Re: [semi-OT] tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-06 Thread Christopher Schultz

Thomas,

On 3/4/20 19:37, Thomas Glanzmann wrote:
>  allowedRequestAttributesPattern=JK_LB_ACTIVATION

Note that JK_LB_ACTIVATION is already in the list of white-listed
attribute names. You should probably not have to set this
configuration attribute.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-06 Thread Mark Thomas
On 06/03/2020 06:46, Thomas Glanzmann wrote:



> the issue seems to be that mod_jk no longer works without a password
> with tomcat7. So you need to set a password on both sites, and then
> everything works again.

This is not the case. Tomcat can be configured so a secret is not required.

> server.xml:
> 
>  secret="verysecure" secretRequired="true"/>
> 
> workers.properties of mod_jk
> 
> worker.tomcat-06.secret=verysecure

That won't work when httpd/mod_jk is on a separate host to Tomcat (as
per the subject of this thread).

> If I do _not_ set a password I'm getting a 403 no matter what I do.

That is a configuration issue. The equivalent Tomcat configuration to
that quoted above that will not require a password is:



Note: With 7.0.100 if you specify a secret, even an empty string, the
client must provide a matching secret irrespective of the setting of
secretRequired.

secretRequired determines if the secret attribute must be set in the
configuration, not whether the client has to provide a secret.

Mark

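An added example (not part of the thread, and not Tomcat or mod_jk code): a small Python check that applies the secret and secretRequired rules from the reply above to a server.xml and workers.properties pair. The sample files, the port, protocol and host values and the finding names are constructed; it assumes secretRequired defaults to true and that a connector without an address attribute binds to loopback only, as in the lsof output of the original post.

```python
import xml.etree.ElementTree as ET

# Constructed sample; port, protocol and host values are assumptions.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0"
             requiredSecret="false"/>
</Service></Server>"""
WORKERS = "worker.tomcat-06.type=ajp13\nworker.tomcat-06.host=192.0.2.6\n"
LOOPBACK = (None, "127.0.0.1", "::1", "localhost")  # None: attribute unset

def worker_secret(props, worker):
    """Secret mod_jk will send for this worker, or None if none is set."""
    for line in props.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == f"worker.{worker}.secret":
            return value.strip()
    return None

def check_ajp(server_xml, props, worker):
    """Return a list of findings for the AJP connectors in server.xml."""
    findings = []
    sent = worker_secret(props, worker)
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        # requiredSecret is the deprecated name of secret: its value is the
        # secret string itself, not an on/off switch.
        secret = conn.get("secret", conn.get("requiredSecret"))
        required = conn.get("secretRequired", "true").lower() == "true"
        if "requiredSecret" in conn.attrib:
            findings.append("deprecated-requiredSecret")
        if secret is None and required:
            # Tomcat refuses to start the connector in this state.
            findings.append("startup-error-no-secret")
        elif secret is not None and sent != secret:
            # Any configured secret, even "", must be matched by the client.
            findings.append("403-secret-mismatch")
        if conn.get("address") in LOOPBACK:
            findings.append("loopback-only")  # unreachable from another host
        elif secret is None:
            findings.append("remote-reachable-without-secret")
    return findings

if __name__ == "__main__":
    print(check_ajp(SERVER_XML, WORKERS, "tomcat-06"))
```

A `remote-reachable-without-secret` finding means the AJP port accepts any host that can reach it, so access has to be restricted at the network level instead.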



Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-05 Thread Thomas Glanzmann
Hello,

> If you don't set secretRequired="false" properly then at start time Tomcat
> will complain if there is no specified "secret" attribute.
> If it doesn't complain then most probably you are testing again with the
> wrong server.xml or old version of Tomcat.

the issue seems to be that mod_jk no longer works without a password
with tomcat7. So you need to set a password on both sites, and then
everything works again.

server.xml:



workers.properties of mod_jk

worker.tomcat-06.secret=verysecure

If I do _not_ set a password I'm getting a 403 no matter what I do.

Cheers,
Thomas




Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-05 Thread Martin Grigorov
On Thu, Mar 5, 2020 at 10:05 AM Thomas Glanzmann wrote:

> Hello Martin,
>
> > > This should be: secretRequired="false".
> > > This attribute has been renamed recently.
>
> I just looked at my notes, and I tried that already yesterday night.
> Still facing the same problem with 403. Might it be possible that I need
> to use a secret in order to access ajp from mod_jk?
>

If you don't set secretRequired="false" properly then at start time Tomcat
will complain if there is no specified "secret" attribute.
If it doesn't complain then most probably you are testing again with the
wrong server.xml or old version of Tomcat.


>
> Cheers,
> Thomas
>


Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-05 Thread Thomas Glanzmann
Hello Martin,

> > This should be: secretRequired="false".
> > This attribute has been renamed recently.

I just looked at my notes, and I tried that already yesterday night.
Still facing the same problem with 403. Might it be possible that I need
to use a secret in order to access ajp from mod_jk?

Cheers,
Thomas




Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-05 Thread Thomas Glanzmann
Hello Martin,

> This should be: secretRequired="false".
> This attribute has been renamed recently.

thanks. I'll test later and let you know how it went.

Cheers,
Thomas




Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-05 Thread Martin Grigorov
Hi Thomas,

On Thu, Mar 5, 2020 at 3:53 AM Thomas Glanzmann wrote:

> Hello,
> the problem was that I edited the wrong server.xml. The one that was not
> used. So now that I figured that out, setting these two settings helps.
>
> 
> 
> 
>  className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
>  className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>  className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
> 
>  type="org.apache.catalina.UserDatabase"
> description="User database that can be updated and
> saved"
>
> factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
> pathname="conf/tomcat-users.xml" />
> 
> 
>  connectionTimeout="3000"
> URIEncoding="UTF-8"
> redirectPort="8443"
> maxHttpHeaderSize="8192"
> maxThreads="400"
> processorCache="400"
> minSpareThreads="40"
> enableLookups="false"
> acceptCount="100"
> disableUploadTimeout="true"
> />
>  address="0.0.0.0"
> requiredSecret="false"
>

This should be: secretRequired="false".
This attribute has been renamed recently.

Martin


> redirectPort="8443"
> URIEncoding="UTF-8"
> connectionTimeout="3000"
> maxThreads="400"
> processorCache="400"
> minSpareThreads="40"
> maxConnections="400"
> enableLookups="false"
> acceptCount="100"
> />
>  jvmRoute="tomcat-06" >
>  className="org.apache.catalina.realm.LockOutRealm">
>  className="org.apache.catalina.realm.UserDatabaseRealm"
> resourceName="UserDatabase"/>
> 
>  unpackWARs="true" autoDeploy="true">
>  className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
> prefix="localhost_access_log."
> suffix=".txt"
> pattern="%h %l %u %t %r %s %b"
> />
> 
> 
> 
> 
>
> However when I try to access this using mod_jk, I get a 403. I used a sniffer
> and it is coming from the AJP connector. So I tried to set
> allowedRequestAttributesPattern=".*" but that did not solve my problems, any
> ideas?
>
> Setup is:
>
> apache with mod_jk 1.2.46 load balances over 4 tomcats on separate hosts.
>
> Cheers,
> Thomas
>


Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-04 Thread Thomas Glanzmann
Hello,
the problem was that I edited the wrong server.xml. The one that was not
used. So now that I figured that out, setting these two settings helps.
























However when I try to access this using mod_jk, I get a 403. I used a sniffer
and it is coming from the AJP connector. So I tried to set
allowedRequestAttributesPattern=".*" but that did not solve my problems, any
ideas?

Setup is:

apache with mod_jk 1.2.46 load balances over 4 tomcats on separate hosts.

Cheers,
Thomas




tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-04 Thread Thomas Glanzmann
Hello,
I've just upgraded to tomcat7 (7.0.100); afterwards I'm unable to
reconfigure it to the pre 7.0.100 behaviour where AJP connector listens
on the public ip address in order to use it with mod_jk. Can someone
help me out to make it work again? My server.xml is:
























The issue seems to be that even when I add the address property to the above
AJP connector, it does not listen on its internal ip address so it cannot be
reached from mod_jk which is running on another host:

(tomcat-06) [/etc/tomcat7] lsof -P -i -n | grep -i tomcat
java  29094 tomcat7   16u  IPv6 4315605  0t0  TCP *:46937 (LISTEN)
java  29094 tomcat7   17u  IPv6 4315606  0t0  TCP *:3000 (LISTEN)
java  29094 tomcat7   19u  IPv6 4316198  0t0  TCP *:42795 (LISTEN)
java  29094 tomcat7   56u  IPv6 4278035  0t0  TCP *:8080 (LISTEN)
java  29094 tomcat7   57u  IPv6 4278036  0t0  TCP 127.0.0.1:8009 (LISTEN)
java  29094 tomcat7  238u  IPv6 4316200  0t0  TCP 127.0.0.1:8005 (LISTEN)

Cheers,
Thomas
