-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

RK,

On 3/20/20 09:57, RK Ashburn wrote:
> I have tested a successful AJP connector with apache proxy on
> (tomcat 7)
>
> 1. For AJP connector adding secretRequired="false" and address="0.0.0.0"
> resolved my connectivity issue. I suspect the issue you are having
> (with 403) is more like a permissions issue on the site the request is
> trying to reach, than an AJP connector configuration issue.

Binding to "all interfaces" may work, but it's not terribly secure.
Are you really expecting an AJP connection from anywhere in the world?

- -chris

> On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian <
> florian.fri...@irb.fraunhofer.de> wrote:
>
>> Just to make it clear what in my opinion the problem is:
>>
>> SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8011]]
>> org.apache.catalina.LifecycleException: Der Start des Protokoll-Handlers ist fehlgeschlagen
>>     at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>     at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>     at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>     at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>> Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
>>     at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
>>     at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
>>     ... 12 more
>>
>> This new "secretRequired" attribute prevents the Tomcat from
>> starting flawlessly. It was first introduced with the Ghostcat
>> release. So this is a wish from me to the Tomcat developers:
>> Please set this new attribute not mandatory but optional. So that
>> I can run the newest Tomcat without this attribute which I do now
>> with the pre-Ghostcat releases.
>>
>> Have a nice weekend
>> Florian Fritze
>>
>> --
>> Florian Fritze M.A.
>> Fraunhofer-Informationszentrum Raum und Bau IRB
>> Competence Center Research Services & Open Science
>> Nobelstr. 12, 70569 Stuttgart, Germany
>> Phone +49 711 970-2713
>> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
>>
>>
>> -----Original Message-----
>> From: André Warnier (tomcat/perl) <a...@ice-sa.com>
>> Sent: Friday, 20 March 2020 13:34
>> To: users@tomcat.apache.org
>> Subject: Re: AW: AW: AJP Connector issue
>>
>> Ok, so it looks like:
>> - the request is effectively reaching tomcat, and that it is tomcat
>>   sending back the 403 response.
>> - the URL is "/", so presumably it is "well-formed" etc.
>>
>> Furthermore, according to something you wrote below, both Apache httpd
>> and tomcat are running on the same Linux host.
>>
>> This reminds me vaguely of some issue previously (and recently) discussed
>> on the list, with some request attributes which tomcat did not like.. But
>> I do not remember precisely what the issue was, and it also seems to me
>> that this concerned an IIS front-end, not Apache httpd.
>>
>> Perhaps someone else on the list has a better idea.
>>
>> Incidentally, it also seems that you are, in httpd, proxying *all*
>> requests to tomcat.
>> Which raises the question of why you have a httpd front-end in the first
>> place.
>> (But that's a later discussion maybe, let's first see why "/" doesn't work)
>>
>>
>> On 20.03.2020 11:07, Fritze, Florian wrote:
>>> Here is the additional information:
>>>
>>> The error page looks like Tomcat:
>>>
>>> HTTP Status 403 – Forbidden
>>> _____
>>> Type Status Report
>>> Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine Autorisierung.
>>> _____
>>> Apache Tomcat/8.5.53
>>>
>>> The Apache HTTPD log file says:
>>>
>>> - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>>
>>> - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "https://dev-fordatis.fraunhofer.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>>
>>> The Tomcat says:
>>>
>>> - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
>>>
>>> - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630
>>>
>>> The server on which all is running is:
>>>
>>> Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> There is no new entry in the Apache HTTPD error.log concerning these
>>> requests.
>>>
>>> Help is appreciated
>>>
>>> Florian Fritze
>>>
>>>
>>> -----Original Message-----
>>> From: André Warnier (tomcat/perl) <a...@ice-sa.com>
>>> Sent: Friday, 20 March 2020 10:14
>>> To: users@tomcat.apache.org
>>> Subject: Re: AW: AJP Connector issue
>>>
>>> On 20.03.2020 08:23, Fritze, Florian wrote:
>>>> Hello Chris,
>>>>
>>>> thanks for the reply. Maybe I am doing something wrong, but setting
>>>> secretRequired="false" does not solve my issue. Let me show you what I
>>>> did and experience: I added <Connector port="8011" protocol="AJP/1.3"
>>>> redirectPort="8443" secretRequired="false" /> to the Tomcat
>>>> configuration and the ajp connector on the Apache HTTPD side connects
>>>> to 8011. When I now visit my website I got HTTP Status 403 – Forbidden
>>>
>>> And just to make diagnosis a bit quicker: does that 403 error page look
>>> like an Apache httpd page, or a tomcat page? (they look quite different
>>> in style).
>>>
>>> Also, can you check both the httpd logs, and the tomcat logs for that
>>> request, and check what they say? (compare by timestamp and URI)
>>>
>>> Also, under what OS does your front-end httpd run?
>>>
>>>> I attached also the error page as a screenshot to this mail. This
>>>> behaviour exists only since the Ghostcat fix release (I know that this
>>>> has nothing to do with security fix but probably with the release
>>>> itself).
>>>>
>>>> Thanks in advance
>>>> Florian
>>>
>>>> -----Original Message-----
>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>> Sent: Thursday, 19 March 2020 20:14
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: AJP Connector issue
>>>>
>>>>> Florian,
>>>>>
>>>>> On 3/19/20 07:43, Fritze, Florian wrote:
>>>>>> since the Tomcat release with the Ghostcat security fix (Tomcat
>>>>>> 8.5.51) me as an admin have the problem using the
>>>>>> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to
>>>>>> connect the Apache HTTPD with the Tomcat running on localhost. The
>>>>>> attribute secretRequired must be set to „true“ or „false“ with
>>>>>> „false“ set the connection is not possible between Tomcat and Apache
>>>>>> HTTPD.
>>>>>
>>>>> When you have set secretRequired="false", it's not possible to
>>>>> connect? When you try to connect, what DOES happen?
>>>>>
>>>>>> With „true“ the Apache development is not ready in the current
>>>>>> version to work with the „secret“ attribute. Only the next version of
>>>>>> Apache 2.4 supports this attribute.
>>>>>
>>>>> Correct. Support for secret= in mod_proxy_ajp was evidently never
>>>>> really a priority for anybody until now.
>>>>>
>>>>>> So I want to use the newest Tomcat version and an AJP connector but
>>>>>> after the Ghostcat fix release there is this attribute which does not
>>>>>> work in my configuration.
>>>>>>
>>>>>> Are there any suggestions or solutions available that you can deliver
>>>>>> me (links or documentation, etc.)
>>>>>
>>>>> secretRequired="false" should be all you need.
>>>>>
>>>>> Of course, to be truly secure, you need to make sure that not just
>>>>> anybody can make requests through your AJP interface. Have you secured
>>>>> that interface from potential evildoers?
>>>>>
>>>>> -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
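
The two connector problems discussed in this thread (the startup failure when `secretRequired="true"` has no `secret`, and an AJP port bound to all interfaces with no secret) can be checked for in a `server.xml` before deployment. This is an added example, not part of the original messages or of Tomcat itself; the sample XML is constructed, and the defaults applied to missing attributes (loopback bind, `secretRequired="true"`) are those of Tomcat releases carrying the Ghostcat fix.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed server.xml fragment. Port 8011 uses the attribute combination
# quoted in the thread; the other connectors are illustrative.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8011" protocol="AJP/1.3" secretRequired="false" address="0.0.0.0" />
    <Connector port="8012" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8013" protocol="AJP/1.3" address="127.0.0.1" secretRequired="false" />
    <Connector port="8014" protocol="AJP/1.3" address="10.0.0.5" secret="PLACEHOLDER-SECRET" />
  </Service>
</Server>
"""

def is_loopback(address):
    """True for 127.0.0.0/8, ::1 and the name 'localhost'."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return address.lower() == "localhost"

def audit_ajp_connectors(xml_text):
    """Return {port: verdict} for every AJP connector in a server.xml document."""
    verdicts = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are out of scope here
        # Missing attributes fall back to post-Ghostcat defaults (assumption stated above).
        address = conn.get("address", "127.0.0.1")
        secret = conn.get("secret", "")
        required = conn.get("secretRequired", "true").strip().lower() == "true"
        if required and not secret:
            verdict = "startup-failure: secretRequired=true with empty secret"
        elif not is_loopback(address) and not secret:
            verdict = "exposed: non-loopback bind without a secret"
        elif not secret:
            verdict = "loopback-only: no secret, reachable from local processes"
        else:
            verdict = "ok: secret configured"
        verdicts[conn.get("port")] = verdict
    return verdicts

if __name__ == "__main__":
    for port, verdict in audit_ajp_connectors(SAMPLE_SERVER_XML).items():
        print(port, verdict)
```

A non-loopback bind with a secret is reported as "ok" here; restricting which hosts can reach the AJP port at the network layer is a separate control this script does not check.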
