new request and the request goes to pod B and instead of 
getting a new session, User B gets the same Session1 as User A

We are using https://github.com/redisson/redisson for caching with Tomcat 
9.0.58. Given the fixed bugs in the Tomcat changelog, I have suggested trying 
9.0.66 or later. However, this suggestion has been met with resistance.

For those unfamiliar with Redisson, I think the most important high-level piece 
from their docs is this:
“Redisson's Tomcat Session Manager allows you to store sessions of Apache 
Tomcat in Redis. It empowers you to distribute requests across a cluster of 
Tomcat servers. This is all done in non-sticky session management backed by 
Redis.”

I believe we could take a heap dump and get the answer, but at the moment that 
isn’t something we want to do.

My question, at the moment, is pretty simple. How does this interact with 
Tomcat? Would the session management bugs in Tomcat apply?

Best Regards,

Douglas Whitfield | Enterprise Architect, 
OpenLogic
Perforce 
Software
P: +1 612.517.2100 



Re: Having two servers and controlling my secondary server with the primary server

2023-01-09 Thread Manisha Chermadurai
Thanks for this.

I have set up the solution for failover using nginx as a proxy server
between my two tomcat servers. But my mentor told me that, using only the tomcat
server's configuration files, you can redirect the requests to another
server if and only if the particular server is down. So I am searching for
this solution, and came to know about this group. So I asked about this
here; maybe I will get some ideas.

Really, thanks for the response.



Re: Having two servers and controlling my secondary server with the primary server

2023-01-09 Thread Olaf Kock

On 09.01.23 15:22, Manisha Chermadurai wrote:

> Good evening Sir,
>
> I am trying to control my secondary server with the primary server of mine.
> Both are of version 9.0. The primary server is on my physical
> machine and my secondary server is in a virtual machine. Both are on Windows
> 10. I am connecting to the VM's 8080 port through the IP address from the primary
> machine. It works fine. But I have a doubt: can I create my secondary
> server without allocating a port? I have tried it; it works fine, but there is
> no entry point for my server. I have a doubt about creating a connector for my
> VM's server from my primary server, and the condition is also that I have to
> create a connector for my secondary server and it can be accessible only
> when my primary server is down. I have researched and tried many things for
> literally 2 weeks. But I got stuck in this. So, once again I repeat my
> question: I have to create a connector for my secondary server from my
> primary server and it will be only accessible when my primary server is
> down. So my client won't get the chance to connect to my secondary server through
> the IP and port. I have tried failover with nginx. But I want to try this
> only with my server.xml file.


If I understand your use case correctly, I'd recommend to set up a load 
balancer that handles the failover.


Other options depend on the scenario you're looking for: Should your 
secondary server be a hot-backup for the primary one (e.g. immediate 
failover with no downtime?) or a cold backup that get started only when 
some component determines that the primary server went down?


You will need to configure a Connector (with a port) on both servers if 
you want to be able to access them.


And I'd recommend to either use some orchestration for it, or just 
manually configure your second server. Tomcat itself is not the tool of 
choice to configure one server through another one. There are components 
that allow you to distribute deployed web applications (e.g. 
https://tomcat.apache.org/tomcat-9.0-doc/config/cluster-deployer.html), 
but that's a different use case than what you're asking for.


If you absolutely want to work around a load balancer, you might be able 
to do some trickery with firewall-level redirection, but I'd say that 
this is less transparent than explicitly configuring a load balancer.


Olaf









Re: Having two servers and controlling my secondary server with the primary server

2023-01-09 Thread Manisha Chermadurai
Good evening Sir,


I am trying to control my secondary server with the primary server of mine.
Both are of version 9.0. The primary server is on my physical
machine and my secondary server is in a virtual machine. Both are on Windows
10. I am connecting to the VM's 8080 port through the IP address from the primary
machine. It works fine. But I have a doubt: can I create my secondary
server without allocating a port? I have tried it; it works fine, but there is
no entry point for my server. I have a doubt about creating a connector for my
VM's server from my primary server, and the condition is also that I have to
create a connector for my secondary server and it can be accessible only
when my primary server is down. I have researched and tried many things for
literally 2 weeks. But I got stuck in this. So, once again I repeat my
question: I have to create a connector for my secondary server from my
primary server and it will be only accessible when my primary server is
down. So my client won't get the chance to connect to my secondary server through
the IP and port. I have tried failover with nginx. But I want to try this
only with my server.xml file.



Kindly help me with this question.



Thank You for your support


Re: Problems with requests without trailing slash Tomcat 9.0.65

2023-01-09 Thread Christopher Schultz



Fedor,

On 1/9/23 03:43, Fedor Makarov wrote:
> We have two webapps, lundase and vvsguiden; therefore, the options you 
> have suggested do not look applicable

Why not?

> on debug I saw that RequestURI in request looks like
> lundase/lundase/...

Probably because of this:

>>> RewriteRule ^(.*)$ http://localhost:9090/lundase/$1 [NC,P,L]

You are taking /lundase and turning it into /lundase/lundase

I think you should do this:

RewriteRule ^/rpc/invoker/(.*)$ http://localhost:9090/rpc/invoker/$1 [NC,P,L]
RewriteRule ^/api/(.*)$ http://localhost:9090/api/$1 [NC,P,L]
RewriteRule ^/mapi/(.*)$ http://localhost:9090/mapi/$1 [NC,P,L]
RewriteRule ^/lundase/(.*)$ http://localhost:9090/lundase/$1 [NC,P,L]
RewriteRule ^/vvsguiden/(.*)$ http://localhost:9090/vvsguiden/$1 [NC,P,L]

You can always rewrite /(not api|mapi|lundase|vvsguiden) to /lundase/$1 
-- or, better yet, use a "permanent redirect".


But you need to remove the mangling of that URL or you will fight 
against it for years.


-chris
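As an added example (not from the thread or from Apache), the following Python walks a request path through Fedor's original rule set and through the rule set proposed above, mod_rewrite style, to show the /lundase/lundase doubling and that /vvsguiden requests were being proxied into lundase. The final R=301 rule in the proposed set, the negative lookahead, the backend URL and the collapsing of repeated slashes are my assumptions, added to model the "permanent redirect" suggestion.

```python
"""Simulate mod_rewrite evaluation of the two rule sets discussed in this thread."""
import re

# A rule is (pattern, substitution, flags). Only the flags that matter here are
# modelled: NC (case-insensitive), P (proxy; ends processing), R=301 (external
# redirect) and L (stop processing).
Rule = tuple[str, str, frozenset[str]]

BACKEND = "http://localhost:9090"  # the proxy target used in the thread

# Fedor's original rules. The RewriteCond in his apache2.conf guards only the
# single RewriteRule that follows it, so it does not keep the catch-all last
# rule from matching every other path, including /lundase/... itself.
ORIGINAL_RULES: list[Rule] = [
    (r"^/rpc/invoker/(.*)$", f"{BACKEND}/rpc/invoker/$1", frozenset({"NC", "P", "L"})),
    (r"^/api/(.*)$", f"{BACKEND}/api/$1", frozenset({"NC", "P", "L"})),
    (r"^/mapi/(.*)$", f"{BACKEND}/mapi/$1", frozenset({"NC", "P", "L"})),
    (r"^(.*)$", f"{BACKEND}/lundase/$1", frozenset({"NC", "P", "L"})),
]

# Chris's proposed rules, one per context path, plus an ASSUMED last rule that
# implements his "permanent redirect" idea: a path naming no known prefix is
# answered with a 301 to /lundase/... (the lookahead is my construction).
PROPOSED_RULES: list[Rule] = [
    (r"^/rpc/invoker/(.*)$", f"{BACKEND}/rpc/invoker/$1", frozenset({"NC", "P", "L"})),
    (r"^/api/(.*)$", f"{BACKEND}/api/$1", frozenset({"NC", "P", "L"})),
    (r"^/mapi/(.*)$", f"{BACKEND}/mapi/$1", frozenset({"NC", "P", "L"})),
    (r"^/lundase/(.*)$", f"{BACKEND}/lundase/$1", frozenset({"NC", "P", "L"})),
    (r"^/vvsguiden/(.*)$", f"{BACKEND}/vvsguiden/$1", frozenset({"NC", "P", "L"})),
    (r"^/(?!api/|mapi/|rpc/invoker/|lundase/|vvsguiden/)(.*)$", "/lundase/$1",
     frozenset({"R=301", "L"})),
]


def _expand(substitution: str, match: re.Match) -> str:
    """Replace $1..$9 in an Apache-style substitution with the captured groups."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", substitution)


def _collapse_slashes(url: str) -> str:
    """Collapse '//' in the path (not the '//' of 'http://'), as Tomcat's URI
    normalisation does, so the result is the path the webapp will see."""
    return re.sub(r"(?<!:)/{2,}", "/", url)


def apply_rules(path: str, rules: list[Rule]) -> tuple[str, str]:
    """Run `path` through `rules` in order, first match with P or R wins.

    Returns ("proxy", backend_url), ("redirect", location) or ("pass", path)
    when no rule claimed the request.
    """
    for pattern, substitution, flags in rules:
        match = re.match(pattern, path, re.IGNORECASE if "NC" in flags else 0)
        if not match:
            continue
        result = _collapse_slashes(_expand(substitution, match))
        if "P" in flags:
            return ("proxy", result)
        if any(flag.startswith("R") for flag in flags):
            return ("redirect", result)
        path = result  # internal rewrite: keep going unless L was given
        if "L" in flags:
            break
    return ("pass", path)


def compare(path: str) -> dict[str, tuple[str, str]]:
    """Where one request path ends up under each rule set."""
    return {"original": apply_rules(path, ORIGINAL_RULES),
            "proposed": apply_rules(path, PROPOSED_RULES)}


if __name__ == "__main__":
    for p in ["/lundase/index.html", "/vvsguiden/index.html", "/api/users", "/"]:
        print(p, compare(p))
```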





Re: Basic SSL Certificate Usage logging

2023-01-09 Thread Christopher Schultz

Jon,

On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Thanks for the info.
>
> In a nutshell I think the certpath,provider would be sufficient. I'm
> thinking that I can add this to the java options as
> -Djava.security.debug=ssl:certpath,provider however I don't know how
> to specify where to log the information.

java.security.debug is really a blunt instrument. It's unfortunate that 
it's one of the only ways to get information out of the TLS stack. It 
would have been great if Java had started using its own logging system 
once it was introduced, but no.


That debugging tool always dumps to stdout (or stderr?) and you have 
very little control over where it goes.


You would never want to use it for ongoing logging. It truly is for 
debugging-only.


The good news is that application code should be able to get the 
information you are looking for.


Oh, wait...


> [...] I'm checking to see if there is any out-of-the-box option to
> capture in a log which SSL certificate and trust keystore is being
> used during startup?

What do you mean "during startup"? I originally read that as "for 
incoming connections" thinking that you wanted to log which cert was 
used for a particular request. But it sounds like maybe you are asking 
for something to just be logged one-time during startup?


-chris



Thanks,

Jon McAlexander


-Original Message-
From: Christopher Schultz 
Sent: Friday, January 6, 2023 2:41 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Mark,

On 1/6/23 15:00, Mark Thomas wrote:
> Hi Jon,
>
> In a word, no. Sorry.
>
> Some sort of info log message probably makes sense for this. SNI makes
> things a little more complicated but we should be able to do something.
> What is the minimum info you'd like to see?


How about adding a request attribute with some kind of identifier (fpr?
serial-number?) in it and indicates at least which server-cert was chosen.
Then it can trivially be added to e.g. access_log or even to application code
which wants to do custom logging.

-chris


On 06/01/2023 18:52, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Good afternoon and Happy New Year,
>
> I know about the SSL debug logging, however, I'm checking to see if
> there is any out-of-the-box option to capture in a log which SSL
> certificate and trust keystore is being used during startup?

Thanks,

Jon McAlexander







Apache Tomcat 10.0.27 - UML sequence diagram of the authentication process

2023-01-09 Thread Alexander Ghyoot
Dear,

For my thesis, I'm looking into access control in open-source software and am 
curious how the authentication process works in the Apache Tomcat (10.0.27) 
architecture. However, the documentation on this seems incomplete. The PNG is a 
screenshot of the image, only half shown, the link is below.
Can someone give me a complete picture of the authentication flow in Apache 
Tomcat? Thanks in advance.

https://tomcat.apache.org/tomcat-10.0-doc/architecture/requestProcess.html
https://tomcat.apache.org/tomcat-10.0-doc/architecture/requestProcess/authentication-process.png


Kind regards,
Alexander


Reply: Re: Update from 8.5.56 to newer 8.5.x

2023-01-09 Thread Andreas . Moroder
Thank you very much

Andreas
 



From: "Mark Thomas" 
To: users@tomcat.apache.org
Date: 09.01.2023 10:51
Subject: Re: Update from 8.5.56 to newer 8.5.x







Institut für den sozialen Wohnbau des Landes Südtirol
Istituto per l’edilizia sociale della Provincia autonoma di Bolzano
39100 Bozen Horazstraße 14 / 39100 Bolzano via Orazio, 14
wobi.bz.it   ipes.bz.it 








Re: Update from 8.5.56 to newer 8.5.x

2023-01-09 Thread Mark Thomas

On 09/01/2023 09:47, andreas.moro...@wobi.bz.it wrote:
> Hello,
>
> we have Tomcat 8.5.56 on a Windows server.
> We would like to update to a newer 8.6.x release, but I found only 
> documents on how to migrate from 8.x to 9.x.
> Can anyone please send me a link to documentation on how to update in 
> the same release


https://tomcat.apache.org/migration-85.html#Upgrading_8.5.x

Mark







Update from 8.5.56 to newer 8.5.x

2023-01-09 Thread Andreas . Moroder
Hello,

we have Tomcat 8.5.56 on a Windows server.
We would like to update to a newer 8.6.x release, but I found only 
documents on how to migrate from 8.x to 9.x.
Can anyone please send me a link to documentation on how to update in the 
same release?

Thank you very much
Andreas

Institut für den sozialen Wohnbau des Landes Südtirol
Istituto per l’edilizia sociale della Provincia autonoma di Bolzano
39100 Bozen Horazstraße 14 / 39100 Bolzano via Orazio, 14
wobi.bz.it   ipes.bz.it 








Re: how to block bad request?

2023-01-09 Thread Jason Wee
Hi Mark,

Thank you. I enabled debugging and was able to reproduce it (close to
matching, but not the exact same output).

send null byte




$ echo -e '\x00' | nc myhost.com 80
HTTP/1.1 400
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1939
Date: Mon, 09 Jan 2023 08:58:52 GMT
Connection: close

HTTP Status 400 – Bad
Requestbody
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
{color:black;} .line
{height:1px;background-color:#525D76;border:none;}HTTP
Status 400 – Bad RequestType
Exception ReportMessage Invalid character found in
method name [0x00...]. HTTP method names must be
tokensDescription The server cannot or will not process
the request due to something that is perceived to be a client error
(e.g., malformed request syntax, invalid request message framing, or
deceptive request
routing).Exceptionjava.lang.IllegalArgumentException:
Invalid character found in method name [0x00...]. HTTP method names
must be tokens
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:845)
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1563)
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
java.basejava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
java.basejava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.basejava.lang.Thread.run(Thread.java:834)
Note The full stack trace of the root cause is
available in the server logs.CustomServer


the log file


09-Jan-2023 08:58:50.239 FINE [https-jsse-nio-8474-exec-3]
org.apache.coyote.AbstractProcessorLight.process Socket:
[org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@573dbc7:org.apache.tomcat.util.net.SecureNioChannel@304f418e:java.nio.channels.SocketChannel[connected
local=/142.222.222.222:8080 remote=/194.111.111.111:9385]], Status in:
[OPEN_READ], State out: [OPEN]
09-Jan-2023 08:58:52.867 FINE [http-nio-8084-exec-6]
org.apache.coyote.http11.Http11Processor.service Error parsing HTTP
request header
java.lang.IllegalArgumentException: Invalid character found in method
name [0x00...]. HTTP method names must be tokens
at 
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
at 
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at 
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:845)
at 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1563)
at 
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)
09-Jan-2023 08:58:52.867 FINE [http-nio-8084-exec-6]
org.apache.coyote.http11.Http11Processor.badRequest The HTTP/1.1
request did not provide a host header
09-Jan-2023 08:58:52.868 FINE [http-nio-8084-exec-6]
org.apache.coyote.AbstractProcessorLight.process Socket:
[org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@19369f2d:org.apache.tomcat.util.net.NioChannel@34663eed:java.nio.channels.SocketChannel[connected
local=/142.222.222.222:8080 remote=/210.111.111.111:53328]], Status
in: [OPEN_READ], State out: [CLOSED]



==> .access_log.2023-01-09.txt <==
210.111.111.111 - 210.111.111.111 - - [09/Jan/2023:08:58:52 +] '-'
400 1939 '-' '-' 686 -



in production

206.189.134.129 - 206.189.134.129 - - [09/Jan/2023:06:11:06 +] '-'
400 - '-' '-' 0 -



The difference is:

%b - Bytes sent, excluding HTTP headers, or '-' if zero
%D - Time taken to process the request in microseconds


so I guess the attacker checks if the port is open without sending
any bytes, and tomcat took 0 seconds to process it.


Christopher,

no, X-Forwarded-For and %h values are not the same.

On Fri, Jan 6, 2023 at 6:30 AM Christopher Schultz
 wrote:
>
> Mark, Jason,
>
> On 1/4/23 09:07, Mark Thomas wrote:
> > On 04/01/2023 04:09, Jason Wee wrote:
> >> Hi,
> >>
> >> Happy new year everyone.
> >>
> >> Background of my production setup. Using tomcat 10 and in linux
> >> 
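As an added example (not from Jason's message or from Tomcat), here is a small Python classifier that applies the `%b`/`%D` distinction drawn above to access-log lines of the shape shown in the thread, separating empty-connection probes from malformed requests per source address. The field order is assumed from the two posted entries (the AccessLogValve pattern itself is not shown), and the sample lines are constructed.

```python
"""Classify Tomcat access-log 400s: empty connections vs. malformed requests."""
import re
from collections import Counter, defaultdict
from typing import Optional

# Field order ASSUMED from the two lines in the thread, not from a known
# AccessLogValve pattern:
#   <remote ip> - <X-Forwarded-For> - - [<time>] '<request line>' <status> <bytes>
#   '<referer>' '<user agent>' <elapsed> <session>
LOG_RE = re.compile(
    r"^(?P<remote>\S+) - (?P<forwarded>\S+) - - \[(?P<time>[^\]]+)\] "
    r"'(?P<request>[^']*)' (?P<status>\d{3}) (?P<bytes>\S+) "
    r"'(?P<referer>[^']*)' '(?P<agent>[^']*)' (?P<elapsed>\d+) (?P<session>\S+)$"
)

# Constructed sample lines modelled on the thread's two entries (documentation
# range and already-anonymised addresses; not real traffic).
SAMPLE_LINES = [
    # the nc '\x00' reproduction: Tomcat sent its 1939-byte error page, 686 elapsed
    "210.111.111.111 - 210.111.111.111 - - [09/Jan/2023:08:58:52 +0000] '-' 400 1939 '-' '-' 686 -",
    # the production shape: nothing sent back, 0 elapsed, nothing parseable received
    "198.51.100.23 - 198.51.100.23 - - [09/Jan/2023:06:11:06 +0000] '-' 400 - '-' '-' 0 -",
    "198.51.100.23 - 198.51.100.23 - - [09/Jan/2023:06:11:09 +0000] '-' 400 - '-' '-' 0 -",
    # an ordinary request for contrast
    "203.0.113.7 - 203.0.113.7 - - [09/Jan/2023:06:12:00 +0000] 'GET /index.html HTTP/1.1' 200 5120 '-' 'Mozilla/5.0' 1532 -",
]


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["elapsed"] = int(rec["elapsed"])
    rec["bytes"] = None if rec["bytes"] == "-" else int(rec["bytes"])  # '-' means zero
    return rec


def classify(rec: dict) -> str:
    """Label a record the way Jason's comparison of the two entries does.

    empty-connection : 400 with no request line, nothing sent back and zero
                       elapsed time; the client opened the port and sent nothing
                       usable, so Tomcat never had a request to reject
    malformed-request: 400 with no request line but an error page was sent, i.e.
                       bytes arrived and the request line failed to parse
    bad-request      : any other 400 (the request line was parseable)
    ok               : not a 400
    """
    if rec["status"] != 400:
        return "ok"
    if rec["request"] == "-" and rec["bytes"] is None and rec["elapsed"] == 0:
        return "empty-connection"
    if rec["request"] == "-":
        return "malformed-request"
    return "bad-request"


def summarize(lines) -> dict[str, Counter]:
    """Count categories per source address; unparseable lines are skipped."""
    per_ip: dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["remote"]][classify(rec)] += 1
    return dict(per_ip)


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LINES).items():
        print(ip, dict(counts))
```

Addresses whose only activity is empty-connection entries are the ones a firewall rule can handle; Tomcat itself cannot see them before the connection is accepted.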

Re: Tomcat support RHEL9

2023-01-09 Thread Mark Thomas

On 09/01/2023 06:12, Deepti Sharma S wrote:
> Hello Tomcat Team,
>
> Can you please confirm, if any Tomcat version is supported on/with RHEL9?


As far as the Tomcat community is concerned, Tomcat is supported on any 
platform on which an appropriate version of Java is available.


As for the official RedHat position, you'll have to ask RedHat.

I will note that if the JVM and/or OS you choose is not readily 
available to the Tomcat committers then you will need to do more of the 
work (or provide a committer with access to a suitable test system) if 
you have a platform specific issue.


Mark




Re: Problems with requests without trailing slash Tomcat 9.0.65

2023-01-09 Thread Fedor Makarov


We have two webapps, lundase and vvsguiden; therefore, the options you have 
suggested do not look applicable. On debug I saw that RequestURI in request 
looks like lundase/lundase/...
  
---
Fedor Makarov
 

RE: Problems with requests without trailing slash Tomcat 9.0.65

2023-01-09 Thread alik alikov
We have two webapps, lundase and vvsguiden; therefore, the options you have 
suggested do not look applicable. On debug I saw that RequestURI in request 
looks like lundase/lundase/...