I have tested a successful AJP connector with Apache proxy on Tomcat 7.

1. For the AJP connector, adding secretRequired="false" and address="0.0.0.0" resolved my connectivity issue.

I suspect the issue you are having (with the 403) is more likely a permissions issue on the site the request is trying to reach than an AJP connector configuration issue.
On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian <florian.fri...@irb.fraunhofer.de> wrote:
> Just to make it clear what in my opinion the problem is:
>
> SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8011]]
> org.apache.catalina.LifecycleException: Der Start des Protokoll-Handlers ist fehlgeschlagen
>     at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
> Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
>     at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
>     at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
>     ... 12 more
>
> This new "secretRequired" attribute prevents Tomcat from starting flawlessly. It was first introduced with the Ghostcat release.
> So this is a wish from me to the Tomcat developers: Please make this new attribute not mandatory but optional, so that I can run the newest Tomcat without this attribute, which I do now with the pre-Ghostcat releases.
>
> Have a nice weekend
> Florian Fritze
>
> --
> Florian Fritze M.A.
> Fraunhofer-Informationszentrum Raum und Bau IRB
> Competence Center Research Services & Open Science
> Nobelstr. 12, 70569 Stuttgart, Germany
> Phone +49 711 970-2713
> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
>
>
> -----Original Message-----
> From: André Warnier (tomcat/perl) <a...@ice-sa.com>
> Sent: Friday, 20 March 2020 13:34
> To: users@tomcat.apache.org
> Subject: Re: AW: AW: AJP Connector issue
>
> Ok, so it looks like:
> - the request is effectively reaching tomcat, and it is tomcat sending back the 403 response.
> - the URL is "/", so presumably it is "well-formed" etc.
>
> Furthermore, according to something you wrote below, both Apache httpd and tomcat are running on the same Linux host.
>
> This reminds me vaguely of some issue previously (and recently) discussed on the list, with some request attributes which tomcat did not like..
> But I do not remember precisely what the issue was, and it also seems to me that this concerned an IIS front-end, not Apache httpd.
>
> Perhaps someone else on the list has a better idea.
>
>
> Incidentally, it also seems that you are, in httpd, proxying *all* requests to tomcat.
> Which raises the question of why you have a httpd front-end in the first place.
> (But that's a later discussion maybe, let's first see why "/" doesn't work)
>
>
> On 20.03.2020 11:07, Fritze, Florian wrote:
> > Here is the additional information:
> >
> > The error page looks like Tomcat:
> >
> > HTTP Status 403 – Forbidden
> >
> > _____
> >
> > Type Status Report
> >
> > Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine Autorisierung.
> >
> > _____
> >
> > Apache Tomcat/8.5.53
> >
> > The Apache HTTPD log file says:
> >
> > - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
> > - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "https://dev-fordatis.fraunhofer.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
> >
> > The Tomcat says:
> >
> > - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
> > - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630
> >
> > The server on which all is running is:
> >
> > Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> >
> > There is no new entry in the Apache HTTPD error.log concerning these requests.
> >
> > Help is appreciated
> >
> > Florian Fritze
> >
> > -----Original Message-----
> > From: André Warnier (tomcat/perl) <a...@ice-sa.com>
> > Sent: Friday, 20 March 2020 10:14
> > To: users@tomcat.apache.org
> > Subject: Re: AW: AJP Connector issue
> >
> > On 20.03.2020 08:23, Fritze, Florian wrote:
> > > Hello Chris,
> > >
> > > thanks for the reply. Maybe I am doing something wrong, but setting secretRequired="false" does not solve my issue. Let me show you what I did and experience: I added <Connector port="8011" protocol="AJP/1.3" redirectPort="8443" secretRequired="false" /> to the Tomcat configuration and the ajp connector on the Apache HTTPD side connects to 8011. When I now visit my website I get HTTP Status 403 – Forbidden
> >
> > And just to make diagnosis a bit quicker: does that 403 error page look like an Apache httpd page, or a tomcat page? (they look quite different in style).
> >
> > Also, can you check both the httpd logs and the tomcat logs for that request, and check what they say? (compare by timestamp and URI)
> >
> > Also, under what OS does your front-end httpd run?
> >
> > > I attached also the error page as a screenshot to this mail. This behaviour exists only since the Ghostcat fix release (I know that this has nothing to do with the security fix but probably with the release itself).
> > >
> > > Thanks in advance
> > > Florian
> > >
> > > -----Original Message-----
> > > From: Christopher Schultz <ch...@christopherschultz.net>
> > > Sent: Thursday, 19 March 2020 20:14
> > > To: users@tomcat.apache.org
> > > Subject: Re: AJP Connector issue
> > >
> > > Florian,
> > >
> > > On 3/19/20 07:43, Fritze, Florian wrote:
> > > > since the Tomcat release with the Ghostcat security fix (Tomcat 8.5.51) I as an admin have the problem using the https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to connect the Apache HTTPD with the Tomcat running on localhost. The attribute secretRequired must be set to "true" or "false"; with "false" set the connection is not possible between Tomcat and Apache HTTPD.
> > >
> > > When you have set secretRequired="false", it's not possible to connect? When you try to connect, what DOES happen?
> > >
> > > > With "true" the Apache development is not ready in the current version to work with the "secret" attribute. Only the next version of Apache 2.4 supports this attribute.
> > >
> > > Correct. Support for secret= in mod_proxy_ajp was evidently never really a priority for anybody until now.
> > >
> > > > So I want to use the newest Tomcat version and an AJP connector but after the Ghostcat fix release there is this attribute which does not work in my configuration.
> > > >
> > > > Are there any suggestions or solutions available that you can deliver me (links or documentation, etc.)
> > >
> > > secretRequired="false" should be all you need.
> > >
> > > Of course, to be truly secure, you need to make sure that not just anybody can make requests through your AJP interface. Have you secured that interface from potential evildoers?
> > >
> > > -chris
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
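The thread turns on two connector states: one that refuses to start (secretRequired="true" with no secret, the IllegalArgumentException in Florian's stack trace) and one that starts but, as in the top reply's secretRequired="false" plus address="0.0.0.0", listens on every interface and trusts any client that reaches the port, which is the exposure Chris's last question is about. The audit below is an added example, not code from the thread or from Tomcat; it parses server.xml fragments with the standard library and reports which state each AJP connector is in. The three fragments are constructed to mirror the configurations discussed, and the assumption that the default bind address is loopback only on releases with the Ghostcat fix is noted in a comment.

```python
"""Audit the AJP connectors in a Tomcat server.xml fragment (added example).

Reports the two conditions discussed in the thread: a connector that cannot
start (secretRequired="true" with no secret) and a connector that starts but
trusts every client that can reach it (no secret, bound to all interfaces).
"""
import xml.etree.ElementTree as ET

ALL_INTERFACES = {"0.0.0.0", "::", "::0"}


def audit_ajp(server_xml):
    """Return [{"port": ..., "problems": [...]}] for each AJP connector."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat's default protocol is HTTP/1.1; only AJP connectors matter here.
        if not conn.get("protocol", "HTTP/1.1").startswith("AJP/"):
            continue
        address = conn.get("address")  # None -> Tomcat's default bind address
        # secretRequired defaults to "true" on releases with the Ghostcat fix.
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        secret = conn.get("secret", "")
        problems = []
        if address in ALL_INTERFACES:
            problems.append("listens on all interfaces")
        elif address is None:
            # Assumption: on releases with the Ghostcat fix the default is
            # loopback; older releases bind everywhere, so flag the reliance.
            problems.append("relies on default bind address")
        if secret_required and not secret:
            problems.append("secretRequired=true without secret: will not start")
        elif not secret_required and not secret:
            problems.append("no shared secret: any client reaching the port is trusted")
        findings.append({"port": conn.get("port"), "problems": problems})
    return findings


# Constructed fragments mirroring the thread, not anyone's full server.xml.
FAILS_TO_START = '<Service><Connector port="8011" protocol="AJP/1.3" redirectPort="8443"/></Service>'
TOP_REPLY = ('<Service><Connector port="8011" protocol="AJP/1.3" redirectPort="8443" '
             'secretRequired="false" address="0.0.0.0"/></Service>')
HARDENED = ('<Service><Connector port="8011" protocol="AJP/1.3" redirectPort="8443" '
            'address="127.0.0.1" secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"/></Service>')

if __name__ == "__main__":
    for name, cfg in (("fails to start", FAILS_TO_START), ("top reply", TOP_REPLY), ("hardened", HARDENED)):
        for f in audit_ajp(cfg):
            print(f"{name}: port {f['port']}: {'; '.join(f['problems']) or 'ok'}")
```

The hardened fragment only works end to end once the httpd side presents the same secret, which the thread notes requires a mod_proxy_ajp release that supports the secret parameter.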