Think I solved the problem. I added requiredSecret="aSecret" (not the real security :-)) to the AJP/13 connector in the server.xml of TomEE and worker.ajp13.secret=aSecret into the workers.properties file. After the restart of both TomEE and Apache2 the problem was not gone. I found another error message in the catalina.log: java.net.SocketException: Protocol family unavailable. On the internet I found that you need to change the ::1 in the AJP/13 connector in the server.xml into 0.0.0.0 to switch to IPv4. Now after the restart of TomEE I was able to access my applications through Apache. Is this the right way? What if I want to limit the access between the docker container and Apache2?

On 2020-07-21 12:35, Jonathan Gallimore wrote:
Hi

Can you share the Apache HTTPD set with mod_jk config with us (I assume you
run that in a separate Docker container)? Please don't share any sensitive
config like passwords, keys, etc, just the basics of what we'd need to
reproduce the error you're seeing. We'd be happy to take a look.

There was a recent change in Tomcat where you need to set a secret both in
the Tomcat/TomEE config, and on the mod_jk side. Checking that the AJP port
is open and accessible to HTTPD, and that the secret is set on both sides
would be my first step in troubleshooting this.

The recent changes in AJP were to mitigate CVE-2020-1938 - some details are
here: https://nvd.nist.gov/vuln/detail/CVE-2020-1938 and there are a number
of writeups about the vulnerability on the web. It's worth a read and
understanding the changes.

Jon

On Tue, Jul 21, 2020 at 10:43 AM Marco DE BOOIJ <[email protected]>
wrote:

I had set-up TomEE (8.0.1) in Docker and Apache2 with mod_jk and it
worked. After a crash I lost all configurations. After re-installing
Linux (Mint 20) I re-created the TomEE 8.0.2 container (from tomitribe
on github with 11-jre but the 8-jre has the same problem) and configured
Apache2 (2.4.41) with the mod_jk (1.2.46-1).

I created the container (as before) with docker run -it --name tomee -p
8109:8009 -p 8180:8080 -p 8543:8443 -e TZ=Europe/Brussels -v
/srv/local/tomee:/srv/local/tomee tomee-8.0.2

When I access the applications through the TomEE port I get the reply
but when I go through Apache2 I get a "502 Bad Gateway The proxy server
received an invalid response from an upstream server". In the mod_jk.log
I find:

[Fri Jul 17 11:09:27.272 2020] [1075:140607154546432] [debug]
ajp_get_endpoint::jk_ajp_common.c (3357): (ajp13_worker) acquired
connection pool slot=0 after 0 retries
[Fri Jul 17 11:09:27.272 2020] [1075:140607154546432] [debug]
ajp_marshal_into_msgb::jk_ajp_common.c (681): (ajp13_worker) ajp
marshaling done
[Fri Jul 17 11:09:27.272 2020] [1075:140607154546432] [debug]
ajp_service::jk_ajp_common.c (2588): processing ajp13_worker with 2 retries
[Fri Jul 17 11:09:27.272 2020] [1075:140607154546432] [debug]
ajp_send_request::jk_ajp_common.c (1719): (ajp13_worker) no usable
connection found, will create a new one.
[Fri Jul 17 11:09:27.273 2020] [1075:140607154546432] [debug]
jk_open_socket::jk_connect.c (674): socket TCP_NODELAY set to On
[Fri Jul 17 11:09:27.273 2020] [1075:140607154546432] [debug]
jk_open_socket::jk_connect.c (798): trying to connect socket 17 to
127.0.0.1:8109
[Fri Jul 17 11:09:27.273 2020] [1075:140607154546432] [debug]
jk_open_socket::jk_connect.c (824): socket 17 [127.0.0.1:44262 ->
127.0.0.1:8109] connected
[Fri Jul 17 11:09:27.273 2020] [1075:140607154546432] [debug]
ajp_connection_tcp_send_message::jk_ajp_common.c (1264): sending to
ajp13 pos=4 len=462 max=8192
[Fri Jul 17 11:09:27.273 2020] [1075:140607154546432] [debug]
ajp_send_request::jk_ajp_common.c (1779): (ajp13_worker) request body to
send 0 - request body to resend 0
[Fri Jul 17 11:09:27.273 2020] [1075:140607154546432] [debug]
jk_shutdown_socket::jk_connect.c (931): About to shutdown socket 17
[errno=107]
[Fri Jul 17 11:09:27.273 2020] [1075:140607154546432] [debug]
jk_shutdown_socket::jk_connect.c (940): Failed sending SHUT_WR for
socket 17 [errno=107]
[Fri Jul 17 11:09:27.273 2020] [1075:140607154546432] [info]
ajp_connection_tcp_get_message::jk_ajp_common.c (1347): (ajp13_worker)
can't receive the response header message from tomcat, network problems
or tomcat (127.0.0.1:8109) is down (errno=104)
[Fri Jul 17 11:09:27.273 2020] [1075:140607154546432] [debug]
ajp_abort_endpoint::jk_ajp_common.c (818): (ajp13_worker) aborting
endpoint with socket 17
[Fri Jul 17 11:09:27.273 2020] [1075:140607154546432] [error]
ajp_get_reply::jk_ajp_common.c (2256): (ajp13_worker) Tomcat is down or
refused connection. No response has been sent to the client (yet)
[Fri Jul 17 11:09:27.273 2020] [1075:140607154546432] [info]
ajp_service::jk_ajp_common.c (2775): (ajp13_worker) sending request to
tomcat failed (recoverable),  (attempt=1)
[Fri Jul 17 11:09:27.273 2020] [1075:140607154546432] [debug]
ajp_service::jk_ajp_common.c (2624): (ajp13_worker) retry 1, sleeping
for 100 ms before retrying

I only commented out the AJP 1.3 connector part from the server.xml
without changing. I changed the port in workers.properties to 8109.

On the internet I found old problems but these should have been solved
in the version that I use. Did anybody have this problem and solve it?
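
For the closing question in the thread about limiting access between the container and Apache2, the following is an added example, not written by any poster and not TomEE or mod_jk code. It checks that the AJP secret in server.xml matches a mod_jk worker secret and that the Docker publish for the AJP port is bound to loopback; it assumes Apache2 runs on the Docker host and connects to 127.0.0.1:8109 as in the mod_jk log, and `ajp_findings` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread: placeholder secret, wildcard bind.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector protocol="AJP/1.3" address="0.0.0.0" port="8009"
             requiredSecret="aSecret"/>
</Service></Server>"""
WORKERS = "worker.ajp13.port=8109\nworker.ajp13.secret=aSecret\n"

def ajp_findings(server_xml, publishes, workers_properties):
    """Hypothetical helper: list problems with AJP connectors and their Docker publishes."""
    # Secrets configured on the mod_jk side (worker.<name>.secret=...).
    worker_secrets = set()
    for line in workers_properties.splitlines():
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("worker.") and key.endswith(".secret"):
            worker_secrets.add(value.strip())
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        port = conn.get("port")
        # requiredSecret is the older name for the secret attribute.
        secret = conn.get("secret") or conn.get("requiredSecret")
        if not secret:
            # secretRequired defaults to true in releases carrying the CVE-2020-1938 fix.
            strict = conn.get("secretRequired", "true").lower() != "false"
            findings.append(f"AJP {port}: no secret set; " + (
                "connector will not start" if strict
                else "any client that reaches the port is accepted"))
        elif secret not in worker_secrets:
            findings.append(f"AJP {port}: secret matches no mod_jk worker")
        for spec in publishes:  # docker -p [host_ip:]host_port:container_port
            parts = spec.rsplit(":", 2)
            if parts[-1].split("/")[0] != port:
                continue
            host_ip = parts[0] if len(parts) == 3 else ""
            if host_ip not in ("127.0.0.1", "[::1]"):
                findings.append(f"AJP {port}: published on "
                                f"{host_ip or 'all host interfaces'} ({spec})")
    return findings

if __name__ == "__main__":
    print(ajp_findings(SERVER_XML, ["8109:8009", "8180:8080"], WORKERS))
    print(ajp_findings(SERVER_XML, ["127.0.0.1:8109:8009"], WORKERS))
```

Publishing with `-p 127.0.0.1:8109:8009` leaves the AJP port reachable only from processes on the Docker host, while `address="0.0.0.0"` inside the container is still needed so Docker's port forwarding can reach the connector.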

