On 13/02/2020 12:04, Olivier Jaquemet wrote:
> On 13/02/2020 12:41, Mark Thomas wrote:
>> On 13/02/2020 09:57, Olivier Jaquemet wrote:
>>> I understand the need to introduce a "secured by default" AJP
>>> configuration.
>>> However, I question one choice that was made for this change : the
>>> default behavior of the AJP connector to listen only on the loopback
>>> address.
>>> [...]
>> You can specify "" (IPv4) or "::" (IPv6) to restore the behaviour
>> of listening on any address.
>> Mark
> Thank you Mark. This should address this use case.
> Would you consider adding this binding information to the documentation
> (in the documentation of the address attribute) ?

The migration guide might be a better place for that sort of thing. Care
to suggest a suitable change to this section:


(we can copy the text to the equivalent sections for 8.5.x and 7.0.x)?

> To sum up :
> When migrating to Tomcat 8.5.51, 9.0.31 (and probably the next 7.0.x as
> I saw you had also backported this change to the 7.0.x branch),


> if your server architecture is to expose tomcat with an AJP connector,
> to a remote distant front server, you can :
> either, *secure your installation* (obviously the recommended way on
> untrusted network) :
> - by specifying the valid IP address on which the connector must bind;
> This is done with address attribute of the AJP connector.
> - by specifying a shared secret between the front server and the
> connector ; This is done with the secret attribute of the AJP connector
> or else, if you want your server.xml to be agnostic to the running host
> and remote front server, change your configuration back to the previous
> behavior, *BUT ONLY IF AND ONLY IF you are on trusted network* :
> - by removing explicit bind of AJP connector, by specifying ""
> (IPv4) or "::" (IPv6) in the address attribute of the AJP connector
> - by removing need for shared secret between front and tomcat ; This is
> done with the secretRequired="false" attribute of the AJP connector.

Correct. Nice summary.


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to