please care and vote for Chinese people under cruel autocracy of CCP, great thanks!

2019-08-28 Thread ant_fighter
Hi all,
Sorry for disturbing you guys. Though I don't think this is a proper place to 
do this, I need your help, your vote, your holy vote, for us Chinese, for 
conscience and justice, for a better world.

In the over 70 years of ruling over China, the Chinese Communist Party has done 
many horrible things humans can think of. These malicious and evil deeds 
include but are not limited to: falsifying national history, suppression of 
freedom of speech and press, money laundering in the scale of trillions, live 
organ harvesting, sexual harassment and assault to underaged females, 
slaughtering innocent citizens with counter-revolutionary excuses, etc.

In light of the recent violent actions to Hong Kongers by the People's 
Liberation Army (PLA) disguised as Hong Kong Police Force, we the people 
petition to officially recognize the Chinese Communist Party as a terrorist 
organization.

PLEASE SIGNUP and VOTE for us:
https://petitions.whitehouse.gov/petition/call-official-recognition-chinese-communist-party-terrorist-organization

Thanks again for all!

nameless, an ant fighter
2019.8.29

Client-CERT SSLVerifyClient=none does not seem to work .. any suggestion for debugging?

2019-08-28 Thread Vivien Wu
Tomcat version: 8.5.14
OS: debian 9 (stretch)
Issues:  If using SSLVerifyClient=optional, it seems to work (log attached,
assuming config is validated);
however when trying to use SSLVerifyClient=none, the browser complains

This site can’t provide a secure connection login-test.foo.com sent an
invalid response.
ERR_SSL_PROTOCOL_ERROR


When digging into the tomcat log, the only clues are as follows.


28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling authenticate()
28-Aug-2019 18:16:38.091 FINE [https-openssl-apr-8443-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed authenticate() test

.. wondering if anyone has any suggestion as to how to debug the issues.

Thank you all in advance for your help.




Configuration:
1. web.xml




X509AuthHandler

net.shibboleth.idp.authn.impl.X509AuthServlet
3


X509AuthHandler
/Authn/X509



X509AuthHandler
/Authn/X509


CONFIDENTIAL


X509



 CLIENT-CERT





2. server.xml


 




 

 



3. logging.properties

org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true
net.unicon.tomcat7.realm.level = ALL
net.unicon.tomcat7.realm.useParentHandlers = true
org.apache.coyote.http11.level = ALL
org.apache.coyote.http11.useParentHandlers = true

with  -Djavax.net.debug=ssl




4. When SSLVerifyClient=none is specified in Connector,  got the following
in the browser,

This site can’t provide a secure connection login-test.foo.com sent an
invalid response.
ERR_SSL_PROTOCOL_ERROR

and in the catalina log,

28-Aug-2019 18:16:38.089 FINE [https-openssl-apr-8443-exec-1]
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine Received [GET
/idp/Authn/X509?conversation=e1s1 HTTP/1.1
Host: login-test.foo.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
DNT: 1
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7,mt;q=0.6,zh-TW;q=0.5
Cookie: JSESSIONID=70B72EE82D09700707565E884DB1E3C5.jvm1; x509passthrough=1

]
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security
checking request GET /idp/Authn/X509
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking
constraint 'SecurityConstraint[X509AuthHandler]' against GET /Authn/X509
--> true
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking
constraint 'SecurityConstraint[Automatic Forward to HTTPS/SSL]' against GET
/Authn/X509 --> true
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling
hasUserDataPermission()
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data
constraint already satisfied
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling
authenticate()
28-Aug-2019 18:16:38.091 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
authenticate() test
28-Aug-2019 18:16:38.094 FINE [https-openssl-apr-8443-exec-1]
org.apache.coyote.AbstractProcessorLight.process Socket:
[org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper@2081420c:139711359418528],
Status in: [OPEN_READ], State out: [OPEN]
28-Aug-2019 18:16:38.094 FINE [https-openssl-apr-8443-exec-1]
org.apache.coyote.AbstractProtocol$ConnectionHandler.release Pushed
Processor [org.apache.coyote.http11.Http11Processor@4c325234]
28-Aug-2019 18:16:38.115 FINE [https-openssl-apr-8443-exec-2]
org.apache.coyote.AbstractProtocol$ConnectionHandler.process Processing
socket [139,711,359,418,528] with status [OPEN_READ]
28-Aug-2019 18:16:38.115 FINE [https-openssl-apr-8443-exec-2]
org.apache.coyote.AbstractProtocol$ConnectionHandler.process Found
processor [null] for socket [139,711,359,418,528]
28-Aug-2019 18:16:38.115 FINE [https-openssl-apr-8443-exec-2]
org.apache.coyote.AbstractProtocol$ConnectionHandler.process Popped
processor [org.apache.coyote.http11.Http11Processor@4c325234] from cache
28-Aug-2019 18:16:38.124 FINE [https-openssl-apr-8443-exec-2]

RE: Profiler for Tomcat

2019-08-28 Thread John.E.Gregg
Michael,


> -Original Message-
> From: Michael Duffy 
> Sent: Tuesday, August 27, 2019 5:47 PM
> To: users@tomcat.apache.org
> Subject: Profiler for Tomcat
> 
> I have searched for a good profiler for Tomcat with little success.
> 
> I am looking for an application that will profile internal memory and
> bandwidth utilized (data transfer rates from Tomcat).
> 
> Any help would be greatly appreciated.
> 
> Thx!

Flight recordings made with Mission Control have pretty useful memory 
allocation data.  I've definitely found some low-hanging fruit with it.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Access denied (403) for external requests

2019-08-28 Thread Jörg Schaible
Ouch.

You're definitely right, I should have posted my environment. While looking at it 
I detected Tomcat 9.0.10 ... quite old. So I did an update to 9.0.24. 
Finalizing the update I recognized that someone had modified the global 
context.xml and looking at the diff I found an additional Valve:

 

So, no wonder we got only responses for requests from the intranet ... :-/

Am Mittwoch, 28. August 2019, 12:17:35 CEST schrieb André Warnier (tomcat):
> Hi.
> (While not saying yet that this is the problem in your case)
> It would help a lot if you specified the version of Tomcat, the JVM, and the
> platform on which you are running this.
> (Such as maybe a bug in a past version of RemoteAddrValve which would
> explain this).

[snip]

Cheers,
Jörg
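
The situation described in this message, as an added example that is not part of the original post: valves declared in `server.xml` and in the global `context.xml` are evaluated independently, and a request has to pass every one of them. The sketch assumes the extra valve was a `RemoteAddrValve`; the two file contents and the helper names are constructed, and the patterns are assumed to use regex syntax common to Java and Python.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"
# Constructed sample files (assumed contents, not the poster's configuration).
FILES = {
    "conf/server.xml": r"""<Server><Service><Engine><Host>
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             addConnectorPort="true" allow="192\.168\.\d+\.\d+;8080|.*;8445"/>
    </Host></Engine></Service></Server>""",
    "conf/context.xml": r"""<Context>
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="192\.168\.\d+\.\d+"/>
    </Context>""",
}

def find_valves(xml_text):
    """Yield (allow, deny, addConnectorPort) for each RemoteAddrValve element."""
    for el in ET.fromstring(xml_text).iter("Valve"):
        if el.get("className") == VALVE:
            with_port = el.get("addConnectorPort", "false").lower() == "true"
            yield el.get("allow"), el.get("deny"), with_port

def is_allowed(allow, deny, prop):
    """Valve decision order: deny first, then allow; patterns must match fully."""
    if deny is not None and re.fullmatch(deny, prop):
        return False
    if allow is not None and re.fullmatch(allow, prop):
        return True
    return deny is not None and allow is None

def blocking_files(files, addr, port):
    """Every valve in the chain must admit the request; list files that reject."""
    rejected = []
    for name, text in files.items():
        for allow, deny, with_port in find_valves(text):
            # With addConnectorPort the valve compares "address;port".
            prop = f"{addr};{port}" if with_port else addr
            if not is_allowed(allow, deny, prop):
                rejected.append(name)
    return rejected

if __name__ == "__main__":
    for addr in ("192.168.10.1", "203.0.113.7"):
        print(addr, "-> rejected by", blocking_files(FILES, addr, 8445) or "no valve")
```

Run against a real installation, the same check should also cover per-application `META-INF/context.xml` files, since a valve there applies in addition to the global ones.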






Re: Access denied (403) for external requests

2019-08-28 Thread tomcat

Hi.
(While not saying yet that this is the problem in your case)
It would help a lot if you specified the version of Tomcat, the JVM, and the platform on 
which you are running this.

(Such as maybe a bug in a past version of RemoteAddrValve which would explain 
this).

On 28.08.2019 11:17, Jörg Schaible wrote:

Hi,

we've set up a Tomcat instance to answer on HTTP and port 8080 to requests from
the intranet and HTTPS with port 8445 to external requests. When we use HTTPS
and port 8445 from the intranet, our firewall will redirect the request, but
without changing protocol or port. Tomcat answers to every request from the
intranet using either HTTP/8080 or HTTPS/8445, but every external request is
denied with 403 and we have no clue why.

The server.xml is just modified by adding an additional connector for HTTPS and
a valve to restrict the access to 8445 for external addresses:

  ...
  


  





  

  
  


  

  
...

We get the following 3 entries in our access log:

 %< 
192.168.10.31:8080 sub.intranet.local:8080 - - [28/Aug/2019:10:54:11 +0200] "GET /app/ping HTTP/1.1" 200 1525 -
192.168.10.1:8445 sub.domain.demo:8445 - - [28/Aug/2019:10:53:57 +0200] "GET /app/ping HTTP/1.1" 200 1537 -
111.222.333.444:8445 sub.domain.demo:8445 - - [28/Aug/2019:10:53:26 +0200] "GET /app/ping HTTP/1.1" 403 983 -
 %< 

First two requests were from within the intranet:
  http://sub.intranet.local:8080/app/ping
  https://sub.domain.demo:8445/app/ping

However, if we make the latter request from external, we're denied although
the regex of the RemoteAddrValve matches.

We searched now for hours in the Tomcat documentation, FAQ and Google, but we
found neither an explanation for the behavior nor how we can enable further
diagnostics for this denial.

Regards,
Jörg








Access denied (403) for external requests

2019-08-28 Thread Jörg Schaible
Hi,

we've set up a Tomcat instance to answer on HTTP and port 8080 to requests from 
the intranet and HTTPS with port 8445 to external requests. When we use HTTPS 
and port 8445 from the intranet, our firewall will redirect the request, but 
without changing protocol or port. Tomcat answers to every request from the 
intranet using either HTTP/8080 or HTTPS/8445, but every external request is 
denied with 403 and we have no clue why.

The server.xml is just modified by adding an additional connector for HTTPS and 
a valve to restrict the access to 8445 for external addresses:

 ...
 
   
   
 
   
   
   
   
   
 
   
 
 
   
   
 
   
 
...

We get the following 3 entries in our access log:

 %< 
192.168.10.31:8080 sub.intranet.local:8080 - - [28/Aug/2019:10:54:11 +0200] "GET /app/ping HTTP/1.1" 200 1525 -
192.168.10.1:8445 sub.domain.demo:8445 - - [28/Aug/2019:10:53:57 +0200] "GET /app/ping HTTP/1.1" 200 1537 -
111.222.333.444:8445 sub.domain.demo:8445 - - [28/Aug/2019:10:53:26 +0200] "GET /app/ping HTTP/1.1" 403 983 -
 %< 

First two requests were from within the intranet:
 http://sub.intranet.local:8080/app/ping
 https://sub.domain.demo:8445/app/ping

However, if we make the latter request from external, we're denied although 
the regex of the RemoteAddrValve matches.

We searched now for hours in the Tomcat documentation, FAQ and Google, but we 
found neither an explanation for the behavior nor how we can enable further 
diagnostics for this denial.

Regards,
Jörg








Re: Problems starting Tomcat 9.0.24 32-bit as a service

2019-08-28 Thread Mark Thomas
On August 27, 2019 5:40:57 PM UTC, Juan Ramirez  wrote:
>Hello,
>
>I'm currently having an issue with starting Tomcat 9.0.24 32-bit
>version as a service.

https://bz.apache.org/bugzilla/show_bug.cgi?id=63625


It seems to be specific to 32-bit Windows.

Still digging in to the root cause. You can use Tomcat9.exe from 9.0.22 as a 
workaround.

Mark


> After installing Tomcat9 using the windows
>service installer, I try to run Tomcat9 and get the windows service
>error:
>"Windows could not start Tomcat9 service on Local Computer. Error 1067:
>The process terminated unexpectedly." I tried looking in the logs to
>see what could have caused the error, but no errors are logged. The
>only thing I could find in the logs is in the commons daemon log file:
>
>[10860] Apache Commons Daemon procrun (1.2.0.0 32-bit) started.
>[10860] Debugging 'tomcat9' service...
>[10860] Starting service...
>
>I also tried running Tomcat9 through the executable (tomcat9.exe) and
>get the error: "Apache Commons Daemon Service Runner has stopped
>working." I have also tried manually installing Tomcat9 through the
>32-bit Windows zip and keep having the same errors as installing it
>through the installer. When I tried using the 64-bit version of Tomcat
>9.0.24, it seems to work fine and I'm able to launch it as a service,
>which leads me to believe that something may be wrong with the 32-bit
>version only. I'm using AdoptJDK 12.0.2+10 HotSpot 32-bit for Windows
>10, as well as the 64-bit version when I tried the 64 bit version of
>Tomcat9. The last thing I tried was running Tomcat 9.0.24 32-bit
>through the command line window with the provided startup.bat file in
>the bin folder and I was able to run Tomcat9 and even reach the default
>web page. I'm just not able to run it as a windows service.
>
>Any and all help is appreciated, thanks.
>Juan

