Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
On 10.03.2020 15:44, Martin Grigorov wrote:
> On Tue, Mar 10, 2020 at 3:56 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> > Martin,
> >
> > On 3/10/20 04:43, Martin Grigorov wrote:
> > > We can define custom address like "loopback" for which Tomcat will bind on both "127.0.0.1" and "::1" depending on the values of java.net.preferIPv4Stack and java.net.preferIPv6Addresses, but I am not sure whether it is worth it
> >
> > This is kind of an interesting suggestion, as would maybe supporting "all" as an alias for both 0.0.0.0 and :: together (the old default behavior, which is no longer possible with a single ).
> >
> > Are there any examples of these kinds of things in other products, or does everyone just manually define two separate connector-like entities?
> >
> > httpd just does:
> >
> > Listen 0.0.0.0
> > Listen ::
> >
> > Which is pretty simple. Tomcat's configuration is a lot more verbose and so repeating it is doubly so.
>
> Another option is to make "address" attribute multi valued, e.g. comma/space separated.

My 2 cent :

Since the changes were necessary, have been made and are presumably there to stay, and since this seems to have caused a lot of confusion with a lot of sysadmins, mainly among the ones which had a working front-end/back-end configuration, which suddenly stopped working when they made a minor version upgrade. And since even so, it seems that when the change was made, there was quite an underestimate of the side-effects and the impact this would have in the practical reality out there, should there not be a separate addition to the documentation, explaining this AJP Connector and its settings "from the ground up", starting with the fact that currently, it is basically insecure if used on an open network (and that this was not its original purpose). (At least that's my sysadmin-level understanding of what I've read here so far).

And when talking about changing some Connector attributes, maybe a review should be made first, downwards as well as upwards :

- downwards : ultimately a Connector represents a socket (or more than one ?), at the OS TCP/IP stack level. Some information from that OS-level socket presumably "filters up" through whatever layers there can be between it, and the container level and the Java servlets running inside that container. Is that information likely to be used at the application level, and would proposed changes be neutral in that respect ?

- upwards : it seems from the accumulated discussions here, that (for example) to implement some of the changes/improvement, users (sysadmins) may have to go as far as duplicating the whole Connector tag, to implement the "listen only on localhost" feature (but, that this depends both on the underlying OS and on the in-between layer between that OS and the Connector). And, if some application software currently "interrogates" the Connector to find out about its IP address (or the IP address of the client connected to it), what answer would it get if the "address" attribute would become multi-value ? /Could/ it even get such an answer, if the underlying socket is not one, but two ?

I don't know the answer to the above questions, and I don't even know whether they really are valid questions. But again, I look at this from a sysadmin configurator point of view, without necessarily a deep understanding on the Java finery underlying all this, and I'm quite confused and worried that I could inadvertently break some user application and not really understand why.

And maybe another underlying question : is it really unthinkable to have an AJP connection capable of running under SSL ? (I mean directly, not under some external setup like stunnel e.g.)

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
On 11.03.2020 09:30, Piyush Kumar Nayak wrote:
> What's the point of "ipv6v6only" attribute. The doc says :
> "If listening on an IPv6 address on a dual stack system, should the connector only listen on the IPv6 address? If not specified the default is false and the connector will listen on the IPv6 address and the equivalent IPv4 address if present."
> So if I set address to "::1" and "ipv6v6only" is left to its default, shouldn’t, the connector listen to both the addresses.

I guess it depends on the precise meaning of "on a dual stack system" ..

> -Original Message-
> From: Martin Grigorov
> Sent: Tuesday, March 10, 2020 8:14 PM
> To: Tomcat Users List
> Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
>
> On Tue, Mar 10, 2020 at 3:56 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> > Martin,
> >
> > On 3/10/20 04:43, Martin Grigorov wrote:
> > > We can define custom address like "loopback" for which Tomcat will bind on both "127.0.0.1" and "::1" depending on the values of java.net.preferIPv4Stack and java.net.preferIPv6Addresses, but I am not sure whether it is worth it
> >
> > This is kind of an interesting suggestion, as would maybe supporting "all" as an alias for both 0.0.0.0 and :: together (the old default behavior, which is no longer possible with a single ).
> >
> > Are there any examples of these kinds of things in other products, or does everyone just manually define two separate connector-like entities?
> >
> > httpd just does:
> >
> > Listen 0.0.0.0
> > Listen ::
> >
> > Which is pretty simple. Tomcat's configuration is a lot more verbose and so repeating it is doubly so.
>
> Another option is to make "address" attribute multi valued, e.g. comma/space separated.
>
> Martin
>
> > -chris
RE: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
What's the point of "ipv6v6only" attribute. The doc says :
"If listening on an IPv6 address on a dual stack system, should the connector only listen on the IPv6 address? If not specified the default is false and the connector will listen on the IPv6 address and the equivalent IPv4 address if present."
So if I set address to "::1" and "ipv6v6only" is left to its default, shouldn’t, the connector listen to both the addresses.

-Original Message-
From: Martin Grigorov
Sent: Tuesday, March 10, 2020 8:14 PM
To: Tomcat Users List
Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

On Tue, Mar 10, 2020 at 3:56 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> Martin,
>
> On 3/10/20 04:43, Martin Grigorov wrote:
> > We can define custom address like "loopback" for which Tomcat will
> > bind on both "127.0.0.1" and "::1" depending on the values of
> > java.net.preferIPv4Stack and java.net.preferIPv6Addresses, but I am
> > not sure whether it is worth it
>
> This is kind of an interesting suggestion, as would maybe supporting
> "all" as an alias for both 0.0.0.0 and :: together (the old default
> behavior, which is no longer possible with a single ).
>
> Are there any examples of these kinds of things in other products, or
> does everyone just manually define two separate connector-like entities?
>
> httpd just does:
>
> Listen 0.0.0.0
> Listen ::
>
> Which is pretty simple. Tomcat's configuration is a lot
> more verbose and so repeating it is doubly so.

Another option is to make "address" attribute multi valued, e.g. comma/space separated.

Martin

> -chris
Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
On Tue, Mar 10, 2020 at 3:56 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> Martin,
>
> On 3/10/20 04:43, Martin Grigorov wrote:
> > We can define custom address like "loopback" for which Tomcat will
> > bind on both "127.0.0.1" and "::1" depending on the values of
> > java.net.preferIPv4Stack and java.net.preferIPv6Addresses, but I
> > am not sure whether it is worth it
>
> This is kind of an interesting suggestion, as would maybe supporting
> "all" as an alias for both 0.0.0.0 and :: together (the old default
> behavior, which is no longer possible with a single ).
>
> Are there any examples of these kinds of things in other products, or
> does everyone just manually define two separate connector-like entities?
>
> httpd just does:
>
> Listen 0.0.0.0
> Listen ::
>
> Which is pretty simple. Tomcat's configuration is a lot
> more verbose and so repeating it is doubly so.

Another option is to make "address" attribute multi valued, e.g. comma/space separated.

Martin

> -chris
Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
Martin,

On 3/10/20 04:43, Martin Grigorov wrote:
> We can define custom address like "loopback" for which Tomcat will
> bind on both "127.0.0.1" and "::1" depending on the values of
> java.net.preferIPv4Stack and java.net.preferIPv6Addresses, but I
> am not sure whether it is worth it

This is kind of an interesting suggestion, as would maybe supporting "all" as an alias for both 0.0.0.0 and :: together (the old default behavior, which is no longer possible with a single ).

Are there any examples of these kinds of things in other products, or does everyone just manually define two separate connector-like entities?

httpd just does:

Listen 0.0.0.0
Listen ::

Which is pretty simple. Tomcat's configuration is a lot more verbose and so repeating it is doubly so.

-chris
Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
; /> > netstat -ano | findstr 8009 > TCP127.0.0.1:8009 0.0.0.0:0 LISTENING > 8964 > > Even if the default is used it listens to IPv6 only > redirectPort="8443" secret="seckey" /> > TCP[::1]:8009 [::]:0 LISTENING 3880 > As per the docs, the default for ipv6v6only attribute is false. Should it > not listen to both the protocol stacks. > > -Piyush. > > -Original Message- > From: Piyush Kumar Nayak > Sent: Saturday, March 7, 2020 5:29 PM > To: Tomcat Users List > Subject: RE: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31 > > Chris, > In both the cases, ISAPI and mod_jk, the hostname is set to "localhost" > Tomcat and webserver are on the same host machine. > > > -Original Message- > From: Christopher Schultz > Sent: Friday, March 6, 2020 8:20 PM > To: users@tomcat.apache.org > Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31 > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Piyush, > > On 3/5/20 14:40, Piyush Kumar Nayak wrote: > > Thanks Mark, Two connector configs works. Any ideas, on why the > > behavior if different for ISAPI and mod_jk modules? > > What do your configurations look like for each module? > > - -chris > > > -Original Message- From: Mark H. Wood > > Sent: Thursday, March 5, 2020 10:28 PM To: users@tomcat.apache.org > > Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31 > > > > On Thu, Mar 05, 2020 at 01:52:57PM +, Piyush Kumar Nayak > > wrote: > >> Is there a way to get Tomcat's AJP connector to bind to both IPv4 and > >> IPv6 loopback addresses. 
> >> > >> By default, it seems that Tomcat binds to IPv4 loopback Default > >> connector config : >> redirectPort="8447" packetSize="65535" secret="xxx" > >> tomcatAuthentication="false"/> > >> > >> netstat -ano | findstr 8014 TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING > >> 8616 TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED > >> 8616 TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800 > >> > >> Introducing the address attribute like so : >> protocol="AJP/1.3" address="::1" port="8014" redirectPort="8447" > >> packetSize="65535" secret="xxx" tomcatAuthentication="false"/> binds > >> it to IPv6 loopback TCP [::1]:8014 [::]:0 LISTENING 8616 TCP > >> [::1]:8014 [::1]:57522 ESTABLISHED 8616 TCP [::1]:57522 > >> [::1]:8014 ESTABLISHED 6564 > >> > >> Is there a way to make it bind to both the loopbacks. The problem we > >> are facing is our Tomcat installations can have connector configured > >> with IIS or Apache HTTPD. Apache connector, by default seems to make > >> a socket connection using the address ::1 (IPv6 loop back address), > >> whereas IIS connector tries to bind to the > >> IPv4 loopback. > > > > Two things I would try: > > > > 1. Two connectors, one with address='::1' and the other with > > address='127.0.0.1', both with port='8014'. > > > > 2. Configure the other end explicitly: tell HTTPD and IIS which > > address to use, and then configure your AJP Connector to match. > > > > -- Mark H. Wood Lead Technology Analyst > > > > University Library Indiana University - Purdue University Indianapolis > > 755 W. 
Michigan Street Indianapolis, IN 46202 > > 317-274-0749 www.ulib.iupui.edu
Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
Piyush,

On 3/9/20 15:34, Piyush Kumar Nayak wrote:
> There appears to be a change in the behavior of AJP connector in Tomcat, with respect to the protocol stack of the loopback address it binds to.
> With older versions it binds to both IPv6 and IPv4 interface, but with 9.0.31 it appears to bind to IPv4 only, if the address attribute is removed from the connector config
>
> Tomcat 9.0.16 - default config
> protocol="AJP/1.3" redirectPort="8443" />
> netstat -ano | findstr 8009
> TCP    0.0.0.0:8009    0.0.0.0:0    LISTENING    19832
> TCP    [::]:8009    [::]:0    LISTENING    19832
>
> Tomcat 9.0.31 - note that address attribute is removed... in the standard config it is set to "::1".
>
> netstat -ano | findstr 8009
> TCP    127.0.0.1:8009    0.0.0.0:0    LISTENING    8964
>
> Even if the default is used it listens to IPv6 only
> protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" secret="seckey" />
> TCP    [::1]:8009    [::]:0    LISTENING    3880
>
> As per the docs, the default for ipv6v6only attribute is false. Should it not listen to both the protocol stacks.

The old default was "no address specified" and so Java would generally bind to all interfaces. The new default is "localhost", so it may be sensitive to the name-resolution that your system performs when you ask it for the interface for "localhost". If it gives only an IPv4 address, you'll get IPv4. If only IPv6, then only IPv6. If both, then probably both.

Actually, maybe not. I don't think you can bind to two interfaces at the same time, unless those interfaces are the "all interfaces" metainterface.

-chris

> -Original Message-
> From: Piyush Kumar Nayak
> Sent: Saturday, March 7, 2020 5:29 PM
> To: Tomcat Users List
> Subject: RE: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
>
> Chris, In both the cases, ISAPI and mod_jk, the hostname is set to "localhost" Tomcat and webserver are on the same host machine.
> > > -Original Message- From: Christopher Schultz > Sent: Friday, March 6, 2020 8:20 PM > To: users@tomcat.apache.org Subject: Re: bind Tomcat to IPv4 and > IPv6 loopback, Tomcat 9.0.31 > > Piyush, > > On 3/5/20 14:40, Piyush Kumar Nayak wrote: >> Thanks Mark, Two connector configs works. Any ideas, on why the >> behavior if different for ISAPI and mod_jk modules? > > What do your configurations look like for each module? > > -chris > >> -Original Message- From: Mark H. Wood >> Sent: Thursday, March 5, 2020 10:28 PM To: >> users@tomcat.apache.org Subject: Re: bind Tomcat to IPv4 and IPv6 >> loopback, Tomcat 9.0.31 > >> On Thu, Mar 05, 2020 at 01:52:57PM +, Piyush Kumar Nayak >> wrote: >>> Is there a way to get Tomcat's AJP connector to bind to both >>> IPv4 and IPv6 loopback addresses. >>> >>> By default, it seems that Tomcat binds to IPv4 loopback Default >>> connector config : >> redirectPort="8447" packetSize="65535" secret="xxx" >>> tomcatAuthentication="false"/> >>> >>> netstat -ano | findstr 8014 TCP 127.0.0.1:8014 0.0.0.0:0 >>> LISTENING 8616 TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED >>> 8616 TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800 >>> >>> Introducing the address attribute like so : >> protocol="AJP/1.3" address="::1" port="8014" >>> redirectPort="8447" packetSize="65535" secret="xxx" >>> tomcatAuthentication="false"/> binds it to IPv6 loopback TCP >>> [::1]:8014 [::]:0 LISTENING 8616 TCP [::1]:8014 [::1]:57522 >>> ESTABLISHED 8616 TCP [::1]:57522 [::1]:8014 ESTABLISHED 6564 >>> >>> Is there a way to make it bind to both the loopbacks. The >>> problem we are facing is our Tomcat installations can have >>> connector configured with IIS or Apache HTTPD. Apache >>> connector, by default seems to make a socket connection using >>> the address ::1 (IPv6 loop back address), whereas IIS connector >>> tries to bind to the IPv4 loopback. > >> Two things I would try: > >> 1. 
Two connectors, one with address='::1' and the other with >> address='127.0.0.1', both with port='8014'. > >> 2. Configure the other end explicitly: tell HTTPD and IIS which >> address to use, and then configure your AJP Connector to match. > >> -- Mark H. Wood Lead
RE: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
There appears to be a change in the behavior of AJP connector in Tomcat, with respect to the protocol stack of the loopback address it binds to. With older versions it binds to both IPv6 and IPv4 interface, but with 9.0.31 it appears to bind to IPv4 only, if the address attribute is removed from the connector config

Tomcat 9.0.16 - default config

netstat -ano | findstr 8009
TCP    0.0.0.0:8009    0.0.0.0:0    LISTENING    19832
TCP    [::]:8009    [::]:0    LISTENING    19832

Tomcat 9.0.31 - note that address attribute is removed... in the standard config it is set to "::1".

netstat -ano | findstr 8009
TCP    127.0.0.1:8009    0.0.0.0:0    LISTENING    8964

Even if the default is used it listens to IPv6 only

TCP    [::1]:8009    [::]:0    LISTENING    3880

As per the docs, the default for ipv6v6only attribute is false. Should it not listen to both the protocol stacks.

-Piyush.

-Original Message-
From: Piyush Kumar Nayak
Sent: Saturday, March 7, 2020 5:29 PM
To: Tomcat Users List
Subject: RE: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Chris, In both the cases, ISAPI and mod_jk, the hostname is set to "localhost" Tomcat and webserver are on the same host machine.

-Original Message-
From: Christopher Schultz
Sent: Friday, March 6, 2020 8:20 PM
To: users@tomcat.apache.org
Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Piyush,

On 3/5/20 14:40, Piyush Kumar Nayak wrote:
> Thanks Mark, Two connector configs works. Any ideas, on why the
> behavior if different for ISAPI and mod_jk modules?

What do your configurations look like for each module?

-chris

> -Original Message-
> From: Mark H. Wood
> Sent: Thursday, March 5, 2020 10:28 PM
> To: users@tomcat.apache.org
> Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
>
> On Thu, Mar 05, 2020 at 01:52:57PM +, Piyush Kumar Nayak wrote:
>> Is there a way to get Tomcat's AJP connector to bind to both IPv4 and
>> IPv6 loopback addresses.
>> >> By default, it seems that Tomcat binds to IPv4 loopback Default >> connector config : > redirectPort="8447" packetSize="65535" secret="xxx" >> tomcatAuthentication="false"/> >> >> netstat -ano | findstr 8014 TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING >> 8616 TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED >> 8616 TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800 >> >> Introducing the address attribute like so : > protocol="AJP/1.3" address="::1" port="8014" redirectPort="8447" >> packetSize="65535" secret="xxx" tomcatAuthentication="false"/> binds >> it to IPv6 loopback TCP [::1]:8014 [::]:0 LISTENING 8616 TCP >> [::1]:8014 [::1]:57522 ESTABLISHED 8616 TCP [::1]:57522 >> [::1]:8014 ESTABLISHED 6564 >> >> Is there a way to make it bind to both the loopbacks. The problem we >> are facing is our Tomcat installations can have connector configured >> with IIS or Apache HTTPD. Apache connector, by default seems to make >> a socket connection using the address ::1 (IPv6 loop back address), >> whereas IIS connector tries to bind to the >> IPv4 loopback. > > Two things I would try: > > 1. Two connectors, one with address='::1' and the other with > address='127.0.0.1', both with port='8014'. > > 2. Configure the other end explicitly: tell HTTPD and IIS which > address to use, and then configure your AJP Connector to match. > > -- Mark H. Wood Lead Technology Analyst > > University Library Indiana University - Purdue University Indianapolis > 755 W. 
Michigan Street Indianapolis, IN 46202 > 317-274-0749 www.ulib.iupui.edu
RE: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
Chris, In both the cases, ISAPI and mod_jk, the hostname is set to "localhost" Tomcat and webserver are on the same host machine. -Original Message- From: Christopher Schultz Sent: Friday, March 6, 2020 8:20 PM To: users@tomcat.apache.org Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31 -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Piyush, On 3/5/20 14:40, Piyush Kumar Nayak wrote: > Thanks Mark, Two connector configs works. Any ideas, on why the > behavior if different for ISAPI and mod_jk modules? What do your configurations look like for each module? - -chris > -Original Message- From: Mark H. Wood > Sent: Thursday, March 5, 2020 10:28 PM To: users@tomcat.apache.org > Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31 > > On Thu, Mar 05, 2020 at 01:52:57PM +, Piyush Kumar Nayak > wrote: >> Is there a way to get Tomcat's AJP connector to bind to both IPv4 and >> IPv6 loopback addresses. >> >> By default, it seems that Tomcat binds to IPv4 loopback Default >> connector config : > redirectPort="8447" packetSize="65535" secret="xxx" >> tomcatAuthentication="false"/> >> >> netstat -ano | findstr 8014 TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING >> 8616 TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED >> 8616 TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800 >> >> Introducing the address attribute like so : > protocol="AJP/1.3" address="::1" port="8014" redirectPort="8447" >> packetSize="65535" secret="xxx" tomcatAuthentication="false"/> binds >> it to IPv6 loopback TCP [::1]:8014 [::]:0 LISTENING 8616 TCP >> [::1]:8014 [::1]:57522 ESTABLISHED 8616 TCP [::1]:57522 >> [::1]:8014 ESTABLISHED 6564 >> >> Is there a way to make it bind to both the loopbacks. The problem we >> are facing is our Tomcat installations can have connector configured >> with IIS or Apache HTTPD. Apache connector, by default seems to make >> a socket connection using the address ::1 (IPv6 loop back address), >> whereas IIS connector tries to bind to the >> IPv4 loopback. 
> > Two things I would try: > > 1. Two connectors, one with address='::1' and the other with > address='127.0.0.1', both with port='8014'. > > 2. Configure the other end explicitly: tell HTTPD and IIS which > address to use, and then configure your AJP Connector to match. > > -- Mark H. Wood Lead Technology Analyst > > University Library Indiana University - Purdue University Indianapolis > 755 W. Michigan Street Indianapolis, IN 46202 > 317-274-0749 www.ulib.iupui.edu
Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
Piyush,

On 3/5/20 14:40, Piyush Kumar Nayak wrote:
> Thanks Mark, Two connector configs work. Any ideas, on why the
> behavior is different for ISAPI and mod_jk modules?

What do your configurations look like for each module?

-chris

> -Original Message-
> From: Mark H. Wood
> Sent: Thursday, March 5, 2020 10:28 PM
> To: users@tomcat.apache.org
> Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
>
> On Thu, Mar 05, 2020 at 01:52:57PM +, Piyush Kumar Nayak wrote:
>> Is there a way to get Tomcat's AJP connector to bind to both IPv4
>> and IPv6 loopback addresses.
>>
>> By default, it seems that Tomcat binds to IPv4 loopback
>> Default connector config :
>> redirectPort="8447" packetSize="65535" secret="xxx"
>> tomcatAuthentication="false"/>
>>
>> netstat -ano | findstr 8014
>> TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING 8616
>> TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED 8616
>> TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800
>>
>> Introducing the address attribute like so :
>> protocol="AJP/1.3" address="::1" port="8014" redirectPort="8447"
>> packetSize="65535" secret="xxx" tomcatAuthentication="false"/>
>> binds it to IPv6 loopback
>> TCP [::1]:8014 [::]:0 LISTENING 8616
>> TCP [::1]:8014 [::1]:57522 ESTABLISHED 8616
>> TCP [::1]:57522 [::1]:8014 ESTABLISHED 6564
>>
>> Is there a way to make it bind to both the loopbacks. The problem
>> we are facing is our Tomcat installations can have connector
>> configured with IIS or Apache HTTPD. Apache connector, by default
>> seems to make a socket connection using the address ::1 (IPv6
>> loop back address), whereas IIS connector tries to bind to the
>> IPv4 loopback.
>
> Two things I would try:
>
> 1. Two connectors, one with address='::1' and the other with
>    address='127.0.0.1', both with port='8014'.
>
> 2. Configure the other end explicitly: tell HTTPD and IIS which
>    address to use, and then configure your AJP Connector to match.
>
> --
> Mark H. Wood
> Lead Technology Analyst
>
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
RE: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
Thanks Mark,
Two connector configs work. Any ideas, on why the behavior is different for ISAPI and mod_jk modules?

-Original Message-
From: Mark H. Wood
Sent: Thursday, March 5, 2020 10:28 PM
To: users@tomcat.apache.org
Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

On Thu, Mar 05, 2020 at 01:52:57PM +, Piyush Kumar Nayak wrote:
> Is there a way to get Tomcat's AJP connector to bind to both IPv4 and IPv6
> loopback addresses.
>
> By default, it seems that Tomcat binds to IPv4 loopback
> Default connector config :
> packetSize="65535" secret="xxx" tomcatAuthentication="false"/>
>
> netstat -ano | findstr 8014
> TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING 8616
> TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED 8616
> TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800
>
> Introducing the address attribute like so :
> redirectPort="8447" packetSize="65535" secret="xxx"
> tomcatAuthentication="false"/>
> binds it to IPv6 loopback
> TCP [::1]:8014 [::]:0 LISTENING 8616
> TCP [::1]:8014 [::1]:57522 ESTABLISHED 8616
> TCP [::1]:57522 [::1]:8014 ESTABLISHED 6564
>
> Is there a way to make it bind to both the loopbacks. The problem we are
> facing is our Tomcat installations can have connector configured with IIS or
> Apache HTTPD.
> Apache connector, by default seems to make a socket connection using the
> address ::1 (IPv6 loop back address), whereas IIS connector tries to bind to
> the IPv4 loopback.

Two things I would try:

1. Two connectors, one with address='::1' and the other with
   address='127.0.0.1', both with port='8014'.

2. Configure the other end explicitly: tell HTTPD and IIS which
   address to use, and then configure your AJP Connector to match.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
On Thu, Mar 05, 2020 at 01:52:57PM +, Piyush Kumar Nayak wrote:
> Is there a way to get Tomcat's AJP connector to bind to both IPv4 and IPv6
> loopback addresses.
>
> By default, it seems that Tomcat binds to IPv4 loopback
> Default connector config :
> packetSize="65535" secret="xxx" tomcatAuthentication="false"/>
>
> netstat -ano | findstr 8014
> TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING 8616
> TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED 8616
> TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800
>
> Introducing the address attribute like so :
> packetSize="65535" secret="xxx" tomcatAuthentication="false"/>
> binds it to IPv6 loopback
> TCP [::1]:8014 [::]:0 LISTENING 8616
> TCP [::1]:8014 [::1]:57522 ESTABLISHED 8616
> TCP [::1]:57522 [::1]:8014 ESTABLISHED 6564
>
> Is there a way to make it bind to both the loopbacks. The problem we are
> facing is our Tomcat installations can have connector configured with IIS or
> Apache HTTPD.
> Apache connector, by default seems to make a socket connection using the
> address ::1 (IPv6 loop back address), whereas IIS connector tries to bind to
> the IPv4 loopback.

Two things I would try:

1. Two connectors, one with address='::1' and the other with
   address='127.0.0.1', both with port='8014'.

2. Configure the other end explicitly: tell HTTPD and IIS which
   address to use, and then configure your AJP Connector to match.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
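
The two-connector layout suggested above can be checked mechanically. This is an added example, not code from the thread or from the Tomcat project: a Python audit that reports, per AJP port, whether both loopbacks are covered, whether any bind address is not a literal loopback, and whether a connector lacks a secret. The sample server.xml, port 8015, the function names and the default-address rule are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the two-connector layout from the thread on port 8014,
# plus a hypothetical port 8015 that relies on the default bind address.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8014"
             redirectPort="8447" secret="xxx" tomcatAuthentication="false"/>
  <Connector protocol="AJP/1.3" address="::1" port="8014"
             redirectPort="8447" secret="xxx" tomcatAuthentication="false"/>
  <Connector protocol="AJP/1.3" port="8015" redirectPort="8447" secret="xxx"/>
</Service></Server>"""

# Assumption: no address attribute means the IPv4 loopback, matching the
# netstat output quoted in the thread.
DEFAULT_ADDRESS = "127.0.0.1"

def audit_ajp_connectors(server_xml):
    """Map each AJP port to its loopback coverage and risky settings."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are out of scope for this check
        entry = report.setdefault(conn.get("port"), {
            "v4": False, "v6": False, "exposed": [], "no_secret": False})
        raw = conn.get("address", DEFAULT_ADDRESS)
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            addr = None  # host name: cannot be proven loopback offline
        if addr is not None and addr.is_loopback:
            entry["v4" if addr.version == 4 else "v6"] = True
        else:
            entry["exposed"].append(raw)
        entry["no_secret"] |= not conn.get("secret")
    return report

def findings(report):
    out = []
    for port, e in sorted(report.items()):
        if e["exposed"]:
            out.append(f"port {port}: not a literal loopback: {', '.join(e['exposed'])}")
        if e["v4"] != e["v6"]:
            out.append(f"port {port}: no listener on {'::1' if e['v4'] else '127.0.0.1'}")
        if e["no_secret"]:
            out.append(f"port {port}: connector without secret")
    return out
```

Run `findings(audit_ajp_connectors(open("conf/server.xml").read()))` against a real configuration; an empty list means every AJP port is loopback-only, reachable over both address families, and protected by a secret.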
Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
Hi,

Check this thread:
https://lists.apache.org/thread.html/r1f83f0c731a8737fdf4dad13ae402acd2fdc1ab1a86605af5b496a5f%40%3Cusers.tomcat.apache.org%3E

On Thu, Mar 5, 2020 at 3:53 PM Piyush Kumar Nayak wrote:
>
> Is there a way to get Tomcat's AJP connector to bind to both IPv4 and IPv6
> loopback addresses.
>
> By default, it seems that Tomcat binds to IPv4 loopback
> Default connector config :
> packetSize="65535" secret="xxx" tomcatAuthentication="false"/>
>
> netstat -ano | findstr 8014
> TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING 8616
> TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED 8616
> TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800
>
> Introducing the address attribute like so :
> redirectPort="8447" packetSize="65535" secret="xxx"
> tomcatAuthentication="false"/>
> binds it to IPv6 loopback
> TCP [::1]:8014 [::]:0 LISTENING 8616
> TCP [::1]:8014 [::1]:57522 ESTABLISHED 8616
> TCP [::1]:57522 [::1]:8014 ESTABLISHED 6564
>
> Is there a way to make it bind to both the loopbacks. The problem we are
> facing is our Tomcat installations can have connector configured with IIS
> or Apache HTTPD.
> Apache connector, by default seems to make a socket connection using the
> address ::1 (IPv6 loop back address), whereas IIS connector tries to bind
> to the IPv4 loopback.
>
> Thanks,
> Piyush.
>