On Thu, Aug 8, 2013 at 5:12 PM, Rainer Jung <[email protected]> wrote:
> On 08.08.2013 17:32, Nick Tkach wrote:
> > Not quite sure if this needs to wind up in this group or the tomcat list
> > since it kind of involves both. I'm fairly sure it involves an Apache
> > misconfig, so thought I'd start here.
> >
> > We've got an Apache facing the Internet with some Java app servers (both
> > jboss and tomcat), pretty standard thing. It's got the jk status worker
> > locked down to only the internal IP addresses as usual. That much seems
> > to work fine. The weirdness is that if you do a "blank" POST to the
> > root context in the Apache it returns the jk status page *regardless of
> > where you are*.
> >
> > So for instance, let's say my external site is http://baseco.com. If
> > I've got the status worker mounted as /status, then
> > http://baseco.com/status is correctly *not* reachable from the outside
> > (403 denied) and correctly *is* reachable from the inside.
> >
> > However if I do a POST of blank lines:
> >
> > POST / HTTP/1.0
> > Host:baseco.com
> >
> >
> > (there are two carriage returns here)
> >
> > It acts as though you made a call to http://baseco.com/status (in the
> > contents-not the url).
> >
> > Not sure what all parts of the config to include, but this is the
> > general outline
> >
> > ------------------------------
> > DirectoryIndex index.html index.html.var
> >
> > <Directory />
> >     Options FollowSymLinks
> >     AllowOverride None
> >     <Limit GET POST HEAD>
> >         Order allow,deny
> >         Allow from all
> >     </Limit>
> >     <LimitExcept GET POST HEAD>
> >         Order deny,allow
> >         Deny from all
> >     </LimitExcept>
> > </Directory>
> >
> > JkMount /status mystatus
> > <Location /status>
> >     JkMount mystatus
> >     Order allow,deny
> >     Allow from all
> >     Deny from xx.yy.zz aa.bb.cc (subnets for
> >     external-facing firewalls)
> > </Location>
> > <VirtualHost externalip:external port>
> >
> > </VirtualHost>
> > --------------------------------------
> >
> > Then the really strange (to me) follow-up is that it seems to be related
> > to not having anything for an index page in the DocumentRoot directory
> > (even though we're blocking access to /). As soon as you put an
> > index.html file out there in the DocumentRoot (even with just a blank
> > line in it) the problem goes away.
> >
> > I'm trying to figure out how a request for / can "become" a call to
> > /status. Any ideas? I'm guessing it's something subtle about the
> > config and not an actual bug.
>
> The shown config obviously is not complete. You should also tell us
> about the versions of Apache and mod_jk used.
>
> I would clean up by removing "JkMount mystatus" from inside the
> Location. The JkMount above the Location is sufficient.
>
> The problem does not happen if you request "GET /"?
>
> Then I would switch JkLogLevel to "debug" on an idle system, reproduce
> the problem and post the log here. Clean the log from any info that you
> don't want to expose publicly.
>
> Regards,
>
> Rainer

You are absolutely right. I'm embarrassed I didn't think to include versions! :) I will do that soon as I get back to work. Yes, oddly enough it does *not* happen on a GET, PUT, DELETE, OPTIONS, or HEAD.
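
Added example, not part of the original thread or of mod_jk: a regression check for the behaviour described above, which looks for the status page in the response body for every method and path instead of trusting the URL or the status code. The marker string, the function names and the constructed stand-in server are assumptions made for this sketch.

```python
import http.client

# Assumption: the mod_jk status worker's HTML page carries this title string.
STATUS_MARKER = b"JK Status Manager"
METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")


def fetch(host, method, path, port=80, timeout=5):
    """Send one request with an empty body; return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def find_leaks(host, paths=("/", "/status"), fetcher=fetch):
    """Return (method, path, status) for every response containing the marker.

    Run it from a vantage point that must NOT see the status page (outside
    the firewall); any entry in the result is an access-control failure.
    """
    leaks = []
    for path in paths:
        for method in METHODS:
            status, body = fetcher(host, method, path)
            if STATUS_MARKER in body:
                leaks.append((method, path, status))
    return leaks


def fake_fetcher(host, method, path):
    """Constructed stand-in for the server in the thread: /status is denied,
    but an empty POST to / answers with the status page."""
    if path == "/" and method == "POST":
        return 200, b"<html><head><title>JK Status Manager</title></head></html>"
    return 403, b"<h1>Forbidden</h1>"


if __name__ == "__main__":
    # Swap fake_fetcher for the default fetch() to test a real host you operate.
    for method, path, status in find_leaks("baseco.com", fetcher=fake_fetcher):
        print(f"status page returned for {method} {path} (HTTP {status})")
```
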
