Re: [OT] Re: What exactly does the AJP connector on 8009 do?
On 4/6/21 9:11 AM, Olaf Kock wrote:
> *Everybody* has a dedicated testing system. Always!
> *Some* are lucky that they have a completely separate production system.

We expect disk drives to fail. So we plan for it, using some form of RAID (full mirroring in my case). And so the power supply fails instead.

Also: The likelihood of a power supply failure is inversely proportional to its maintenance accessibility.

--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Re: What exactly does the AJP connector on 8009 do?
Olaf,

On 4/6/21 12:11, Olaf Kock wrote:
> On 06.04.21 11:53, André Warnier (tomcat/perl) wrote:
>> Shortcut :
>> - comment-out the AJP Connector in the tomcat configuration
>> - restart tomcat
>> - and wait for desperate support calls
>
> That reminds me of the common wisdom in System Administration:
>
> *Everybody* has a dedicated testing system. Always!
> *Some* are lucky that they have a completely separate production system.

That's ... amazing.

http://www.quickmeme.com/meme/2gs6

-chris
[OT] Re: What exactly does the AJP connector on 8009 do?
On 06.04.21 11:53, André Warnier (tomcat/perl) wrote:
>
> Shortcut :
> - comment-out the AJP Connector in the tomcat configuration
> - restart tomcat
> - and wait for desperate support calls
>

That reminds me of the common wisdom in System Administration:

*Everybody* has a dedicated testing system. Always!
*Some* are lucky that they have a completely separate production system.

(lost the source)
Re: What exactly does the AJP connector on 8009 do?
André,

On 4/6/21 05:53, André Warnier (tomcat/perl) wrote:
> On 06.04.2021 00:45, James H. H. Lampert wrote:
>> On 4/5/21 1:22 PM, Christopher Schultz wrote:
>>> If you are not running a reverse-proxy in front of Tomcat, then it does absolutely nothing for you. If you *are* running a reverse-proxy in front of Tomcat, then it *may* do something for you, depending upon what software you are using and what its configuration is.
>>
>> Thanks. Hmm. We have *something* on one of our cloud servers, that has Tomcat sitting behind httpd (on the same box), and we have load balancing (through a couple of AWS Beanstalks) on our cloud-based product, but I don't know if the AJP port is involved in any of that.
>
> I don't know about AWS Beanstalks

They almost certainly do not support AJP.

> but for Apache httpd, there are some tell-tale configuration directives in the Apache httpd configuration files, which - if present - will tell you if Apache httpd is communicating with the back-end tomcat using the AJP protocol (and hence tomcat's AJP Connector).
>
> Look for either of :
> - ProxyPass instructions mentioning "AJP:"
> - SetHandler jakarta-servlet
> - JkMount
> (case does generally not matter)

+1

> Shortcut :
> - comment-out the AJP Connector in the tomcat configuration
> - restart tomcat
> - and wait for desperate support calls

:)

> (*) This is not a criticism : it is very flexible that way; it's just a bit more work to search for the right files.

You can also run httpd and have it dump the list of all included files:

$ apachectl -t -D DUMP_INCLUDES

It seems silly that "apachectl" doesn't have a "--dump-effective-configuration" option which just dumps out EVERYTHING, as httpd would see the complete configuration.

-chris
Re: What exactly does the AJP connector on 8009 do?
Mon, 5 Apr 2021 at 21:59, James H. H. Lampert :
>
> We've just gotten a complaint about a vulnerability involving AJP (to something called "Ghostcat") from a customer. The report from the security consultant recommends updating to a more recent version of Tomcat, and I note that we've already started rolling out 7.0.108 to customers.
>
> Looking at server.xml, the only reference to AJP is in relation to port 8009, and that this connector is commented out in 108, but not in 93.
>
> So what exactly *is* this connector, and what purpose does it serve?

A well-configured instance of Apache Tomcat should serve requests either over "http:"/"https:" or over "ajp:", but not both.

The clients for the http: protocol are web browsers.
The clients for the AJP protocol are web servers (proxies).

See also
https://tomcat.apache.org/connectors-doc/
https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
https://en.wikipedia.org/wiki/Apache_JServ_Protocol

Best regards,
Konstantin Kolinko
Re: What exactly does the AJP connector on 8009 do?
On 06.04.2021 00:45, James H. H. Lampert wrote:
> On 4/5/21 1:22 PM, Christopher Schultz wrote:
>> If you are not running a reverse-proxy in front of Tomcat, then it does absolutely nothing for you. If you *are* running a reverse-proxy in front of Tomcat, then it *may* do something for you, depending upon what software you are using and what its configuration is.
>
> Thanks. Hmm. We have *something* on one of our cloud servers, that has Tomcat sitting behind httpd (on the same box), and we have load balancing (through a couple of AWS Beanstalks) on our cloud-based product, but I don't know if the AJP port is involved in any of that.

I don't know about AWS Beanstalks, but for Apache httpd, there are some tell-tale configuration directives in the Apache httpd configuration files, which - if present - will tell you if Apache httpd is communicating with the back-end tomcat using the AJP protocol (and hence tomcat's AJP Connector).

Look for either of :
- ProxyPass instructions mentioning "AJP:"
- SetHandler jakarta-servlet
- JkMount
(case does generally not matter)

(Note that under Linux(es), your Apache httpd config files may be spread in small chunks all over the place, generally in locations such as "/etc/apache2/*" or "/etc/httpd/*") (*)

Relevant documentation is available here :
1) http://tomcat.apache.org/connectors-doc/
2) http://tomcat.apache.org/connectors-doc/reference/apache.html
3) http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
4) (more complicated cases) http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#rewriterule

Also, if Apache httpd uses AJP to communicate with tomcat, then one of these Apache httpd add-on modules will be loaded and configured :
- mod_jk
- mod_proxy_ajp

To find out which modules are loaded by Apache httpd, use the following command :

# apache2ctl -M

(Note that the mere fact that a module is loaded does not necessarily mean that it is being *used*; but if neither of them is loaded, then you can be pretty sure that Apache httpd is NOT using AJP)

Shortcut :
- comment-out the AJP Connector in the tomcat configuration
- restart tomcat
- and wait for desperate support calls

(*) This is not a criticism : it is very flexible that way; it's just a bit more work to search for the right files.
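As an added example (not code from the thread, nor from the Tomcat or httpd projects), here is a POSIX shell helper that automates the two checks André describes above, the directive search and the `apache2ctl -M` module check, and can also be pointed at the include list from Chris's `apachectl -t -D DUMP_INCLUDES` suggestion. The configuration directories, the module-listing file and the function names are assumptions; the sample configs in the test are constructed.

```shell
# Added example, not from the thread. ASSUMED: config lives under the
# directories you pass in; the module listing is `apachectl -M` /
# `apache2ctl -M` output saved to a file.

# Directives that hand requests to Tomcat over AJP: ProxyPass/ProxyPassMatch/
# ProxyPassReverse to an ajp:// backend (mod_proxy_ajp), SetHandler
# jakarta-servlet and JkMount (mod_jk), or a RewriteRule proxying to ajp://.
# Matched case-insensitively; a line commented out with '#' does not match,
# because the anchor requires the directive to be the first token.
AJP_DIRECTIVE_RE='^[[:space:]]*(ProxyPass(Match|Reverse)?[[:space:]]+.*ajp://|SetHandler[[:space:]]+jakarta-servlet|JkMount[[:space:]]+|RewriteRule[[:space:]]+.*ajp://)'

# ajp_scan_dir DIR...: print file:line:directive for every AJP directive found
# under the given directories (e.g. /etc/apache2 /etc/httpd). Exit 0 if any.
ajp_scan_dir() {
    ajp_found=1
    for ajp_dir in "$@"; do
        [ -d "$ajp_dir" ] || continue
        # -r recurse, -n line numbers, -i ignore case, -E extended regex
        if grep -rniE "$AJP_DIRECTIVE_RE" "$ajp_dir"; then
            ajp_found=0
        fi
    done
    return "$ajp_found"
}

# ajp_modules_loaded: read a module listing on stdin and print the AJP-capable
# modules (mod_proxy_ajp registers as proxy_ajp_module, mod_jk as jk_module).
# Exit 0 if at least one is loaded.
ajp_modules_loaded() {
    grep -E '^[[:space:]]*(proxy_ajp_module|jk_module)[[:space:]]'
}

# ajp_in_use CONF_DIR MODULES_FILE: combined verdict. A loaded module alone is
# not proof of use (see André's note), so both a module and a directive must
# be present before reporting that httpd depends on the Tomcat AJP connector.
ajp_in_use() {
    if ajp_modules_loaded < "$2" >/dev/null && ajp_scan_dir "$1" >/dev/null; then
        echo "AJP in use by httpd: the Tomcat AJP connector is still needed"
        return 0
    fi
    echo "No AJP module+directive pair found: the 8009 connector can be disabled"
    return 1
}

# Typical invocation on a live host (module list captured once):
#   apache2ctl -M > /tmp/mods.txt && ajp_in_use /etc/apache2 /tmp/mods.txt
```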
Re: What exactly does the AJP connector on 8009 do?
On 4/5/21 1:22 PM, Christopher Schultz wrote:
> If you are not running a reverse-proxy in front of Tomcat, then it does absolutely nothing for you. If you *are* running a reverse-proxy in front of Tomcat, then it *may* do something for you, depending upon what software you are using and what its configuration is.

Thanks. Hmm. We have *something* on one of our cloud servers, that has Tomcat sitting behind httpd (on the same box), and we have load balancing (through a couple of AWS Beanstalks) on our cloud-based product, but I don't know if the AJP port is involved in any of that.

--
JHHL
Re: What exactly does the AJP connector on 8009 do?
James,

On 4/5/21 14:58, James H. H. Lampert wrote:
> We've just gotten a complaint about a vulnerability involving AJP (to something called "Ghostcat") from a customer. The report from the security consultant recommends updating to a more recent version of Tomcat, and I note that we've already started rolling out 7.0.108 to customers.
>
> Looking at server.xml, the only reference to AJP is in relation to port 8009, and that this connector is commented out in 108, but not in 93.
>
> So what exactly *is* this connector, and what purpose does it serve?

If you are not running a reverse-proxy in front of Tomcat, then it does absolutely nothing for you. If you *are* running a reverse-proxy in front of Tomcat, then it *may* do something for you, depending upon what software you are using and what its configuration is.

IMHO, it's time for AJP to go. [1]

(This is another reminder to me to get off my butt and post all the presentations from ApacheCon @Home to the "Presentations" page.)

-chris

[1] https://www.youtube.com/watch?v=qUjUEvGFstI