What is in your URIWorkermap.properties file?

Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

jonmcalexan...@wellsfargo.com



-----Original Message-----
From: Ellen Meiselman <elle...@gmail.com> 
Sent: Tuesday, February 25, 2020 3:12 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

Hi Johann, 

I’ve been trying both ways - with and without secret. Happy to have it set up 
any way it works that won’t arouse the ire of our security team. 

I’ll increase the log levels and see what else I can find.

Thanks, 

Ellen


> On Feb 25, 2020, at 4:07 PM, js84 <aon.913111...@aon.at> wrote:
> 
> Hello!
> 
> What are you using the secret property for when running Tomcat locally on
> the loopback interface?
> 
> I suggest increasing the log level to "debug" temporarily. (Don't forget to
> reset it, because performance will slow down dramatically if the
> isapi_redirect log file grows on a Windows machine.)
> 
> Best regards,
> Johann
> 
> From: Christopher Schultz
> Sent: Tuesday, February 25, 2020 21:42
> To: users@tomcat.apache.org
> Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector
> and Tomcat
> 
> Ellen,
> 
> On 2/25/20 13:10, Ellen Meiselman wrote:
>> No, just that I don't know how to set this particular connector up 
>> another way. I based this on the instructions on the isapi_connector 
>> site http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
>> and on the 2 older servers we have which are working.
>> 
>> I'm sort of thinking of suggesting that we get rid of IIS entirely and
>> switch to Tomcat. Then we can run the necessary Java application and
>> also serve all the HTML items we need to using the same web server.
> Tomcat is a perfectly good "plain old" web server. Some security 
> people get all freaked-out when you suggest that Tomcat be exposed 
> "directly" but IMHO it can't be any worse than IIS.
> 
> But also IMHO there are always reasons to use a reverse proxy:
> flexibility and availability. When you are restarting Tomcat for 
> whatever reason, what will clients see if they try to access your 
> application? CONNECTION REFUSED? :( With the proxy in the way, that is 
> much less likely. Also, if you want to serve Java web applications, 
> python web applications, .NET whatevers, you'll be able to do that 
> much more flexibly with a reverse-proxy in the mix.
> 
> - -chris
> 
>> On Tue, Feb 25, 2020 at 1:01 PM Christopher Schultz < 
>> ch...@christopherschultz.net> wrote:
>> 
>> Ellen,
>> 
>> On 2/25/20 12:55, Ellen Meiselman wrote:
>>>>> Sorry - no, the quotes were not there except for a 5 minute test 
>>>>> of a hopeless theory that they might be needed. Right now there is 
>>>>> no secret at all in the workers.properties, and in the
>>>>> ajp connector, I have secretRequired="false".
>>>>> 
>>>>> Workers.properties:
>>>>> worker.worker1.type=ajp13
>>>>> worker.worker1.host=127.0.0.1
>>>>> worker.worker1.port=8009
>>>>> 
>>>>> Server.xml:
>>>>> <Connector protocol="AJP/1.3"
>>>>> address="127.0.0.1" port="8009" secretRequired="false"
>>>>> redirectPort="8443" />
>> 
>> Hmm. I think we've all been operating under the assumption that the 
>> "secret" (by whatever name) was the source of the problem. It appears 
>> that was incorrect.
>> 
>> Have a look at Jon's question about file permissions.
>> 
>> Was this a configuration that had been working until recently, or is 
>> this a new configuration that you haven't (yet) been able to get 
>> working ?
>> 
>> Any reason not to use HTTP(S) for your protocol instead of AJP?
>> 
>> -chris
>> 
>>>>> On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz < 
>>>>> ch...@christopherschultz.net> wrote:
>>>>> 
>>>>> Ellen,
>>>>> 
>>>>> On 2/25/20 12:06, Ellen Meiselman wrote:
>>>>>>>> Yes, everything is on the same server.
>>>>>>>> 
>>>>>>>> workers.properties:
>>>>>>>> # Set properties for worker1 (ajp13)
>>>>>>>> worker.worker1.type=ajp13
>>>>>>>> worker.worker1.host=127.0.0.1
>>>>>>>> worker.worker1.port=8009
>>>>>>>> worker.worker1.secret="mySecret".
>>>>> 
>>>>> Just so there is no confusion: your "mySecret" should have neither 
>>>>> quotes nor the trailing period.
>>>>> 
>>>>> Are those literally in your IIS config file?
>>>>> 
>>>>> -chris
>>>>> 
>>>>>>>> On Tue, Feb 25, 2020 at 11:27 AM 
>>>>>>>> <jonmcalexan...@wellsfargo.com.invalid> wrote:
>>>>>>>> 
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Ellen Meiselman <elle...@gmail.com>
>>>>>>>>> Sent: Tuesday, February 25, 2020 10:01 AM
>>>>>>>>> To: Tomcat Users List <users@tomcat.apache.org>
>>>>>>>>> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
>>>>>>>>> 
>>>>>>>>>> Hi,
>>>>>>>>>> 
>>>>>>>>>> I've been testing, and so far, there is no change in the 
>>>>>>>>>> behavior. I am still getting the same tomcat-based 403 error.
>>>>>>>>>> 
>>>>>>>>>> Based on what you said above...
>>>>>>>>>> 
>>>>>>>>>> secretRequired="true" (which is the default, so it can be removed)
>>>>>>>>>> secret="xxxxxxx"
>>>>>>>>>> 
>>>>>>>>>> ...I removed secretRequired="true" and left secret.
>>>>>>>>>> So the connector definition now looks like this:
>>>>>>>>>> <Connector protocol="AJP/1.3" address="127.0.0.1"
>>>>>>>>>> port="8009" secret="mySecret" redirectPort="8443"
>>>>>>>>>> />
>>>>>>>>> 
>>>>>>>>> <SNIP>
>>>>>>>>> 
>>>>>>>>> I'm assuming that your web-front-end is on the same server as 
>>>>>>>>> your Tomcat instance, based on you having the address set to 
>>>>>>>>> 127.0.0.1, correct? What do you have in your 
>>>>>>>>> workers.properties file?
>>>>>>>>> 
>>>>>>>> 
>>>>>> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
