catalina.out on AWS Linux 2 (resolved) (was: stdout / stderr on AWS Linux)

2020-03-09 Thread Jerry Malcolm
I finally figured out what is going on.  One point of confusion was that 
the catalina.out processing is different on AWS Linux 1 vs AWS Linux 2.  
In AWS Linux 1, catalina.out exists and is actively being written to.  
When TC is installed on AWS Linux 2, a catalina.out file is created in 
the /var/log/tomcat folder.  But it's an old file with one line that 
says "Tomcat installed...". catalina.out on AWS Linux 2 is never touched 
again.  Erase it, and it never comes back.


The reason for all of this is Linux's journalctl service that came into 
play in AWS Linux 2.  Apparently, there are no options on whether to use 
this or not.  All 'system level' logs (i.e. catalina.out) get routed to 
journalctl.  The only way to access it is using the journalctl command:  
"#journalctl -u tomcat.service --since today".


The good news is that I finally found the output I've been desperately 
looking for.  The bad news is that I realized I've been getting a bunch 
of exception stack traces in my code that I was not aware of that I now 
have to investigate and fix... :-(


Thanks for the info that got me directed into the right area to figure 
this out.


Jerry

On 3/9/2020 4:58 PM, Christopher Schultz wrote:


Jerry,

On 3/9/20 16:35, Jerry Malcolm wrote:

On 3/3/2020 2:45 PM, Christopher Schultz wrote: Jerry,

On 3/3/20 11:46, Jerry Malcolm wrote:

Where are the stdout and stderr log files written for tomcat
in AWS Linux?

Are you talking about a Tomcat installed from the package-manager
(yum), or one you installed yourself from an ASF distribution?

I installed Tomcat on AWS Linux2 EC2 instance using yum.  I
didn't do any type of customization of the install.  Basically
out-of-the-box TC 8.5 via yum.

On windows, they are just part of the logs folder. But in AWS
Linux /var/log/Tomcat I get all of the other log files.  But
no stdout/stderr.

On *NIX systems, this file is usually just called catalina.out


Most of the info is also in Catalina.out.

That's everything.


Thanks for the info.  But I'm not seeing what you are
describing.
I looked in context.xml for 'swallow output'.  No reference to
'swallow output' there.
I started looking for catalina.sh per Calder's suggestion.
Apparently this installation doesn't use a catalina.sh. Couldn't
find it anywhere in the EC2 instance.
When I run TC, I get sometimes a catalina.out in the log
directory.  At the same time, I get a catalina.2020.03.09.out.
When they are both there, the dated version is always smaller.
Never really paid much attention to it.  Now for some reason,
catalina.out is not even appearing in the log folder.
catalina.2020.03.09.out contains all of the TC startup stuff in
it.  But it does not have any of my System.out.println() or
System.err.println() output.
When I was looking for catalina.sh, I found a post on the web
that suggested running: "systemctl status tomcat.service  -l"  I
ran that and got a dump of the java startup command.  But very
strangely, after that, it dumped all of my missing System.out and
System.err println output. Apparently, all of those println
statements were being buffered somewhere.  But I have no clue
what is going on.

It's systemd hand-wavy magic. Isn't it great?


If catalina.out stops disappearing and/or not appearing at all,
hopefully I can find the println output that I need there.  But
if catalina.out continues to not be created, I guess I could run
the systemctl status command to see my output.  But this is
pretty convoluted.
I guess my real question now is what is causing catalina.out to
not be created (I've restarted TC several times).  It used to be
there.  But even when it was there for a while, I would notice it
would disappear kinda like a log-rotation thing.  This may be
some sort of linux activity.  But I still need guidance on what
is going wrong.  I need a reliable way to see my System.out and
System.err output. (I have another tomcat installation on a
separate EC2... It has a catalina.out with all of System.out and
System.err output.  It also has a catalina.2020.03.09.out that
doesn't have my own println output.
How do I get catalina.out to be written?

Tomcat doesn't ship with a systemd control file, so this is likely to
be either a RedHat- or Amazon-sourced control file. Coty lurks here,
and manages those packages for RedHat. I'm not sure what happens
downstream. I'm not aware of any Amazon folks who hang out around
here, but I think you might have to ask them directly.

Not a satisfying answer, I know, but an accurate one.

- -chris
Re: stdout / stderr on AWS Linux

2020-03-09 Thread Christopher Schultz

Jerry,

On 3/9/20 16:35, Jerry Malcolm wrote:
> On 3/3/2020 2:45 PM, Christopher Schultz wrote: Jerry,
>
> On 3/3/20 11:46, Jerry Malcolm wrote:
>>> Where are the stdout and stderr log files written for tomcat
>>> in AWS Linux?
> Are you talking about a Tomcat installed from the package-manager
> (yum), or one you installed yourself from an ASF distribution?
>> I installed Tomcat on AWS Linux2 EC2 instance using yum.  I
>> didn't do any type of customization of the install.  Basically
>> out-of-the-box TC 8.5 via yum.
>
>>> On windows, they are just part of the logs folder. But in AWS
>>> Linux /var/log/Tomcat I get all of the other log files.  But
>>> no stdout/stderr.
> On *NIX systems, this file is usually just called catalina.out
>
>>> Most of the info is also in Catalina.out.
> That's everything.
>
>> Thanks for the info.  But I'm not seeing what you are
>> describing.
>
>> I looked in context.xml for 'swallow output'.  No reference to
>> 'swallow output' there.
>
>> I started looking for catalina.sh per Calder's suggestion.
>> Apparently this installation doesn't use a catalina.sh. Couldn't
>> find it anywhere in the EC2 instance.
>
>> When I run TC, I get sometimes a catalina.out in the log
>> directory.  At the same time, I get a catalina.2020.03.09.out.
>> When they are both there, the dated version is always smaller.
>> Never really paid much attention to it.  Now for some reason,
>> catalina.out is not even appearing in the log folder.
>> catalina.2020.03.09.out contains all of the TC startup stuff in
>> it.  But it does not have any of my System.out.println() or
>> System.err.println() output.
>
>> When I was looking for catalina.sh, I found a post on the web
>> that suggested running: "systemctl status tomcat.service  -l"  I
>> ran that and got a dump of the java startup command.  But very
>> strangely, after that, it dumped all of my missing System.out and
>> System.err println output. Apparently, all of those println
>> statements were being buffered somewhere.  But I have no clue
>> what is going on.

It's systemd hand-wavy magic. Isn't it great?

>> If catalina.out stops disappearing and/or not appearing at all,
>> hopefully I can find the println output that I need there.  But
>> if catalina.out continues to not be created, I guess I could run
>> the systemctl status command to see my output.  But this is
>> pretty convoluted.
>
>> I guess my real question now is what is causing catalina.out to
>> not be created (I've restarted TC several times).  It used to be
>> there.  But even when it was there for a while, I would notice it
>> would disappear kinda like a log-rotation thing.  This may be
>> some sort of linux activity.  But I still need guidance on what
>> is going wrong.  I need a reliable way to see my System.out and
>> System.err output. (I have another tomcat installation on a
>> separate EC2... It has a catalina.out with all of System.out and
>> System.err output.  It also has a catalina.2020.03.09.out that
>> doesn't have my own println output.
>
>> How do I get catalina.out to be written?

Tomcat doesn't ship with a systemd control file, so this is likely to
be either a RedHat- or Amazon-sourced control file. Coty lurks here,
and manages those packages for RedHat. I'm not sure what happens
downstream. I'm not aware of any Amazon folks who hang out around
here, but I think you might have to ask them directly.

Not a satisfying answer, I know, but an accurate one.

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

2020-03-09 Thread Christopher Schultz

Piyush,

On 3/9/20 15:34, Piyush Kumar Nayak wrote:
> There appears to be a change in the behavior of AJP connector in
> Tomcat, with respect to the protocol stack of the loopback address it
> binds to.
> With older versions it binds to both IPv6 and IPv4 interface, but
> with 9.0.31 it appears to bind to IPv4 only, if the address attribute
> is removed from the connector config
>
> Tomcat 9.0.16 - default config
> protocol="AJP/1.3" redirectPort="8443" />
> netstat -ano | findstr 8009
>   TCP    0.0.0.0:8009    0.0.0.0:0    LISTENING    19832
>   TCP    [::]:8009       [::]:0       LISTENING    19832
>
> Tomcat 9.0.31 - note that address attribute is removed... in the
> standard config it is set to "::1".
>
> netstat -ano | findstr 8009
>   TCP    127.0.0.1:8009    0.0.0.0:0    LISTENING    8964
>
> Even if the default is used it listens to IPv6 only
> protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" secret="seckey" />
>   TCP    [::1]:8009    [::]:0    LISTENING    3880
>
> As per the docs, the default for ipv6v6only attribute is false.
> Should it not listen to both the protocol stacks.

The old default was "no address specified" and so Java would generally
bind to all interfaces.

The new default is "localhost", so it may be sensitive to the
name-resolution that your system performs when you ask it for the
interface for "localhost". If it gives only an IPv4 address, you'll
get IPv4. If only IPv6, then only IPv6. If both, then probably both.
Actually, maybe not. I don't think you can bind to two interfaces at
the same time, unless those interfaces are the "all interfaces"
metainterface.

- -chris

> -Original Message- From: Piyush Kumar Nayak
>  Sent: Saturday, March 7, 2020 5:29 PM
> To: Tomcat Users List  Subject: RE: bind
> Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
>
> Chris, In both the cases, ISAPI and mod_jk, the hostname is set to
> "localhost" Tomcat and webserver are on the same host machine.
>
>
> -Original Message- From: Christopher Schultz
>  Sent: Friday, March 6, 2020 8:20 PM
> To: users@tomcat.apache.org Subject: Re: bind Tomcat to IPv4 and
> IPv6 loopback, Tomcat 9.0.31
>
> Piyush,
>
> On 3/5/20 14:40, Piyush Kumar Nayak wrote:
>> Thanks Mark, Two connector configs works. Any ideas, on why the
>> behavior if different for ISAPI and mod_jk modules?
>
> What do your configurations look like for each module?
>
> -chris
>
>> -Original Message- From: Mark H. Wood 
>> Sent: Thursday, March 5, 2020 10:28 PM To:
>> users@tomcat.apache.org Subject: Re: bind Tomcat to IPv4 and IPv6
>> loopback, Tomcat 9.0.31
>
>> On Thu, Mar 05, 2020 at 01:52:57PM +, Piyush Kumar Nayak
>> wrote:
>>> Is there a way to get Tomcat's AJP connector to bind to both
>>> IPv4 and IPv6 loopback addresses.
>>>
>>> By default, it seems that Tomcat binds to IPv4 loopback Default
>>>  connector config : >> redirectPort="8447" packetSize="65535" secret="xxx"
>>> tomcatAuthentication="false"/>
>>>
>>> netstat -ano | findstr 8014 TCP 127.0.0.1:8014 0.0.0.0:0
>>> LISTENING 8616 TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED
>>> 8616 TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800
>>>
>>> Introducing the address attribute like so  : >> protocol="AJP/1.3" address="::1" port="8014"
>>> redirectPort="8447" packetSize="65535" secret="xxx"
>>> tomcatAuthentication="false"/> binds it to IPv6 loopback TCP
>>> [::1]:8014 [::]:0 LISTENING 8616 TCP [::1]:8014 [::1]:57522
>>> ESTABLISHED 8616 TCP [::1]:57522 [::1]:8014 ESTABLISHED 6564
>>>
>>> Is there a way to make it bind to both the loopbacks. The
>>> problem we are facing is our Tomcat installations can have
>>> connector configured with IIS or Apache HTTPD. Apache
>>> connector, by default seems to make a socket connection using
>>> the address ::1 (IPv6 loop back address), whereas IIS connector
>>> tries to bind to the IPv4 loopback.
>
>> Two things I would try:
>
>> 1.  Two connectors, one with address='::1' and the other with
>> address='127.0.0.1', both with port='8014'.
>
>> 2.  Configure the other end explicitly:  tell HTTPD and IIS which
>>  address to use, and then configure your AJP Connector to match.
>
>> -- Mark H. Wood Lead Technology Analyst
>
>> University Library Indiana University - Purdue University
>> Indianapolis 755 W. Michigan Street Indianapolis, IN 46202
>> 317-274-0749 www.ulib.iupui.edu
>

Re: Problem with tomcat connector in IIS using tomcat 9.0.31

2020-03-09 Thread Christopher Schultz

Matthias,

On 3/9/20 09:43, Matthias Fechner wrote:
> On 04.03.2020 at 09:17, Martin Grigorov wrote:
>> Please read this discussion:
>> https://lists.apache.org/thread.html/r9f3a2ea48f2e76f7c092ea2dc4caec7d15c86f7773281ef6c8cdb817%40%3Cusers.tomcat.apache.org%3E
>>
>> The problem and a workaround are explained here:
>> https://lists.apache.org/thread.html/r3720861ca584c0b6794cb8bfffafa18fa67b514f3df47ce7ea5329ef%40%3Cusers.tomcat.apache.org%3E
>
> thanks, adding this fixed it:
>
> allowedRequestAttributesPattern=".*"

That's not a super-secure solution. You really should specify a
correct whitelist pattern instead of "accept all".

- -chris



Re: Apache Tomcat AJP File Inclusion Vulnerability (unauthenticated check)

2020-03-09 Thread Christopher Schultz

Nitin,

On 3/7/20 00:02, Nitin Kadam wrote:
> Hello Team,
>
> We received  vulnerability alert from Security team for "Apache
> Tomcat AJP File Inclusion Vulnerability (unauthenticated check)"
> and for remediation they suggested to updated tomcat with latest
> version.
>
> Can you please help to resolve same without upgrading the existing
> version i.e tomcat 8.5


1. Are you using the AJP protocol at all?

If not, then you can ignore CVE-2020-1938. Just make sure that all AJP
 have been completely removed from your conf/server.xml file.

2. Are you securing your endpoints against arbitrary connections?

If so, then you can ignore CVE-2020-1938. If you haven't secured your
endpoints, then you were going to be vulnerable to other hi-jinx in
the first place.

- -chris
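
An added example (not code from the thread or from the Tomcat project): a small Python audit of a server.xml for the AJP settings raised in the threads above, namely whether any AJP connector remains, which address it binds to, whether a shared secret is set, and whether allowedRequestAttributesPattern accepts every attribute name. The sample configuration, the finding names and the probe attribute are constructed, and the check assumes Java and Python regex syntax agree for the pattern being tested.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread): one HTTP connector and
# three AJP connectors covering the settings discussed in the messages above.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector protocol="AJP/1.3" address="0.0.0.0" port="8009"
               redirectPort="8443" secretRequired="false"
               allowedRequestAttributesPattern=".*"/>
    <Connector protocol="AJP/1.3" address="::1" port="8014"
               redirectPort="8447" secret="example-secret"/>
    <Connector protocol="AJP/1.3" address="127.0.0.1" port="8014"
               redirectPort="8447" secret="example-secret"
               allowedRequestAttributesPattern="CERT_[A-Z]+|HTTPS_[A-Z_]+"/>
  </Service>
</Server>
"""

# Constructed attribute name that no deliberate allowlist should match.
PROBE_ATTRIBUTE = "zz.constructed.probe-attribute"


def classify_bind(address):
    """Describe which interfaces a connector's address= value selects."""
    if address is None:
        return "default"  # version-dependent, as the bind thread above discusses
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "hostname"  # result depends on the host's name resolution
    if ip.is_unspecified:
        return "all-interfaces"
    if ip.is_loopback:
        return "ipv%d-loopback" % ip.version
    return "specific-address"


def pattern_accepts_anything(pattern):
    """True if the allowlist regex fully matches an arbitrary attribute name."""
    if not pattern:
        return False  # unset: arbitrary request attributes are rejected
    try:
        return re.fullmatch(pattern, PROBE_ATTRIBUTE) is not None
    except re.error:
        return False  # Java-only regex syntax: review this pattern by hand


def audit_ajp(server_xml):
    """Return one report dict per AJP connector found in the server.xml text."""
    reports = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # only AJP connectors are in scope
        bind = classify_bind(conn.get("address"))
        findings = []
        if bind == "all-interfaces":
            findings.append("listens-on-all-interfaces")
        if not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append("no-shared-secret")
        if pattern_accepts_anything(conn.get("allowedRequestAttributesPattern")):
            findings.append("pattern-accepts-any-attribute")
        reports.append({"port": conn.get("port"), "bind": bind,
                        "findings": findings})
    return reports


def loopback_coverage(reports):
    """Map each port to the loopback families its connectors cover."""
    coverage = {}
    for report in reports:
        if report["bind"].endswith("-loopback"):
            coverage.setdefault(report["port"], set()).add(report["bind"])
    return coverage


if __name__ == "__main__":
    results = audit_ajp(SAMPLE_SERVER_XML)
    for report in results:
        print(report["port"], report["bind"], report["findings"] or "ok")
    print(loopback_coverage(results))
```

An empty list from audit_ajp means no AJP connector is left in the file; a port that maps to both loopback families in loopback_coverage corresponds to the two-connector setup suggested in the bind thread.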



Re: mod_proxy_ajp equivalent for JK_LB_ACTIVATION?

2020-03-09 Thread Christopher Schultz

Rainer,

On 3/6/20 13:44, Rainer Jung wrote:
> Hi Chris,
>
> no, the status unfortunately is not available as an Apache env
> var.
>
> mod_proxy_ajp has a builtin provision for automatic env var
> forwarding: all env vars named AJP_SOMETHING will be forwarded as
> request attribute SOMETHING. But I see no easy way of detecting
> drain mode and setting an env var and there seems to be nothing
> builtin. I remember having added the forwarding for the LB
> activation to mod_jk many years ago but well after mod_proxy_ajp
> was done by Mladen. It seems to be one of the missing features in
> mod_proxy_ajp.

I'd of course want this to be available in mod_proxy_balancer so any
protocol would get it.

> But of course it could be added ...

:)

I'll happily buy a round of drinks at ApacheCon if someone would look
into this. Without it, my "how to easily move from mod_jk to
mod_proxy_http" presentation is going to have a bit of a hole in it. :(

Thanks,
- -chris

> On 06.03.2020 at 16:34, Christopher Schultz wrote:
>>
>> All,
>>
>> At $work, we use mod_jk for proxying and I'd like to move to
>> mod_proxy_ajp with an eye toward moving to mod_proxy_http
>> eventually.
>>
>> We use the JK_LB_ACTIVATION state to perform load-balanced
>> node-draining[1] for maintenance and I'm trying to find out how
>> to get mod_proxy to give me its current status.
>>
>> I don't see anything in the documentation for mod_proxy_balancer
>> or mod_proxy_ajp.
>>
>> From the balancer-manager, I can see that there are several
>> items of status metadata that might be useful:
>>
>> - worker "draining mode"
>> - worker "disabled" state
>> - worker "hot standby" state
>> - worker "stopped" state
>>
>> Each worker has a "status" value, which can be any of
>> D/S/I/R/H/E/N but it also looks like each of those can be set
>> independently. So the worker can be in "hot standby" + "error"
>> states. Hmm.
>>
>> Is that state available in an environment variable I can
>> forward-over to the origin node?
>>
>> - -chris
>



Re: stdout / stderr on AWS Linux

2020-03-09 Thread Jerry Malcolm

On 3/3/2020 2:45 PM, Christopher Schultz wrote:


Jerry,

On 3/3/20 11:46, Jerry Malcolm wrote:

Where are the stdout and stderr log files written for tomcat in
AWS Linux?

Are you talking about a Tomcat installed from the package-manager
(yum), or one you installed yourself from an ASF distribution?
I installed Tomcat on AWS Linux2 EC2 instance using yum.  I didn't do 
any type of customization of the install.  Basically out-of-the-box TC 
8.5 via yum.



On windows, they are just part of the logs folder. But in AWS Linux
/var/log/Tomcat I get all of the other log files.  But no
stdout/stderr.

On *NIX systems, this file is usually just called catalina.out


Most of the info is also in Catalina.out.

That's everything.


Thanks for the info.  But I'm not seeing what you are describing.

I looked in context.xml for 'swallow output'.  No reference to 'swallow 
output' there.


I started looking for catalina.sh per Calder's suggestion. Apparently 
this installation doesn't use a catalina.sh. Couldn't find it anywhere 
in the EC2 instance.


When I run TC, I get sometimes a catalina.out in the log directory.  At 
the same time, I get a catalina.2020.03.09.out. When they are both 
there, the dated version is always smaller. Never really paid much 
attention to it.  Now for some reason, catalina.out is not even 
appearing in the log folder. catalina.2020.03.09.out contains all of the 
TC startup stuff in it.  But it does not have any of my 
System.out.println() or System.err.println() output.


When I was looking for catalina.sh, I found a post on the web that 
suggested running: "systemctl status tomcat.service  -l"  I ran that and 
got a dump of the java startup command.  But very strangely, after that, 
it dumped all of my missing System.out and System.err println output.  
Apparently, all of those println statements were being buffered 
somewhere.  But I have no clue what is going on.


If catalina.out stops disappearing and/or not appearing at all, 
hopefully I can find the println output that I need there.  But if 
catalina.out continues to not be created, I guess I could run the 
systemctl status command to see my output.  But this is pretty convoluted.


I guess my real question now is what is causing catalina.out to not be 
created (I've restarted TC several times).  It used to be there.  But 
even when it was there for a while, I would notice it would disappear 
kinda like a log-rotation thing.  This may be some sort of linux 
activity.  But I still need guidance on what is going wrong.  I need a 
reliable way to see my System.out and System.err output. (I have another 
tomcat installation on a separate EC2... It has a catalina.out with all 
of System.out and System.err output.  It also has a 
catalina.2020.03.09.out that doesn't have my own println output.


How do I get catalina.out to be written?

Thanks.

Jerry




But just curious where stdout and stderr files have gone.

Away, because they really don't need to exist.

If you want them back, you can run jsvc and get separate streams.

- -chris



RE: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

2020-03-09 Thread Piyush Kumar Nayak
There appears to be a change in the behavior of AJP connector in Tomcat, with 
respect to the protocol stack of the loopback address it binds to.
With older versions it binds to both IPv6 and IPv4 interface, but with 9.0.31 
it appears to bind to IPv4 only, if the address attribute is removed from the 
connector config

Tomcat 9.0.16 - default config

netstat -ano | findstr 8009
  TCP    0.0.0.0:8009    0.0.0.0:0    LISTENING    19832
  TCP    [::]:8009       [::]:0       LISTENING    19832

Tomcat 9.0.31 - note that address attribute is removed... in the standard 
config it is set to "::1". 

netstat -ano | findstr 8009
  TCP    127.0.0.1:8009    0.0.0.0:0    LISTENING    8964

Even if the default is used it listens to IPv6 only

  TCP    [::1]:8009    [::]:0    LISTENING    3880

As per the docs, the default for ipv6v6only attribute is false. Should it not 
listen to both the protocol stacks.

-Piyush.

-Original Message-
From: Piyush Kumar Nayak  
Sent: Saturday, March 7, 2020 5:29 PM
To: Tomcat Users List 
Subject: RE: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Chris,
In both the cases, ISAPI and mod_jk, the hostname is set to "localhost"
Tomcat and webserver are on the same host machine.


-Original Message-
From: Christopher Schultz 
Sent: Friday, March 6, 2020 8:20 PM
To: users@tomcat.apache.org
Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31


Piyush,

On 3/5/20 14:40, Piyush Kumar Nayak wrote:
> Thanks Mark, Two connector configs works. Any ideas, on why the 
> behavior if different for ISAPI and mod_jk modules?

What do your configurations look like for each module?

- -chris

> -Original Message- From: Mark H. Wood 
> Sent: Thursday, March 5, 2020 10:28 PM To: users@tomcat.apache.org
> Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
>
> On Thu, Mar 05, 2020 at 01:52:57PM +, Piyush Kumar Nayak
> wrote:
>> Is there a way to get Tomcat's AJP connector to bind to both IPv4 and
>> IPv6 loopback addresses.
>>
>> By default, it seems that Tomcat binds to IPv4 loopback Default 
>> connector config : > redirectPort="8447" packetSize="65535" secret="xxx"
>> tomcatAuthentication="false"/>
>>
>> netstat -ano | findstr 8014 TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING
>> 8616 TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED
>> 8616 TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800
>>
>> Introducing the address attribute like so  : > protocol="AJP/1.3" address="::1" port="8014" redirectPort="8447"
>> packetSize="65535" secret="xxx" tomcatAuthentication="false"/> binds 
>> it to IPv6 loopback TCP [::1]:8014 [::]:0 LISTENING 8616 TCP
>> [::1]:8014 [::1]:57522 ESTABLISHED 8616 TCP [::1]:57522
>> [::1]:8014 ESTABLISHED 6564
>>
>> Is there a way to make it bind to both the loopbacks. The problem we 
>> are facing is our Tomcat installations can have connector configured 
>> with IIS or Apache HTTPD. Apache connector, by default seems to make 
>> a socket connection using the address ::1 (IPv6 loop back address), 
>> whereas IIS connector tries to bind to the
>> IPv4 loopback.
>
> Two things I would try:
>
> 1.  Two connectors, one with address='::1' and the other with 
> address='127.0.0.1', both with port='8014'.
>
> 2.  Configure the other end explicitly:  tell HTTPD and IIS which 
> address to use, and then configure your AJP Connector to match.
>
> -- Mark H. Wood Lead Technology Analyst
>
> University Library Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street Indianapolis, IN 46202
> 317-274-0749 www.ulib.iupui.edu
>

unsubscripe

2020-03-09 Thread Alexandre Adao
users@tomcat.apache.org


Re: Problem with tomcat connector in IIS using tomcat 9.0.31

2020-03-09 Thread Matthias Fechner
On 04.03.2020 at 09:17, Martin Grigorov wrote:
> Please read this discussion:
> https://lists.apache.org/thread.html/r9f3a2ea48f2e76f7c092ea2dc4caec7d15c86f7773281ef6c8cdb817%40%3Cusers.tomcat.apache.org%3E
> 
> The problem and a workaround are explained here:
> https://lists.apache.org/thread.html/r3720861ca584c0b6794cb8bfffafa18fa67b514f3df47ce7ea5329ef%40%3Cusers.tomcat.apache.org%3E

thanks, adding this fixed it:

allowedRequestAttributesPattern=".*"

Regards
Matthias

-- 

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook





Re: Apache Tomcat AJP File Inclusion Vulnerability (unauthenticated check)

2020-03-09 Thread Martin Grigorov
Hi,

On Sat, Mar 7, 2020 at 7:02 AM Nitin Kadam  wrote:

> Hello Team,
>
> We received  vulnerability alert from Security team for "Apache Tomcat AJP
> File Inclusion Vulnerability (unauthenticated check)" and for
> remediation they suggested to updated tomcat with latest version.
>
> Can you please help to resolve same without upgrading the existing version
> i.e tomcat 8.5
>

Why don't you want to upgrade to the latest 8.5.x?
Which version exactly do you use?

Martin


>
>
> --
> Regards,
> NK
>


[ANN] Apache Tomcat Connectors 1.2.48 released

2020-03-09 Thread Mark Thomas
The Apache Tomcat Connectors project is part of the Tomcat project and
provides web server plugins for httpd (mod_jk), IIS (ISAPI) and Netscape
(NSAPI) to connect those web servers with Tomcat and other backends.

The Apache Tomcat Project is proud to announce the release of version
1.2.48 of the Apache Tomcat Connectors.
This version fixes a number of bugs found in previous releases.

Full details of these changes and new features,
are available in the Apache Tomcat Connectors changelog:
https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html

In addition to the usual source release, this release includes Windows
binaries for the JK ISAPI connector for IIS.

Downloads:
https://tomcat.apache.org/download-connectors.cgi

Thank you,
-- 
The Apache Tomcat Team
