Re: Tomcat Problems
One thing that I've noticed with some installs of Fedora is that out of the box the iptables firewall gets set up in a weird way that rejects a lot of connections (even if it's supposedly allowing the ports you want to go through). Flushing the rules it creates, and putting in the ones that I want, fixes the problem.

rj

At 11:26 AM 9/13/2004, Thomas E. Dukes wrote:

Hello,

I am running Fedora Core 2 with the stock version of tomcat, 4.1.27-13. I know this is not the latest version but I thought I'd start with what comes with this distribution. I have followed the howto at jakarta.apache.org.

First, if I go to http://localhost/examples, I can see the examples and run them with no problems. The problem is http://localhost:8080. According to the howto, I should see a tomcat welcome message. All I get is connection refused.

The excerpt from the apache error log is:

[Mon Sep 13 10:26:27 2004] [error] channelSocket.open() connect failed localhost:8019 111 Connection refused
[Mon Sep 13 10:26:27 2004] [error] ajp13.connect() failed ajp13:localhost:8019
[Mon Sep 13 10:26:27 2004] [error] ajp13.service() failed to connect endpoint errno=111 Connection refused
[Mon Sep 13 10:26:27 2004] [error] ajp13.service() Error forwarding ajp13:localhost:8019 1 1
[Mon Sep 13 10:26:27 2004] [notice] ajp13.done() close endpoint ajp13:localhost:8019 error_state 1
[Mon Sep 13 10:26:27 2004] [error] lb.service() worker failed 12 for ajp13:localhost:8019
[Mon Sep 13 10:26:28 2004] [error] channelUn.connect() connect failed 2 No such file or directory
[Mon Sep 13 10:26:28 2004] [error] ajp13.connect() failed ajp13:/opt/33/work/jk2.socket
[Mon Sep 13 10:26:28 2004] [error] ajp13.service() failed to connect endpoint errno=2 No such file or directory
[Mon Sep 13 10:26:28 2004] [error] ajp13.service() Error forwarding ajp13:/opt/33/work/jk2.socket 1 1
[Mon Sep 13 10:26:28 2004] [notice] channelUn.close(): close unix socket -1
[Mon Sep 13 10:26:28 2004] [notice] ajp13.done() close endpoint ajp13:/opt/33/work/jk2.socket error_state 1
[Mon Sep 13 10:26:28 2004] [error] lb.service() worker failed 12 for ajp13:/opt/33/work/jk2.socket
[Mon Sep 13 10:26:28 2004] [error] channelSocket.open() connect failed localhost:8019 111 Connection refused
[Mon Sep 13 10:26:28 2004] [error] ajp13.connect() failed ajp13:localhost:8019
[Mon Sep 13 10:26:28 2004] [error] ajp13.service() failed to connect endpoint errno=111 Connection refused
[Mon Sep 13 10:26:28 2004] [error] ajp13.service() Error forwarding ajp13:localhost:8019 1 1
[Mon Sep 13 10:26:28 2004] [notice] ajp13.done() close endpoint ajp13:localhost:8019 error_state 1
[Mon Sep 13 10:26:28 2004] [error] lb.service() worker failed 12 for ajp13:localhost:8019
[Mon Sep 13 10:26:28 2004] [error] channelUn.connect() connect failed 2 No such file or directory
[Mon Sep 13 10:26:28 2004] [error] ajp13.connect() failed ajp13:/opt/33/work/jk2.socket
[Mon Sep 13 10:26:28 2004] [error] ajp13.service() failed to connect endpoint errno=2 No such file or directory
[Mon Sep 13 10:26:28 2004] [error] ajp13.service() Error forwarding ajp13:/opt/33/work/jk2.socket 1 1
[Mon Sep 13 10:26:28 2004] [notice] channelUn.close(): close unix socket -1
[Mon Sep 13 10:26:28 2004] [notice] ajp13.done() close endpoint ajp13:/opt/33/work/jk2.socket error_state 1
[Mon Sep 13 10:26:28 2004] [error] lb.service() worker failed 12 for ajp13:/opt/33/work/jk2.socket

The first thing I noticed is the ajp13:/opt/33/work/jk2.socket. I don't have this directory or file, anywhere. I'm not sure if I missed installing an rpm or there is an incorrect config file that came with this distribution somewhere pointing to this. I have searched google and the archive with no success.

Any help would be appreciated.
Re: SSL in tomcat standalone with virtual hosts
At 12:01 PM 8/19/2004, Hassan Schroeder wrote:
> RJ wrote:
>> OK, I've done some more searching
>
> I think you're making this harder than it needs to be...

That's definitely the story of my life. For those as clueless as me, here's what I did to get it to work: edit up server.xml to define a Connector for each SSL cert, listing port="443", address="xxx.xxx.xxx.xxx", and keystoreFile="path_for_IP_xxx.xxx.xxx.xxx" for each IP's keystore.

Thanks to everyone who helped!

rj

>> I read one post in the archives that said to create a new connector for each IP, but that doesn't work (at least using the Administration tool -- it only allows one connector on 443).
>
> So don't use the Administration tool :-) -- use the text editor of your choice, create the Connector definitions, and you're done.
>
> I assure you it works -- that's how my server's configured: two IP addresses, two Connectors, two certs, both using port 443.
>
> FWIW!
> --
> Hassan Schroeder - [EMAIL PROTECTED]
> Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
> dream. code.
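The layout that worked in this thread is one Connector per IP address, all on port 443, each with its own keystore. The mistake that makes two 443 Connectors fight at startup is leaving out address= on one of them, which binds every interface. The checker below is an added example, not code from the thread or from Tomcat; it parses a constructed server.xml fragment (hypothetical IPs and keystore paths) and reports per-port collisions and SSL Connectors that lack a keystoreFile, which is the kind of review worth running before restarting a server that fronts several certificates:

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed server.xml fragment (hypothetical IPs and keystore paths) with the
# layout from the thread: one Connector per address, all SSL ones on 443.
SERVER_XML_OK = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" address="192.0.2.10"/>
    <Connector port="80" address="192.0.2.11"/>
    <Connector port="443" address="192.0.2.10" scheme="https" secure="true"
               sslProtocol="TLS" keystoreFile="/etc/tomcat5/keys/192.0.2.10.jks"/>
    <Connector port="443" address="192.0.2.11" scheme="https" secure="true"
               sslProtocol="TLS" keystoreFile="/etc/tomcat5/keys/192.0.2.11.jks"/>
  </Service>
</Server>
"""

# Same idea, but the second SSL Connector has neither address= nor keystoreFile=:
# it would bind 0.0.0.0:443 and collide with the first one at startup.
SERVER_XML_BAD = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" address="192.0.2.10" scheme="https" secure="true"
               keystoreFile="/etc/tomcat5/keys/192.0.2.10.jks"/>
    <Connector port="443" scheme="https" secure="true"/>
  </Service>
</Server>
"""


def check_connectors(server_xml):
    """Return a list of problem strings; an empty list means the layout is consistent."""
    root = ET.fromstring(server_xml)
    problems = []
    by_port = defaultdict(list)  # port -> addresses bound on it ("*" = all interfaces)
    for conn in root.iter("Connector"):
        port = conn.get("port")
        addr = conn.get("address", "*")  # no address= means every interface
        if conn.get("secure", "false").lower() == "true" and not conn.get("keystoreFile"):
            problems.append(f"SSL Connector {addr}:{port} has no keystoreFile")
        by_port[port].append(addr)
    for port, addrs in by_port.items():
        # One wildcard Connector plus any other on the same port cannot both bind.
        if "*" in addrs and len(addrs) > 1:
            problems.append(
                f"port {port}: a Connector without address= takes all interfaces "
                f"and collides with the other Connector(s) on that port"
            )
        seen = set()
        for addr in addrs:
            if addr in seen and addr != "*":
                problems.append(f"port {port}: two Connectors bound to {addr}")
            seen.add(addr)
    return problems


if __name__ == "__main__":
    for label, xml_text in (("ok", SERVER_XML_OK), ("bad", SERVER_XML_BAD)):
        print(label, check_connectors(xml_text) or "no problems")
```

Run it against your own server.xml by reading the file into the string instead of the constructed fragment; the Administration tool's one-Connector-per-port limitation that the thread mentions does not apply when you edit the file directly, but the address/port collision check still does.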
Re: SSL in tomcat standalone with virtual hosts
OK, I've done some more searching, and one suggested strategy for trying to have several SSL certificates is to configure each as a service, and have them all listen on different ports. But if you do that, don't they each have to be listening on different ports?

What I'm looking for is a way to have several hosts within a single service, each with their own SSL certificate (and different IP address), and have them all listen on 443 for the https connections. They're glad to coexist when listening on 80, so it would seem like the same could work for 443.

I apologize if this is a dumb question, but if anyone can shed some light (or links) I'd very much appreciate it.

rj

At 06:29 PM 8/18/2004, RJ wrote:

I've tried searching the archives, but haven't found a good answer to this. I've got standalone tomcat (5.0.27) with connectors for 80 and 443, and several virtual hosts (each with their own IP). I got my first SSL certificate installed fine. However, I can't figure out how to put additional ones in. I read one post in the archives that said to create a new connector for each IP, but that doesn't work (at least using the Administration tool -- it only allows one connector on 443).

Thanks in advance!

rj
SSL in tomcat standalone with virtual hosts
I've tried searching the archives, but haven't found a good answer to this. I've got standalone tomcat (5.0.27) with connectors for 80 and 443, and several virtual hosts (each with their own IP). I got my first SSL certificate installed fine. However, I can't figure out how to put additional ones in. I read one post in the archives that said to create a new connector for each IP, but that doesn't work (at least using the Administration tool -- it only allows one connector on 443).

Thanks in advance!

rj
Re: ant problem compiling tomcat 5.0.25
Hate to reply to my own question, but I finally figured this out. If anybody else has the problem, the solution I found is at:

http://glacier.lbl.gov/software-cxx/troubleshooting.html

and involves doing this:

mv /etc/ant.conf /etc/ant.conf.save

I'm using ant 1.6.1 on Fedora Core 2 and trying to compile tomcat 5.0.25.

rj

At 08:15 AM 7/6/2004, RJ wrote:

Hopefully an easy question: I'm trying to compile tomcat using ant, which has worked fine a number of times before under RedHat Ent WS on other machines. Now I'm trying the same under the current Fedora, and ant chokes with:

Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/tools/ant/launch/Launcher

Maybe I'm not looking in the right place, but I can't find anything in the archives on this. Only thing different about this machine is that it's got less RAM (128MB) than the others.

Thanks in advance!

rj
ant problem compiling tomcat 5.0.25
Hopefully an easy question: I'm trying to compile tomcat using ant, which has worked fine a number of times before under RedHat Ent WS on other machines. Now I'm trying the same under the current Fedora, and ant chokes with:

Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/tools/ant/launch/Launcher

Maybe I'm not looking in the right place, but I can't find anything in the archives on this. Only thing different about this machine is that it's got less RAM (128MB) than the others.

Thanks in advance!

rj
Re: JSVC to run tomcat?
Hi:

I'm certainly no expert, but the way I did it, you don't directly invoke jsvc -- you just edit up the Tomcat5.sh script, and use it to start and stop tomcat: e.g., on my setup,

./usr/local/tomcat5/bin/jsvc-src/native/Tomcat5.sh start

The startup/shutdown script takes care of calling jsvc and giving it the right parameters.

rj

At 12:02 AM 5/28/2004, Justin Jaynes wrote:

I am very impressed with the responsiveness of this list. I appreciate all the help everyone has given me in learning about JSVC for running tomcat as an underprivileged user on ports 80 and 443. However, I am still running into a problem.

I created a tomcat user and group and all tomcat files and web application files are owned by tomcat. I compiled the jsvc and set my scripts to run jsvc with the proper options (I believe), and when I run the script, I get nothing but my prompt back. I run ps -ax and jsvc is NOT a running process. What am I doing wrong?

I run the command from my /tomcat/bin:

jsvc -Djava.endorsed.dirs=../common/endorsed -cp ./bin/bootstrap.jar -outfile ../logs/catalina.out -errfile ../logs/catalina.err org.apache.catalina.startup.Bootstrap

nothing

I run the command with the user option, (as in the scripts) again. nothing. No errors, no process.

Any help would be greatly appreciated.

Justin
RE: standalone production?
The http://jakarta.apache.org/tomcat/tomcat-5.0-doc/setup.html isn't the way for doing jsvc that I used (it didn't work right). You should already have jsvc.tar.gz in the bin dir for tomcat; unpack it, and follow the instructions in INSTALL.txt for building jsvc. There's a page for it at http://jakarta.apache.org/commons/daemon/jsvc.html as well.

Then, you use the tomcat/bin/jsvc-src/native/Tomcat5.sh script to start and stop it, after first editing that script to get the values in there right. Mine is as follows (that $DAEMON_HOME/jsvc-src/jsvc \ one was important, since it defaulted to a different directory structure than the one that was created by my jsvc and tomcat unpacking).

Then I did chown on the files in the tomcat directory to be my non-root 'tomcat' user, fixed the server.xml to have non-SSL Coyote HTTP/1.1 Connector on port 80 and SSL Coyote HTTP/1.1 Connector on port 443 and it seems to be working like a champ. I also got the logging running by un-commenting the AccessLogValve at the end of server.xml, and changed the pattern=common to pattern=combined so I could get apache-type logs like I had before. MUCH nicer than fooling with those connectors.

Now, if I can only figure out why the 'referer' is always blank when somebody first hits my site, I'll be very happy...

rj

#!/bin/sh
##
#
#   Copyright 2004 The Apache Software Foundation.
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.
##
#
# Small shell script to show how to start/stop Tomcat using jsvc
# If you want to have Tomcat running on port 80 please modify the server.xml
# file:
#
#
#
#
# That is for Tomcat-5.0.x (Apache Tomcat/5.0)
#
# Adapt the following lines to your configuration
JAVA_HOME=/usr/java/j2sdk1.4.2_03
CATALINA_HOME=/usr/local/tomcat5
DAEMON_HOME=/usr/local/tomcat5/bin
TOMCAT_USER=tomcat
TMP_DIR=/var/tmp
CATALINA_OPTS="-Xms64m -Xmx200m"
CLASSPATH=\
$JAVA_HOME/lib/tools.jar:\
$CATALINA_HOME/bin/commons-daemon.jar:\
$CATALINA_HOME/bin/bootstrap.jar

case "$1" in
  start)
    #
    # Start Tomcat
    #
    $DAEMON_HOME/jsvc-src/jsvc \
    -user $TOMCAT_USER \
    -home $JAVA_HOME \
    -Dcatalina.home=$CATALINA_HOME \
    -Djava.io.tmpdir=$TMP_DIR \
    -outfile $CATALINA_HOME/logs/catalina.out \
    -errfile '&1' \
    $CATALINA_OPTS \
    -cp $CLASSPATH \
    org.apache.catalina.startup.Bootstrap
    #
    # To get a verbose JVM
    #-verbose \
    # To get a debug of jsvc.
    #-debug \
    ;;

  stop)
    #
    # Stop Tomcat
    #
    PID=`cat /var/run/jsvc.pid`
    kill $PID
    ;;

  *)
    echo "Usage tomcat.sh start/stop"
    exit 1;;
esac

At 03:19 AM 5/27/2004, Justin Jaynes wrote:

I am intending to run in a fully internet exposed environment and I only have ONE physical machine to use for deployment. It will be directly connected to the internet at a co-location service provider. So ...

In a conversation from yesterday, it appears another user had a similar question. How to run on port 80, securely. Is it possible to run tomcat with a non-privileged user? What is this JSVC approach they referred to, and what is the solution that was given? Where can I go to read more?
Tomcat logging and the referer
Hello all:

After my wonderful experience getting standalone tomcat with SSL running non-root today, there's only one hitch: I'm using the combined log format, and it seems to be OK, except that on the first hit on my site (to the static index.html page) the referer field is always "-". Subsequent hits from pages within the site show the correct referer, but my main interest is that initial one.

Anybody have any thoughts on how I can get that to show?

rj
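A "-" referer on the first hit is what the combined format records whenever the browser sends no Referer header, which is the normal case for a typed URL or a bookmark; the server cannot produce one. What you can do is measure how often entry hits arrive with no referer versus an outside referer, keeping in mind that the field is client-supplied and should never be trusted for access decisions. The parser below is an added example, not code from the thread or from Tomcat's AccessLogValve; it runs over constructed combined-format lines (hypothetical addresses and hostnames) and classifies each hit's referer as none, internal or external relative to a site hostname you pass in:

```python
import re
from urllib.parse import urlsplit

# Apache/Tomcat "combined" access log format (AccessLogValve pattern="combined"):
# host ident authuser [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (hypothetical client addresses and hostnames).
SAMPLE_LOG = """\
203.0.113.5 - - [26/May/2004:10:19:07 -0400] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0 (compatible)"
203.0.113.5 - - [26/May/2004:10:19:09 -0400] "GET /about.html HTTP/1.1" 200 1105 "http://www.example.com/index.html" "Mozilla/4.0 (compatible)"
198.51.100.7 - - [26/May/2004:10:20:01 -0400] "GET /index.html HTTP/1.1" 200 2326 "http://search.example.net/?q=tomcat" "Mozilla/4.0 (compatible)"
198.51.100.7 - - [26/May/2004:10:20:05 -0400] "GET /missing HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible)"
this line is not in combined format
"""


def parse_combined(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec


def classify_referer(referer, site_host):
    """'none' for "-" (no Referer header sent), 'internal' if the host is ours, else 'external'."""
    if referer in ("", "-"):
        return "none"
    host = urlsplit(referer).hostname or ""
    return "internal" if host.lower() == site_host.lower() else "external"


def referer_report(log_text, site_host):
    """Count hits by referer class; unparsable lines are counted, not silently dropped."""
    report = {"parsed": 0, "unparsed": 0, "none": 0, "internal": 0, "external": 0}
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        report["parsed"] += 1
        report[classify_referer(rec["referer"], site_host)] += 1
    return report


if __name__ == "__main__":
    print(referer_report(SAMPLE_LOG, "www.example.com"))
```

Point it at the real file with open(...).read() in place of SAMPLE_LOG and pass the hostname your visitors use; the "unparsed" count is a quick check that the valve really is writing the combined pattern and not the common one.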
RE: Tomcat as 'root' insecure? (again)
Yoav et al:

Thanks a million! When editing up the tomcat5.sh script, I also needed to fix the DAEMON_HOME and the reference to it in the 'start' method to go to the right path (it unpacked to something other than the expected /src/native/unix/jsvc ). And chown all the files to my tomcat user.

Now if I can just figure out how to get usage logs that are roughly comparable to what Apache put out, I'll be set! (and the issue of SSL, which seems to have gotten a lot of discussion lately). Using tomcat on 80 instead of fooling with that always-painful task of linking to Apache will hopefully make support over the long term a lot easier proposition than trying to keep up with that always-moving target that the connectors pose...

Thanks again.

rj

At 10:35 AM 5/26/2004, Shapira, Yoav wrote:

Hi,

You're better off grabbing the Tomcat5.sh script from $CATALINA_HOME/bin/jsvc-src/native (you need to unpack jsvc.tar.gz but I think you've already done that). Modify the couple of lines at the top to reflect your proper JAVA_HOME and CATALINA_HOME, and you should be all set.

Yoav Shapira
Millennium Research Informatics

> -----Original Message-----
> From: RJ [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 26, 2004 10:31 AM
> To: Tomcat Users List
> Subject: Re: Tomcat as 'root' insecure? (again)
>
> OK, I've been running tomcat behind apache for ages, and
> now I want to go with Yoav's oft-stated advice to just
> use tomcat (5.0.24) alone. And I want it on port 80.
>
> So, I try to use the jsvc approach, telling it to go to
> the nonprivileged tomcat user by (from the tomcat site):
>
> ./bin/jsvc -Djava.endorsed.dirs=./common/endorsed -cp ./bin/bootstrap.jar \
>     -outfile ./logs/catalina.out -errfile ./logs/catalina.err \
>     org.apache.catalina.startup.Bootstrap -user tomcat
>
> However, that chokes as follows, as it apparently can't use port
> 80 as I'm wanting it to.
>
> I'm sure this must be trivial, but all help would be
> appreciated!
>
> rj
>
> May 26, 2004 10:19:07 AM org.apache.coyote.http11.Http11Protocol start
> SEVERE: Error starting endpoint
> java.net.BindException: Permission denied:80
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:258)
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:275)
>         at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:177)
>         at org.apache.coyote.tomcat5.CoyoteConnector.start(CoyoteConnector.java:1500)
>         at org.apache.catalina.core.StandardService.start(StandardService.java:485)
>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:2298)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:556)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:324)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:284)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:324)
>         at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:218)
> May 26, 2004 10:19:07 AM org.apache.catalina.startup.Catalina start
> SEVERE: Catalina.start:
> LifecycleException: Protocol handler start failed: java.net.BindException: Permission denied:80
>         at org.apache.coyote.tomcat5.CoyoteConnector.start(CoyoteConnector.java:1502)
>         at org.apache.catalina.core.StandardService.start(StandardService.java:485)
>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:2298)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:556)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:324)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:284)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(Nat
Re: Tomcat as 'root' insecure? (again)
OK, I've been running tomcat behind apache for ages, and now I want to go with Yoav's oft-stated advice to just use tomcat (5.0.24) alone. And I want it on port 80.

So, I try to use the jsvc approach, telling it to go to the nonprivileged tomcat user by (from the tomcat site):

./bin/jsvc -Djava.endorsed.dirs=./common/endorsed -cp ./bin/bootstrap.jar \
    -outfile ./logs/catalina.out -errfile ./logs/catalina.err \
    org.apache.catalina.startup.Bootstrap -user tomcat

However, that chokes as follows, as it apparently can't use port 80 as I'm wanting it to.

I'm sure this must be trivial, but all help would be appreciated!

rj

May 26, 2004 10:19:07 AM org.apache.coyote.http11.Http11Protocol start
SEVERE: Error starting endpoint
java.net.BindException: Permission denied:80
        at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:258)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:275)
        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:177)
        at org.apache.coyote.tomcat5.CoyoteConnector.start(CoyoteConnector.java:1500)
        at org.apache.catalina.core.StandardService.start(StandardService.java:485)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:2298)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:556)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:284)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:218)
May 26, 2004 10:19:07 AM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
LifecycleException: Protocol handler start failed: java.net.BindException: Permission denied:80
        at org.apache.coyote.tomcat5.CoyoteConnector.start(CoyoteConnector.java:1502)
        at org.apache.catalina.core.StandardService.start(StandardService.java:485)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:2298)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:556)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:284)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:218)
May 26, 2004 10:19:07 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 5160 ms

At 04:01 PM 5/25/2004, David Smith wrote:

I use jsvc which launches as root just long enough to capture the privileged ports necessary and then drops the root privilege to run as tomcat5. Very clean, runs on startup, and I don't have to worry about some unforeseen problem giving an attacker instant root privilege.
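The BindException above is exactly what the jsvc approach David Smith describes avoids: a process that is already running as the tomcat user cannot bind port 80, so the bind has to happen before the privilege drop, and the drop has to be ordered (supplementary groups, then gid, then uid) so that it cannot be undone. The script below is an added example, not jsvc's code or anything from the thread; it shows that bind-then-drop sequence in Python, verifies afterwards that the process is no longer root, and includes a self-check on an ephemeral loopback port so it runs without root (the real daemon would bind 0.0.0.0:80 and pass the tomcat uid/gid):

```python
import errno
import os
import socket


def bind_then_drop(port, uid, gid, host="0.0.0.0", backlog=50):
    """Open the listening socket first, then drop root; the socket stays usable afterwards."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))   # binding a port below 1024 is the only step that needs root
    sock.listen(backlog)
    if os.geteuid() == 0:
        os.setgroups([])      # shed supplementary groups (e.g. wheel) before anything else
        os.setgid(gid)        # gid before uid: once uid is unprivileged, setgid() would fail
        os.setuid(uid)        # setuid(), not seteuid(): a saved root uid could be restored
    if uid != 0 and os.geteuid() == 0:
        sock.close()          # never carry on serving as root when a drop was requested
        raise RuntimeError("privilege drop failed; refusing to run as root")
    return sock


def has_bind_permission(port, host="127.0.0.1"):
    """True if this process is allowed to bind the port; after a real drop, port 80 gives False."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((host, port))
        return True
    except OSError as exc:
        # EADDRINUSE still means we had permission; only EACCES is a privilege failure.
        return exc.errno != errno.EACCES
    finally:
        probe.close()


def demo_ephemeral():
    """Self-check: bind an ephemeral loopback port and 'drop' to the current uid/gid (no root needed)."""
    sock = bind_then_drop(0, os.getuid(), os.getgid(), host="127.0.0.1")
    try:
        return {"port": sock.getsockname()[1], "euid": os.geteuid(), "uid": os.getuid()}
    finally:
        sock.close()


if __name__ == "__main__":
    info = demo_ephemeral()
    print("listening on port", info["port"], "as euid", info["euid"])
    print("may bind port 80 now:", has_bind_permission(80))
```

Run as root with port=80 and the tomcat user's uid/gid, the returned socket keeps serving while has_bind_permission(80) turns False, which is the property you want to confirm after any privilege-dropping launcher: the listener works, and the process can no longer reacquire what it gave up.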