On Mon, Feb 24, 2020 at 3:19 PM Ellen Meiselman <elle...@gmail.com> wrote:
>
> Hi,
>
> I’m having a lot of trouble configuring the isapi_redirect connector between
> IIS and Tomcat. I am running out of ideas so it’s time to ask for help from
> the experts. I think the problems remaining are in the tomcat configuration
> area, not the IIS area anymore.
>
> What’s wrong:
> The ISAPI module appears to be working and correctly sending AJP requests to
> Tomcat on port 8009, at which point Tomcat refuses those requests with a 403
> error. The isapi_redirect.log shows the complete content of the tomcat
> response, and no longer shows any errors - in other words, it thinks it is
> working.
>
> Text of the 403 error:
>
> HTTP Status 403 – Forbidden
> Type Status Report
> Description The server understood the request but refuses to authorize it.
> Apache Tomcat/8.5.51
>
>
> What does work:
> Requests directly to Tomcat on port 8080 to pages within the
> connector-exposed web application work fine.
> For example, both of these work:
> localhost:8080/exposedApplication/simple.html. (viewed on the server’s
> browser)
> my.servers.domain.com:8080/exposedApplication/simple.html (viewed anywhere
> else)
>
>
> What does not work:
> Requests that go through IIS and the connector to the connector-exposed
> application result in a 403 error.
> For example, this does not work:
> https:my.servers.domain.com/exposedApplication/simple.html
>
>
> This Windows 2019 setup has the following versions of tomcat, windows, etc:
>
> Tomcat version 8.5.51
> Isapi_redirect.dll version 1.2.46.0
> IIS 10/Windows server 2019
>
> I also have two older, similar Windows Server environments that work
> perfectly. They both use these versions:
>
> Tomcat version 8.5.3 (64 bit) as a service
> Isapi_redirect.dll version 1.2.40.0 64 bit
> IIS 8/Windows server 2012R2
>
>
> The component versions between the working and non-working environments are
> slightly different, and I think that might be the source of the problem -
> there are probably new configuration requirements that I need to be aware of.
> I started with the settings used in the working environments and found that
> some things needed to be changed to get the connector to work at all. For
> example I had to specify an IPv4 address for the connector where I didn’t
> need to before.
>
> My theories at the moment:
> 1. Maybe allowedRequestAttributesPattern is a problem? I saw a note about the
> allowedRequestAttributesPattern attribute for the AJP connector possibly
> causing a 403 error, but I don’t understand how to use it or if it is needed.
> 2. It’s possible that something in the Tomcat permissions settings is wrong,
> but I really don’t know where to look.
>
>
> Relevant configuration settings in server.xml, workers.properties and
> uriworkermap.properties:
>
> server.xml
>
> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
>            redirectPort="8443" />
> <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
>            requiredSecret="true" secret="xxxxxxxx" redirectPort="8443" />
>
> <Host name="localhost" appBase="webapps" unpackWARs="true"
>       autoDeploy="true">
>   <Valve className="org.apache.catalina.valves.AccessLogValve"
>          directory="logs"
>          prefix="localhost_access_log" suffix=".txt"
>          pattern="%h %l %u %t &quot;%r&quot; %s %b" />
> </Host>
>
> <Host name="127.0.0.1" appBase="webapps" unpackWARs="true"
>       autoDeploy="true">
>   <Valve className="org.apache.catalina.valves.AccessLogValve"
>          directory="logs"
>          prefix="127_0_01_access_log" suffix=".txt"
>          pattern="%h %l %u %t &quot;%r&quot; %s %b" />
> </Host>
>
>
> workers.properties
>
> # Set properties for worker1 (ajp13)
> worker.worker1.type=ajp13
> worker.worker1.host=127.0.0.1
> worker.worker1.port=8009
> worker.worker1.secret=xxxxxxxx
>
>
> uriworkermap.properties
> /exposedApplication/*=worker1
>
>
> Any suggestions or new directions will be welcome.
>
> Thank you,
>
> Ellen Meiselman
>

Change requiredSecret="true" to secretRequired="true" in your AJP connector definition.

HTH

Chris
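
A configuration check for the attribute mix-up in this thread, as an added example that is not from either poster or from the Tomcat project. It relies on the Tomcat 8.5.51 change in which `secret` holds the shared string, `secretRequired` is the boolean, and `requiredSecret` survives only as the deprecated older name of the secret string; `audit_ajp` and `worker_secrets` are hypothetical helper names, and the sample files and secret are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the thread's files; the secret is a placeholder.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
             requiredSecret="true" secret="PLACEHOLDER-SECRET" redirectPort="8443" />
</Service></Server>"""
WORKERS = """# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
worker.worker1.secret=PLACEHOLDER-SECRET
"""

def worker_secrets(text):
    """Map 'host:port' to the secret of each worker in workers.properties."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return {f"{host}:{props.get(key[:-4] + 'port', '8009')}": props.get(key[:-4] + "secret")
            for key, host in props.items()
            if key.startswith("worker.") and key.endswith(".host")}

def audit_ajp(server_xml, workers_text):
    """Return findings for each AJP connector (hypothetical helper, 8.5.51+ rules)."""
    findings, workers = [], worker_secrets(workers_text)
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        port, old = conn.get("port"), conn.get("requiredSecret")
        secret = conn.get("secret", old)
        if old is not None:
            findings.append(f"{port}: requiredSecret is the deprecated name of the secret "
                            "string, not a flag; the boolean is secretRequired")
            if old != secret:
                findings.append(f"{port}: secret and requiredSecret carry different values")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(f"{port}: secretRequired=false accepts peers without a secret")
        elif not secret:
            findings.append(f"{port}: a secret is required but none is configured")
        peer = workers.get(f"{conn.get('address')}:{port}", secret)
        if peer != secret:
            findings.append(f"{port}: worker secret differs from the connector secret")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ajp(SERVER_XML, WORKERS)) or "no findings")
```

On the sample, the connector is flagged twice: once for using `requiredSecret` as a flag and once because it and `secret` carry different strings, which leaves the effective secret ambiguous against the one the worker sends.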