Here is the additional information:
The error page looks like Tomcat:
HTTP Status 403 – Forbidden
_____
Type Status Report
Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine
Autorisierung.
_____
Apache Tomcat/8.5.53
The Apache HTTPD log file says:
- "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Edg/80.0.361.69"
- "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885
"https://dev-fordatis.fraunhofer.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
The Tomcat says:
- - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
- - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630
The server on which all is running is:
Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020
x86_64 x86_64 x86_64 GNU/Linux
There is no new entry in the Apache HTTPD error.log concerning these requests.
Help is appreciated
Florian Fritze
--
Florian Fritze M.A.
Fraunhofer-Informationszentrum Raum und Bau IRB
Competence Center Research Services & Open Science
Nobelstr. 12, 70569 Stuttgart, Germany
Phone +49 711 970-2713
florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
-----Original Message-----
From: André Warnier (tomcat/perl) <a...@ice-sa.com>
Sent: Friday, 20 March 2020 10:14
To: users@tomcat.apache.org
Subject: Re: AW: AJP Connector issue
On 20.03.2020 08:23, Fritze, Florian wrote:
Hello Chris,
thanks for the reply. Maybe I am doing something wrong, but setting
secretRequired="false" does not solve my issue. Let me show you what I
did and experience: I added <Connector port="8011" protocol="AJP/1.3"
redirectPort="8443" secretRequired="false" /> to the Tomcat
configuration and the ajp connector on the Apache HTTPD side connects
to 8011. When I now visit my website I got HTTP Status 403 – Forbidden
And just to make diagnosis a bit quicker: does that 403 error page look like
an Apache httpd page, or a tomcat page? (they look quite different in style).
Also, can you check both the httpd logs, and the tomcat logs for that request,
and check what they say? (compare by timestamp and URI)
Also, under what OS does your front-end httpd run?
I attached also the error page as a screenshot to this mail. This
behaviour exists only since the Ghostcat fix release (I know that this
has nothing to do with security fix but probably with the release itself).
Thanks in advance
Florian
--
Florian Fritze M.A.
Fraunhofer-Informationszentrum Raum und Bau IRB
Competence Center Research Services & Open Science
Nobelstr. 12, 70569 Stuttgart, Germany
Phone +49 711 970-2713
florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Thursday, 19 March 2020 20:14
To: users@tomcat.apache.org
Subject: Re: AJP Connector issue
Florian,
On 3/19/20 07:43, Fritze, Florian wrote:
since the Tomcat release with the Ghostcat security fix (Tomcat
8.5.51) me as an admin have the problem using the
https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to
connect the Apache HTTPD with the Tomcat running on localhost. The
attribute secretRequired must be set to „true“ or „false“ with
„false“ set the connection is not possible between Tomcat and Apache HTTPD.
When you have set secretRequired="false", it's not possible to
connect? When you try to connect, what DOES happen?
With „true“ the Apache development is not ready in the current
version to work with the „secret“ attribute. Only the next version of
Apache 2.4 supports this attribute.
Correct. Support for secret= in mod_proxy_ajp was evidently never
really a priority for anybody until now.
So I want to use the newest Tomcat version and an AJP connector but
after the Ghostcat fix release there is this attribute which does not
work in my configuration.
Are there any suggestions or solutions available that you can deliver
me (links or documentation, etc.)
secretRequired="false" should be all you need.
Of course, to be truly secure, you need to make sure that not just
anybody can make requests through your AJP interface. Have you secured
that interface from potential evildoers?
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
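
A check for the point raised in the thread about securing the AJP interface when secretRequired="false" is used, as an added example that is not part of the original messages: it reads a server.xml and classifies each AJP connector. The function name audit_ajp, the finding labels and every connector in the sample except the port 8011 one are constructed for illustration; it assumes Tomcat 8.5.51 or later, where an AJP connector without an address attribute listens on loopback and secretRequired defaults to true.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}

# Constructed server.xml: the port 8011 connector is the one quoted in the
# thread; the other connectors are made up for contrast.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8011" protocol="AJP/1.3" redirectPort="8443" secretRequired="false" />
  <Connector port="8012" protocol="AJP/1.3" address="0.0.0.0" secretRequired="false" />
  <Connector port="8013" protocol="AJP/1.3" address="0.0.0.0" />
  <Connector port="8080" protocol="HTTP/1.1" />
</Service></Server>"""


def audit_ajp(server_xml):
    """Classify every AJP connector in a server.xml string, keyed by port."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are out of scope
        # Assumption: Tomcat 8.5.51+, where a missing address means loopback
        # and a missing secretRequired means "true".
        address = conn.get("address", "127.0.0.1").strip().lower()
        secret_required = conn.get("secretRequired", "true").strip().lower() == "true"
        if conn.get("secret"):
            finding = "SECRET"          # front end must send the same secret
        elif secret_required:
            finding = "WONT_START"      # secret demanded but none configured
        elif address in LOOPBACK:
            finding = "LOOPBACK_ONLY"   # no secret, reachable only locally
        else:
            finding = "EXPOSED"         # no secret, reachable from the network
        findings[conn.get("port")] = finding
    return findings


if __name__ == "__main__":
    for port, finding in audit_ajp(SAMPLE).items():
        print(port, finding)
```

A LOOPBACK_ONLY result still trusts every process on the host, and an EXPOSED result calls for a bind address, a firewall rule or a secret before the connector goes back into service.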