Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-26 Thread Ellen Meiselman
So I really can't believe it, but it WORKS, from end to end. I'm extremely
grateful. This was definitely becoming a bit stressful until I found this
mailing list. I'll have to do some more complete testing but this is
looking good.

Regarding the next release of Tomcat, I may as well give it a try. Tomcat
9, which I tried first until I ran into this mystery problem (so I backed
off to v.8.5.51), has tightened down by forbidding certain characters in the
request, which gave me a few bad moments until I figured out how to allow
them again. Hopefully not too many new surprises in TC 10.

Ellen

On Wed, Feb 26, 2020 at 12:29 PM Mark Thomas  wrote:

> On 26/02/2020 17:15, Ellen Meiselman wrote:
> > One more piece of the puzzle:
> > Setting allowedRequestAttributesPattern=".*" WORKED.
> > So if I get the exact pattern right, that may be the answer.
> > You'll all have to forgive me - I really don't know much about this
> stuff -
> > I'm mostly a front-end developer who is sort of the "last woman standing"
> > to support this particular application. So I don't know a lot of the
> > basics.
>
> The specific match setting should be:
>
>
> allowedRequestAttributesPattern="CERT_(ISSUER|SUBJECT|COOKIE|FLAGS|SERIALNUMBER)|HTTPS_(SERVER_(SUBJECT|ISSUER)|(SECRETKEYSIZE|KEYSIZE))"
>
> All on one line.
>
> Tested with IIS on Server 2019 and Tomcat 9.0.31.
>
> You should be able to make it a little more efficient if you re-work the
> final two literals.
>
> Once you upgrade to the next Tomcat release (should be available early
> next month), you can remove the allowedRequestAttributesPattern setting.
> Those Tomcat versions will do this automatically.
>
> Mark
>
>
> >
> > Thank you,
> > Ellen
> >
> >
> > On Wed, Feb 26, 2020 at 9:25 AM 
> > wrote:
> >
> >> -Original Message-
> >>> From: Mark Thomas 
> >>> Sent: Wednesday, February 26, 2020 5:19 AM
> >>> To: users@tomcat.apache.org
> >>> Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector
> >> and Tomcat
> >>
> >>> On 26/02/2020 09:00, Mark Thomas wrote:
> >>> On 25/02/2020 21:47, Ellen Meiselman wrote:
>  So it turned out that the logs were mostly set at FINE already, so
> >>> Johann’s suggestion was already done.
> 
>  But I think I now know where the problem lies. Secure IIS request >
> >>> to > non-secure AJP.
> 
>  I don’t think this was a problem on the other servers before but the
> >>> security has probably been tightened, and it just doesn’t produce an
> >>> error - it just won’t allow it.
> 
>  I have had IIS set to require SSL, but I turned it off to test and it
> >>> actually worked all the way through to the simple.html file. so it’s
> >>> some sort of policy about downgrading - which seems quite rational in
> >>> retrospect
> >>>
> >>> Thanks for the new information.
> >>>
> >>> That rules out an issue with the secret settings.
> >>>
> >>> I wonder if IIS (or more likely the ISAPI redirector) is adding some
> >>> unexpected request attributes that is triggering the new protection
> >>> for CVE-2020-1938. If that is the case, adding the following to your
> >>> AJP connector in server.xml should get things working for SSL as well:
> >>>
> >>> allowedRequestAttributesPattern=".*"
> >>>
> >>> Meanwhile, I'll configure my local test environment for IIS with TLS
> >>> and see what happens.
> >>
> >>> Confirmed. That is the issue and allowedRequestAttributesPattern=".*"
> >>> works around it.
> >>
> >>> I need to debug further to find out exactly what the attributes are. I
> >> expect we'll add them to the ones Tomcat accepts by default.
> >>
> >>> Mark
> >>
> >>> -
> >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >> Thanks Mark,
> >> So, to be clear, add
> >>
> >> allowedRequestAttributesPattern=".*"
> >>
> >> to the AJP Connector in server.xml IF you are using IIS as the
> Front-End,
> >> using the AJP Plugin and having SSL configured in IIS?
> >>
> >> Thanks,
> >>
> >> Dream * Excel * Explore * Inspire
> >> Jon McAlexander
> >> Asst Vice President
> >>
> >> Middleware Product Engineering
> >> Enterprise CIO | Platform Services | Middleware | Infrastructure
> Solutions
> >>
> >> Upcoming PTO: 11/8, 11/11, 11/15, 11/22, 11/28, 11/29, 12/2, 12/6,
> 12/13,
> >> 12/20 – 12/31
> >>
> >> 8080 Cobblestone Rd | Urbandale, IA 50322
> >> MAC: F4469-010
> >> Tel 515-988-2508 | Cell 515-988-2508
> >>
> >> jonmcalexan...@wellsfargo.com
> >>
> >>
> >> This message may contain confidential and/or privileged information. If
> >> you are not the addressee or authorized to receive this for the
> addressee,
> >> you must not use, copy, disclose, or take any action based on this
> message
> >> or any information herein. If you have received this message in error,
> >> please advise the sender immediately by reply e-mail and delete this
> >> message. Thank you for your 

RE: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-26 Thread jonmcalexander
Thank you sir!




-Original Message-
From: Christopher Schultz  
Sent: Wednesday, February 26, 2020 11:18 AM
To: users@tomcat.apache.org
Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat


Jon,

On 2/26/20 09:25, jonmcalexan...@wellsfargo.com.INVALID wrote:
> -Original Message-
>> From: Mark Thomas  Sent: Wednesday, February 26, 
>> 2020 5:19 AM To: users@tomcat.apache.org Subject: Re: [OT] At wits 
>> end: Difficulties with IIS ISAPI connector and Tomcat
>
>> On 26/02/2020 09:00, Mark Thomas wrote: On 25/02/2020 21:47, Ellen 
>> Meiselman wrote:
>>> So it turned out that the logs were mostly set at FINE already, so
>> Johann’s suggestion was already done.
>>>
>>> But I think I now know where the problem lies. Secure IIS
>>> request >
>> to > non-secure AJP.
>>>
>>> I don’t think this was a problem on the other servers before
>>> but the
>> security has probably been tightened, and it just doesn’t produce
>> an error - it just won’t allow it.
>>>
>>> I have had IIS set to require SSL, but I turned it off to test
>>> and it
>> actually worked all the way through to the simple.html file. so
>> it’s some sort of policy about downgrading - which seems quite
>> rational in retrospect
>>
>> Thanks for the new information.
>>
>> That rules out an issue with the secret settings.
>>
>> I wonder if IIS (or more likely the ISAPI redirector) is adding
>> some unexpected request attributes that is triggering the new
>> protection for CVE-2020-1938. If that is the case, adding the
>> following to your AJP connector in server.xml should get things
>> working for SSL as well:
>>
>> allowedRequestAttributesPattern=".*"
>>
>> Meanwhile, I'll configure my local test environment for IIS with
>> TLS and see what happens.
>
>> Confirmed. That is the issue and
>> allowedRequestAttributesPattern=".*" works around it.
>
>> I need to debug further to find out exactly what the attributes
>> are. I expect we'll add them to the ones Tomcat accepts by
>> default.
>
>> Mark
>
>
> Thanks Mark, So, to be clear, add
>
> allowedRequestAttributesPattern=".*"
>
> to the AJP Connector in server.xml IF you are using IIS as the
> Front-End, using the AJP Plugin and having SSL configured in IIS?

And also if you can convince yourself that nobody is going to make
malicious connections to your AJP port.

It looks like Mark found the set of attributes that need to be added
to the whitelist; if you look at those patches, you can put just those
items into the pattern (e.g.
allowedRequestAttributesPattern="(CLIENT_CERT|..." to be as safe as
possible.

- -chris




Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-26 Thread Mark Thomas
On 26/02/2020 17:15, Ellen Meiselman wrote:
> One more piece of the puzzle:
> Setting allowedRequestAttributesPattern=".*" WORKED.
> So if I get the exact pattern right, that may be the answer.
> You'll all have to forgive me - I really don't know much about this stuff -
> I'm mostly a front-end developer who is sort of the "last woman standing"
> to support this particular application. So I don't know a lot of the
> basics.

The specific match setting should be:

allowedRequestAttributesPattern="CERT_(ISSUER|SUBJECT|COOKIE|FLAGS|SERIALNUMBER)|HTTPS_(SERVER_(SUBJECT|ISSUER)|(SECRETKEYSIZE|KEYSIZE))"

All on one line.

Tested with IIS on Server 2019 and Tomcat 9.0.31.

You should be able to make it a little more efficient if you re-work the
final two literals.

Once you upgrade to the next Tomcat release (should be available early
next month), you can remove the allowedRequestAttributesPattern setting.
Those Tomcat versions will do this automatically.

Mark


> 
> Thank you,
> Ellen
> 
> 
> On Wed, Feb 26, 2020 at 9:25 AM 
> wrote:
> 
>> -Original Message-
>>> From: Mark Thomas 
>>> Sent: Wednesday, February 26, 2020 5:19 AM
>>> To: users@tomcat.apache.org
>>> Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector
>> and Tomcat
>>
>>> On 26/02/2020 09:00, Mark Thomas wrote:
>>> On 25/02/2020 21:47, Ellen Meiselman wrote:
 So it turned out that the logs were mostly set at FINE already, so
>>> Johann’s suggestion was already done.

 But I think I now know where the problem lies. Secure IIS request >
>>> to > non-secure AJP.

 I don’t think this was a problem on the other servers before but the
>>> security has probably been tightened, and it just doesn’t produce an
>>> error - it just won’t allow it.

 I have had IIS set to require SSL, but I turned it off to test and it
>>> actually worked all the way through to the simple.html file. so it’s
>>> some sort of policy about downgrading - which seems quite rational in
>>> retrospect
>>>
>>> Thanks for the new information.
>>>
>>> That rules out an issue with the secret settings.
>>>
>>> I wonder if IIS (or more likely the ISAPI redirector) is adding some
>>> unexpected request attributes that is triggering the new protection
>>> for CVE-2020-1938. If that is the case, adding the following to your
>>> AJP connector in server.xml should get things working for SSL as well:
>>>
>>> allowedRequestAttributesPattern=".*"
>>>
>>> Meanwhile, I'll configure my local test environment for IIS with TLS
>>> and see what happens.
>>
>>> Confirmed. That is the issue and allowedRequestAttributesPattern=".*"
>>> works around it.
>>
>>> I need to debug further to find out exactly what the attributes are. I
>> expect we'll add them to the ones Tomcat accepts by default.
>>
>>> Mark
>>
>>
>> Thanks Mark,
>> So, to be clear, add
>>
>> allowedRequestAttributesPattern=".*"
>>
>> to the AJP Connector in server.xml IF you are using IIS as the Front-End,
>> using the AJP Plugin and having SSL configured in IIS?
>>
>> Thanks,
>>
> 





Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-26 Thread Christopher Schultz

Jon,

On 2/26/20 09:25, jonmcalexan...@wellsfargo.com.INVALID wrote:
> -Original Message-
>> From: Mark Thomas  Sent: Wednesday, February
>> 26, 2020 5:19 AM To: users@tomcat.apache.org Subject: Re: [OT] At
>> wits end: Difficulties with IIS ISAPI connector and Tomcat
>
>> On 26/02/2020 09:00, Mark Thomas wrote: On 25/02/2020 21:47,
>> Ellen Meiselman wrote:
>>> So it turned out that the logs were mostly set at FINE already,
>>> so
>> Johann’s suggestion was already done.
>>>
>>> But I think I now know where the problem lies. Secure IIS
>>> request >
>> to > non-secure AJP.
>>>
>>> I don’t think this was a problem on the other servers before
>>> but the
>> security has probably been tightened, and it just doesn’t produce
>> an error - it just won’t allow it.
>>>
>>> I have had IIS set to require SSL, but I turned it off to test
>>> and it
>> actually worked all the way through to the simple.html file. so
>> it’s some sort of policy about downgrading - which seems quite
>> rational in retrospect
>>
>> Thanks for the new information.
>>
>> That rules out an issue with the secret settings.
>>
>> I wonder if IIS (or more likely the ISAPI redirector) is adding
>> some unexpected request attributes that is triggering the new
>> protection for CVE-2020-1938. If that is the case, adding the
>> following to your AJP connector in server.xml should get things
>> working for SSL as well:
>>
>> allowedRequestAttributesPattern=".*"
>>
>> Meanwhile, I'll configure my local test environment for IIS with
>> TLS and see what happens.
>
>> Confirmed. That is the issue and
>> allowedRequestAttributesPattern=".*" works around it.
>
>> I need to debug further to find out exactly what the attributes
>> are. I expect we'll add them to the ones Tomcat accepts by
>> default.
>
>> Mark
>
>
> Thanks Mark, So, to be clear, add
>
> allowedRequestAttributesPattern=".*"
>
> to the AJP Connector in server.xml IF you are using IIS as the
> Front-End, using the AJP Plugin and having SSL configured in IIS?

And also if you can convince yourself that nobody is going to make
malicious connections to your AJP port.

It looks like Mark found the set of attributes that need to be added
to the whitelist; if you look at those patches, you can put just those
items into the pattern (e.g.
allowedRequestAttributesPattern="(CLIENT_CERT|..." to be as safe as
possible.

- -chris


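The hardening Mark and Chris discuss above, worked through as an added example that is not part of the thread, of Tomcat, or of the ISAPI redirector: a small audit of an AJP `<Connector>` plus the matching `workers.properties`, and a model of the attribute check that `allowedRequestAttributesPattern` drives. It assumes the documented Tomcat 9.0.31+ meaning of `address`, `secret`, `secretRequired` and `allowedRequestAttributesPattern`, that Tomcat applies the pattern as a full match on the attribute name (Java `Pattern.matches`, modelled with `re.fullmatch`) and answers 403 when an attribute fails it, and that the `server.xml` and `workers.properties` fragments are constructed inputs. `COMPACT_PATTERN` is one assumed way to rework the "final two literals" Mark mentions; the IIS attribute names are exactly those in his pattern, and the `javax.servlet.include.*` names are the arbitrary attributes a CVE-2020-1938 client sends.

```python
"""AJP connector audit for the CVE-2020-1938 hardening discussed above.

Added example, not Tomcat's or the ISAPI redirector's code. Assumes the
Connector attributes have their documented Tomcat 9.0.31+ meaning, that the
pattern is a full match on the name (Java Pattern.matches, here re.fullmatch)
answered with 403 on failure, and that the config fragments are constructed.
"""
import re
import xml.etree.ElementTree as ET
# Attributes the ISAPI redirector adds on a TLS request (Mark's pattern).
IIS_TLS_ATTRS = ["CERT_ISSUER", "CERT_SUBJECT", "CERT_COOKIE", "CERT_FLAGS",
                 "CERT_SERIALNUMBER", "HTTPS_SERVER_SUBJECT",
                 "HTTPS_SERVER_ISSUER", "HTTPS_SECRETKEYSIZE", "HTTPS_KEYSIZE"]
# Arbitrary attributes a hostile AJP client sends in the Ghostcat file-read
# case; no legitimate reverse proxy sets them.
GHOSTCAT_ATTRS = ["javax.servlet.include." + s
                  for s in ("request_uri", "path_info", "servlet_path")]
MARK_PATTERN = (r"CERT_(ISSUER|SUBJECT|COOKIE|FLAGS|SERIALNUMBER)"
                r"|HTTPS_(SERVER_(SUBJECT|ISSUER)|(SECRETKEYSIZE|KEYSIZE))")
# Assumed rewrite of Mark's "final two literals" as one optional prefix.
COMPACT_PATTERN = (r"CERT_(ISSUER|SUBJECT|COOKIE|FLAGS|SERIALNUMBER)"
                   r"|HTTPS_(SERVER_(SUBJECT|ISSUER)|(SECRET)?KEYSIZE)")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def attribute_allowed(pattern, name):
    """True if the connector would accept an arbitrary attribute `name`."""
    return re.fullmatch(pattern, name) is not None

def filter_request_attributes(pattern, attrs):
    """Model one AJP request: returns (status, accepted attributes)."""
    accepted = {}
    for name, value in attrs:
        if not attribute_allowed(pattern, name):
            return 403, {}          # one unknown attribute rejects the request
        accepted[name] = value
    return 200, accepted

def parse_worker_secrets(workers_properties):
    """Return {worker: secret} from worker.<name>.secret=... lines."""
    secrets = {}
    for raw in workers_properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        parts = key.split(".")
        if len(parts) == 3 and parts[0] == "worker" and parts[2] == "secret":
            secrets[parts[1]] = value
    return secrets

def audit(server_xml, workers_properties):
    """Findings (strings) for every AJP <Connector> in server_xml."""
    findings = []
    worker_secrets = parse_worker_secrets(workers_properties)
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        port, address = conn.get("port"), conn.get("address", "")
        if address not in LOOPBACK:
            findings.append(f"port {port}: not bound to loopback ({address!r})")
        secret = conn.get("secret")
        if secret is None:
            findings.append(f"port {port}: no shared secret, network is the only guard")
        for worker, value in worker_secrets.items():
            # Compared literally: quotes or a trailing period in
            # workers.properties become part of the secret and never match.
            if value[:1] in ('"', "'") or value[-1:] in ('"', "'", "."):
                findings.append(f"worker {worker}: secret has quotes/trailing punctuation")
            elif secret is not None and value != secret:
                findings.append(f"worker {worker}: secret differs from the connector's")
        pattern = conn.get("allowedRequestAttributesPattern")
        if pattern is None:
            continue
        if any(attribute_allowed(pattern, a) for a in GHOSTCAT_ATTRS):
            findings.append(f"port {port}: pattern {pattern!r} admits arbitrary attributes")
        rejected = [a for a in IIS_TLS_ATTRS if not attribute_allowed(pattern, a)]
        if rejected:
            findings.append(f"port {port}: pattern rejects IIS attributes {rejected}")
    return findings

WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" secretRequired="false"
             allowedRequestAttributesPattern=".*" redirectPort="8443"/>
</Service></Server>"""
HARDENED_SERVER_XML = f"""<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="s3cr3t-example"
             allowedRequestAttributesPattern="{MARK_PATTERN}" redirectPort="8443"/>
</Service></Server>"""
# workers.properties carrying the quoting mistake raised later in the thread.
WEAK_WORKERS = ("worker.list=worker1\nworker.worker1.type=ajp13\n"
                "worker.worker1.host=127.0.0.1\nworker.worker1.port=8009\n"
                'worker.worker1.secret="s3cr3t-example".\n')
HARDENED_WORKERS = WEAK_WORKERS.replace('"s3cr3t-example".', "s3cr3t-example")

if __name__ == "__main__":
    print("weak:", audit(WEAK_SERVER_XML, WEAK_WORKERS))
    print("hardened:", audit(HARDENED_SERVER_XML, HARDENED_WORKERS) or "no findings")
```

Run as a script it reports four findings for the weak pair (AJP reachable beyond loopback, no secret, a quoted secret in `workers.properties`, and a `.*` pattern that lets the `javax.servlet.include.*` attributes through) and none for the hardened pair. The point Chris makes about `.*` shows up directly: `filter_request_attributes(".*", ...)` accepts a Ghostcat request, while Mark's pattern rejects it yet still accepts every `CERT_*`/`HTTPS_*` attribute IIS sends on a TLS request.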


Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-26 Thread Ellen Meiselman
One more piece of the puzzle:
Setting allowedRequestAttributesPattern=".*" WORKED.
So if I get the exact pattern right, that may be the answer.
You'll all have to forgive me - I really don't know much about this stuff -
I'm mostly a front-end developer who is sort of the "last woman standing"
to support this particular application. So I don't know a lot of the
basics.

Thank you,
Ellen


On Wed, Feb 26, 2020 at 9:25 AM 
wrote:

> -Original Message-
> > From: Mark Thomas 
> > Sent: Wednesday, February 26, 2020 5:19 AM
> > To: users@tomcat.apache.org
> > Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector
> and Tomcat
>
> > On 26/02/2020 09:00, Mark Thomas wrote:
> > On 25/02/2020 21:47, Ellen Meiselman wrote:
> >> So it turned out that the logs were mostly set at FINE already, so
> > Johann’s suggestion was already done.
> >>
> >> But I think I now know where the problem lies. Secure IIS request >
> > to > non-secure AJP.
> >>
> >> I don’t think this was a problem on the other servers before but the
> > security has probably been tightened, and it just doesn’t produce an
> > error - it just won’t allow it.
> >>
> >> I have had IIS set to require SSL, but I turned it off to test and it
> > actually worked all the way through to the simple.html file. so it’s
> > some sort of policy about downgrading - which seems quite rational in
> > retrospect
> >
> > Thanks for the new information.
> >
> > That rules out an issue with the secret settings.
> >
> > I wonder if IIS (or more likely the ISAPI redirector) is adding some
> > unexpected request attributes that is triggering the new protection
> > for CVE-2020-1938. If that is the case, adding the following to your
> > AJP connector in server.xml should get things working for SSL as well:
> >
> > allowedRequestAttributesPattern=".*"
> >
> > Meanwhile, I'll configure my local test environment for IIS with TLS
> > and see what happens.
>
> > Confirmed. That is the issue and allowedRequestAttributesPattern=".*"
> > works around it.
>
> > I need to debug further to find out exactly what the attributes are. I
> expect we'll add them to the ones Tomcat accepts by default.
>
> > Mark
>
>
> Thanks Mark,
> So, to be clear, add
>
> allowedRequestAttributesPattern=".*"
>
> to the AJP Connector in server.xml IF you are using IIS as the Front-End,
> using the AJP Plugin and having SSL configured in IIS?
>
> Thanks,
>


Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-26 Thread Ellen Meiselman
Hi,

For all those of you helping me with the AJP connector
allowedRequestAttributesPattern, I've spent some time carefully sanitizing
2 sets of isapi_redirect.log entries and put them up at the link below.
These logs were generated from exactly two requests (sanitized version
shown)

https://myserver.com/MyExposedApplication/simple.html
and
http://myserver.com/MyExposedApplication/simple.html

In other words SSL, and non-SSL.

I believe these show the request and headers, and hopefully will help with
a discussion of allowed request attributes.

Here's the link:
https://docs.google.com/document/d/1Y4NNrshG_4_sV4hArP2G0xoAzdxjMvivL_0IVJKE5SM/edit?usp=sharing

They'll be up for about 1 day, so please copy the text if you find them
useful

Ellen

On Wed, Feb 26, 2020 at 9:25 AM 
wrote:

> -Original Message-
> > From: Mark Thomas 
> > Sent: Wednesday, February 26, 2020 5:19 AM
> > To: users@tomcat.apache.org
> > Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector
> and Tomcat
>
> > On 26/02/2020 09:00, Mark Thomas wrote:
> > On 25/02/2020 21:47, Ellen Meiselman wrote:
> >> So it turned out that the logs were mostly set at FINE already, so
> > Johann’s suggestion was already done.
> >>
> >> But I think I now know where the problem lies. Secure IIS request >
> > to > non-secure AJP.
> >>
> >> I don’t think this was a problem on the other servers before but the
> > security has probably been tightened, and it just doesn’t produce an
> > error - it just won’t allow it.
> >>
> >> I have had IIS set to require SSL, but I turned it off to test and it
> > actually worked all the way through to the simple.html file. so it’s
> > some sort of policy about downgrading - which seems quite rational in
> > retrospect
> >
> > Thanks for the new information.
> >
> > That rules out an issue with the secret settings.
> >
> > I wonder if IIS (or more likely the ISAPI redirector) is adding some
> > unexpected request attributes that is triggering the new protection
> > for CVE-2020-1938. If that is the case, adding the following to your
> > AJP connector in server.xml should get things working for SSL as well:
> >
> > allowedRequestAttributesPattern=".*"
> >
> > Meanwhile, I'll configure my local test environment for IIS with TLS
> > and see what happens.
>
> > Confirmed. That is the issue and allowedRequestAttributesPattern=".*"
> > works around it.
>
> > I need to debug further to find out exactly what the attributes are. I
> expect we'll add them to the ones Tomcat accepts by default.
>
> > Mark
>
>
> Thanks Mark,
> So, to be clear, add
>
> allowedRequestAttributesPattern=".*"
>
> to the AJP Connector in server.xml IF you are using IIS as the Front-End,
> using the AJP Plugin and having SSL configured in IIS?
>
> Thanks,
>


Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-26 Thread Martin Grigorov
Hi,

On Wed, Feb 26, 2020 at 4:25 PM 
wrote:

> -Original Message-
> > From: Mark Thomas 
> > Sent: Wednesday, February 26, 2020 5:19 AM
> > To: users@tomcat.apache.org
> > Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector
> and Tomcat
>
> > On 26/02/2020 09:00, Mark Thomas wrote:
> > On 25/02/2020 21:47, Ellen Meiselman wrote:
> >> So it turned out that the logs were mostly set at FINE already, so
> > Johann’s suggestion was already done.
> >>
> >> But I think I now know where the problem lies. Secure IIS request >
> > to > non-secure AJP.
> >>
> >> I don’t think this was a problem on the other servers before but the
> > security has probably been tightened, and it just doesn’t produce an
> > error - it just won’t allow it.
> >>
> >> I have had IIS set to require SSL, but I turned it off to test and it
> > actually worked all the way through to the simple.html file. so it’s
> > some sort of policy about downgrading - which seems quite rational in
> > retrospect
> >
> > Thanks for the new information.
> >
> > That rules out an issue with the secret settings.
> >
> > I wonder if IIS (or more likely the ISAPI redirector) is adding some
> > unexpected request attributes that is triggering the new protection
> > for CVE-2020-1938. If that is the case, adding the following to your
> > AJP connector in server.xml should get things working for SSL as well:
> >
> > allowedRequestAttributesPattern=".*"
> >
> > Meanwhile, I'll configure my local test environment for IIS with TLS
> > and see what happens.
>
> > Confirmed. That is the issue and allowedRequestAttributesPattern=".*"
> > works around it.
>
> > I need to debug further to find out exactly what the attributes are. I
> expect we'll add them to the ones Tomcat accepts by default.
>
> > Mark
>
>
> Thanks Mark,
> So, to be clear, add
>
> allowedRequestAttributesPattern=".*"
>
> to the AJP Connector in server.xml IF you are using IIS as the Front-End,
> using the AJP Plugin and having SSL configured in IIS?
>


Using ".*" as a value was helpful just for the debugging of the problem.
Mark documented the IIS specific attributes in AJP Connector documentation.
It would be better to whitelist only them, not everything.

Martin


>
> Thanks,
>


RE: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-26 Thread jonmcalexander
-Original Message-
> From: Mark Thomas  
> Sent: Wednesday, February 26, 2020 5:19 AM
> To: users@tomcat.apache.org
> Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

> On 26/02/2020 09:00, Mark Thomas wrote:
> On 25/02/2020 21:47, Ellen Meiselman wrote:
>> So it turned out that the logs were mostly set at FINE already, so
> Johann’s suggestion was already done.
>>
>> But I think I now know where the problem lies. Secure IIS request >
> to > non-secure AJP.
>>
>> I don’t think this was a problem on the other servers before but the
> security has probably been tightened, and it just doesn’t produce an 
> error - it just won’t allow it.
>>
>> I have had IIS set to require SSL, but I turned it off to test and it
> actually worked all the way through to the simple.html file. so it’s 
> some sort of policy about downgrading - which seems quite rational in 
> retrospect
> 
> Thanks for the new information.
> 
> That rules out an issue with the secret settings.
> 
> I wonder if IIS (or more likely the ISAPI redirector) is adding some 
> unexpected request attributes that is triggering the new protection 
> for CVE-2020-1938. If that is the case, adding the following to your 
> AJP connector in server.xml should get things working for SSL as well:
> 
> allowedRequestAttributesPattern=".*"
> 
> Meanwhile, I'll configure my local test environment for IIS with TLS 
> and see what happens.

> Confirmed. That is the issue and allowedRequestAttributesPattern=".*"
> works around it.

> I need to debug further to find out exactly what the attributes are. I expect 
> we'll add them to the ones Tomcat accepts by default.

> Mark


Thanks Mark, 
So, to be clear, add 

allowedRequestAttributesPattern=".*"

to the AJP Connector in server.xml IF you are using IIS as the Front-End, using 
the AJP Plugin and having SSL configured in IIS?

Thanks,



Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
Hi Chris, 

Thank you very much for the suggestion and all the help. 
 
Ellen

> On Feb 25, 2020, at 3:42 PM, Christopher Schultz 
>  wrote:
> 
> 
> Ellen,
> 
> On 2/25/20 13:10, Ellen Meiselman wrote:
>> No, just that I don't know how to set this particular connector up
>> another way. I based this on the instructions on the
>> isapi_connector site
>> http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
>> and on the 2 older servers we have which are working.> I'm sort of
>> thinking of suggesting that we get rid of IIS entirely and switch
>> to Tomcat. Then we can run the necessary Java application and also
>> serve all the HTML items we need to using the same web server.
> Tomcat is a perfectly good "plain old" web server. Some security
> people get all freaked-out when you suggest that Tomcat be exposed
> "directly" but IMHO it can't be any worse than IIS.
> 
> But also IMHO there are always reasons to use a reverse proxy:
> flexibility and availability. When you are restarting Tomcat for
> whatever reason, what will clients see if they try to access your
> application? CONNECTION REFUSED? :( With the proxy in the way, that is
> much less likely. Also, if you want to serve Java web applications,
> python web applications, .NET whatevers, you'll be able to do that
> much more flexibly with a reverse-proxy in the mix.
> 
> - -chris
> 
>> On Tue, Feb 25, 2020 at 1:01 PM Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>> 
>> Ellen,
>> 
>> On 2/25/20 12:55, Ellen Meiselman wrote:
>>>>> Sorry - no, the quotes were not there except for a 5 minute
>>>>> test of a hopeless theory that they might be needed. Right
>>>>> now there is no secret at all in the workers.properties, and
>> in the
>>>>> ajp connector, i have secretRequired ="false".
>>>>> Workers.properties: worker.worker1.type=ajp13
>>>>> worker.worker1.host=127.0.0.1 worker.worker1.port=8009
>>>>> 
>>>>> Server.xml: <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009" secretRequired="false"
>>>>> redirectPort="8443" />
>> 
>> Hmm. I think we've all been operating under the assumption that
>> the "secret" (by whatever name) was the source of the problem. It
>> appears that was incorrect.
>> 
>> Have a look at Jon's question about file permissions.
>> 
>> Was this a configuration that had been working until recently, or
>> is this a new configuration that you haven't (yet) been able to get
>> working ?
>> 
>> Any reason not to use HTTP(S) for your protocol instead of AJP?
>> 
>> -chris
>> 
>>>>> On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz <
>>>>> ch...@christopherschultz.net> wrote:
>>>>> 
>>>>> Ellen,
>>>>> 
>>>>> On 2/25/20 12:06, Ellen Meiselman wrote:
>>>>>>>> Yes, everything is on the same server.
>>>>>>>> 
>>>>>>>> workers.properties: # Set properties for worker1
>>>>>>>> (ajp13) worker.worker1.type=ajp13
>>>>>>>> worker.worker1.host=127.0.0.1 worker.worker1.port=8009
>>>>>>>> worker.worker1.secret="mySecret".
>>>>> 
>>>>> Just so there is no confusion: your "mySecret" should have
>>>>> neither quotes nor the trailing period.
>>>>> 
>>>>> Are those literally in your IIS config file?
>>>>> 
>>>>> -chris
>>>>> 
>>>>>>>> On Tue, Feb 25, 2020 at 11:27 AM
>>>>>>>>  wrote:
>>>>>>>> 
>>>>>>>>> -Original Message- From: Ellen Meiselman
>>>>>>>>>  Sent: Tuesday, February 25, 2020
>>>>>>>>> 10:01 AM To: Tomcat Users List
>>>>>>>>>  Subject: Re: At wits end:
>>>>>>>>> Difficulties with IIS ISAPI connector and Tomcat
>>>>>>>>> 
>>>>>>>>>> Hi,
>>>>>>>>> 
>>>>>>>>>> I've been testing, and so far, there is no change
>>>>>>>>>> in the behavior. I am
>>>>>>>>> still getting the same tomcat-based 403 error.
>>>>>>>>> 

Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Christopher Schultz

Ellen,

On 2/25/20 13:10, Ellen Meiselman wrote:
> No, just that I don't know how to set this particular connector up
> another way. I based this on the instructions on the
> isapi_connector site
> http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
> and on the 2 older servers we have which are working.> I'm sort of
> thinking of suggesting that we get rid of IIS entirely and switch
> to Tomcat. Then we can run the necessary Java application and also
> serve all the HTML items we need to using the same web server.
Tomcat is a perfectly good "plain old" web server. Some security
people get all freaked-out when you suggest that Tomcat be exposed
"directly" but IMHO it can't be any worse than IIS.

But also IMHO there are always reasons to use a reverse proxy:
flexibility and availability. When you are restarting Tomcat for
whatever reason, what will clients see if they try to access your
application? CONNECTION REFUSED? :( With the proxy in the way, that is
much less likely. Also, if you want to serve Java web applications,
python web applications, .NET whatevers, you'll be able to do that
much more flexibly with a reverse-proxy in the mix.

- -chris

> On Tue, Feb 25, 2020 at 1:01 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Ellen,
>
> On 2/25/20 12:55, Ellen Meiselman wrote:
>>>> Sorry - no, the quotes were not there except for a 5 minute
>>>> test of a hopeless theory that they might be needed. Right
>>>> now there is no secret at all in the workers.properties, and
> in the
>>>> ajp connector, i have secretRequired ="false".
>>>> Workers.properties: worker.worker1.type=ajp13
>>>> worker.worker1.host=127.0.0.1 worker.worker1.port=8009
>>>>
>>>> Server.xml: <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009" secretRequired="false"
>>>> redirectPort="8443" />
>
> Hmm. I think we've all been operating under the assumption that
> the "secret" (by whatever name) was the source of the problem. It
> appears that was incorrect.
>
> Have a look at Jon's question about file permissions.
>
> Was this a configuration that had been working until recently, or
> is this a new configuration that you haven't (yet) been able to get
> working ?
>
> Any reason not to use HTTP(S) for your protocol instead of AJP?
>
> -chris
>
>>>> On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz <
>>>> ch...@christopherschultz.net> wrote:
>>>>
>>>> Ellen,
>>>>
>>>> On 2/25/20 12:06, Ellen Meiselman wrote:
>>>>>>> Yes, everything is on the same server.
>>>>>>>
>>>>>>> workers.properties: # Set properties for worker1
>>>>>>> (ajp13) worker.worker1.type=ajp13
>>>>>>> worker.worker1.host=127.0.0.1 worker.worker1.port=8009
>>>>>>> worker.worker1.secret="mySecret".
>>>>
>>>> Just so there is no confusion: your "mySecret" should have
>>>> neither quotes nor the trailing period.
>>>>
>>>> Are those literally in your IIS config file?
>>>>
>>>> -chris
>>>>
>>>>>>> On Tue, Feb 25, 2020 at 11:27 AM
>>>>>>>  wrote:
>>>>>>>
>>>>>>>> -Original Message- From: Ellen Meiselman
>>>>>>>>  Sent: Tuesday, February 25, 2020
>>>>>>>> 10:01 AM To: Tomcat Users List
>>>>>>>>  Subject: Re: At wits end:
>>>>>>>> Difficulties with IIS ISAPI connector and Tomcat
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>
>>>>>>>>> I've been testing, and so far, there is no change
>>>>>>>>> in the behavior. I am
>>>>>>>> still getting the same tomcat-based 403 error.
>>>>>>>>
>>>>>>>>> Based on what you said above...
>>>>>>>>>
>>>>>>>>> secretRequired="true" (which is the default, so it
>>>>>>>>> can be removed) secret="xxx"
>>>>>>>>
>>>>>>>>
>>>>>>>>> ...I removed secretRequired="true" and left secret.
>>>>>>>>> So the connector
>>>>>>>> definition now looks like this:

Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
Hi,  
 
Requests directly to Tomcat on port 8080 to pages within the connector-exposed 
web application work fine. 
For example, both of these work:
localhost:8080/exposedApplication/simple.html. (viewed on the server’s browser)
my.servers.domain.com:8080/exposedApplication/simple.html 
<http://my.servers.domain.com:8080/exposedApplication/simple.html> (viewed 
anywhere else)

 
Requests that go through IIS and the connector to the connector-exposed 
application result in a 403 error.
For example, this does not work:
https:my.servers.domain.com/exposedApplication/simple.html 
<http://my.servers.domain.com/exposedApplication/simple.html>


This Windows 2019 setup has the following versions of tomcat, windows, etc:

Tomcat version 8.5.51
Isapi_redirect.dll version 1.2.46.0
IIS 10/Windows server 2019

I also have two older, similar Windows Server environments that work perfectly. 
They both use these versions:

Tomcat version 8.5.3 (64 bit) as a service
Isapi_redirect.dll version 1.2.40.0 64 bit
IIS 8/Windows server 2012R2


Thanks, 

Ellen

> On Feb 25, 2020, at 2:29 PM,  
>  wrote:
> 
> -Original Message-
>> From: Ellen Meiselman  
>> Sent: Tuesday, February 25, 2020 12:27 PM
>> To: Tomcat Users List 
>> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
> 
>> Hi Jon,
> 
>> The best information I have about the error is from the localhost log:
> 
>> 10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET 
>> /exposedApplication/simple.html  HTTP/1.1"
>> 403 618
>> 10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET 
>> /exposedApplication/simple.html HTTP/1.1" 403 618
>> 10.00.00.00 - - [25/Feb/2020:10:46:24 -0500] "GET 
>> //exposedApplication/simple.html HTTP/1.1"
>> 403 618
> 
>> On Tue, Feb 25, 2020 at 1:19 PM 
>> wrote:
> 
> 
> What do you get if you go to the Tomcat Instance directly, via the HTTP/HTTPS 
> Port, bypassing IIS?
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org 
> <mailto:users-unsubscr...@tomcat.apache.org>
> For additional commands, e-mail: users-h...@tomcat.apache.org 
> <mailto:users-h...@tomcat.apache.org>


RE: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread jonmcalexander
-Original Message-
> From: Ellen Meiselman  
> Sent: Tuesday, February 25, 2020 12:27 PM
> To: Tomcat Users List 
> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

> Hi Jon,

> The best information I have about the error is from the localhost log:

> 10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET 
> /exposedApplication/simple.html  HTTP/1.1"
> 403 618
> 10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET 
> /exposedApplication/simple.html HTTP/1.1" 403 618
> 10.00.00.00 - - [25/Feb/2020:10:46:24 -0500] "GET 
> //exposedApplication/simple.html HTTP/1.1"
> 403 618

> On Tue, Feb 25, 2020 at 1:19 PM 
> wrote:


What do you get if you go to the Tomcat Instance directly, via the HTTP/HTTPS 
Port, bypassing IIS?


Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
Hi Jon,

The best information I have about the error is from the localhost log:

10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET
/exposedApplication/simple.html  HTTP/1.1"
403 618
10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET
/exposedApplication/simple.html
HTTP/1.1" 403 618
10.00.00.00 - - [25/Feb/2020:10:46:24 -0500] "GET
//exposedApplication/simple.html HTTP/1.1"
403 618

On Tue, Feb 25, 2020 at 1:19 PM 
wrote:

> -Original Message-
> From: Ellen Meiselman 
> Sent: Tuesday, February 25, 2020 12:04 PM
> To: Tomcat Users List 
> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
>
> The directory containing the dll is at $TomcatHome/isapi/
>
> I opened that wide up for testing after more secure configurations did not
> work. Don't worry - this will absolutely NOT be used for production:
> IUSR, I_USRS, and USERS all have full control.
> DefaultAppPool has everything but full control - Modify, execute, write.
>
> However, the isapi_redirect.dll's logs show that it is not getting tomcat
> errors the way it used to, so I do think it is connecting but then being
> banned by Tomcat itself.
> For example the logs used to have messages that tomcat wasn't listening on
> 8009  until I figured out that the AJP connector is now commented out by
> default in server.xml. After fixing that and a few other things, the logs
> suddenly started spitting back the complete html of the 403 error pages -
> in other words I do think it is now connecting.
>
>
>
>
> On Tue, Feb 25, 2020 at 12:54 PM 
> wrote:
>
> > What permissions are on the file containing the DLL, and Worker files?
> >
> >
> >
> > -Original Message-
> > From: Ellen Meiselman 
> > Sent: Tuesday, February 25, 2020 11:51 AM
> > To: Tomcat Users List 
> > Subject: Re: At wits end: Difficulties with IIS ISAPI connector and
> > Tomcat
> >
> > Thank you - when I remove the secret line, save and restart Tomcat, it
> > results in the same 403 error.
> >
> > On Tue, Feb 25, 2020 at 12:34 PM André Warnier (tomcat/perl) <
> > a...@ice-sa.com>
> > wrote:
> >
> > > The workers.properties below look good to me at first sight.
> > >
> > > Just to eliminate something, could you try the following changes :
> > >
> > > 1) workers.properties :
> > > remove the line
> > >  > worker.worker1.secret="mySecret".
> > >
> > > 2) AJP Connector in tomcat :
> > >
> > > <Connector protocol="AJP/1.3"
> > >  address="127.0.0.1"
> > >  port="8009"
> > >  secretRequired="false"
> > >  redirectPort="8443" />
> > >
> > > then restart tomcat and IIS.
> > > What's happening then ?
> > >
> > > Note : this is something new in tomcat 8.5.51 compared to 8.5.50 and
> > > earlier.
> > > Before, by default, the "secret" was disabled. Since 8.5.51, by
> > > default, the secret is enabled, and you have to disable it
> > > explicitly if you don't want it (as I did above).
> > >
> > > With the settings above, we are just trying to get back to a
> > > configuration without secret, to check if that works in your case.
> > > As indicated in the documentation
> > > (
> > > http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Standard_Imp
> > > le
> > > mentations)
> > > you can
> > > do that in your case, because the communication between IIS and
> > > Tomcat is fairly secure, since it happens all
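
The three localhost access-log lines Ellen posts above, rejoined onto one line each and run through a small parser and triage, as an added Python example written for this page; it is not code from the thread or from Tomcat. It assumes the default AccessLogValve common-log pattern, and the summary keys and the reading of a leading "//" are this example's own.

```python
"""Parse the Tomcat access-log lines quoted in the thread and summarise what
they say about the 403.  Added example for this page; not code from the
thread or from Tomcat.  Assumes the default AccessLogValve (common log) pattern."""
import re
from collections import Counter

# The three lines Ellen posted, unwrapped and embedded so the example runs offline.
ACCESS_LOG = """\
10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET /exposedApplication/simple.html  HTTP/1.1" 403 618
10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET /exposedApplication/simple.html HTTP/1.1" 403 618
10.00.00.00 - - [25/Feb/2020:10:46:24 -0500] "GET //exposedApplication/simple.html HTTP/1.1" 403 618
"""

# client ident user [time] "method path protocol" status bytes
# The \s+ before the protocol tolerates the doubled space in the first line.
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)\s+(?P<protocol>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>-|\d+)$')


def parse(log_text):
    """Return one dict per well-formed line; lines that do not match are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
        entries.append(e)
    return entries


def triage(entries):
    """Summarise the entries the way the thread reads them."""
    forbidden = [e for e in entries if e["status"] == 403]
    paths = sorted({e["path"] for e in forbidden})
    return {
        "total": len(entries),
        "status_counts": dict(Counter(e["status"] for e in entries)),
        # A line in Tomcat's own access log means the request crossed the AJP
        # link and Tomcat, not IIS, produced the 403: the redirector is
        # connecting, which is exactly Ellen's conclusion.
        "rejected_by_tomcat": len(forbidden),
        "forbidden_paths": paths,
        # A leading "//" usually means two path components were joined with a
        # separator on both sides; worth checking in the redirector's URI
        # mapping before looking at the application itself.
        "double_slash_paths": [p for p in paths if p.startswith("//")],
    }


if __name__ == "__main__":
    for key, value in triage(parse(ACCESS_LOG)).items():
        print(f"{key}: {value}")
```

Point `parse` at a real `localhost_access_log.*.txt` to get the same summary for a full day; lines in a custom pattern simply fail to match and are skipped rather than misread.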

RE: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread jonmcalexander
-Original Message-
From: Ellen Meiselman  
Sent: Tuesday, February 25, 2020 12:04 PM
To: Tomcat Users List 
Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

The directory containing the dll is at $TomcatHome/isapi/

I opened that wide up for testing after more secure configurations did not 
work. Don't worry - this will absolutely NOT be used for production:
IUSR, I_USRS, and USERS all have full control.
DefaultAppPool has everything but full control - Modify, execute, write.

However, the isapi_redirect.dll's logs show that it is not getting tomcat 
errors the way it used to, so I do think it is connecting but then being banned 
by Tomcat itself.
For example the logs used to have messages that tomcat wasn't listening on
8009  until I figured out that the AJP connector is now commented out by 
default in server.xml. After fixing that and a few other things, the logs 
suddenly started spitting back the complete html of the 403 error pages - in 
other words I do think it is now connecting.




On Tue, Feb 25, 2020 at 12:54 PM 
wrote:

> What permissions are on the file containing the DLL, and Worker files?
>
>
>
> -Original Message-
> From: Ellen Meiselman 
> Sent: Tuesday, February 25, 2020 11:51 AM
> To: Tomcat Users List 
> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and 
> Tomcat
>
> Thank you - when I remove the secret line, save and restart Tomcat, it 
> results in the same 403 error.
>
> On Tue, Feb 25, 2020 at 12:34 PM André Warnier (tomcat/perl) < 
> a...@ice-sa.com>
> wrote:
>
> > The workers.properties below look good to me at first sight.
> >
> > Just to eliminate something, could you try the following changes :
> >
> > 1) workers.properties :
> > remove the line
> >  > worker.worker1.secret="mySecret".
> >
> > 2) AJP Connector in tomcat :
> >
> > <Connector protocol="AJP/1.3"
> >  address="127.0.0.1"
> >  port="8009"
> >  secretRequired="false"
> >  redirectPort="8443" />
> >
> > then restart tomcat and IIS.
> > What's happening then ?
> >
> > Note : this is something new in tomcat 8.5.51 compared to 8.5.50 and 
> > earlier.
> > Before, by default, the "secret" was disabled. Since 8.5.51, by 
> > default, the secret is enabled, and you have to disable it 
> > explicitly if you don't want it (as I did above).
> >
> > With the settings above, we are just trying to get back to a 
> > configuration without secret, to check if that works in your case.
> > As indicated in the documentation
> > (
> > http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Standard_Imp
> > le
> > mentations)
> > you can
> > do that in your case, because the communication between IIS and 
> > Tomcat is fairly secure, since it happens all within the same host.
> >
> >
> > On 25.02.2020 18:06, Ellen Meiselman wrote:
> > > Yes, everything is on the same server.
> > >
> > > workers.properties:
> > > # Set properties for worker1 (ajp13)
> > > worker.worker1.type=ajp13
> > > worker.worker1.host=127.0.0.1
> > > worker.worker1.port=8009
> > > worker.worker1.secret="mySecret".
> > >
> > > On Tue, Feb 25, 2020 at 11:27 AM
> > > 
> > > wrote:
> > >
> > >> -Original Message-
> > >> From: Ellen Meiselman 
> > >> Sent: Tuesday, February 25, 2020 10:01 AM
> > >> To: Tomcat Users List 
> > >> Subject: Re: At wits end: Difficulties with IIS ISAPI connector 
> > >> and
> > Tomcat
> > >>
> > >>> Hi,
> > >>
> > >>> I

Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
No, just that I don't know how to set this particular connector up another
way. I based this on the instructions on the isapi_connector site
http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
and on the 2 older servers we have which are working.

I'm sort of thinking of suggesting that we get rid of IIS entirely and
switch to Tomcat. Then we can run the necessary Java application and also
serve all the HTML items we need to using the same web server.


On Tue, Feb 25, 2020 at 1:01 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Ellen,
>
> On 2/25/20 12:55, Ellen Meiselman wrote:
> > Sorry - no, the quotes were not there except for a 5 minute test of
> > a hopeless theory that they might be needed. Right now there is no
> > secret at all in the workers.properties, and
> in the
> > ajp connector, i have secretRequired ="false". Workers.properties:
> > worker.worker1.type=ajp13 worker.worker1.host=127.0.0.1
> > worker.worker1.port=8009
> >
> > Server.xml: <Connector protocol="AJP/1.3" address="127.0.0.1"
> > port="8009" secretRequired="false" redirectPort="8443" />
>
> Hmm. I think we've all been operating under the assumption that the
> "secret" (by whatever name) was the source of the problem. It appears
> that was incorrect.
>
> Have a look at Jon's question about file permissions.
>
> Was this a configuration that had been working until recently, or is
> this a new configuration that you haven't (yet) been able to get working
> ?
>
> Any reason not to use HTTP(S) for your protocol instead of AJP?
>
> - -chris
>
> > On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Ellen,
> >
> > On 2/25/20 12:06, Ellen Meiselman wrote:
> >>>> Yes, everything is on the same server.
> >>>>
> >>>> workers.properties: # Set properties for worker1 (ajp13)
> >>>> worker.worker1.type=ajp13 worker.worker1.host=127.0.0.1
> >>>> worker.worker1.port=8009 worker.worker1.secret="mySecret".
> >
> > Just so there is no confusion: your "mySecret" should have neither
> > quotes nor the trailing period.
> >
> > Are those literally in your IIS config file?
> >
> > -chris
> >
> >>>> On Tue, Feb 25, 2020 at 11:27 AM
> >>>>  wrote:
> >>>>
> >>>>> -Original Message- From: Ellen Meiselman
> >>>>>  Sent: Tuesday, February 25, 2020 10:01
> >>>>> AM To: Tomcat Users List  Subject:
> >>>>> Re: At wits end: Difficulties with IIS ISAPI connector and
> >>>>> Tomcat
> >>>>>
> >>>>>> Hi,
> >>>>>
> >>>>>> I've been testing, and so far, there is no change in the
> >>>>>> behavior. I am
> >>>>> still getting the same tomcat-based 403 error.
> >>>>>
> >>>>>> Based on what you said above...
> >>>>>>
> >>>>>> secretRequired="true" (which is the default, so it can
> >>>>>> be removed) secret="xxx"
> >>>>>
> >>>>>
> >>>>>> ...I removed secretRequired="true" and left secret. So
> >>>>>> the connector
> >>>>> definition now looks like this:
> >>>>>> <Connector protocol="AJP/1.3" address="127.0.0.1"
> >>>>>> port="8009" secret="mySecret" redirectPort="8443" />
> >>>>>
> >>>>> 
> >>>>>
> >>>>> I'm assuming that your web-front-end is on the same server
> >>>>> as your Tomcat instance, based on you having the address
> >>>>> set to 127.0.0.1, correct? What do you have in your
> >>>>> workers.properties file?
> >>>>>
> >>>>
> >>
> >


Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
The directory containing the dll is at $TomcatHome/isapi/

I opened that wide up for testing after more secure configurations did not
work. Don't worry - this will absolutely NOT be used for production:
IUSR, I_USRS, and USERS all have full control.
DefaultAppPool has everything but full control - Modify, execute, write.

However, the isapi_redirect.dll's logs show that it is not getting tomcat
errors the way it used to, so I do think it is connecting but then being
banned by Tomcat itself.
For example the logs used to have messages that tomcat wasn't listening on
8009  until I figured out that the AJP connector is now commented out by
default in server.xml. After fixing that and a few other things, the logs
suddenly started spitting back the complete html of the 403 error pages -
in other words I do think it is now connecting.




On Tue, Feb 25, 2020 at 12:54 PM 
wrote:

> What permissions are on the file containing the DLL, and Worker files?
>
>
>
> -Original Message-
> From: Ellen Meiselman 
> Sent: Tuesday, February 25, 2020 11:51 AM
> To: Tomcat Users List 
> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
>
> Thank you - when I remove the secret line, save and restart Tomcat, it
> results in the same 403 error.
>
> On Tue, Feb 25, 2020 at 12:34 PM André Warnier (tomcat/perl) <
> a...@ice-sa.com>
> wrote:
>
> > The workers.properties below look good to me at first sight.
> >
> > Just to eliminate something, could you try the following changes :
> >
> > 1) workers.properties :
> > remove the line
> >  > worker.worker1.secret="mySecret".
> >
> > 2) AJP Connector in tomcat :
> >
> > <Connector protocol="AJP/1.3"
> >  address="127.0.0.1"
> >  port="8009"
> >  secretRequired="false"
> >  redirectPort="8443" />
> >
> > then restart tomcat and IIS.
> > What's happening then ?
> >
> > Note : this is something new in tomcat 8.5.51 compared to 8.5.50 and
> > earlier.
> > Before, by default, the "secret" was disabled. Since 8.5.51, by
> > default, the secret is enabled, and you have to disable it explicitly
> > if you don't want it (as I did above).
> >
> > With the settings above, we are just trying to get back to a
> > configuration without secret, to check if that works in your case.
> > As indicated in the documentation
> > (
> > http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Standard_Imple
> > mentations)
> > you can
> > do that in your case, because the communication between IIS and Tomcat
> > is fairly secure, since it happens all within the same host.
> >
> >
> > On 25.02.2020 18:06, Ellen Meiselman wrote:
> > > Yes, everything is on the same server.
> > >
> > > workers.properties:
> > > # Set properties for worker1 (ajp13)
> > > worker.worker1.type=ajp13
> > > worker.worker1.host=127.0.0.1
> > > worker.worker1.port=8009
> > > worker.worker1.secret="mySecret".
> > >
> > > On Tue, Feb 25, 2020 at 11:27 AM
> > > 
> > > wrote:
> > >
> > >> -Original Message-
> > >> From: Ellen Meiselman 
> > >> Sent: Tuesday, February 25, 2020 10:01 AM
> > >> To: Tomcat Users List 
> > >> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and
> > Tomcat
> > >>
> > >>> Hi,
> > >>
> > >>> I've been testing, and so far, there is no change in the behavior.
> > >>> I am
> > >> still getting the same tomcat-based 403 error.

Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Christopher Schultz

Ellen,

On 2/25/20 12:55, Ellen Meiselman wrote:
> Sorry - no, the quotes were not there except for a 5 minute test of
> a hopeless theory that they might be needed. Right now there is no
> secret at all in the workers.properties, and
in the
> ajp connector, i have secretRequired ="false". Workers.properties:
> worker.worker1.type=ajp13 worker.worker1.host=127.0.0.1
> worker.worker1.port=8009
>
> Server.xml: <Connector protocol="AJP/1.3" address="127.0.0.1"
> port="8009" secretRequired="false" redirectPort="8443" />

Hmm. I think we've all been operating under the assumption that the
"secret" (by whatever name) was the source of the problem. It appears
that was incorrect.

Have a look at Jon's question about file permissions.

Was this a configuration that had been working until recently, or is
this a new configuration that you haven't (yet) been able to get working
?

Any reason not to use HTTP(S) for your protocol instead of AJP?

- -chris

> On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Ellen,
>
> On 2/25/20 12:06, Ellen Meiselman wrote:
>>>> Yes, everything is on the same server.
>>>>
>>>> workers.properties: # Set properties for worker1 (ajp13)
>>>> worker.worker1.type=ajp13 worker.worker1.host=127.0.0.1
>>>> worker.worker1.port=8009 worker.worker1.secret="mySecret".
>
> Just so there is no confusion: your "mySecret" should have neither
> quotes nor the trailing period.
>
> Are those literally in your IIS config file?
>
> -chris
>
>>>> On Tue, Feb 25, 2020 at 11:27 AM
>>>>  wrote:
>>>>
>>>>> -Original Message- From: Ellen Meiselman
>>>>>  Sent: Tuesday, February 25, 2020 10:01
>>>>> AM To: Tomcat Users List  Subject:
>>>>> Re: At wits end: Difficulties with IIS ISAPI connector and
>>>>> Tomcat
>>>>>
>>>>>> Hi,
>>>>>
>>>>>> I've been testing, and so far, there is no change in the
>>>>>> behavior. I am
>>>>> still getting the same tomcat-based 403 error.
>>>>>
>>>>>> Based on what you said above...
>>>>>>
>>>>>> secretRequired="true" (which is the default, so it can
>>>>>> be removed) secret="xxx"
>>>>>
>>>>>
>>>>>> ...I removed secretRequired="true" and left secret. So
>>>>>> the connector
>>>>> definition now looks like this:
>>>>>> <Connector protocol="AJP/1.3" address="127.0.0.1"
>>>>>> port="8009" secret="mySecret" redirectPort="8443" />
>>>>>
>>>>> 
>>>>>
>>>>> I'm assuming that your web-front-end is on the same server
>>>>> as your Tomcat instance, based on you having the address
>>>>> set to 127.0.0.1, correct? What do you have in your
>>>>> workers.properties file?
>>>>>
>>>>
>>
>



Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
Sorry - no, the quotes were not there except for a 5 minute test of a
hopeless theory that they might be needed.
Right now there is no secret at all in the workers.properties, and in the
ajp connector, i have secretRequired ="false".
Workers.properties:
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009

Server.xml:
<Connector protocol="AJP/1.3" address="127.0.0.1" port="8009" secretRequired="false" redirectPort="8443" />

On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Ellen,
>
> On 2/25/20 12:06, Ellen Meiselman wrote:
> > Yes, everything is on the same server.
> >
> > workers.properties: # Set properties for worker1 (ajp13)
> > worker.worker1.type=ajp13 worker.worker1.host=127.0.0.1
> > worker.worker1.port=8009 worker.worker1.secret="mySecret".
>
> Just so there is no confusion: your "mySecret" should have neither
> quotes nor the trailing period.
>
> Are those literally in your IIS config file?
>
> - -chris
>
> > On Tue, Feb 25, 2020 at 11:27 AM
> >  wrote:
> >
> >> -Original Message- From: Ellen Meiselman
> >>  Sent: Tuesday, February 25, 2020 10:01 AM To:
> >> Tomcat Users List  Subject: Re: At wits
> >> end: Difficulties with IIS ISAPI connector and Tomcat
> >>
> >>> Hi,
> >>
> >>> I've been testing, and so far, there is no change in the
> >>> behavior. I am
> >> still getting the same tomcat-based 403 error.
> >>
> >>> Based on what you said above...
> >>>
> >>> secretRequired="true" (which is the default, so it can be
> >>> removed) secret="xxx"
> >>
> >>
> >>> ...I removed secretRequired="true" and left secret. So the
> >>> connector
> >> definition now looks like this:
> >>> <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
> >>> secret="mySecret" redirectPort="8443" />
> >>
> >> 
> >>
> >> I'm assuming that your web-front-end is on the same server as
> >> your Tomcat instance, based on you having the address set to
> >> 127.0.0.1, correct? What do you have in your workers.properties
> >> file?
> >>
> >
>


RE: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread jonmcalexander
What permissions are on the file containing the DLL, and Worker files?


Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

Upcoming PTO: 11/8, 11/11, 11/15, 11/22, 11/28, 11/29, 12/2, 12/6, 12/13, 12/20 
– 12/31

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


-Original Message-
From: Ellen Meiselman  
Sent: Tuesday, February 25, 2020 11:51 AM
To: Tomcat Users List 
Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

Thank you - when I remove the secret line, save and restart Tomcat, it results 
in the same 403 error.

On Tue, Feb 25, 2020 at 12:34 PM André Warnier (tomcat/perl) 
wrote:

> The workers.properties below look good to me at first sight.
>
> Just to eliminate something, could you try the following changes :
>
> 1) workers.properties :
> remove the line
>  > worker.worker1.secret="mySecret".
>
> 2) AJP Connector in tomcat :
> <Connector protocol="AJP/1.3"
>            address="127.0.0.1"
>            port="8009"
>            secretRequired="false"
>            redirectPort="8443" />
>
> then restart tomcat and IIS.
> What's happening then ?
>
> Note : this is something new in tomcat 8.5.51 compared to 8.5.50 and 
> earlier.
> Before, by default, the "secret" was disabled. Since 8.5.51, by 
> default, the secret is enabled, and you have to disable it explicitly 
> if you don't want it (as I did above).
>
> With the settings above, we are just trying to get back to a 
> configuration without secret, to check if that works in your case.
> As indicated in the documentation
> (
> http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Standard_Imple
> mentations)
> you can
> do that in your case, because the communication between IIS and Tomcat 
> is fairly secure, since it happens all within the same host.
>
>
> On 25.02.2020 18:06, Ellen Meiselman wrote:
> > Yes, everything is on the same server.
> >
> > workers.properties:
> > # Set properties for worker1 (ajp13)
> > worker.worker1.type=ajp13
> > worker.worker1.host=127.0.0.1
> > worker.worker1.port=8009
> > worker.worker1.secret="mySecret".
> >
> > On Tue, Feb 25, 2020 at 11:27 AM 
> > 
> > wrote:
> >
> >> -Original Message-
> >> From: Ellen Meiselman 
> >> Sent: Tuesday, February 25, 2020 10:01 AM
> >> To: Tomcat Users List 
> >> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and
> Tomcat
> >>
> >>> Hi,
> >>
> >>> I've been testing, and so far, there is no change in the behavior. 
> >>> I am
> >> still getting the same tomcat-based 403 error.
> >>
> >>> Based on what you said above...
> >>>
> >>> secretRequired="true" (which is the default, so it can be removed) 
> >>> secret="xxx"
> >>
> >>
> >>> ...I removed secretRequired="true" and left secret. So the 
> >>> connector
> >> definition now looks like this:
> >>> <Connector protocol="AJP/1.3"
> >>>            address="127.0.0.1"
> >>>            port="8009"
> >>>            secret="mySecret"
> >>>            redirectPort="8443" />
> >>
> >> 
> >>
> >> I'm assuming that your web-front-end is on the same server as your
> Tomcat
> >> instance, based on you having the address set to 127.0.0.1, correct?
> What
> >> do you have in your workers.properties file?
> >>
> >
>
>
>
>


Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
Thank you - when I remove the secret line, save and restart Tomcat, it
results in the same 403 error.

On Tue, Feb 25, 2020 at 12:34 PM André Warnier (tomcat/perl) 
wrote:

> The workers.properties below look good to me at first sight.
>
> Just to eliminate something, could you try the following changes :
>
> 1) workers.properties :
> remove the line
>  > worker.worker1.secret="mySecret".
>
> 2) AJP Connector in tomcat :
> <Connector protocol="AJP/1.3"
>            address="127.0.0.1"
>            port="8009"
>            secretRequired="false"
>            redirectPort="8443" />
>
> then restart tomcat and IIS.
> What's happening then ?
>
> Note : this is something new in tomcat 8.5.51 compared to 8.5.50 and
> earlier.
> Before, by default, the "secret" was disabled. Since 8.5.51, by default,
> the secret is
> enabled, and you have to disable it explicitly if you don't want it (as I
> did above).
>
> With the settings above, we are just trying to get back to a configuration
> without secret,
> to check if that works in your case.
> As indicated in the documentation
> (
> http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Standard_Implementations)
> you can
> do that in your case, because the communication between IIS and Tomcat is
> fairly secure,
> since it happens all within the same host.
>
>
> On 25.02.2020 18:06, Ellen Meiselman wrote:
> > Yes, everything is on the same server.
> >
> > workers.properties:
> > # Set properties for worker1 (ajp13)
> > worker.worker1.type=ajp13
> > worker.worker1.host=127.0.0.1
> > worker.worker1.port=8009
> > worker.worker1.secret="mySecret".
> >
> > On Tue, Feb 25, 2020 at 11:27 AM 
> > wrote:
> >
> >> -Original Message-
> >> From: Ellen Meiselman 
> >> Sent: Tuesday, February 25, 2020 10:01 AM
> >> To: Tomcat Users List 
> >> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and
> Tomcat
> >>
> >>> Hi,
> >>
> >>> I've been testing, and so far, there is no change in the behavior. I am
> >> still getting the same tomcat-based 403 error.
> >>
> >>> Based on what you said above...
> >>>
> >>> secretRequired="true" (which is the default, so it can be removed)
> >>> secret="xxx"
> >>
> >>
> >>> ...I removed secretRequired="true" and left secret. So the connector
> >> definition now looks like this:
> >>> <Connector protocol="AJP/1.3"
> >>>            address="127.0.0.1"
> >>>            port="8009"
> >>>            secret="mySecret"
> >>>            redirectPort="8443" />
> >>
> >> 
> >>
> >> I'm assuming that your web-front-end is on the same server as your
> Tomcat
> >> instance, based on you having the address set to 127.0.0.1, correct?
> What
> >> do you have in your workers.properties file?
> >>
> >
>
>
>
>


Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
I *think* that this would be covered by the workers.properties used by the
isapi_redirect.dll, correct?

On Tue, Feb 25, 2020 at 11:42 AM André Warnier (tomcat/perl) 
wrote:

> On 25.02.2020 17:26, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > -Original Message-
> > From: Ellen Meiselman 
> > Sent: Tuesday, February 25, 2020 10:01 AM
> > To: Tomcat Users List 
> > Subject: Re: At wits end: Difficulties with IIS ISAPI connector and
> Tomcat
> >
> >> Hi,
> >
> >> I've been testing, and so far, there is no change in the behavior. I am
> still getting the same tomcat-based 403 error.
> >
> >> Based on what you said above...
> >>
> >> secretRequired="true" (which is the default, so it can be removed)
> >> secret="xxx"
> >
> >
> >> ...I removed secretRequired="true" and left secret. So the connector
> definition now looks like this:
> >> <Connector protocol="AJP/1.3"
> >>            address="127.0.0.1"
> >>            port="8009"
> >>            secret="mySecret"
> >>            redirectPort="8443" />
> >
> > 
> >
> > I'm assuming that your web-front-end is on the same server as your
> Tomcat instance, based on you having the address set to 127.0.0.1, correct?
> What do you have in your workers.properties file?
>
> addendum : .. on the IIS side of things.
> There should be the same "secret" there.
>
>
>
>


Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Ellen,

On 2/25/20 12:06, Ellen Meiselman wrote:
> Yes, everything is on the same server.
>
> workers.properties:
> # Set properties for worker1 (ajp13)
> worker.worker1.type=ajp13
> worker.worker1.host=127.0.0.1
> worker.worker1.port=8009
> worker.worker1.secret="mySecret".

Just so there is no confusion: your "mySecret" should have neither
quotes nor the trailing period.

Are those literally in your IIS config file?

- -chris

> On Tue, Feb 25, 2020 at 11:27 AM
>  wrote:
>
>> -Original Message-
>> From: Ellen Meiselman
>> Sent: Tuesday, February 25, 2020 10:01 AM
>> To: Tomcat Users List
>> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
>>
>>> Hi,
>>
>>> I've been testing, and so far, there is no change in the
>>> behavior. I am
>> still getting the same tomcat-based 403 error.
>>
>>> Based on what you said above...
>>>
>>> secretRequired="true" (which is the default, so it can be
>>> removed) secret="xxx"
>>
>>
>>> ...I removed secretRequired="true" and left secret. So the
>>> connector
>> definition now looks like this:
>>> <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
>>> secret="mySecret" redirectPort="8443" />
>>
>> 
>>
>> I'm assuming that your web-front-end is on the same server as
>> your Tomcat instance, based on you having the address set to
>> 127.0.0.1, correct? What do you have in your workers.properties
>> file?
>>
>




Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread tomcat/perl

The workers.properties below look good to me at first sight.

Just to eliminate something, could you try the following changes :

1) workers.properties :
remove the line
> worker.worker1.secret="mySecret".

2) AJP Connector in tomcat :
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secretRequired="false"
           redirectPort="8443" />

then restart tomcat and IIS.
What's happening then ?

Note : this is something new in tomcat 8.5.51 compared to 8.5.50 and earlier.
Before, by default, the "secret" was disabled. Since 8.5.51, by default, the secret is 
enabled, and you have to disable it explicitly if you don't want it (as I did above).


With the settings above, we are just trying to get back to a configuration without secret, 
to check if that works in your case.
As indicated in the documentation 
(http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Standard_Implementations) you can 
do that in your case, because the communication between IIS and Tomcat is fairly secure, 
since it happens all within the same host.



On 25.02.2020 18:06, Ellen Meiselman wrote:

Yes, everything is on the same server.

workers.properties:
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
worker.worker1.secret="mySecret".

On Tue, Feb 25, 2020 at 11:27 AM 
wrote:


-Original Message-
From: Ellen Meiselman 
Sent: Tuesday, February 25, 2020 10:01 AM
To: Tomcat Users List 
Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat


Hi,



I've been testing, and so far, there is no change in the behavior. I am

still getting the same tomcat-based 403 error.


Based on what you said above...

secretRequired="true" (which is the default, so it can be removed)
secret="xxx"




...I removed secretRequired="true" and left secret. So the connector

definition now looks like this:

<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secret="mySecret"
           redirectPort="8443" />

I'm assuming that your web-front-end is on the same server as your Tomcat
instance, based on you having the address set to 127.0.0.1, correct? What
do you have in your workers.properties file?









Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
Yes, everything is on the same server.

workers.properties:
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
worker.worker1.secret="mySecret".

On Tue, Feb 25, 2020 at 11:27 AM 
wrote:

> -Original Message-
> From: Ellen Meiselman 
> Sent: Tuesday, February 25, 2020 10:01 AM
> To: Tomcat Users List 
> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
>
> >Hi,
>
> >I've been testing, and so far, there is no change in the behavior. I am
> still getting the same tomcat-based 403 error.
>
> >Based on what you said above...
> >
> > secretRequired="true" (which is the default, so it can be removed)
> > secret="xxx"
>
>
> >...I removed secretRequired="true" and left secret. So the connector
> definition now looks like this:
> > <Connector protocol="AJP/1.3"
> >            address="127.0.0.1"
> >            port="8009"
> >            secret="mySecret"
> >            redirectPort="8443" />
>
> 
>
> I'm assuming that your web-front-end is on the same server as your Tomcat
> instance, based on you having the address set to 127.0.0.1, correct? What
> do you have in your workers.properties file?
>


Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread tomcat/perl

On 25.02.2020 17:26, jonmcalexan...@wellsfargo.com.INVALID wrote:

-Original Message-
From: Ellen Meiselman 
Sent: Tuesday, February 25, 2020 10:01 AM
To: Tomcat Users List 
Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat


Hi,



I've been testing, and so far, there is no change in the behavior. I am still 
getting the same tomcat-based 403 error.



Based on what you said above...

secretRequired="true" (which is the default, so it can be removed)
secret="xxx"




...I removed secretRequired="true" and left secret. So the connector definition 
now looks like this:
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secret="mySecret"
           redirectPort="8443" />

I'm assuming that your web-front-end is on the same server as your Tomcat 
instance, based on you having the address set to 127.0.0.1, correct? What do 
you have in your workers.properties file?


addendum : .. on the IIS side of things.
There should be the same "secret" there.





RE: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread jonmcalexander
-Original Message-
From: Ellen Meiselman  
Sent: Tuesday, February 25, 2020 10:01 AM
To: Tomcat Users List 
Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

>Hi,

>I've been testing, and so far, there is no change in the behavior. I am still 
>getting the same tomcat-based 403 error.

>Based on what you said above...
>
> secretRequired="true" (which is the default, so it can be removed) 
> secret="xxx"


>...I removed secretRequired="true" and left secret. So the connector 
>definition now looks like this:
>   <Connector protocol="AJP/1.3"
>              address="127.0.0.1"
>              port="8009"
>              secret="mySecret"
>              redirectPort="8443" />



I'm assuming that your web-front-end is on the same server as your Tomcat 
instance, based on you having the address set to 127.0.0.1, correct? What do 
you have in your workers.properties file?


Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
Hi,

I've been testing, and so far, there is no change in the behavior. I am
still getting the same tomcat-based 403 error.

Based on what you said above...
>
> secretRequired="true" (which is the default, so it can be removed)
> secret="xxx"


...I removed secretRequired="true" and left secret. So the connector
definition now looks like this:
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secret="mySecret"
           redirectPort="8443" />

I've also carefully checked the workers.properties and server.xml to be
sure that "mySecret" is exactly the same in both places, and that the
correct worker is mapped to that directory. The only difference is that
there are no quotes around the secret password in workers.properties.

I also tried adding secretRequired="false" - wouldn't that eliminate the
secret as an issue? But I still get the 403 error.

The only really odd thing - at least I think it is odd - is that the error
shows up in what I think is the wrong log. I set up logs for both hosts -
one is called localhost_access_log.2020-02-25.txt which is used for hits to
localhost, at least as I understand it. The
other, 127_0_01_access_log.2020-02-25.txt,  should be used for the AJP
connector, but is empty. Here's a sample.

10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET /exposedApplication/simple.html HTTP/1.1" 403 618
10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET /exposedApplication/simple.html HTTP/1.1" 403 618
10.00.00.00 - - [25/Feb/2020:10:46:24 -0500] "GET //exposedApplication/simple.html HTTP/1.1" 403 618

One person requested a trace, but I'm not sure how to do that.

Thank you,

Ellen

On Mon, Feb 24, 2020 at 4:04 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Chris,
>
> On 2/24/20 15:53, Chris Cheshire wrote:
> > On Mon, Feb 24, 2020 at 3:19 PM Ellen Meiselman 
> > wrote:
> >>
> >> Hi,
> >>
> >> I’m having a lot of trouble configuring the isapi_redirect
> >> connector between IIS and Tomcat. I am running out of ideas so
> >> it’s time to ask for help from the experts. I think the problems
> >> remaining are in the tomcat configuration area, not the IIS area
> >> anymore.
> >>
> >> What’s wrong: The ISAPI module appears to be working and
> >> correctly sending AJP requests to Tomcat on port 8009, at which
> >> point Tomcat refuses those requests with a 403 error. The
> >> isapi_redirect.log shows the complete content of the tomcat
> >> response, and no longer shows any errors - in other words, it
> >> thinks it is working.
> >>
> >> Text of the 403 error:
> >>
> >> HTTP Status 403 – Forbidden Type Status Report Description The
> >> server understood the request but refuses to authorize it. Apache
> >> Tomcat/8.5.51
> >>
> >>
> >> What does work: Requests directly to Tomcat on port 8080 to pages
> >> within the connector-exposed web application work fine. For
> >> example, both of these work:
> >> localhost:8080/exposedApplication/simple.html. (viewed on the
> >> server’s browser)
> >> my.servers.domain.com:8080/exposedApplication/simple.html (viewed
> >> anywhere else)
> >>
> >>
> >> What does not work: Requests that go through IIS and the
> >> connector to the connector-exposed application result in a 403
> >> error. For example, this does not work:
> >> https:my.servers.domain.com/exposedApplication/simple.html
> >>
> >>
> >> This Windows 2019 setup has the following versions of tomcat,
> >> windows, etc:
> >>
> >> Tomcat version 8.5.51 Isapi_redirect.dll version 1.2.46.0 IIS
> >> 10/Windows server 2019
> >>
> >> I also have two older, similar Windows Server environments that
> >> work perfectly. They both use these versions:
> >>
> >> Tomcat version 8.5.3 (64 bit) as a service Isapi_redirect.dll
> >> version 1.2.40.0 64 bit IIS 8/Windows server 2012R2
> >>
> >>
> >> The component versions between the working and non-working
> >> environments are slightly different, and I think that might be
> >> the source of the problem - there are probably new configuration
> >> requirements that I need to be aware of. I started with the
> >> settings used in the working environments and found that some
> >> things needed to be changed to get the connector to work at all.
> >> For example I had to specify an IPv4 address for the connector
> >> where I didn’t need to before.
> >>
> >> My theories at the moment: 1. Maybe
> >> allowedRequestAttributesPattern is a problem? I saw a note about
> >> the allowedRequestAttributesPattern attribute for the AJP
> >> connector possibly causing a 403 error, but I don’t understand
> >> how to use it or if it is needed. 2. It’s possible that something
> >> in the Tomcat permissions settings are wrong, but I really don’t
> >> know where to look.
> >>
> >>
> >> Relevant configuration settings in server.xml, workers.properties
> >> and uriworkermap.properties:
> >>
> >> server.xml
> >>
> >> <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
> >> requiredSecret="true" secret="" redirectPort="8443" />
> >>
> >>  >> autoDeploy="true">  >> 

Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Ellen,

On 2/24/20 17:33, Ellen Meiselman wrote:
> Wow, I think I’ve gotten more help in 10 minutes from this users
> group than in 2 weeks from anywhere else I’ve tried.

Welcome to the community :)

There are tons of real people here who want others to succeed. So
please stick around.

Thanks,
- -chris

>> On Feb 24, 2020, at 3:42 PM, Mark Thomas 
>> wrote:
>>
>> On 24/02/2020 20:19, Ellen Meiselman wrote:
>>> Hi,
>>>
>>> I’m having a lot of trouble configuring the isapi_redirect
>>> connector between IIS and Tomcat. I am running out of ideas so
>>> it’s time to ask for help from the experts. I think the
>>> problems remaining are in the tomcat configuration area, not
>>> the IIS area anymore.
>>>
>>> What’s wrong: The ISAPI module appears to be working and
>>> correctly sending AJP requests to Tomcat on port 8009, at which
>>> point Tomcat refuses those requests with a 403 error. The
>>> isapi_redirect.log shows the complete content of the tomcat
>>> response, and no longer shows any errors - in other words, it
>>> thinks it is working.
>>
>> I'd agree. If you see a response back from Tomcat then IIS is
>> working.
>>
>> You should also see an entry in the access log.
>>
>>> Text of the 403 error:
>>>
>>> HTTP Status 403 – Forbidden Type Status Report Description The
>>> server understood the request but refuses to authorize it.
>>> Apache Tomcat/8.5.51
>>
>> OK. That also indicates that IIS is passing the request to
>> Tomcat correctly processing the response.
>>
>> 
>>
>>> This Windows 2019 setup has the following versions of tomcat,
>>> windows, etc:
>>>
>>> Tomcat version 8.5.51 Isapi_redirect.dll version 1.2.46.0 IIS
>>> 10/Windows server 2019
>>
>> Thank you. It really helps when people provide that information.
>> It saves a lot of time.
>>
>> 
>>
>>> My theories at the moment: 1. Maybe
>>> allowedRequestAttributesPattern is a problem? I saw a note
>>> about the allowedRequestAttributesPattern attribute for the AJP
>>> connector possibly causing a 403 error, but I don’t understand
>>> how to use it or if it is needed. 2. It’s possible that
>>> something in the Tomcat permissions settings are wrong, but I
>>> really don’t know where to look.
>>
>> You shouldn't need to set allowedRequestAttributesPattern.
>>
>> I think it might be Tomcat configuration. And again, very
>> helpfully, we have ...
>>
>>> Relevant configuration settings in server.xml,
>>> workers.properties and uriworkermap.properties:
>>>
>>> server.xml
>>>
>>> <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
>>> requiredSecret="true" secret="" redirectPort="8443" />
>>>
>>>
>>> >> autoDeploy="true"> >> className="org.apache.catalina.valves.AccessLogValve"
>>> directory="logs" prefix="localhost_access_log" suffix=".txt"
>>> pattern="%h %l %u %t %r %s %b" /> 
>>>
>>> >> autoDeploy="true"> >> className="org.apache.catalina.valves.AccessLogValve"
>>> directory="logs" prefix="127_0_01_access_log" suffix=".txt"
>>> pattern="%h %l %u %t %r %s %b" /> 
>>>
>>>
>>> workers.properties
>>>
>>> # Set properties for worker1 (ajp13) worker.worker1.type=ajp13
>>> worker.worker1.host=127.0.0.1 worker.worker1.port=8009
>>> worker.worker1.secret=
>>>
>>>
>>> uriworkermap.properties /exposedApplication/*=worker1
>>>
>>>
>>> Any suggestions or new directions will be welcome.
>>
>> My best guess would be that the value for secret is not the same
>> between workers.properties and Tomcat.
>>
>> I have a 2019 server test environment. I'll try and replicate
>> what you have with a clean 8.5.51 install and the examples
>> application and see what happens.
>>
>> Mark
>>


Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-24 Thread Ellen Meiselman
Wow, I think I’ve gotten more help in 10 minutes from this users group than in 
2 weeks from anywhere else I’ve tried.

I’ll try to respond as quickly as I can but I want to test your various
suggestions, so it might be tomorrow before I can do them justice.

Thank you all so much!
Ellen Meiselman
elle...@gmail.com



> On Feb 24, 2020, at 3:42 PM, Mark Thomas  wrote:
> 
> On 24/02/2020 20:19, Ellen Meiselman wrote:
>> Hi, 
>> 
>> I’m having a lot of trouble configuring the isapi_redirect connector between 
>> IIS and Tomcat. I am running out of ideas so it’s time to ask for help from 
>> the experts. I think the problems remaining are in the tomcat configuration 
>> area, not the IIS area anymore. 
>> 
>> What’s wrong: 
>> The ISAPI module appears to be working and correctly sending AJP requests to 
>> Tomcat on port 8009, at which point Tomcat refuses those requests with a 403 
>> error. The isapi_redirect.log shows the complete content of the tomcat 
>> response, and no longer shows any errors - in other words, it thinks it is 
>> working.
> 
> I'd agree. If you see a response back from Tomcat then IIS is working.
> 
> You should also see an entry in the access log.
> 
>> Text of the 403 error:
>> 
>> HTTP Status 403 – Forbidden
>> Type Status Report
>> Description The server understood the request but refuses to authorize 
>> it.
>> Apache Tomcat/8.5.51 
> 
> OK. That also indicates that IIS is passing the request to Tomcat
> correctly processing the response.
> 
> 
> 
>> This Windows 2019 setup has the following versions of tomcat, windows, etc:
>> 
>> Tomcat version 8.5.51
>> Isapi_redirect.dll version 1.2.46.0
>> IIS 10/Windows server 2019
> 
> Thank you. It really helps when people provide that information. It
> saves a lot of time.
> 
> 
> 
>> My theories at the moment:
>> 1. Maybe allowedRequestAttributesPattern is a problem? I saw a note about 
>> the allowedRequestAttributesPattern attribute for the AJP connector possibly 
>> causing a 403 error, but I don’t understand how to use it or if it is needed.
>> 2. It’s possible that something in the Tomcat permissions settings are 
>> wrong, but I really don’t know where to look.
> 
> You shouldn't need to set allowedRequestAttributesPattern.
> 
> I think it might be Tomcat configuration. And again, very helpfully, we
> have ...
> 
>> Relevant configuration settings in server.xml, workers.properties and 
>> uriworkermap.properties:
>> 
>> server.xml  
>> 
>>> redirectPort="8443" />
>> <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
>> requiredSecret="true" secret="" redirectPort="8443" />
>> 
>> > autoDeploy="true">   
>>> directory="logs"
>>   prefix="localhost_access_log" suffix=".txt"
>>   pattern="%h %l %u %t %r %s %b" />
>>  
>> 
>> > autoDeploy="true"> 
>>  > directory="logs"
>>  prefix="127_0_01_access_log" suffix=".txt"
>>  pattern="%h %l %u %t %r %s %b" />
>>   
>> 
>> 
>> workers.properties 
>> 
>> # Set properties for worker1 (ajp13)
>> worker.worker1.type=ajp13
>> worker.worker1.host=127.0.0.1
>> worker.worker1.port=8009
>> worker.worker1.secret=
>> 
>> 
>> uriworkermap.properties  
>> /exposedApplication/*=worker1
>> 
>> 
>> Any suggestions or new directions will be welcome.
> 
> My best guess would be that the value for secret is not the same between
> workers.properties and Tomcat.
> 
> I have a 2019 server test environment. I'll try and replicate what you
> have with a clean 8.5.51 install and the examples application and see
> what happens.
> 
> Mark
> 
> 





RE: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-24 Thread jonmcalexander
-Original Message-
From: André Warnier (tomcat/perl)  
Sent: Monday, February 24, 2020 3:33 PM
To: users@tomcat.apache.org
Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

On 24.02.2020 22:04, Christopher Schultz wrote:
> With 8.5.51, requiredSecret is renamed "secret" but "requiredSecret"
> is still an alias of the same configuration property. If #2 happens 
> after #1 above, then your actual secret will be the literal string 
> "true" (oops).
> 
> We apologize for this confusion. We are trying to clarify things and 
> make them more secure.

> Nobody is saying that the new configuration and attributes are not better, 
> from a security point of view. The latest on-line documentation, when taken 
> in isolation, is also pretty clear and understandable. So people installing 
> tomcat for the first time should have no problem.

> But I think that quite a few recent posts show that these changes could have 
> been made a bit more visible for people who have running tomcats, and are 
> just updating from one minor version to the next minor version.
> Even the on-line documentation for the Connector, shows the current 
> attributes and defaults, but without any mention that they have just 
> changed compared to the previous minor version. That has apparently caught a 
> lot of people unaware.

> Now how to make this more noticeable, without also alerting the bad guys 
> about the pre-existing vulnerabilities, is probably not so easy..

> How about adding a note on top of the migration guide pages, saying : "If you 
> are just updating from 8.5.50 or lower, to 8.5.51 or higher, you *really* 
> should look at the AJP Connector attributes again".


My .02 worth,

I would think that the configuration change would be on the Tomcat side, not 
the ISAPI Connector side as a new version of the Connector wasn't released, so 
everything would stay the same on the IIS side. Only the info in the server.xml 
would change, i.e. RequiredSecret to Secret, etc.

Thanks,



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-24 Thread tomcat/perl

On 24.02.2020 22:04, Christopher Schultz wrote:

> With 8.5.51, requiredSecret is renamed "secret" but "requiredSecret"
> is still an alias of the same configuration property. If #2 happens
> after #1 above, then your actual secret will be the literal string
> "true" (oops).
> 
> We apologize for this confusion. We are trying to clarify things and
> make them more secure.


Nobody is saying that the new configuration and attributes are not better, from a security 
point of view. The latest on-line documentation, when taken in isolation, is also pretty 
clear and understandable. So people installing tomcat for the first time should have no 
problem.


But I think that quite a few recent posts show that these changes could have been made a 
bit more visible for people who have running tomcats, and are just updating from one minor 
version to the next minor version.
Even the on-line documentation for the Connector shows the current attributes and 
defaults, but without any mention that they have just changed compared to the previous 
minor version. That has apparently caught a lot of people unaware.


Now how to make this more noticeable, without also alerting the bad guys about the 
pre-existing vulnerabilities, is probably not so easy.


How about adding a note on top of the migration guide pages, saying: "If you are just 
updating from 8.5.50 or lower, to 8.5.51 or higher, you *really* should look at the AJP 
Connector attributes again".





Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-24 Thread Christopher Schultz

Chris,

On 2/24/20 15:53, Chris Cheshire wrote:
> On Mon, Feb 24, 2020 at 3:19 PM Ellen Meiselman 
> wrote:
>>
>> Hi,
>>
>> I’m having a lot of trouble configuring the isapi_redirect
>> connector between IIS and Tomcat. I am running out of ideas so
>> it’s time to ask for help from the experts. I think the problems
>> remaining are in the tomcat configuration area, not the IIS area
>> anymore.
>>
>> What’s wrong: The ISAPI module appears to be working and
>> correctly sending AJP requests to Tomcat on port 8009, at which
>> point Tomcat refuses those requests with a 403 error. The
>> isapi_redirect.log shows the complete content of the tomcat
>> response, and no longer shows any errors - in other words, it
>> thinks it is working.
>>
>> Text of the 403 error:
>>
>> HTTP Status 403 – Forbidden Type Status Report Description The
>> server understood the request but refuses to authorize it. Apache
>> Tomcat/8.5.51
>>
>>
>> What does work: Requests directly to Tomcat on port 8080 to pages
>> within the connector-exposed web application work fine. For
>> example, both of these work:
>> localhost:8080/exposedApplication/simple.html. (viewed on the
>> server’s browser)
>> my.servers.domain.com:8080/exposedApplication/simple.html (viewed
>> anywhere else)
>>
>>
>> What does not work: Requests that go through IIS and the
>> connector to the connector-exposed application result in a 403
>> error. For example, this does not work:
>> https:my.servers.domain.com/exposedApplication/simple.html
>>
>>
>> This Windows 2019 setup has the following versions of tomcat,
>> windows, etc:
>>
>> Tomcat version 8.5.51 Isapi_redirect.dll version 1.2.46.0 IIS
>> 10/Windows server 2019
>>
>> I also have two older, similar Windows Server environments that
>> work perfectly. They both use these versions:
>>
>> Tomcat version 8.5.3 (64 bit) as a service Isapi_redirect.dll
>> version 1.2.40.0 64 bit IIS 8/Windows server 2012R2
>>
>>
>> The component versions between the working and non-working
>> environments are slightly different, and I think that might be
>> the source of the problem - there are probably new configuration
>> requirements that I need to be aware of. I started with the
>> settings used in the working environments and found that some
>> things needed to be changed to get the connector to work at all.
>> For example I had to specify an IPv4 address for the connector
>> where I didn’t need to before.
>>
>> My theories at the moment: 1. Maybe
>> allowedRequestAttributesPattern is a problem? I saw a note about
>> the allowedRequestAttributesPattern attribute for the AJP
>> connector possibly causing a 403 error, but I don’t understand
>> how to use it or if it is needed. 2. It’s possible that something
>> in the Tomcat permissions settings are wrong, but I really don’t
>> know where to look.
>>
>>
>> Relevant configuration settings in server.xml, workers.properties
>> and uriworkermap.properties:
>>
>> server.xml
>>
>> <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
>> requiredSecret="true" secret="" redirectPort="8443" />
>>
>> > autoDeploy="true"> > className="org.apache.catalina.valves.AccessLogValve"
>> directory="logs" prefix="localhost_access_log" suffix=".txt"
>> pattern="%h %l %u %t %r %s %b" /> 
>>
>> > autoDeploy="true"> > className="org.apache.catalina.valves.AccessLogValve"
>> directory="logs" prefix="127_0_01_access_log" suffix=".txt"
>> pattern="%h %l %u %t %r %s %b" /> 
>>
>>
>> workers.properties
>>
>> # Set properties for worker1 (ajp13) worker.worker1.type=ajp13
>> worker.worker1.host=127.0.0.1 worker.worker1.port=8009
>> worker.worker1.secret=
>>
>>
>> uriworkermap.properties /exposedApplication/*=worker1
>>
>>
>> Any suggestions or new directions will be welcome.
>>
>> Thank you,
>>
>> Ellen Meiselman
>>
>
> Change requiredSecret="true" to secretRequired="true" in your AJP
> connector definition.

+1

These configuration attributes have names which are easily confused.

In the past, "requiredSecret" was the name of the configuration
property where the secret should have been set (e.g.
requiredSecret="tiger"). In Tomcat 8.5.51, this configuration
attribute changed to "secret" and the boolean "secretRequired"
attribute was added. So you need:

secretRequired="true" (which is the default, so it can be removed)
secret="xxx"

If you use requiredSecret="true" then it's very possible that the XML
parser will fire these two events (in this order):

1: attribute [ name=secret value=x ]
2: attribute [ name=requiredSecret value=true ]

With 8.5.51, requiredSecret is renamed "secret" but "requiredSecret"
is still an alias of the same configuration property. If #2 happens
after #1 above, then your actual secret will be the literal string
"true" (oops).

We apologize for this confusion. We are trying to clarify things and
make them more secure.

-chris
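
An added example, not from this thread and not Tomcat's own code, that models the
behaviour Chris and Mark describe for 8.5.51: requiredSecret surviving only as an
alias of secret, attributes being applied in an order that is not guaranteed, and
secretRequired defaulting to true. It audits the AJP Connector in a server.xml
against the matching worker in workers.properties and reports the misconfigurations
discussed here (alias overwrite, empty secret, secret mismatch, missing address).
The sample server.xml, the workers.properties text, the worker name "worker1" and
the placeholder secret are all constructed for the example.

```python
"""Audit a Tomcat AJP <Connector> against workers.properties (constructed example).

Models three things from the thread (Tomcat 8.5.51):
  * requiredSecret survives only as an alias of secret
  * the order in which attributes are applied is not guaranteed
  * secretRequired defaults to true
This is illustrative code, not Tomcat's own implementation.
"""
import xml.etree.ElementTree as ET

# Alias kept for the old attribute name; whichever pair is applied last wins.
ALIASES = {"requiredSecret": "secret"}


def resolve(attrs):
    """Apply (name, value) pairs in the given order, mapping aliases; the last pair wins."""
    out = {}
    for name, value in attrs:
        out[ALIASES.get(name, name)] = value
    return out


def candidate_secrets(attrs):
    """Every secret the connector might end up with: since processing order is not
    guaranteed, document order and reverse document order are both tried."""
    forward = resolve(attrs).get("secret", "")
    backward = resolve(list(reversed(attrs))).get("secret", "")
    return {forward, backward}


def worker_secret(workers_properties, worker="worker1"):
    """Return worker.<worker>.secret from a workers.properties text, or None if absent."""
    key = "worker.%s.secret" % worker
    for line in workers_properties.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            return v.strip()
    return None


def audit(server_xml, workers_properties, worker="worker1"):
    """Return a list of findings for each AJP connector in server_xml."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP"):
            continue
        attrs = list(conn.attrib.items())
        eff = resolve(attrs)
        secrets = candidate_secrets(attrs)
        if "requiredSecret" in conn.attrib:
            findings.append(
                "requiredSecret=%r is an alias of secret, so depending on processing "
                "order the effective secret may be any of %s"
                % (conn.attrib["requiredSecret"], sorted(secrets)))
        if eff.get("secretRequired", "true").lower() != "false" and "" in secrets:
            findings.append("secret may be empty while secretRequired is true (the default)")
        expected = worker_secret(workers_properties, worker)
        if expected is None:
            findings.append("worker.%s.secret is not set in workers.properties" % worker)
        elif secrets != {expected}:
            findings.append(
                "secret mismatch: workers.properties sends %r, Tomcat may hold %s; "
                "AJP requests will be refused with 403" % (expected, sorted(secrets)))
        if "address" not in conn.attrib:
            findings.append(
                "no address attribute: bind the AJP connector to an explicit loopback/IPv4 address")
    return findings


# Constructed inputs mirroring the thread's configuration (placeholder secret, not a real one).
BROKEN_SERVER_XML = """<Server><Service>
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
             requiredSecret="true" secret="" redirectPort="8443" />
</Service></Server>"""
BROKEN_WORKERS = """# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
worker.worker1.secret=
"""

FIXED_SERVER_XML = """<Server><Service>
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
             secretRequired="true" secret="example-placeholder-secret" redirectPort="8443" />
</Service></Server>"""
FIXED_WORKERS = BROKEN_WORKERS.replace(
    "worker.worker1.secret=", "worker.worker1.secret=example-placeholder-secret")

if __name__ == "__main__":
    for label, xml, props in (("broken", BROKEN_SERVER_XML, BROKEN_WORKERS),
                              ("fixed", FIXED_SERVER_XML, FIXED_WORKERS)):
        print(label + ":")
        for finding in audit(xml, props) or ["no findings"]:
            print("  - " + finding)
```

Run against the thread's connector, the audit reports three findings (the alias
overwrite, a possibly empty secret, and the mismatch with the empty worker secret
that ends in a 403); the corrected connector with secretRequired="true" and the
same non-empty secret on both sides reports none.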

Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-24 Thread Mark Thomas
On 24/02/2020 20:53, Chris Cheshire wrote:
> On Mon, Feb 24, 2020 at 3:19 PM Ellen Meiselman  wrote:
>>
>> Hi,
>>
>> I’m having a lot of trouble configuring the isapi_redirect connector between 
>> IIS and Tomcat. I am running out of ideas so it’s time to ask for help from 
>> the experts. I think the problems remaining are in the tomcat configuration 
>> area, not the IIS area anymore.
>>
>> What’s wrong:
>> The ISAPI module appears to be working and correctly sending AJP requests to 
>> Tomcat on port 8009, at which point Tomcat refuses those requests with a 403 
>> error. The isapi_redirect.log shows the complete content of the tomcat 
>> response, and no longer shows any errors - in other words, it thinks it is 
>> working.
>>
>> Text of the 403 error:
>>
>>  HTTP Status 403 – Forbidden
>>  Type Status Report
>>  Description The server understood the request but refuses to authorize 
>> it.
>>  Apache Tomcat/8.5.51
>>
>>
>> What does work:
>> Requests directly to Tomcat on port 8080 to pages within the 
>> connector-exposed web application work fine.
>> For example, both of these work:
>> localhost:8080/exposedApplication/simple.html. (viewed on the server’s 
>> browser)
>> my.servers.domain.com:8080/exposedApplication/simple.html (viewed anywhere 
>> else)
>>
>>
>> What does not work:
>> Requests that go through IIS and the connector to the connector-exposed 
>> application result in a 403 error.
>> For example, this does not work:
>> https:my.servers.domain.com/exposedApplication/simple.html
>>
>>
>> This Windows 2019 setup has the following versions of tomcat, windows, etc:
>>
>> Tomcat version 8.5.51
>> Isapi_redirect.dll version 1.2.46.0
>> IIS 10/Windows server 2019
>>
>> I also have two older, similar Windows Server environments that work 
>> perfectly. They both use these versions:
>>
>> Tomcat version 8.5.3 (64 bit) as a service
>> Isapi_redirect.dll version 1.2.40.0 64 bit
>> IIS 8/Windows server 2012R2
>>
>>
>> The component versions between the working and non-working environments are 
>> slightly different, and I think that might be the source of the problem - 
>> there are probably new configuration requirements that I need to be aware 
>> of. I started with the settings used in the working environments and found 
>> that some things needed to be changed to get the connector to work at all. 
>> For example I had to specify an IPv4 address for the connector where I 
>> didn’t need to before.
>>
>> My theories at the moment:
>> 1. Maybe allowedRequestAttributesPattern is a problem? I saw a note about 
>> the allowedRequestAttributesPattern attribute for the AJP connector possibly 
>> causing a 403 error, but I don’t understand how to use it or if it is needed.
>> 2. It’s possible that something in the Tomcat permissions settings are 
>> wrong, but I really don’t know where to look.
>>
>>
>> Relevant configuration settings in server.xml, workers.properties and 
>> uriworkermap.properties:
>>
>> server.xml
>>
>> > redirectPort="8443" />
>> > requiredSecret="true"  secret=“" redirectPort="8443" />
>>
>>  > autoDeploy="true">
>> > directory="logs"
>>prefix="localhost_access_log" suffix=".txt"
>>pattern="%h %l %u %t %r %s %b" />
>>   
>>
>>  > autoDeploy="true">
>> > directory="logs"
>> prefix="127_0_01_access_log" suffix=".txt"
>> pattern="%h %l %u %t %r %s %b" />
>>  
>>
>>
>> workers.properties
>>
>> # Set properties for worker1 (ajp13)
>> worker.worker1.type=ajp13
>> worker.worker1.host=127.0.0.1
>> worker.worker1.port=8009
>> worker.worker1.secret=
>>
>>
>> uriworkermap.properties
>> /exposedApplication/*=worker1
>>
>>
>> Any suggestions or new directions will be welcome.
>>
>> Thank you,
>>
>> Ellen Meiselman
>>
> 
> Change requiredSecret="true" to secretRequired="true" in your AJP
> connector definition.

Well spotted Chris. I'd missed that.

requiredSecret==secret

The order attributes are processed in is not always the order in which
they are defined. The value of secret is probably being over-written
with "true".

Mark




Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-24 Thread Chris Cheshire
On Mon, Feb 24, 2020 at 3:19 PM Ellen Meiselman  wrote:
>
> Hi,
>
> I’m having a lot of trouble configuring the isapi_redirect connector between 
> IIS and Tomcat. I am running out of ideas so it’s time to ask for help from 
> the experts. I think the problems remaining are in the tomcat configuration 
> area, not the IIS area anymore.
>
> What’s wrong:
> The ISAPI module appears to be working and correctly sending AJP requests to 
> Tomcat on port 8009, at which point Tomcat refuses those requests with a 403 
> error. The isapi_redirect.log shows the complete content of the tomcat 
> response, and no longer shows any errors - in other words, it thinks it is 
> working.
>
> Text of the 403 error:
>
>  HTTP Status 403 – Forbidden
>  Type Status Report
>  Description The server understood the request but refuses to authorize 
> it.
>  Apache Tomcat/8.5.51
>
>
> What does work:
> Requests directly to Tomcat on port 8080 to pages within the 
> connector-exposed web application work fine.
> For example, both of these work:
> localhost:8080/exposedApplication/simple.html. (viewed on the server’s 
> browser)
> my.servers.domain.com:8080/exposedApplication/simple.html (viewed anywhere 
> else)
>
>
> What does not work:
> Requests that go through IIS and the connector to the connector-exposed 
> application result in a 403 error.
> For example, this does not work:
> https:my.servers.domain.com/exposedApplication/simple.html
>
>
> This Windows 2019 setup has the following versions of tomcat, windows, etc:
>
> Tomcat version 8.5.51
> Isapi_redirect.dll version 1.2.46.0
> IIS 10/Windows server 2019
>
> I also have two older, similar Windows Server environments that work 
> perfectly. They both use these versions:
>
> Tomcat version 8.5.3 (64 bit) as a service
> Isapi_redirect.dll version 1.2.40.0 64 bit
> IIS 8/Windows server 2012R2
>
>
> The component versions between the working and non-working environments are 
> slightly different, and I think that might be the source of the problem - 
> there are probably new configuration requirements that I need to be aware of. 
> I started with the settings used in the working environments and found that 
> some things needed to be changed to get the connector to work at all. For 
> example I had to specify an IPv4 address for the connector where I didn’t 
> need to before.
>
> My theories at the moment:
> 1. Maybe allowedRequestAttributesPattern is a problem? I saw a note about the 
> allowedRequestAttributesPattern attribute for the AJP connector possibly 
> causing a 403 error, but I don’t understand how to use it or if it is needed.
> 2. It’s possible that something in the Tomcat permissions settings are wrong, 
> but I really don’t know where to look.
>
>
> Relevant configuration settings in server.xml, workers.properties and 
> uriworkermap.properties:
>
> server.xml
>
>  redirectPort="8443" />
>  requiredSecret="true"  secret=“" redirectPort="8443" />
>
>   autoDeploy="true">
>  directory="logs"
>prefix="localhost_access_log" suffix=".txt"
>pattern="%h %l %u %t %r %s %b" />
>   
>
>   autoDeploy="true">
>  directory="logs"
> prefix="127_0_01_access_log" suffix=".txt"
> pattern="%h %l %u %t %r %s %b" />
>  
>
>
> workers.properties
>
> # Set properties for worker1 (ajp13)
> worker.worker1.type=ajp13
> worker.worker1.host=127.0.0.1
> worker.worker1.port=8009
> worker.worker1.secret=
>
>
> uriworkermap.properties
> /exposedApplication/*=worker1
>
>
> Any suggestions or new directions will be welcome.
>
> Thank you,
>
> Ellen Meiselman
>

Change requiredSecret="true" to secretRequired="true" in your AJP
connector definition.

HTH

Chris




Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-24 Thread Mark Thomas
On 24/02/2020 20:44, calder wrote:
> On Mon, Feb 24, 2020, 14:19 Ellen Meiselman  wrote:
> 
>> Hi,
>>
>> I’m having a lot of trouble configuring the isapi_redirect connector
>> between IIS and Tomcat. I am running out of ideas so it’s time to ask for
>> help from the experts. I think the problems remaining are in the tomcat
>> configuration area, not the IIS area anymore.
>>
>> What’s wrong:
>> The ISAPI module appears to be working and correctly sending AJP requests
>> to Tomcat on port 8009, at which point Tomcat refuses those requests with a
>> 403 error. The isapi_redirect.log shows the complete content of the tomcat
>> response, and no longer shows any errors - in other words, it thinks it is
>> working.
>>
>> Text of the 403 error:
>>
>>  HTTP Status 403 – Forbidden
>>  Type Status Report
>>  Description The server understood the request but refuses to
>> authorize it.
>>  Apache Tomcat/8.5.51
>>
> 
> 
> Is IIS returning the 403?  If yes, we should see a "dot error" number, such
> as 403.1 or 403.2, and so on.

All the evidence indicates that Tomcat, not IIS, is generating the 403
so the user will see a "proper" 403 rather than one of the IIS variants.

>> What does work:
>> Requests directly to Tomcat on port 8080 to pages within the
>> connector-exposed web application work fine.
>> For example, both of these work:
>> localhost:8080/exposedApplication/simple.html. (viewed on the server’s
>> browser)
>> my.servers.domain.com:8080/exposedApplication/simple.html (viewed
>> anywhere else)
>>
>>
>> What does not work:
>> Requests that go through IIS and the connector to the connector-exposed
>> application result in a 403 error.
>> For example, this does not work:
>> https:my.servers.domain.com/exposedApplication/simple.html
>>
>>
>> This Windows 2019 setup has the following versions of tomcat, windows, etc:
>>
>> Tomcat version 8.5.51
>> Isapi_redirect.dll version 1.2.46.0
>> IIS 10/Windows server 2019
>>
>> I also have two older, similar Windows Server environments that work
>> perfectly. They both use these versions:
>>
>> Tomcat version 8.5.3 (64 bit) as a service
>> Isapi_redirect.dll version 1.2.40.0 64 bit
>> IIS 8/Windows server 2012R2
>>
>>
>> The component versions between the working and non-working environments
>> are slightly different, and I think that might be the source of the problem
>> - there are probably new configuration requirements that I need to be aware
>> of. I started with the settings used in the working environments and found
>> that some things needed to be changed to get the connector to work at all.
>> For example I had to specify an IPv4 address for the connector where I
>> didn’t need to before.
>>
>> My theories at the moment:
>> 1. Maybe allowedRequestAttributesPattern is a problem? I saw a note about
>> the allowedRequestAttributesPattern attribute for the AJP connector
>> possibly causing a 403 error, but I don’t understand how to use it or if it
>> is needed.
>> 2. It’s possible that something in the Tomcat permissions settings are
>> wrong, but I really don’t know where to look.
>>
>>
>> Relevant configuration settings in server.xml, workers.properties and
>> uriworkermap.properties:
>>
>> server.xml
>>
>> > redirectPort="8443" />
>> > requiredSecret="true"  secret=“" redirectPort="8443" />
>>
>>  > autoDeploy="true">
>> > directory="logs"
>>prefix="localhost_access_log" suffix=".txt"
>>pattern="%h %l %u %t %r %s %b" />
>>   
>>
>>  > autoDeploy="true">
>> > directory="logs"
>> prefix="127_0_01_access_log" suffix=".txt"
>> pattern="%h %l %u %t %r %s %b" />
>>  
>>
>>
>> workers.properties
>>
>> # Set properties for worker1 (ajp13)
>> worker.worker1.type=ajp13
>> worker.worker1.host=127.0.0.1
>> worker.worker1.port=8009
>> worker.worker1.secret=
>>
>> uriworkermap.properties
>> /exposedApplication/*=worker1
>>
>> Any suggestions or new directions will be welcome.
>>
> 
> 
> A full stack trace (including any "caused by" statements) from Tomcat
> *and* IIS would be helpful.

There won't be any.

Mark




Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-24 Thread calder
On Mon, Feb 24, 2020, 14:19 Ellen Meiselman  wrote:

> Hi,
>
> I’m having a lot of trouble configuring the isapi_redirect connector
> between IIS and Tomcat. I am running out of ideas so it’s time to ask for
> help from the experts. I think the problems remaining are in the tomcat
> configuration area, not the IIS area anymore.
>
> What’s wrong:
> The ISAPI module appears to be working and correctly sending AJP requests
> to Tomcat on port 8009, at which point Tomcat refuses those requests with a
> 403 error. The isapi_redirect.log shows the complete content of the tomcat
> response, and no longer shows any errors - in other words, it thinks it is
> working.
>
> Text of the 403 error:
>
>  HTTP Status 403 – Forbidden
>  Type Status Report
>  Description The server understood the request but refuses to
> authorize it.
>  Apache Tomcat/8.5.51
>


Is IIS returning the 403?  If yes, we should see a "dot error" number, such
as 403.1 or 403.2, and so on.


> What does work:
> Requests directly to Tomcat on port 8080 to pages within the
> connector-exposed web application work fine.
> For example, both of these work:
> localhost:8080/exposedApplication/simple.html. (viewed on the server’s
> browser)
> my.servers.domain.com:8080/exposedApplication/simple.html (viewed
> anywhere else)
>
>
> What does not work:
> Requests that go through IIS and the connector to the connector-exposed
> application result in a 403 error.
> For example, this does not work:
> https:my.servers.domain.com/exposedApplication/simple.html
>
>
> This Windows 2019 setup has the following versions of tomcat, windows, etc:
>
> Tomcat version 8.5.51
> Isapi_redirect.dll version 1.2.46.0
> IIS 10/Windows server 2019
>
> I also have two older, similar Windows Server environments that work
> perfectly. They both use these versions:
>
> Tomcat version 8.5.3 (64 bit) as a service
> Isapi_redirect.dll version 1.2.40.0 64 bit
> IIS 8/Windows server 2012R2
>
>
> The component versions between the working and non-working environments
> are slightly different, and I think that might be the source of the problem
> - there are probably new configuration requirements that I need to be aware
> of. I started with the settings used in the working environments and found
> that some things needed to be changed to get the connector to work at all.
> For example I had to specify an IPv4 address for the connector where I
> didn’t need to before.
>
> My theories at the moment:
> 1. Maybe allowedRequestAttributesPattern is a problem? I saw a note about
> the allowedRequestAttributesPattern attribute for the AJP connector
> possibly causing a 403 error, but I don’t understand how to use it or if it
> is needed.
> 2. It’s possible that something in the Tomcat permissions settings are
> wrong, but I really don’t know where to look.
>
>
> Relevant configuration settings in server.xml, workers.properties and
> uriworkermap.properties:
>
> server.xml
>
>  redirectPort="8443" />
>  requiredSecret="true"  secret=“" redirectPort="8443" />
>
>   autoDeploy="true">
>  directory="logs"
>prefix="localhost_access_log" suffix=".txt"
>pattern="%h %l %u %t %r %s %b" />
>   
>
>   autoDeploy="true">
>  directory="logs"
> prefix="127_0_01_access_log" suffix=".txt"
> pattern="%h %l %u %t %r %s %b" />
>  
>
>
> workers.properties
>
> # Set properties for worker1 (ajp13)
> worker.worker1.type=ajp13
> worker.worker1.host=127.0.0.1
> worker.worker1.port=8009
> worker.worker1.secret=
>
> uriworkermap.properties
> /exposedApplication/*=worker1
>
> Any suggestions or new directions will be welcome.
>


A full stack trace (including any "caused by" statements) from Tomcat
*and* IIS would be helpful.



Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-24 Thread Mark Thomas
On 24/02/2020 20:19, Ellen Meiselman wrote:
> Hi, 
> 
> I’m having a lot of trouble configuring the isapi_redirect connector between 
> IIS and Tomcat. I am running out of ideas so it’s time to ask for help from 
> the experts. I think the problems remaining are in the tomcat configuration 
> area, not the IIS area anymore. 
> 
> What’s wrong: 
> The ISAPI module appears to be working and correctly sending AJP requests to 
> Tomcat on port 8009, at which point Tomcat refuses those requests with a 403 
> error. The isapi_redirect.log shows the complete content of the tomcat 
> response, and no longer shows any errors - in other words, it thinks it is 
> working.

I'd agree. If you see a response back from Tomcat then IIS is working.

You should also see an entry in the access log.

> Text of the 403 error:
> 
>  HTTP Status 403 – Forbidden
>  Type Status Report
>  Description The server understood the request but refuses to authorize 
> it.
>  Apache Tomcat/8.5.51 

OK. That also indicates that IIS is passing the request to Tomcat and
correctly processing the response.



> This Windows 2019 setup has the following versions of tomcat, windows, etc:
>  
> Tomcat version 8.5.51
> Isapi_redirect.dll version 1.2.46.0
> IIS 10/Windows server 2019

Thank you. It really helps when people provide that information. It
saves a lot of time.



> My theories at the moment:
> 1. Maybe allowedRequestAttributesPattern is a problem? I saw a note about the 
> allowedRequestAttributesPattern attribute for the AJP connector possibly 
> causing a 403 error, but I don’t understand how to use it or if it is needed.
> 2. It’s possible that something in the Tomcat permissions settings are wrong, 
> but I really don’t know where to look.

You shouldn't need to set allowedRequestAttributesPattern.

I think it might be Tomcat configuration. And again, very helpfully, we
have ...

> Relevant configuration settings in server.xml, workers.properties and 
> uriworkermap.properties:
> 
> server.xml  
> 
>  redirectPort="8443" />
>  requiredSecret="true"  secret=“" redirectPort="8443" /> 
>  
>   autoDeploy="true">   
>  directory="logs"
>prefix="localhost_access_log" suffix=".txt"
>pattern="%h %l %u %t %r %s %b" />
>   
> 
>   autoDeploy="true"> 
>directory="logs"
>   prefix="127_0_01_access_log" suffix=".txt"
>   pattern="%h %l %u %t %r %s %b" />
>
> 
> 
> workers.properties 
> 
> # Set properties for worker1 (ajp13)
> worker.worker1.type=ajp13
> worker.worker1.host=127.0.0.1
> worker.worker1.port=8009
> worker.worker1.secret=
> 
> 
> uriworkermap.properties  
> /exposedApplication/*=worker1
> 
> 
> Any suggestions or new directions will be welcome.

My best guess would be that the value for secret is not the same between
workers.properties and Tomcat.

I have a 2019 server test environment. I'll try and replicate what you
have with a clean 8.5.51 install and the examples application and see
what happens.

Mark




At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-24 Thread Ellen Meiselman
Hi, 

I’m having a lot of trouble configuring the isapi_redirect connector between 
IIS and Tomcat. I am running out of ideas so it’s time to ask for help from the 
experts. I think the problems remaining are in the tomcat configuration area, 
not the IIS area anymore. 

What’s wrong: 
The ISAPI module appears to be working and correctly sending AJP requests to 
Tomcat on port 8009, at which point Tomcat refuses those requests with a 403 
error. The isapi_redirect.log shows the complete content of the tomcat 
response, and no longer shows any errors - in other words, it thinks it is 
working.

Text of the 403 error:

 HTTP Status 403 – Forbidden
 Type Status Report
 Description The server understood the request but refuses to authorize it.
 Apache Tomcat/8.5.51 


What does work: 
Requests directly to Tomcat on port 8080 to pages within the connector-exposed 
web application work fine. 
For example, both of these work:
localhost:8080/exposedApplication/simple.html. (viewed on the server’s browser)
my.servers.domain.com:8080/exposedApplication/simple.html (viewed anywhere else)


What does not work:
Requests that go through IIS and the connector to the connector-exposed 
application result in a 403 error.
For example, this does not work:
https:my.servers.domain.com/exposedApplication/simple.html


This Windows 2019 setup has the following versions of tomcat, windows, etc:
 
Tomcat version 8.5.51
Isapi_redirect.dll version 1.2.46.0
IIS 10/Windows server 2019

I also have two older, similar Windows Server environments that work perfectly. 
They both use these versions:

Tomcat version 8.5.3 (64 bit) as a service
Isapi_redirect.dll version 1.2.40.0 64 bit
IIS 8/Windows server 2012R2


The component versions between the working and non-working environments are 
slightly different, and I think that might be the source of the problem - there 
are probably new configuration requirements that I need to be aware of. I 
started with the settings used in the working environments and found that some 
things needed to be changed to get the connector to work at all. For example I 
had to specify an IPv4 address for the connector where I didn’t need to before.

My theories at the moment:
1. Maybe allowedRequestAttributesPattern is a problem? I saw a note about the 
allowedRequestAttributesPattern attribute for the AJP connector possibly 
causing a 403 error, but I don’t understand how to use it or if it is needed.
2. It’s possible that something in the Tomcat permissions settings is wrong, 
but I really don’t know where to look.


Relevant configuration settings in server.xml, workers.properties and 
uriworkermap.properties:

server.xml  


 
 


  

  

   


workers.properties 

# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
worker.worker1.secret=


uriworkermap.properties  
/exposedApplication/*=worker1


Any suggestions or new directions will be welcome. 

Thank you, 

Ellen Meiselman

 


