There is no Tomcat, mod_jk nor httpd bug here.

The root cause of this thread is a configuration error.

From the httpd docs for Location:

<quote>
The URL may use wildcards. In a wild-card string, ? matches any single
character, and * matches any sequences of characters. Neither wildcard
character matches a / in the URL-path.
</quote>

Note - in particular - the final sentence.

From the JkMount docs:

<quote>
Inside Location, one omits the first argument (path), which gets
inherited verbatim from the Location argument. Whereas <Location /myapp>
matches any URI beginning with "/myapp", any JkMount nested in such a
Location block will only match for requests with exact URI /myapp.
Therefore nesting JkMount in Location is typically not the right thing
to do.
</quote>

Again, note - in particular - the final sentence.

The original configuration was:

<Location "/servlet*">
        JkMount  worker1
        SSLVerifyClient require
        SSLOptions +StdEnvVars
        SSLOptions +ExportCertData
        ...
</Location>

As per the documentation, configuration in the Location block and the
JkMount DO NOT apply to the same set of URLs as the matching rules are
different. Hence the behaviour that is observed.

For example "/servlet/foo" will match the JkMount directive but NOT the
location block.


It isn't clear what the intended configuration is but I suspect it is
something along these lines:

<Location "/servlet">
        SSLVerifyClient require
        SSLOptions +StdEnvVars
        SSLOptions +ExportCertData
        ...
</Location>
JkMount  /servlet     worker1
JkMount  /servlet/*   worker1

Mark
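
The mismatch described in the message above, as an added example that is not part of the original e-mail or of httpd/mod_jk. It models the Location wildcard rule as quoted from the httpd docs, and assumes (based on the "/servlet/foo" statement above) that a "*" in a JkMount pattern also matches "/"; the function names and sample paths are constructed for illustration.

```python
import re

def location_matches(arg, path):
    """httpd <Location>: wildcard form per the docs quoted above (? and *
    never match '/'); plain form is a prefix match on a segment boundary.
    Simplified model; assumes the plain argument has no trailing slash."""
    if "*" in arg or "?" in arg:
        rx = "".join("[^/]*" if c == "*" else "[^/]" if c == "?"
                     else re.escape(c) for c in arg)
        return re.fullmatch(rx, path) is not None
    return path == arg or path.startswith(arg + "/")

def jkmount_matches(pattern, path):
    """Assumed model of mod_jk mapping: '*' matches any characters,
    including '/', which is why /servlet/foo matches /servlet*."""
    rx = "".join(".*" if c == "*" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, path) is not None

def forwarded_without_block(location_arg, jk_patterns, paths):
    """Paths sent to Tomcat that the <Location> block (and therefore its
    SSLVerifyClient require) does not cover."""
    return [p for p in paths
            if any(jkmount_matches(j, p) for j in jk_patterns)
            and not location_matches(location_arg, p)]

# Constructed sample request paths
SAMPLE_PATHS = ["/servlet", "/servletfoo", "/servlet/foo",
                "/servlet/a/b", "/static/x.css"]

# Original config: JkMount nested in <Location "/servlet*"> inherits "/servlet*"
ORIGINAL = forwarded_without_block("/servlet*", ["/servlet*"], SAMPLE_PATHS)

# Suggested config: <Location "/servlet"> plus two top-level JkMounts
SUGGESTED = forwarded_without_block("/servlet", ["/servlet", "/servlet/*"],
                                    SAMPLE_PATHS)

if __name__ == "__main__":
    print("original  config, forwarded outside the block:", ORIGINAL)
    print("suggested config, forwarded outside the block:", SUGGESTED)
```

Any path listed for a configuration reaches the Tomcat worker without the directives in the Location block being applied to it.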



On 08/10/2019 02:09, André Warnier (tomcat) wrote:
> On 08.10.2019 00:50, Magosányi Árpád wrote:
>> On 10/7/19 11:29 PM, André Warnier (tomcat) wrote:
>>> <LocationMatch /servlet.*>
>>>      DirectoryIndex off
>>>      RewriteEngine Off
>>>      AuthType openid-connect
>>>      AllowOverride None
>>>      AuthzDBDQuery "a correct database query"
>>>      Require dbd-group allrepo
>>>      LogLevel debug
>>> </LocationMatch>
>>
>> Nice. It has solved the problem, thank you very much. By adding the ssl
>> related directives here I could pass the ssl info as well. So basically
>> we have put the JkMount in a Location, and the other directives in
>> another similar directive, as a kind of workaround?
> 
> Think of it as follows :
> When httpd gets a request,
> - step 1 : it first looks only at the request URL, and it applies any
> directives that it finds in <Location> or <LocationMatch> sections which
> match that URL.
> - step 2 : then it tries to match the URL, with the filesystem on disk,
> and IF it finds a file that corresponds to that URL
> - step 3 : then it applies any <Directory(Match)> or <Files(Match)> that
> apply to that file
> - step 4 : httpd serves the file back to the browser
> 
> If you have JkMount directives that match the URL, then step 2, 3 and 4
> above never happen, because the request will be passed to tomcat anyway,
> so it will never map to a file on the httpd filesystem. And if you have
> JkUnmount directives, that also match the URL, then they partially
> negate the matching JkMount, and they /force/ step 2, 3 and 4.
> 
> The combination of JkMount/JkUnmount directives, with the httpd
> <Location(Match)> and <Directory(Match)> sections, is sometimes a bit
> unclear, especially when they overlap.
> 
> There is another syntax applicable to the proxying via mod_jk, which I
> prefer because I find that it makes the httpd URL mapping clearer, in a
> httpd configuration logic sense.
> You can find it here :
> http://tomcat.apache.org/connectors-doc/reference/apache.html
> section : Using SetHandler and Environment Variables
> 
> Using that form, you do NOT use any "JkMount/JkUnmount" directives, you
> use only <Location(Match)> blocks, like :
> 
> <LocationMatch /servlet.*>
>       SetHandler jakarta-servlet
>       SetEnv JK_WORKER_NAME worker1
>       DirectoryIndex off
>       RewriteEngine Off
>       AuthType openid-connect
>       AllowOverride None
>       AuthzDBDQuery "a correct database query"
>       Require dbd-group allrepo
>       LogLevel debug
> </LocationMatch>
> 
> The combination of the <LocationMatch /servlet.*>, SetHandler and
> SetEnv, does the same as a separate "JkMount /servlet* worker1" and (in
> my view) it makes it clearer in the Apache httpd configuration file, to
> know which URLs get proxied to tomcat and which do not get proxied.
> Look at the example "<Location /apps/>" to see how you can have some
> static documents served by the httpd front-end directly (= not proxied
> to tomcat), and the real calls to tomcat servlets being proxied to tomcat.
> 
> 
> 
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org