On 20.03.2020 08:23, Fritze, Florian wrote:
Hello Chris,

thanks for the reply. Maybe I am doing something wrong, but setting
secretRequired="false" does not solve my issue. Let me show you what I did
and experienced: I added <Connector port="8011" protocol="AJP/1.3"
redirectPort="8443" secretRequired="false" /> to the Tomcat configuration
and the AJP connector on the Apache HTTPD side connects to 8011. When I now
visit my website I get HTTP Status 403 – Forbidden.

And just to make diagnosis a bit quicker: does that 403 error page look like an Apache httpd page, or a Tomcat page? (They look quite different in style.)

Also, can you check both the httpd logs and the Tomcat logs for that request, and check what they say? (Compare by timestamp and URI.)

Also, under what OS does your front-end httpd run?

I also attached the error page as a screenshot to this mail. This behaviour
exists only since the Ghostcat fix release (I know that this has nothing to
do with the security fix but probably with the release itself).

Thanks in advance

Florian Fritze M.A.
Fraunhofer-Informationszentrum Raum und Bau IRB
Competence Center Research Services & Open Science
Nobelstr. 12, 70569 Stuttgart, Germany
Telefon +49 711 970-2713
florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Thursday, 19 March 2020 20:14
To: users@tomcat.apache.org
Subject: Re: AJP Connector issue

On 3/19/20 07:43, Fritze, Florian wrote:
Since the Tomcat release with the Ghostcat security fix (Tomcat
8.5.51) I, as an admin, have a problem using the
https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to
connect the Apache HTTPD with the Tomcat running on localhost. The
attribute secretRequired must be set to „true“ or „false“. With „false“
set, the connection is not possible between Tomcat and Apache HTTPD.

When you have set secretRequired="false", it's not possible to connect? When
you try to connect, what DOES happen?

With „true“ the Apache development is not ready in the current version
to work with the „secret“ attribute. Only the next version of Apache
2.4 supports this attribute.

Correct. Support for secret= in mod_proxy_ajp was evidently never really a
priority for anybody until now.

So I want to use the newest Tomcat version and an AJP connector but
after the Ghostcat fix release there is this attribute which does not
work in my configuration.

Are there any suggestions or solutions available that you can deliver
me (links or documentation, etc.)

secretRequired="false" should be all you need.

Of course, to be truly secure, you need to make sure that not just anybody
can make requests through your AJP interface. Have you secured that
interface from potential evildoers?

-chris


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
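
Added example, not part of the thread and not Tomcat's own code: a small audit of the AJP connectors in a server.xml for the exposure Chris asks about (no secret on an interface that others can reach). It assumes the post-Ghostcat defaults (secretRequired is true, and a connector without an address attribute listens on loopback); the sample XML, the ports 8012 to 8014 and the status names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the first connector mirrors the one quoted in the mail,
# the remaining ones are made-up variations for comparison.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8011" protocol="AJP/1.3" redirectPort="8443" secretRequired="false" />
  <Connector port="8012" protocol="AJP/1.3" address="0.0.0.0" secretRequired="false" />
  <Connector port="8013" protocol="AJP/1.3" address="0.0.0.0" secret="CHANGE-ME" />
  <Connector port="8014" protocol="AJP/1.3" address="127.0.0.1" />
  <Connector port="8080" protocol="HTTP/1.1" />
</Service></Server>"""


def is_loopback(address):
    """True if the connector's listen address is loopback-only."""
    if address is None or address == "localhost":
        return True  # assumption: absent address means the loopback default
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # a hostname we cannot judge offline: treat as exposed


def audit_ajp(server_xml):
    """Return {port: status} for every AJP connector found in server_xml."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are out of scope here
        required = conn.get("secretRequired", "true").lower() == "true"
        if conn.get("secret"):
            status = "OK_SECRET_SET"
        elif required:
            # secretRequired (explicit or default) without a secret value
            status = "SECRET_MISSING"
        elif is_loopback(conn.get("address")):
            # Only processes on the same host can reach the port
            status = "NO_SECRET_LOOPBACK_ONLY"
        else:
            # Any host that can reach the port can send AJP requests
            status = "NO_SECRET_EXPOSED"
        report[conn.get("port")] = status
    return report


if __name__ == "__main__":
    for port, status in audit_ajp(SAMPLE).items():
        print(port, status)
```
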