Hi Konstantin,

On Mon, Oct 7, 2019 at 2:36 PM Konstantin Kolinko <knst.koli...@gmail.com>
wrote:

> Mon, Oct 7, 2019 at 14:23, Martin Knoblauch <kn...@knobisoft.de>:
> >
> > Dear fellow Tomcat users,
> >
> >  recently we migrated our application from Tomcat7 to Tomcat9. Most things
> > work great so far, but we observed one issue. Basically serving static pages
> > has stopped for us.
> >
> >  Our setup is Tomcat (7.0.62 or 9.0.12) behind Apache HTTPD (2.4.41 using
> > mod_jk 1.2.46). Yes, 9.0.12 is not recent, but we are forced to that
> > version.
> >
> > The mod_jk configuration basically looks like:
> >
> > <IfModule !mod_jk.c>
> >   LoadModule jk_module modules/mod_jk.so
> >
> >   JkWorkersFile "conf/cb2/workers.properties"
> >   JkShmFile "logs/jk-runtime-status"
> >   JkLogFile "logs/mod_jk.log"
> >   JkLogLevel info
> >   JkWatchdogInterval 60
> > </IfModule>
> >
> > And then later inside a virtual host:
> >
> > #
> > # CB2 - Portal
> > #
> > # Mount the "/cb2" application to worker "cb2"
> > #
> >     JkMount /cb2/* cb2
> > #
> > # Unmount "/cb2/docs" from worker "cb2" to allow static content
> > # being served by apache. Same for "/cb2/cgi-bin"
> > #
> >     JkUnMount /cb2/docs/* cb2
> >
> > So we JkUnMount the "/cb2/docs" directory from the application base in
> > order to serve the content directly from Apache. "docs" itself is a
> > symbolic link pointing outside the application base.
> >
> > With TC7, we observe the following in the apache access_log:
> >
> > [07/Oct/2019:12:30:47 +0200] [2 ms] 160.46.219.110 - "POST /cb2/docs
> > HTTP/1.1" s:302 l:- S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384
> > [07/Oct/2019:12:30:47 +0200] [20 ms] 160.46.219.110 - "GET /cb2/docs/
> > HTTP/1.1" s:200 l:6367 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384
> >
> > So the POST from the application is redirected to the static content, which
> > is served OK.
>
> A web server will happily serve static content in response to a
> POST request. The redirect happens because you are requesting a
> directory and your request URI does not end with a '/'.
>
>
OK. Thanks for the explanation.

> > With TC9 we see:
> >
> > [05/Oct/2019:02:58:13 +0200] [0 ms] #160.46.219.110# - "GET /docs HTTP/1.1"
> > s:404 l:196 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384
> >
> > As said, the major difference between the setups is TC7 vs. TC9. Any ideas
> > for me to follow? I did not find anything in the migration 7->8 or 8->9
> > guides.
>
> 1. In your access log here I see "GET /docs" instead of "/cb2/docs".
> Is it intentional?
>
>
No, just too many windows to cut and paste from. And not enough caffeine...

> 2. For Tomcat to issue a redirect, the "docs" directory must be
> present in your web application. It can be empty, but it must be
> present. (If there is none, Tomcat does not know that the requested
> resource is a directory).
>
>
OK. The "docs" directory is actually a symbolic link to a directory
elsewhere.

> 3. Starting with some version (January 2016) the default place where
> the redirect is issued by Tomcat was moved from Mapper (in earlier
> stages of request processing) to the DefaultServlet. This behaviour is
> controlled by configuration attributes on a Context (in the file
> META-INF/context.xml of your web application). See CVE-2015-5345
>
> http://tomcat.apache.org/security-9.html
>
>
Sounds interesting. Need to look at it.

Thanks
Martin

> Best regards,
> Konstantin Kolinko
>

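Added example, not part of the original thread: a sketch of the META-INF/context.xml settings that point 3 of the quoted reply refers to. The attribute names and defaults are the ones documented for the Tomcat Context element; the thread itself does not name them, and the /cb2 application is taken from the mod_jk configuration quoted above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml of the web application (here: the /cb2 context) -->

<!--
  Defaults since the CVE-2015-5345 fix, written out explicitly.

  mapperDirectoryRedirectEnabled="false":
    a request for a directory without a trailing slash (/cb2/docs) is
    redirected by the DefaultServlet, i.e. only after security constraints
    and filters have run. A client that is not allowed to see the directory
    cannot use the 302 to learn that it exists.

  mapperContextRootRedirectEnabled="true":
    a request for the context root itself (/cb2) is still redirected by the
    Mapper, which confirms only that the context path exists.
-->
<Context mapperContextRootRedirectEnabled="true"
         mapperDirectoryRedirectEnabled="false" />

<!--
  Pre-fix behaviour, for comparison. Use it in place of the element above,
  not in addition to it:

  <Context mapperContextRootRedirectEnabled="true"
           mapperDirectoryRedirectEnabled="true" />

  The Mapper then issues the trailing-slash redirect early in request
  processing, before any security constraint is evaluated. That is the
  directory-existence disclosure described in CVE-2015-5345, so enable it
  only when every directory name in the application may be public.
-->
```

Either way the redirect is issued only for a directory that Tomcat can see inside the web application, as point 2 of the quoted reply states.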