Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-06 Thread Mark Thomas
On 06/03/2020 06:46, Thomas Glanzmann wrote:



> the issue seems to be that mod_jk no longer works without a password
> with tomcat7. So you need to set a password on both sites, and then
> everything works again.

This is not the case. Tomcat can be configured so a secret is not required.

> server.xml:
> 
>  secret="verysecure" secretRequired="true"/>
> 
> workers.properties of mod_jk
> 
> worker.tomcat-06.secret=verysecure

That won't work when httpd/mod_jk is on a separate host to Tomcat (as
per the subject of this thread).

> If I do _not_ set a password I'm getting a 403 no matter what I do.

That is a configuration issue. The equivalent Tomcat configuration to
that quoted above that will not require a password is:



Note: With 7.0.100 if you specify a secret, even an empty string, the
client must provide a matching secret irrespective of the setting of
secretRequired.

secretRequired determines if the secret attribute must be set in the
configuration, not whether the client has to provide a secret.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
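
Added example, not part of the original thread and not Tomcat's own code: a small Python model of the rules in Mark's reply above, applied to a server.xml and a mod_jk workers.properties. The helper names, port 8009 and the result labels are assumptions made for illustration; treating `requiredSecret` as the deprecated name of `secret`, and an empty secret as unset for the start-up check, follows Tomcat's AJP connector documentation.

```python
import xml.etree.ElementTree as ET

def ajp_settings(server_xml):
    """Return (secret, secret_required) of the first AJP <Connector>."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "").startswith("AJP"):
            # requiredSecret is the deprecated name of `secret`, so
            # requiredSecret="false" configures the secret string "false".
            secret = conn.get("secret", conn.get("requiredSecret"))
            # secretRequired defaults to true when it is not given.
            required = conn.get("secretRequired", "true").strip().lower() == "true"
            return secret, required
    raise ValueError("no AJP connector in server.xml")

def worker_secret(workers_properties, worker):
    """Return worker.<worker>.secret from workers.properties, or None."""
    for line in workers_properties.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name.strip() == f"worker.{worker}.secret":
            return value.strip()
    return None

def predict(server_xml, workers_properties, worker):
    """Model of the thread's rules: 'startup-error', '403' or 'ok'."""
    secret, required = ajp_settings(server_xml)
    # secretRequired only governs whether the configuration must carry a secret.
    if required and not secret:
        return "startup-error"
    if secret is None:
        return "ok"
    # A configured secret, even "", must be matched by the client,
    # whatever secretRequired says.
    return "ok" if worker_secret(workers_properties, worker) == secret else "403"

def sample_server_xml(attrs):
    """Constructed minimal server.xml; port 8009 is a placeholder value."""
    return ('<Server><Service name="Catalina"><Connector port="8009" '
            f'protocol="AJP/1.3" address="0.0.0.0" {attrs}/></Service></Server>')

if __name__ == "__main__":
    no_secret = "worker.tomcat-06.type=ajp13\n"  # constructed workers.properties
    for attrs in ('requiredSecret="false"', 'secretRequired="false"', ''):
        print(repr(attrs), "->", predict(sample_server_xml(attrs), no_secret, "tomcat-06"))
```
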



Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-05 Thread Thomas Glanzmann
Hello,

> If you don't set secretRequired="false" properly then at start time Tomcat
> will complain if there is no specified "secret" attribute.
> If it doesn't complain then most probably you are testing again with the
> wrong server.xml or old version of Tomcat.

the issue seems to be that mod_jk no longer works without a password
with tomcat7. So you need to set a password on both sites, and then
everything works again.

server.xml:



workers.properties of mod_jk

worker.tomcat-06.secret=verysecure

If I do _not_ set a password I'm getting a 403 no matter what I do.

Cheers,
Thomas




Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-05 Thread Martin Grigorov
On Thu, Mar 5, 2020 at 10:05 AM Thomas Glanzmann wrote:

> Hello Martin,
>
> > > This should be: secretRequired="false".
> > > This attribute has been renamed recently.
>
> I just looked at my notes, and I tried that already yesterday night.
> Still facing the same problem with 403. Might it be possible that I need
> to use a secret in order to access ajp from mod_jk?
>

If you don't set secretRequired="false" properly then at start time Tomcat
will complain if there is no specified "secret" attribute.
If it doesn't complain then most probably you are testing again with the
wrong server.xml or old version of Tomcat.


>
> Cheers,
> Thomas


Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-05 Thread Thomas Glanzmann
Hello Martin,

> > This should be: secretRequired="false".
> > This attribute has been renamed recently.

I just looked at my notes, and I tried that already yesterday night.
Still facing the same problem with 403. Might it be possible that I need
to use a secret in order to access ajp from mod_jk?

Cheers,
Thomas




Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-05 Thread Thomas Glanzmann
Hello Martin,

> This should be: secretRequired="false".
> This attribute has been renamed recently.

thanks. I'll test later and let you know how it went.

Cheers,
Thomas




Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-05 Thread Martin Grigorov
Hi Thomas,

On Thu, Mar 5, 2020 at 3:53 AM Thomas Glanzmann wrote:

> Hello,
> the problem was that I edited the wrong server.xml. The one that was not
> used. So now that I figured that out, setting these two settings helps.
>
> 
> 
> 
>  className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
>  className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>  className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
> 
>  type="org.apache.catalina.UserDatabase"
> description="User database that can be updated and
> saved"
>
> factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
> pathname="conf/tomcat-users.xml" />
> 
> 
>  connectionTimeout="3000"
> URIEncoding="UTF-8"
> redirectPort="8443"
> maxHttpHeaderSize="8192"
> maxThreads="400"
> processorCache="400"
> minSpareThreads="40"
> enableLookups="false"
> acceptCount="100"
> disableUploadTimeout="true"
> />
>  address="0.0.0.0"
> requiredSecret="false"
>

This should be: secretRequired="false".
This attribute has been renamed recently.

Martin


> redirectPort="8443"
> URIEncoding="UTF-8"
> connectionTimeout="3000"
> maxThreads="400"
> processorCache="400"
> minSpareThreads="40"
> maxConnections="400"
> enableLookups="false"
> acceptCount="100"
> />
>  jvmRoute="tomcat-06" >
>  className="org.apache.catalina.realm.LockOutRealm">
>  className="org.apache.catalina.realm.UserDatabaseRealm"
> resourceName="UserDatabase"/>
> 
>  unpackWARs="true" autoDeploy="true">
>  className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
> prefix="localhost_access_log."
> suffix=".txt"
> pattern="%h %l %u %t %r %s %b"
> />
> 
> 
> 
> 
>
> However when I try to access this using mod_jk, I get a 403. I used a sniffer
> and it is coming from the AJP connector. So I tried to set
> allowedRequestAttributesPattern=".*" but that did not solve my problems, any
> ideas?
>
> Setup is:
>
> apache with mod_jk 1.2.46 load balances over 4 tomcats on separate hosts.
>
> Cheers,
> Thomas


Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-04 Thread Thomas Glanzmann
Hello,
the problem was that I edited the wrong server.xml. The one that was not
used. So now that I figured that out, setting these two settings helps.


However when I try to access this using mod_jk, I get a 403. I used a sniffer
and it is coming from the AJP connector. So I tried to set
allowedRequestAttributesPattern=".*" but that did not solve my problems, any
ideas?

Setup is:

apache with mod_jk 1.2.46 load balances over 4 tomcats on separate hosts.

Cheers,
Thomas
