On 15.05.20 13:23, ohaya wrote: > Hi, > > I just tried adding the secret to the Apache side: > > ProxyPass ajp://192.168.218.XXX:8009 secret="123" > ProxyPassReverse ajp://192.168.218.XXX:8009 secret="123" > > and I get an error when I try to start Apache: > > AH00526: Syntax error on line 554 of /apps/oracle/apache/conf/httpd.conf: > ProxyPass unknown Worker parameter > > I am currently using Apache 2.4.39. Is there another way to specify the > "secret"?
With 9.0.20 you do not yet need to pass a secret - that came along later (somewhere around 30-33 AFAIR). However, you'll need to make sure that your AJP port is only available for the reverse proxy and nobody else - there was a recent security disclosure, which led to the change of many default settings for the AJP connector in the current releases. It boils down to the last sentence of my previous answer: I've never used REMOTE_USER headers for authentication, and there's no indicator in your setup that you're allowing Tomcat to trust such a header. I might be completely off here, but as nobody else answered yet, I thought I'd give it a try. Olaf > Thanks, > Jim > > > On Friday, May 15, 2020, 07:04:44 AM EDT, ohaya > <oh...@yahoo.com.invalid> wrote: > > Hi, > > The Tomcat version I am using is 9.0.20. I will take a look at the changelog. > > This is the first time I have tried this, and I couldn't find much info, so I > appreciate the feedback. I will look for info about "secret". > > I wasn't sure about the format on the Apache side for the > ProxyPass/ProxyPassReverse - does what I posted look all right? > > Also, when I was searching around for info, I saw some comments that seem to > be saying that the "tomcatAuthentication" parameter on the Tomcat connection > was no longer supported or something like that? > > Also re. "secret" on the Tomcat side: If that is set to, for example, > "mysecret", how do I pass that on the Apache side? > > Thanks again, > Jim > > > On Friday, May 15, 2020, 03:33:19 AM EDT, Olaf Kock <tom...@olafkock.de> > wrote: > > > On 15.05.20 09:06, oh...@yahoo.com.INVALID wrote: >> Hi, >> >> I am using an Apache proxy in front of Tomcat 9, and I am using AJP >> connection to connect from the Apache to Tomcat, and I have the Apache >> sending a username to the Tomcat in a REMOTE_USER header. >> >> In the Tomcat server.xml I have: >> >> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" >> tomcatAuthentication="false"/> >> >> In the Apache httpd.conf, to test, this I have: >> >> <LocationMatch /myapp*> >> ProxyPass ajp://192.168.218.XX:8009 >> ProxyPassReverse ajp://192.168.XX.224:8009 >> </LocationMatch> >> >> But when I access the app via the Apache, it is not automatically logging me >> into the app. >> >> Is there anything else that I have to do to get this to work besides what I >> did above? Is there something that I have to modify in the app itself to >> get this to work? > Hi Jim, > > which exact version of Tomcat 9 are you using? Note that there were > significant changes for the default and required configuration for the > AJP connector, in order to use it. Best to find all of them: Search for > AJP in the change log tomcat.apache.org/tomcat-9.0-doc/changelog.html > > Notable among them: Everything to do with "secret", and the default bind > address, "localhost", for the AJP connector. i.e. I'd expect this > configuration to be insufficient for any of the latest releases. > > I haven't ever used this REMOTE_USER authentication, but nothing in the > configuration that you've posted gives any clue about what you do and > what you send. I would expect Tomcat to *not* blindly accept any > REMOTE_USER header by default, unless it's whitelisted and explicitly > asked for - it otherwise would be a great way to exploit servers that > don't have a remote proxy (or one where the remote proxy is configured > to remove this header). Nothing in the configuration you post gives me a > hint about what you do to make tomcat accept and trust this header. > > Olaf > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
