On 25.11.2018 21:43, Lou Wallace wrote:
Whew. Just read that link

Warning: If Apache and Tomcat are configured to serve content from the same
file system location then care must be taken to ensure that Apache is not
able to serve inappropriate content such as the contents of the WEB-INF
directory or JSP source code.

This could occur if the Apache DocumentRoot overlaps with a Tomcat Host's
appBase or the docBase of any Context. It could also occur when using the
Apache Alias directive with a Tomcat Host's appBase or the docBase of any
Context.

And I just checked and sure enough I can access from the browser the
contents of the site directory. Now I haven't yet configured httpd-vhosts
to define site yet - could that be why I can access the directory itself
from a browser?

And where do I look to see if Apache DocumentRoot overlaps with a Tomcat
Host's appBase or the docBase?


Make a picture. I'm not kidding.
Presumably, you know what a filesystem directory structure looks like.
So make a little schema of the Apache httpd document directories, starting at what is indicated in the DocumentRoot of the httpd.conf (or apache2.conf or whatever it is on your system); and make a similar schema of the directories of Tomcat, starting at the positions mentioned in the appBase/docBase attributes. If any of these overlap, you have a problem. It is not a fatal problem, and one can avoid the problem with a careful httpd configuration. But if there is an overlap, you are always at risk of forgetting to configure this properly, so better to avoid it altogether. (Of course, all of this can happen only if Apache httpd and Tomcat are running on the same host; if not, there is no such risk. Unless of course they share some common network directories.)

browser <- A+B -> httpd + mod_jk <-- B --> tomcat
                        |                     |
                        A                     B
                        |                     |
                  httpd DocumentRoot         webapps
                    sub-directories             |
                    and files                   -- webapp-1
                                                     - files (1)
                                                     |- WEB-INF
                                                           |- files (2)
Legend :
- A+B are all requests sent by the browser, to the front-end httpd.
  Some of these requests are for documents/applications on the front-end (A).
  Some of these requests are for the back-end tomcat's webapps (B).
  httpd + mod_jk "know" which requests to proxy to tomcat (B), by the "JkMount"
  directives. What is not proxied to tomcat (aka "not B") is served locally by
  httpd (A).
As long as "httpd DocumentRoot" and "webapps" are totally separate on disk, there is no problem.
The problem is when some part of "httpd DocumentRoot" overlaps some part of "webapps".
Then for example a browser can send something which appears to be directed at httpd
(iow a URL addressing A), but which in reality accesses something under "webapps".
Because then, httpd will serve this "raw", and none of the security (or JSP compilation and execution of (1)) of tomcat will ever even know that httpd is serving things from under its nose, even forbidden things (2).

Clear ?
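To make the "make a picture" check above mechanical, here is an added example (my own, not code from this thread, from mod_jk or from Tomcat). It reads the DocumentRoot, Alias and ScriptAlias targets out of an httpd.conf fragment, reads every Host appBase and Context docBase out of a Tomcat server.xml, resolves them to absolute paths, and reports each pair where one directory contains the other. The httpd.conf and server.xml below are constructed sample inputs, and CATALINA_BASE=/opt/tomcat is an assumption; the script does not follow Include directives or AliasMatch, so on a real system feed it the effective configuration (httpd.conf plus conf.d) and the real CATALINA_BASE.

```python
"""Report overlaps between httpd's served directories and Tomcat's webapp trees.

Added example, not from the thread or the Tomcat/mod_jk projects.
"""
import os
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed httpd.conf fragment (sample input, not a real configuration).
HTTPD_CONF = """
ServerRoot "/etc/httpd"
# DocumentRoot "/srv/old"   <- commented out, must be ignored
DocumentRoot "/var/www/html"
Alias /static/ "/opt/tomcat/webapps/shop/static/"
JkMount /shop/* worker1
"""

# Constructed server.xml (sample input); CATALINA_BASE is an assumption.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true">
        <Context path="/legacy" docBase="/var/www/html/legacy"/>
      </Host>
    </Engine>
  </Service>
</Server>"""
CATALINA_BASE = "/opt/tomcat"

# One directive per line; commented-out lines never match because of the leading '#'.
DIRECTIVE = re.compile(
    r"^[ \t]*(ServerRoot|DocumentRoot|Alias|ScriptAlias)[ \t]+(.+?)[ \t]*$", re.M)


def httpd_roots(conf_text):
    """Filesystem paths httpd may serve from, as (directive, absolute normalised path)."""
    server_root = "/etc/httpd"  # assumed default; replaced by a ServerRoot directive if present
    roots = []
    for m in DIRECTIVE.finditer(conf_text):
        directive, args = m.group(1), shlex.split(m.group(2), comments=True)
        if not args:
            continue
        path = args[-1]  # for Alias/ScriptAlias the filesystem target is the last argument
        if directive == "ServerRoot":
            server_root = path
            continue
        if not os.path.isabs(path):  # a relative DocumentRoot is relative to ServerRoot
            path = os.path.join(server_root, path)
        roots.append((directive, os.path.normpath(path)))
    return roots


def tomcat_roots(xml_text, catalina_base):
    """Paths Tomcat owns: every Host appBase and Context docBase, resolved to absolute."""
    roots = []
    for host in ET.fromstring(xml_text).iter("Host"):
        app_base = host.get("appBase", "webapps")
        if not os.path.isabs(app_base):      # relative appBase is relative to CATALINA_BASE
            app_base = os.path.join(catalina_base, app_base)
        app_base = os.path.normpath(app_base)
        roots.append(("Host appBase", app_base))
        for ctx in host.iter("Context"):
            doc_base = ctx.get("docBase")
            if not doc_base:
                continue
            if not os.path.isabs(doc_base):  # relative docBase is relative to appBase
                doc_base = os.path.join(app_base, doc_base)
            roots.append(("Context docBase", os.path.normpath(doc_base)))
    return roots


def overlaps(a, b):
    """True when one path equals or contains the other, compared by path component."""
    a, b = os.path.normpath(a), os.path.normpath(b)
    return os.path.commonpath([a, b]) in (a, b)


def find_overlaps(httpd, tomcat):
    """All (httpd directive, httpd path, tomcat attribute, tomcat path) pairs that overlap."""
    return [(hd, hp, td, tp) for hd, hp in httpd for td, tp in tomcat if overlaps(hp, tp)]


def check(conf_text=HTTPD_CONF, xml_text=SERVER_XML, catalina_base=CATALINA_BASE):
    """Run the whole check on the given texts and return the overlapping pairs."""
    return find_overlaps(httpd_roots(conf_text), tomcat_roots(xml_text, catalina_base))


if __name__ == "__main__":
    hits = check()
    if not hits:
        print("OK: httpd and Tomcat directory trees are disjoint")
    for hd, hp, td, tp in hits:
        print(f"OVERLAP: httpd {hd} {hp}  <->  Tomcat {td} {tp}")
```

Run on the sample input it reports two overlaps: the DocumentRoot contains the /legacy Context's docBase, and the /static/ Alias points inside the Host's appBase. Either one lets httpd serve files (JSP source, WEB-INF contents) that Tomcat would normally compile or refuse, which is exactly the situation the mod_jk documentation warns about. Comparing by path component rather than string prefix avoids a false alarm for /var/www/html versus /var/www/html2.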






On Sun, Nov 25, 2018 at 3:36 PM André Warnier (tomcat) <a...@ice-sa.com>
wrote:

Hi.
I have not been following this in detail, but some of the things I've seen written made me
think of the warning (in red type) on the page :
http://tomcat.apache.org/connectors-doc/reference/apache.html

In other words, if your front-end Apache httpd is configured in such a way that, to serve
a request URL from a browser, it /can/ access a directory and files which really belong to
Tomcat, then all kinds of weird and dangerous things will happen.
Such as JSP pages being served 'as is', and browsers being able to access directories and
files which Tomcat would normally forbid (such as the content of a webapps/yourapp/WEB-INF
directory).



On 25.11.2018 21:26, Lou Wallace wrote:
How will selinux help? Not sure what you mean...

On Sun, Nov 25, 2018 at 3:16 PM Loai Abdallatif <
loai.abdalla...@gmail.com>
wrote:

Try SELinux in permissive mode using #setenforce 0 to exclude it from the
analysis.

On Sun, Nov 25, 2018 at 8:05 PM Lou Wallace <mrlouwall...@gmail.com>
wrote:

hey Greg,

No obvious errors in mod_jk log. Only has five lines

[Sun Nov 25 15:22:11.637 2018] [14159:139840145266816] [info] init_jk::mod_jk.c (3591): mod_jk/1.2.46 initialized
[Sun Nov 25 15:22:11.657 2018] [14159:139840145266816] [info] init_jk::mod_jk.c (3591): mod_jk/1.2.46 initialized
[Sun Nov 25 15:37:01.930 2018] [15407:140260327409792] [info] init_jk::mod_jk.c (3591): mod_jk/1.2.46 initialized
[Sun Nov 25 15:37:01.951 2018] [15407:140260327409792] [info] init_jk::mod_jk.c (3591): mod_jk/1.2.46 initialized
[Sun Nov 25 18:00:36.252 2018] [26421:139699565041792] [info] init_jk::mod_jk.c (3591): mod_jk/1.2.46 initialized
[Sun Nov 25 18:00:36.276 2018] [26421:139699565041792] [info] init_jk::mod_jk.c (3591): mod_jk/1.2.46 initialized

error_log

[Sun Nov 25 18:00:36.250346 2018] [core:notice] [pid 26421] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Sun Nov 25 18:00:36.251392 2018] [suexec:notice] [pid 26421] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Nov 25 18:00:36.252380 2018] [jk:warn] [pid 26421] No JkLogFile defined in httpd.conf. Using default /etc/httpd/logs/mod_jk.log
[Sun Nov 25 18:00:36.252466 2018] [jk:warn] [pid 26421] No JkShmFile defined in httpd.conf. Using default /etc/httpd/logs/jk-runtime-status
[Sun Nov 25 18:00:36.273798 2018] [auth_digest:notice] [pid 26421] AH01757: generating secret for digest authentication ...
[Sun Nov 25 18:00:36.275236 2018] [lbmethod_heartbeat:notice] [pid 26421] AH02282: No slotmem from mod_heartmonitor
[Sun Nov 25 18:00:36.276120 2018] [jk:warn] [pid 26421] No JkLogFile defined in httpd.conf. Using default /etc/httpd/logs/mod_jk.log
[Sun Nov 25 18:00:36.276179 2018] [jk:warn] [pid 26421] No JkShmFile defined in httpd.conf. Using default /etc/httpd/logs/jk-runtime-status
[Sun Nov 25 18:00:36.280163 2018] [mpm_prefork:notice] [pid 26421] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_jk/1.2.46 configured -- resuming normal operations
[Sun Nov 25 18:00:36.280201 2018] [core:notice] [pid 26421] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'






On Sun, Nov 25, 2018 at 12:42 PM Greg Huber <gregh3...@gmail.com>
wrote:

OK, sorry, if you are remote then 8080 port may not be open.

You need to check tomcat app actually shows the page correctly.

If the page http://IP/index.jsp <http://IP:8080/index.jsp>
just shows the jsp, have a look at the /var/log/httpd logs to see what it's doing,

eg access.log
xxx.xxx.xxx.xxx.xxx - - [25/Nov/2018:07:28:08 +0000] "GET /index.jsp HTTP/1.1" 200 27080 "

also look in the error.log for errors

mod_jk.log
[Sun Nov 25 07:27:10 2018][1452:140132954712192] [info] init_jk::mod_jk.c (3591): mod_jk/1.2.46 initialized

You could try the yum package links, which is a command-line browser.

Name        : links
Arch        : x86_64
Epoch       : 1
Version     : 2.13
Release     : 1.el7
Size        : 2.8 M
Repo        : epel/x86_64
Summary     : Web browser running in both graphics and text mode
URL         : http://links.twibright.com/
Licence     : GPLv2+
Description : Links is a web browser capable of running in either graphics or text mode.
            : It provides a pull-down menu system, renders complex pages, has partial HTML
            : 4.0 support (including tables, frames and support for multiple character sets
            : and UTF-8), supports color and monochrome terminals and allows horizontal
            : scrolling.

On Sun, 25 Nov 2018 at 17:07, Lou Wallace <mrlouwall...@gmail.com>
wrote:

How can I do that from the command line shell? I tried it from browser and
it timed out using http://IP:8080/index.jsp


On Sun, Nov 25, 2018 at 11:54 AM Greg Huber <gregh3...@gmail.com>
wrote:

But my .jsp web page is still showing as plain text

With tomcat running, does it show correctly, i.e.
http://127.0.0.1:8080/../mypage.jsp

then try http://127.0.0.1/../mypage.jsp

######

tomcat server.xml using default port
<Connector port="8080" protocol="HTTP/1.1"
                 connectionTimeout="20000"
                 redirectPort="8443" />


On Sun, 25 Nov 2018 at 15:28, Lou Wallace <mrlouwall...@gmail.com>
wrote:

hmm this is weird

After adding

#Options Indexes FollowSymLinks
#No folders/files listed
Options -Indexes -FollowSymLinks

I decided to allow httpd.conf to try and load mod_jk.so again so I added
back LoadModule jk_module /etc/httpd/modules/mod_jk.so and restarted httpd

then when I do apachectl -M I see as last entry in the list

Loaded Modules:
   core_module (static)
   so_module (static)
   http_module (static)
   access_compat_module (shared)
   actions_module (shared)
   alias_module (shared)
   allowmethods_module (shared)
   auth_basic_module (shared)
   auth_digest_module (shared)
   authn_anon_module (shared)
   authn_core_module (shared)
   authn_dbd_module (shared)
   authn_dbm_module (shared)
   authn_file_module (shared)
   authn_socache_module (shared)
   authz_core_module (shared)
   authz_dbd_module (shared)
   authz_dbm_module (shared)
   authz_groupfile_module (shared)
   authz_host_module (shared)
   authz_owner_module (shared)
   authz_user_module (shared)
   autoindex_module (shared)
   cache_module (shared)
   cache_disk_module (shared)
   data_module (shared)
   dbd_module (shared)
   deflate_module (shared)
   dir_module (shared)
   dumpio_module (shared)
   echo_module (shared)
   env_module (shared)
   expires_module (shared)
   ext_filter_module (shared)
   filter_module (shared)
   headers_module (shared)
   include_module (shared)
   info_module (shared)
   log_config_module (shared)
   logio_module (shared)
   mime_magic_module (shared)
   mime_module (shared)
   negotiation_module (shared)
   remoteip_module (shared)
   reqtimeout_module (shared)
   rewrite_module (shared)
   setenvif_module (shared)
   slotmem_plain_module (shared)
   slotmem_shm_module (shared)
   socache_dbm_module (shared)
   socache_memcache_module (shared)
   socache_shmcb_module (shared)
   status_module (shared)
   substitute_module (shared)
   suexec_module (shared)
   unique_id_module (shared)
   unixd_module (shared)
   userdir_module (shared)
   version_module (shared)
   vhost_alias_module (shared)
   dav_module (shared)
   dav_fs_module (shared)
   dav_lock_module (shared)
   lua_module (shared)
   mpm_prefork_module (shared)
   proxy_module (shared)
   lbmethod_bybusyness_module (shared)
   lbmethod_byrequests_module (shared)
   lbmethod_bytraffic_module (shared)
   lbmethod_heartbeat_module (shared)
   proxy_ajp_module (shared)
   proxy_balancer_module (shared)
   proxy_connect_module (shared)
   proxy_express_module (shared)
   proxy_fcgi_module (shared)
   proxy_fdpass_module (shared)
   proxy_ftp_module (shared)
   proxy_http_module (shared)
   proxy_scgi_module (shared)
   proxy_wstunnel_module (shared)
   ssl_module (shared)
   systemd_module (shared)
   cgi_module (shared)
   jk_module (shared)

So it says mod_jk is loaded

But my .jsp web page is still showing as plain text




On Sun, Nov 25, 2018 at 5:28 AM Greg Huber <gregh3...@gmail.com>
wrote:

There's the problem, make sure you have copied mod_jk.so to
/etc/httpd/modules/mod_jk.so

My file size is 1,556,816 bytes, permissions owner root and execute

ls -l /etc/httpd/modules/mod_jk.so
-rwxrwxr-x 1 root root

also check the x executable

And apachectl -M (sorry not -S)
...
jk_module (shared)
...

10-my.conf and my.conf are preferred as when yum updates httpd it also
updates /etc/httpd/conf/httpd.conf.  If you change httpd.conf you then have
to merge the httpd.conf.rpmnew as it won't overwrite config.

The only change I make in httpd.conf is to make sure there is no browsing

#Options Indexes FollowSymLinks
#No folders/files listed
Options -Indexes -FollowSymLinks

   Cheers Greg



On Sat, 24 Nov 2018 at 22:02, Lou Wallace <mrlouwall...@gmail.com>
wrote:

Here is what I see

Loaded Modules:
   core_module (static)
   so_module (static)
   http_module (static)
   access_compat_module (shared)
   actions_module (shared)
   alias_module (shared)
   allowmethods_module (shared)
   auth_basic_module (shared)
   auth_digest_module (shared)
   authn_anon_module (shared)
   authn_core_module (shared)
   authn_dbd_module (shared)
   authn_dbm_module (shared)
   authn_file_module (shared)
   authn_socache_module (shared)
   authz_core_module (shared)
   authz_dbd_module (shared)
   authz_dbm_module (shared)
   authz_groupfile_module (shared)
   authz_host_module (shared)
   authz_owner_module (shared)
   authz_user_module (shared)
   autoindex_module (shared)
   cache_module (shared)
   cache_disk_module (shared)
   data_module (shared)
   dbd_module (shared)
   deflate_module (shared)
   dir_module (shared)
   dumpio_module (shared)
   echo_module (shared)
   env_module (shared)
   expires_module (shared)
   ext_filter_module (shared)
   filter_module (shared)
   headers_module (shared)
   include_module (shared)
   info_module (shared)
   log_config_module (shared)
   logio_module (shared)
   mime_magic_module (shared)
   mime_module (shared)
   negotiation_module (shared)
   remoteip_module (shared)
   reqtimeout_module (shared)
   rewrite_module (shared)
   setenvif_module (shared)
   slotmem_plain_module (shared)
   slotmem_shm_module (shared)
   socache_dbm_module (shared)
   socache_memcache_module (shared)
   socache_shmcb_module (shared)
   status_module (shared)
   substitute_module (shared)
   suexec_module (shared)
   unique_id_module (shared)
   unixd_module (shared)
   userdir_module (shared)
   version_module (shared)
   vhost_alias_module (shared)
   dav_module (shared)
   dav_fs_module (shared)
   dav_lock_module (shared)
   lua_module (shared)
   mpm_prefork_module (shared)
   proxy_module (shared)
   lbmethod_bybusyness_module (shared)
   lbmethod_byrequests_module (shared)
   lbmethod_bytraffic_module (shared)
   lbmethod_heartbeat_module (shared)
   proxy_ajp_module (shared)
   proxy_balancer_module (shared)
   proxy_connect_module (shared)
   proxy_express_module (shared)
   proxy_fcgi_module (shared)
   proxy_fdpass_module (shared)
   proxy_ftp_module (shared)
   proxy_http_module (shared)
   proxy_scgi_module (shared)
   proxy_wstunnel_module (shared)
   ssl_module (shared)
   systemd_module (shared)
   cgi_module (shared)

No mod_jk

On Sat, Nov 24, 2018 at 4:23 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Lou,

On 11/24/18 12:19, Lou Wallace wrote:
Hi Greg,

I did this and restarted HTTPD. No error but no change.

Not sure how 10-my.conf and my.conf are called, but I did create
them as described.

Also when I checked configtest

[root@server2 conf]# apachectl configtest
Syntax OK

and apachectl -S

[root@server2 conf]# apachectl -S
VirtualHost configuration:
*:443                  server2.us-west2-a.c.helpful-kingdom-220815.internal (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

Looking forward to your thoughts.

Try:

$ apachectl -M

I get something like this:

Loaded Modules:
   core_module (static)
   log_config_module (static)
   logio_module (static)
   version_module (static)
   mpm_prefork_module (static)
   http_module (static)
   so_module (static)
   alias_module (shared)
   auth_basic_module (shared)
   authn_file_module (shared)
   authz_default_module (shared)
   authz_groupfile_module (shared)
   authz_host_module (shared)
   authz_user_module (shared)
   autoindex_module (shared)
   cgi_module (shared)
   deflate_module (shared)
   dir_module (shared)
   env_module (shared)
   headers_module (shared)
   include_module (shared)
   jk_module (shared)       <-- here is mod_jk
   mime_module (shared)
   negotiation_module (shared)
   php5_module (shared)
   reqtimeout_module (shared)
   rewrite_module (shared)
   setenvif_module (shared)
   ssl_module (shared)
   status_module (shared)
Syntax OK

If mod_jk isn't loading, obviously none of the module-defined
directives will work.

- -chris



---------------------------------------------------------------------
To unsubscribe, e-mail:
users-unsubscr...@tomcat.apache.org
For additional commands, e-mail:
users-h...@tomcat.apache.org