RK,

On 3/20/20 09:57, RK Ashburn wrote:
> I have tested a successful AJP connector with apache proxy on
> (tomcat 7)
>
> 1. For AJP connector adding secretRequired="false" and address="0.0.0.0"
> resolved my connectivity issue. I suspect the issue you are having
> (with 403) is more like a permissions issue on the site the
> request is trying to reach, than an AJP connector configuration issue.

Binding to "all interfaces" may work, but it's not terribly secure. Are
you really expecting an AJP connection from anywhere in the world?

-chris

> On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian <florian.fri...@irb.fraunhofer.de> wrote:
>
>> Just to make it clear what, in my opinion, the problem is:
>>
>> SEVERE [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8011]]
>> org.apache.catalina.LifecycleException: Protocol handler start failed
>>         at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
>>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>         at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
>>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>         at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
>>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>         at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>> Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
>>         at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
>>         at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
>>         ... 12 more
>>
>> This new "secretRequired" attribute prevents Tomcat from starting
>> flawlessly. It was first introduced with the Ghostcat release. So this
>> is a wish from me to the Tomcat developers: please make this new
>> attribute optional rather than mandatory, so that I can run the newest
>> Tomcat without this attribute, as I do now with the pre-Ghostcat
>> releases.
>>
>> Have a nice weekend
>> Florian Fritze
>>
>> --
>> Florian Fritze M.A.
>> Fraunhofer-Informationszentrum Raum und Bau IRB
>> Competence Center Research Services & Open Science
>> Nobelstr. 12, 70569 Stuttgart, Germany
>> Telefon +49 711 970-2713
>> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
>>
>>
>> -----Original Message-----
>> From: André Warnier (tomcat/perl) <a...@ice-sa.com>
>> Sent: Friday, 20 March 2020 13:34
>> To: users@tomcat.apache.org
>> Subject: Re: Re: Re: AJP Connector issue
>>
>> Ok, so it looks like:
>> - the request is effectively reaching tomcat, and it is tomcat sending back the 403 response.
>> - the URL is "/", so presumably it is "well-formed" etc.
>>
>> Furthermore, according to something you wrote below, both Apache httpd
>> and tomcat are running on the same Linux host.
>>
>> This reminds me vaguely of some issue previously (and recently)
>> discussed on the list, with some request attributes which tomcat did
>> not like. But I do not remember precisely what the issue was, and it
>> also seems to me that this concerned an IIS front-end, not Apache httpd.
>>
>> Perhaps someone else on the list has a better idea.
>>
>> Incidentally, it also seems that you are, in httpd, proxying *all*
>> requests to tomcat. Which raises the question of why you have a httpd
>> front-end in the first place. (But that's a later discussion maybe,
>> let's first see why "/" doesn't work)
>>
>>
>> On 20.03.2020 11:07, Fritze, Florian wrote:
>>> Here is the additional information:
>>>
>>> The error page looks like Tomcat:
>>>
>>> HTTP Status 403 – Forbidden
>>> _____
>>> Type Status Report
>>> Description The server understood the request but refuses to authorize it.
>>> _____
>>> Apache Tomcat/8.5.53
>>>
>>> The Apache HTTPD log file says:
>>>
>>> - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>> - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "https://dev-fordatis.fraunhofer.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>>
>>> The Tomcat says:
>>>
>>> - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
>>> - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630
>>>
>>> The server on which all is running is:
>>>
>>> Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> There is no new entry in the Apache HTTPD error.log concerning these requests.
>>>
>>> Help is appreciated
>>> Florian Fritze
>>>
>>> --
>>> Florian Fritze M.A.
>>> Fraunhofer-Informationszentrum Raum und Bau IRB
>>> Competence Center Research Services & Open Science
>>> Nobelstr. 12, 70569 Stuttgart, Germany
>>> Telefon +49 711 970-2713
>>> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
>>>
>>>
>>> -----Original Message-----
>>> From: André Warnier (tomcat/perl) <a...@ice-sa.com>
>>> Sent: Friday, 20 March 2020 10:14
>>> To: users@tomcat.apache.org
>>> Subject: Re: Re: AJP Connector issue
>>>
>>> On 20.03.2020 08:23, Fritze, Florian wrote:
>>>> Hello Chris,
>>>>
>>>> thanks for the reply. Maybe I am doing something wrong, but setting
>>>> secretRequired="false" does not solve my issue. Let me show you what I
>>>> did and experience: I added <Connector port="8011" protocol="AJP/1.3"
>>>> redirectPort="8443" secretRequired="false" /> to the Tomcat
>>>> configuration and the ajp connector on the Apache HTTPD side connects
>>>> to 8011. When I now visit my website I get HTTP Status 403 – Forbidden
>>>
>>> And just to make diagnosis a bit quicker: does that 403 error page look
>>> like an Apache httpd page, or a tomcat page? (they look quite different
>>> in style).
>>>
>>> Also, can you check both the httpd logs, and the tomcat logs for that
>>> request, and check what they say? (compare by timestamp and URI)
>>>
>>> Also, under what OS does your front-end httpd run?
>>>
>>>> I attached also the error page as a screenshot to this mail. This
>>>> behaviour exists only since the Ghostcat fix release (I know that this
>>>> has nothing to do with the security fix but probably with the release
>>>> itself).
>>>>
>>>> Thanks in advance
>>>> Florian
>>>>
>>>> --
>>>> Florian Fritze M.A.
>>>> Fraunhofer-Informationszentrum Raum und Bau IRB
>>>> Competence Center Research Services & Open Science
>>>> Nobelstr. 12, 70569 Stuttgart, Germany
>>>> Telefon +49 711 970-2713
>>>> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>> Sent: Thursday, 19 March 2020 20:14
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: AJP Connector issue
>>>>
>>>>> Florian,
>>>>>
>>>>> On 3/19/20 07:43, Fritze, Florian wrote:
>>>>>> since the Tomcat release with the Ghostcat security fix (Tomcat
>>>>>> 8.5.51) I as an admin have the problem using the
>>>>>> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to
>>>>>> connect the Apache HTTPD with the Tomcat running on localhost. The
>>>>>> attribute secretRequired must be set to "true" or "false"; with
>>>>>> "false" set the connection is not possible between Tomcat and Apache
>>>>>> HTTPD.
>>>>>
>>>>> When you have set secretRequired="false", it's not possible to
>>>>> connect? When you try to connect, what DOES happen?
>>>>>
>>>>>> With "true" the Apache development is not ready in the current
>>>>>> version to work with the "secret" attribute. Only the next version
>>>>>> of Apache 2.4 supports this attribute.
>>>>>
>>>>> Correct. Support for secret= in mod_proxy_ajp was evidently never
>>>>> really a priority for anybody until now.
>>>>>
>>>>>> So I want to use the newest Tomcat version and an AJP connector but
>>>>>> after the Ghostcat fix release there is this attribute which does
>>>>>> not work in my configuration.
>>>>>>
>>>>>> Are there any suggestions or solutions available that you can
>>>>>> deliver me (links or documentation, etc.)
>>>>>
>>>>> secretRequired="false" should be all you need.
>>>>>
>>>>> Of course, to be truly secure, you need to make sure that not just
>>>>> anybody can make requests through your AJP interface. Have you
>>>>> secured that interface from potential evildoers?
>>>>>
>>>>> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
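The thread turns on three AJP connector attributes: secretRequired, secret and the bind address. The following is an added example, not code from the thread or from the Tomcat project: a small audit that reads a server.xml, finds the AJP connectors and classifies each as the configuration that fails to start (the IllegalArgumentException in Florian's stack trace), the address="0.0.0.0" workaround RK used (reachable from any host, no shared secret), secretRequired="false" on loopback, or loopback plus a shared secret. It assumes the defaults of the Ghostcat-fixed releases (Tomcat 7.0.100, 8.5.51, 9.0.31 and later), where secretRequired defaults to "true" and an AJP connector without address= binds to the loopback interface; the server.xml fragments are constructed for this example, and the placeholder secret value is not a real one.

```python
"""Audit the AJP <Connector> elements of a Tomcat server.xml for the three
settings the thread turns on: secretRequired, secret and the bind address.

Assumes the defaults of the Ghostcat-fixed releases (Tomcat 7.0.100, 8.5.51,
9.0.31 and later): secretRequired defaults to "true" and an AJP connector
with no address= binds to the loopback interface. The sample configurations
below are constructed for this example, not taken from the thread."""
import xml.etree.ElementTree as ET
from typing import Dict, List

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> List[Dict[str, str]]:
    """Return one finding per AJP connector: port, effective address, status, why."""
    root = ET.fromstring(server_xml)
    findings: List[Dict[str, str]] = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" and explicit classes such as org.apache.coyote.ajp.AjpNioProtocol
        if "AJP" not in protocol.upper():
            continue
        address = conn.get("address", "127.0.0.1")  # post-fix default: loopback
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        secret = conn.get("secret") or ""  # a missing attribute and "" both count as unset
        finding = {"port": conn.get("port", "?"), "address": address}
        if secret_required and not secret:
            # The IllegalArgumentException from the stack trace in the thread.
            finding["status"] = "STARTUP_FAILURE"
            finding["why"] = 'secretRequired="true" but secret is null or ""'
        elif not secret_required and address not in LOOPBACK_ADDRESSES:
            # The address="0.0.0.0" workaround: any host that can reach the port
            # can hand Tomcat arbitrary AJP requests and request attributes.
            finding["status"] = "EXPOSED"
            finding["why"] = "no shared secret and bound to a non-loopback address"
        elif not secret_required:
            finding["status"] = "WEAK"
            finding["why"] = "no shared secret; relies on nothing untrusted reaching loopback"
        else:
            finding["status"] = "OK"
            finding["why"] = "shared secret required; httpd must send the same value"
        findings.append(finding)
    return findings


# Constructed sample 1: the configuration behind the thread's stack trace
# (no secretRequired attribute, so the post-fix default "true" applies, and no secret).
FAILS_TO_START = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8011" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

# Constructed sample 2: the workaround RK reports, which opens AJP on every interface.
ALL_INTERFACES_NO_SECRET = """<Server><Service name="Catalina">
  <Connector port="8011" protocol="AJP/1.3" redirectPort="8443"
             secretRequired="false" address="0.0.0.0"/>
</Service></Server>"""

# Constructed sample 3: secretRequired="false" on the loopback default, as Florian tried.
LOOPBACK_NO_SECRET = """<Server><Service name="Catalina">
  <Connector port="8011" protocol="AJP/1.3" redirectPort="8443" secretRequired="false"/>
</Service></Server>"""

# Constructed sample 4: loopback bind plus a shared secret; the httpd worker must
# be given the same value. The secret here is a placeholder, not a real one.
HARDENED = """<Server><Service name="Catalina">
  <Connector port="8011" protocol="AJP/1.3" redirectPort="8443"
             address="127.0.0.1" secretRequired="true"
             secret="replace-with-a-long-random-value"/>
</Service></Server>"""


if __name__ == "__main__":
    samples = [("fails_to_start", FAILS_TO_START),
               ("all_interfaces_no_secret", ALL_INTERFACES_NO_SECRET),
               ("loopback_no_secret", LOOPBACK_NO_SECRET),
               ("hardened", HARDENED)]
    for name, cfg in samples:
        for f in audit_ajp_connectors(cfg):
            print(f"{name}: port {f['port']} on {f['address']}: {f['status']} ({f['why']})")
```

Run it against a real server.xml by passing the file contents to audit_ajp_connectors. On the httpd side, the matching value goes on the mod_proxy_ajp worker (httpd 2.4.42 or later), for example `ProxyPass "/" "ajp://127.0.0.1:8011/" secret=<same value>`; with an older httpd that cannot send a secret, the "WEAK" case (secretRequired="false", loopback only) is the least bad option, and a firewall or the loopback bind, not the 403 Tomcat returns, is what keeps other hosts off the port.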