Re: Persist function in host manager working in 9.0.60 but not 10.1.x

2023-07-26 Thread Fong Mason
Hi Chris,


From: Christopher Schultz
Sent: July 27, 2023 0:35
To: users@tomcat.apache.org
Subject: Re: Persist function in host manager working in 9.0.60 but not 10.1.x

Mason,

On 7/24/23 20:39, Fong Mason wrote:
> Last month I setup a new Tomcat instance (10.1.9) since I want to have a try 
> of Spring 6.x. Everything was working fine until I need to add a new virtual 
> host. I had followed the instructions in 
> https://tomcat.apache.org/tomcat-10.1-doc/host-manager-howto.html to add a 
> new Listener in server.xml. After I added a new virtual host and pressed 
> “All” under persist configuration, the GUI said “OK - Configuration 
> persisted” but actually the config is not persisted. I checked the log and 
> found the following error:
> org.apache.catalina.storeconfig.StoreConfig.store Error storing server
> java.lang.NoSuchMethodException:
> org.apache.catalina.realm.CombinedRealm$CombinedRealmCredentialHandler.()
>
> I tried to upgrade to 10.1.11 but the same problem exists, the same also 
> happened for 9.0.78.
>
> Then I downloaded 9.0.60 to try as I have another server running it and the 
> persist function is working there. This time everything worked as expected. I 
> tried to look at the source code of 9.0.60 and seems there is no 
> CombinedRealmCredentialHandler subclass in 9.0.60 but only in later
> versions. I am not sure if this is the cause of the problem though.
>
> Any suggestion to make persist function work in host manager to work in 10.x? 
> Many thanks.
>
> Please find my environment for your reference
> OS: Ubuntu Server 20.04.6 LTS
> Tomcat: 9.0.78/10.1.9/10.1.11
> JVM: 17.0.7 (17.0.7.+7-Ubuntu-0ubuntu120.04), this is a package provided by 
> Ubuntu

It looks like this is a problem with any use of the
CombinedRealmCredentialHandler: that class isn't effectively Serializable
because the class is private.

Can you post the full stack trace?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Thanks for your response, please find the full stack trace found in the log of
10.1.11 as follows: (the ones for 9.0.78 and 10.1.9 are basically the same so I
don't post them here)

25-Jul-2023 02:47:10.537 SEVERE [http-nio-8080-exec-5] org.apache.catalina.storeconfig.StoreConfig.store Error storing server
  java.lang.NoSuchMethodException: org.apache.catalina.realm.CombinedRealm$CombinedRealmCredentialHandler.()
    at java.base/java.lang.Class.getConstructor0(Class.java:3585)
    at java.base/java.lang.Class.getConstructor(Class.java:2271)
    at org.apache.catalina.storeconfig.StoreAppender.defaultInstance(StoreAppender.java:334)
    at org.apache.catalina.storeconfig.StoreAppender.printAttributes(StoreAppender.java:233)
    at org.apache.catalina.storeconfig.StoreAppender.printAttributes(StoreAppender.java:195)
    at org.apache.catalina.storeconfig.StoreAppender.printOpenTag(StoreAppender.java:74)
    at org.apache.catalina.storeconfig.StoreFactoryBase.store(StoreFactoryBase.java:127)
    at org.apache.catalina.storeconfig.CredentialHandlerSF.store(CredentialHandlerSF.java:58)
    at org.apache.catalina.storeconfig.StoreFactoryBase.storeElement(StoreFactoryBase.java:171)
    at org.apache.catalina.storeconfig.RealmSF.storeChildren(RealmSF.java:89)
    at org.apache.catalina.storeconfig.RealmSF.store(RealmSF.java:49)
    at org.apache.catalina.storeconfig.StoreFactoryBase.storeElement(StoreFactoryBase.java:171)
    at org.apache.catalina.storeconfig.StandardEngineSF.storeChildren(StandardEngineSF.java:66)
    at org.apache.catalina.storeconfig.StoreFactoryBase.store(StoreFactoryBase.java:129)
    at org.apache.catalina.storeconfig.StandardServiceSF.storeChildren(StandardServiceSF.java:63)
    at org.apache.catalina.storeconfig.StoreFactoryBase.store(StoreFactoryBase.java:129)
    at org.apache.catalina.storeconfig.StoreFactoryBase.storeElement(StoreFactoryBase.java:171)
    at org.apache.catalina.storeconfig.StoreFactoryBase.storeElementArray(StoreFactoryBase.java:192)
    at org.apache.catalina.storeconfig.StandardServerSF.storeChildren(StandardServerSF.java:97)
    at org.apache.catalina.storeconfig.StoreFactoryBase.store(StoreFactoryBase.java:129)
    at org.apache.catalina.storeconfig.StandardServerSF.store(StandardServerSF.java:51)
    at org.apache.catalina.storeconfig.StoreConfig.store(StoreConfig.java:317)
    at org.apache.catalina.storeconfig.StoreConfig.store(StoreConfig.java:229)
    at org.apache.catalina.storeconfig.StoreConfig.storeConfig(StoreConfig.java:106)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at

Re: [External] Re: Supporting Proxy Protocol in Tomcat

2023-07-26 Thread Christopher Schultz

Mark,

On 7/26/23 13:58, Mark Thomas wrote:
> I'm not a huge fan of this feature in general. I prefer supporting
> features backed by specifications rather than vendor specific hacks.


I think the PROXY protocol is fairly standard, even if it's not backed 
by an RFC. It's published by haproxy, but supported by nginx, 
(obviously) haproxy, AWS, httpd[1], and a whole bunch of others 
(https://www.haproxy.com/blog/use-the-proxy-protocol-to-preserve-a-clients-ip-address).


Well, the reality is that people want to use this in the real world and 
this is essentially the only way to do it, barring coming up with a 
whole new protocol for the purpose (I'm looking at /you/ AJP!).


So why not use /the/ protocol that (a) exists and (b) is supported by 
every single product that currently supports this type of thing?



> My support for any patch is going to depend on the specifics of the patch.
>
> In addition to the comments in the BZ
> - exposing the data as a request attribute is inconsistent with other
>   mechanisms that solve the same problem (e.g. see RemoteIpFilter)


+1

The whole point of PROXY is to kind of mix-together the capabilities of 
both the RemoteIPFilter/Valve (which uses HTTP headers for 
source-information) and the top-level idea of a Connector (something 
that binds to a socket and pushes bytes around).


The confusing thing here is that those two jobs are performed at 
relatively different levels in Tomcat at the moment, as I understand things.


If some kind of UberConnector could be built which essentially does 
something like the following, it would be ideal:


public void accept(Socket s) {
  ProxyHeader proxyHeader = readProxyHeader(s);

  Connector realConnector = getRealConnector();

  realConnector.setRemoteIP(proxyHeader.getRemoteIP());
  realConnector.setRemotePort(proxyHeader.getRemotePort());

  realConnector.takeItAway(s);
}

I'm sure there are other pieces of information that would be good to 
pass-through, but the identity of the remote client is the most 
interesting one.



> - needs to be implemented for all Connectors


I hope not. The connectors should be able to just have a thin layer in 
front of them "sipping" the header off the beginning of the connection. 
I am *way* out of my depth here when it comes to Tomcat internals and so 
I don't want to appear to be telling you (Mark) "how it works/should 
work", but conceptually it "seems easy". That may not translate into 
"easy implementation" or it may mean "tons of refactoring that we 
wouldn't need if we didn't care that much."



> - I'd expect it to look more like the SNI processing


SNI processing is very connector-dependent, of course, because it's 
HTTPS-only. PROXY should allow HTTP, HTTPS, AJP, SFTP, JDBC, anything. 
So if it can be implemented as something that can just "sit in front of" 
*any* connector now or in the future of Tomcat, that would be ideal. It 
could definitely be implemented as an "optional feature" on a 
Connector-by-Connector basis, but my sense is that it can be done 
separately and globally.


Again, I'm speaking from a position of profound ignorance, here. Please 
don't hear me say "oh, this is easy, Mark... just go do it!" :)


> Generally, I don't think implementing this is going to be possible as
> some sort of plug-in.


+1 Unless the plug-in is "a whole new set of protocol/endpoint/etc. 
handlers" which is a rather serious commitment.


-chris

[1] https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html search for 
"haproxy"



On 26/07/2023 17:44, Amit Pande wrote:

Missed to ask this:

Looking the patch, it involves modifying Tomcat code.
Was wondering if it would be possible to refactor this patch and/or 
allow Tomcat core code to extend and plug-in the proxy protocol support?


Thanks,
Amit

-Original Message-
From: Amit Pande
Sent: Wednesday, July 26, 2023 11:43 AM
To: Tomcat Users List 
Subject: RE: [External] Re: Supporting Proxy Protocol in Tomcat

Chris, Mark,

Any thoughts on this?

Mark, if we clean up the patch and re-submit, do you will have any 
concerns (specially security wise)?


Thanks,
Amit

-Original Message-
From: Jonathan S. Fisher 
Sent: Monday, July 24, 2023 12:41 PM
To: Tomcat Users List 
Subject: Re: [External] Re: Supporting Proxy Protocol in Tomcat

Just a side note, because we're also very interested in this patch!

Awhile back, I was successfully able to apply this patch and terminate 
TCP/TLS using HaProxy. We then had Tomcat listen on a unix domain 
socket and the Proxy protocol provided *most *of the relevant/required 
information to tomcat. I believe we had to add a Valve to tomcat to 
set the Remote IP however as the patch didn't handle that case.


I can find my notes from that experiment, but I do remember getting a 
significant boost in throughput and decrease in latency.


+1 for this patch and willing to help out!

On Mon, Jul 24, 2023 at 11:22 AM Amit Pande 


wrote:


Thank you, Chris, again for inputs.
And sorry to circle back on this, 
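
Added example, not part of the thread and not the patch attached to Bugzilla 57830: a minimal Java 17 reader for the text (version 1) header of the haproxy PROXY protocol, illustrating the "thin layer in front of the connector" idea from the message above. It consumes exactly one header line, leaves the rest of the stream untouched, and honors the header only from an allow-listed proxy address; `ProxyV1Reader`, `Header` and the sample addresses are hypothetical, and the binary version 2 header is not handled.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import java.util.regex.Pattern;

/** Added illustration (hypothetical class, not Tomcat code): PROXY protocol v1 header reader. */
public final class ProxyV1Reader {

    /** Addresses the proxy reports: src is the original client, dst is where it connected. */
    public record Header(InetAddress src, int srcPort, InetAddress dst, int dstPort) {}

    private static final int MAX_LINE = 107; // longest v1 header the spec allows, CRLF included
    private static final String OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
    private static final Pattern IPV4 = Pattern.compile("(" + OCTET + "\\.){3}" + OCTET);
    // Hex digits and colons only, at least one colon: can never be mistaken for a host name.
    private static final Pattern IPV6 = Pattern.compile("(?=.*:)[0-9A-Fa-f:]{2,39}");
    private static final Pattern PORT = Pattern.compile("0|[1-9]\\d{0,4}");

    /**
     * Consumes exactly one header line from the start of the stream, so the bytes
     * after it reach the real protocol handler untouched. Returns null for
     * "PROXY UNKNOWN", where the caller keeps the socket's own peer address.
     */
    public static Header read(InetAddress peer, Set<InetAddress> trustedProxies, InputStream in)
            throws IOException {
        // Any client can type a PROXY line, so it is honored only from allow-listed proxies.
        if (!trustedProxies.contains(peer)) {
            throw new IOException("PROXY header from untrusted peer " + peer.getHostAddress());
        }
        byte[] buf = new byte[MAX_LINE];
        int n = 0;
        while (true) { // one byte at a time: never read past the header into the payload
            int b = in.read();
            if (b < 0) throw new IOException("stream ended inside PROXY header");
            if (n == MAX_LINE) throw new IOException("PROXY header longer than 107 bytes");
            buf[n++] = (byte) b;
            if (b == '\n') break;
        }
        if (n < 2 || buf[n - 2] != '\r') throw new IOException("PROXY header not CRLF-terminated");
        String[] f = new String(buf, 0, n - 2, StandardCharsets.US_ASCII).split(" ", -1);
        if (f.length < 2 || !f[0].equals("PROXY")) throw new IOException("not a PROXY v1 header");
        if (f[1].equals("UNKNOWN")) return null; // the spec says to ignore the rest of the line
        if (f.length != 6) throw new IOException("wrong field count in PROXY header");
        Pattern addr;
        switch (f[1]) {
            case "TCP4": addr = IPV4; break;
            case "TCP6": addr = IPV6; break;
            default: throw new IOException("unsupported protocol in PROXY header");
        }
        // Wire order is: src address, dst address, src port, dst port.
        return new Header(literal(f[2], addr), port(f[4]), literal(f[3], addr), port(f[5]));
    }

    private static InetAddress literal(String s, Pattern p) throws IOException {
        // Validate the text first so getByName() only parses a literal and never does a DNS lookup.
        if (!p.matcher(s).matches()) throw new IOException("bad address in PROXY header");
        return InetAddress.getByName(s);
    }

    private static int port(String s) throws IOException {
        if (!PORT.matcher(s).matches()) throw new IOException("bad port in PROXY header");
        int p = Integer.parseInt(s);
        if (p > 65535) throw new IOException("port out of range in PROXY header");
        return p;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the bytes a proxy at 10.0.0.5 would send ahead of a client's request.
        byte[] wire = ("PROXY TCP4 203.0.113.7 10.0.0.20 51234 8080\r\n"
                + "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n").getBytes(StandardCharsets.US_ASCII);
        InetAddress proxy = InetAddress.getByName("10.0.0.5");
        InputStream in = new ByteArrayInputStream(wire);
        Header h = read(proxy, Set.of(proxy), in);
        System.out.println("client " + h.src().getHostAddress() + ":" + h.srcPort());
        // The HTTP request is still in the stream for the connector to parse.
        String rest = new String(in.readAllBytes(), StandardCharsets.US_ASCII);
        System.out.println("next line: " + rest.substring(0, rest.indexOf('\r')));
    }
}
```

The allow-list check is what separates this from trusting a client-supplied address: a listener that expects the header but is reachable by anything other than the proxy lets any client claim an arbitrary source IP.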

Re: [External] Re: Supporting Proxy Protocol in Tomcat

2023-07-26 Thread Jonathan S. Fisher
Mark, thank you for your feedback. I hope to settle some worry here:
> I prefer supporting features backed by specifications rather than vendor
> specific hacks.

I totally understand and agree. This is a standardized specification with a
control document.
Spec: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

The Proxy protocol is actually widely deployed and available today; I'll
provide as many references as I know of:

HaProxy Support: (See spec doc above)
Apache Support:
https://roadrunner2.github.io/mod-proxy-protocol/mod_proxy_protocol.html
Nginx Support:
https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol
Amazon Web Services Support:
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#proxy-protocol
Google Cloud Support:
https://cloud.google.com/load-balancing/docs/tcp/setting-up-tcp#proxy-protocol
Cloudflare Support:
https://developers.cloudflare.com/spectrum/how-to/enable-proxy-protocol/
DigitalOcean Support:
https://docs.digitalocean.com/products/networking/load-balancers/how-to/manage/#proxy-protocol
Linode Support:
https://www.linode.com/docs/products/networking/nodebalancers/guides/proxy-protocol

These are just the usages that I'm aware of. Having support in Tomcat for
Proxy Protocol means these load balancers above can speak to Tomcat in a
more direct manner. A Google search returns even wider support from
everything on databases to some people supporting this through F5 load
balancers scripts.

Thank you again for your consideration,


On Wed, Jul 26, 2023 at 12:58 PM Mark Thomas  wrote:

> I'm not a huge fan of this feature in general. I prefer supporting
> features backed by specifications rather than vendor specific hacks.
>
> My support for any patch is going to depend on the specifics of the patch.
>
> In addition to the comments in the BZ
> - exposing the data as a request attribute is inconsistent with other
>mechanisms that solve the same problem (e.g. see RemoteIpFilter)
>
> - needs to be implemented for all Connectors
>
> - I'd expect it to look more like the SNI processing
>
> Generally, I don't think implementing this is going to be possible as
> some sort of plug-in.
>
> Mark
>
>
> On 26/07/2023 17:44, Amit Pande wrote:
> > Missed to ask this:
> >
> > Looking the patch, it involves modifying Tomcat code.
> > Was wondering if it would be possible to refactor this patch and/or
> allow Tomcat core code to extend and plug-in the proxy protocol support?
> >
> > Thanks,
> > Amit
> >
> > -Original Message-
> > From: Amit Pande
> > Sent: Wednesday, July 26, 2023 11:43 AM
> > To: Tomcat Users List 
> > Subject: RE: [External] Re: Supporting Proxy Protocol in Tomcat
> >
> > Chris, Mark,
> >
> > Any thoughts on this?
> >
> > Mark, if we clean up the patch and re-submit, do you will have any
> concerns (specially security wise)?
> >
> > Thanks,
> > Amit
> >
> > -Original Message-
> > From: Jonathan S. Fisher 
> > Sent: Monday, July 24, 2023 12:41 PM
> > To: Tomcat Users List 
> > Subject: Re: [External] Re: Supporting Proxy Protocol in Tomcat
> >
> > Just a side note, because we're also very interested in this patch!
> >
> > Awhile back, I was successfully able to apply this patch and terminate
> TCP/TLS using HaProxy. We then had Tomcat listen on a unix domain socket
> and the Proxy protocol provided *most *of the relevant/required information
> to tomcat. I believe we had to add a Valve to tomcat to set the Remote IP
> however as the patch didn't handle that case.
> >
> > I can find my notes from that experiment, but I do remember getting a
> significant boost in throughput and decrease in latency.
> >
> > +1 for this patch and willing to help out!
> >
> > On Mon, Jul 24, 2023 at 11:22 AM Amit Pande  .invalid>
> > wrote:
> >
> >> Thank you, Chris, again for inputs.
> >> And sorry to circle back on this, late.
> >>
> >> One related question is - does it make sense to use the patch attached
> >> in
> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830 ?
> >> And potentially, get it integrated into Tomcat versions?
> >>
> >> There are concerns from Mark about using the patch in its current
> >> state, but I see last comment (#24) on the issue and looks like there
> >> are some more points to be concluded.
> >>
> >> Thanks,
> >> Amit
> >>
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Wednesday, May 10, 2023 4:21 PM
> >> To: users@tomcat.apache.org
> >> Subject: Re: [External] Re: Supporting Proxy Protocol in Tomcat
> >>
> >> Amit,
> >>
> >> On 5/10/23 12:59, Amit Pande wrote:
> >>> Yes, we intended to have Tomcat run behind a (transparent) TCP proxy
> e.g.
> >>>
> >> https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency

Re: [External] Re: Supporting Proxy Protocol in Tomcat

2023-07-26 Thread Mark Thomas
I'm not a huge fan of this feature in general. I prefer supporting 
features backed by specifications rather than vendor specific hacks.


My support for any patch is going to depend on the specifics of the patch.

In addition to the comments in the BZ
- exposing the data as a request attribute is inconsistent with other
  mechanisms that solve the same problem (e.g. see RemoteIpFilter)

- needs to be implemented for all Connectors

- I'd expect it to look more like the SNI processing

Generally, I don't think implementing this is going to be possible as 
some sort of plug-in.


Mark


On 26/07/2023 17:44, Amit Pande wrote:

Missed to ask this:

Looking the patch, it involves modifying Tomcat code.
Was wondering if it would be possible to refactor this patch and/or allow 
Tomcat core code to extend and plug-in the proxy protocol support?

Thanks,
Amit

-Original Message-
From: Amit Pande
Sent: Wednesday, July 26, 2023 11:43 AM
To: Tomcat Users List 
Subject: RE: [External] Re: Supporting Proxy Protocol in Tomcat

Chris, Mark,

Any thoughts on this?

Mark, if we clean up the patch and re-submit, do you will have any concerns 
(specially security wise)?

Thanks,
Amit

-Original Message-
From: Jonathan S. Fisher 
Sent: Monday, July 24, 2023 12:41 PM
To: Tomcat Users List 
Subject: Re: [External] Re: Supporting Proxy Protocol in Tomcat

Just a side note, because we're also very interested in this patch!

Awhile back, I was successfully able to apply this patch and terminate TCP/TLS 
using HaProxy. We then had Tomcat listen on a unix domain socket and the Proxy 
protocol provided *most *of the relevant/required information to tomcat. I 
believe we had to add a Valve to tomcat to set the Remote IP however as the 
patch didn't handle that case.

I can find my notes from that experiment, but I do remember getting a 
significant boost in throughput and decrease in latency.

+1 for this patch and willing to help out!

On Mon, Jul 24, 2023 at 11:22 AM Amit Pande 
wrote:


Thank you, Chris, again for inputs.
And sorry to circle back on this, late.

One related question is - does it make sense to use the patch attached
in
https://bz.apache.org/bugzilla/show_bug.cgi?id=57830 ?
And potentially, get it integrated into Tomcat versions?

There are concerns from Mark about using the patch in its current
state, but I see last comment (#24) on the issue and looks like there
are some more points to be concluded.

Thanks,
Amit

-Original Message-
From: Christopher Schultz 
Sent: Wednesday, May 10, 2023 4:21 PM
To: users@tomcat.apache.org
Subject: Re: [External] Re: Supporting Proxy Protocol in Tomcat

Amit,

On 5/10/23 12:59, Amit Pande wrote:

Yes, we intended to have Tomcat run behind a (transparent) TCP proxy e.g.


https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency
which supports the proxy protocol.


Since there is not much action on this

https://bz.apache.org/bugzilla/show_bug.cgi?id=57830,
 does it imply that most of the times Tomcat is running behind HTTP proxies and not TCP 
proxies?

Or does it mean that, Tomcat or applications running in Tomcat does
not

need the remote client address information?

I can't speak for anybody else, but I use Apache httpd as my
reverse-proxy and I do terminate TLS. I also use it for
load-balancing/fail-over, caching, some authorization, etc. I wouldn't
be able to use a TCP load-balancer because I hide multiple services
behind my reverse-proxy which run in different places. It's not just a dumb
pass-through.

Hope that helps,
-chris


-Original Message-
From: Christopher Schultz 
Sent: Monday, May 8, 2023 3:40 PM
To: users@tomcat.apache.org
Subject: [External] Re: Supporting Proxy Protocol in Tomcat

Amit,

On 5/4/23 16:07, Amit Pande wrote:

We have a similar requirement as mentioned in the below enhancement

request.


https://bz.apache.org/bugzilla/show_bug.cgi?id=57830

RE: [External] Re: Supporting Proxy Protocol in Tomcat

2023-07-26 Thread Amit Pande
Missed to ask this:

Looking at the patch, it involves modifying Tomcat code.
Was wondering if it would be possible to refactor this patch and/or allow 
Tomcat core code to extend and plug-in the proxy protocol support?

Thanks,
Amit

-Original Message-
From: Amit Pande
Sent: Wednesday, July 26, 2023 11:43 AM
To: Tomcat Users List 
Subject: RE: [External] Re: Supporting Proxy Protocol in Tomcat

Chris, Mark,

Any thoughts on this?

Mark, if we clean up the patch and re-submit, do you will have any concerns 
(specially security wise)?

Thanks,
Amit

-Original Message-
From: Jonathan S. Fisher 
Sent: Monday, July 24, 2023 12:41 PM
To: Tomcat Users List 
Subject: Re: [External] Re: Supporting Proxy Protocol in Tomcat

Just a side note, because we're also very interested in this patch!

Awhile back, I was successfully able to apply this patch and terminate TCP/TLS 
using HaProxy. We then had Tomcat listen on a unix domain socket and the Proxy 
protocol provided *most *of the relevant/required information to tomcat. I 
believe we had to add a Valve to tomcat to set the Remote IP however as the 
patch didn't handle that case.

I can find my notes from that experiment, but I do remember getting a 
significant boost in throughput and decrease in latency.

+1 for this patch and willing to help out!

On Mon, Jul 24, 2023 at 11:22 AM Amit Pande 
wrote:

> Thank you, Chris, again for inputs.
> And sorry to circle back on this, late.
>
> One related question is - does it make sense to use the patch attached
> in
> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830 ?
> And potentially, get it integrated into Tomcat versions?
>
> There are concerns from Mark about using the patch in its current
> state, but I see last comment (#24) on the issue and looks like there
> are some more points to be concluded.
>
> Thanks,
> Amit
>
> -Original Message-
> From: Christopher Schultz 
> Sent: Wednesday, May 10, 2023 4:21 PM
> To: users@tomcat.apache.org
> Subject: Re: [External] Re: Supporting Proxy Protocol in Tomcat
>
> Amit,
>
> On 5/10/23 12:59, Amit Pande wrote:
> > Yes, we intended to have Tomcat run behind a (transparent) TCP proxy e.g.
> >
> https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency
> which supports the proxy protocol.
> >
> > Since there is not much action on this
> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830,
>  does it imply that most of the times Tomcat is running behind HTTP proxies 
> and not TCP proxies?
> > Or does it mean that, Tomcat or applications running in Tomcat does
> > not
> need the remote client address information?
>
> I can't speak for anybody else, but I use Apache httpd as my
> reverse-proxy and I do terminate TLS. I also use it for
> load-balancing/fail-over, caching, some authorization, etc. I wouldn't
> be able to use a TCP load-balancer because I hide multiple services
> behind my reverse-proxy which run in different places. It's not just a dumb
> pass-through.
>
> Hope that helps,
> -chris
>
> > -Original Message-
> > From: Christopher Schultz 
> > Sent: Monday, May 8, 2023 3:40 PM
> > To: users@tomcat.apache.org
> > Subject: [External] Re: Supporting Proxy Protocol in Tomcat
> >
> > Amit,
> >
> > On 5/4/23 16:07, Amit Pande wrote:
> >> We have a similar requirement as mentioned in the below enhancement
> request.
> >>
> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830
> >>
> >> Is there any plan to add this support in Tomcat in future releases?
> >
> > Nothing at the moment that I know of.
> >
> > I thought that markt had looked at this a while 

RE: [External] Re: Supporting Proxy Protocol in Tomcat

2023-07-26 Thread Amit Pande
Chris, Mark,

Any thoughts on this?

Mark, if we clean up the patch and re-submit, will you have any concerns
(especially security-wise)?

Thanks,
Amit

-Original Message-
From: Jonathan S. Fisher 
Sent: Monday, July 24, 2023 12:41 PM
To: Tomcat Users List 
Subject: Re: [External] Re: Supporting Proxy Protocol in Tomcat

Just a side note, because we're also very interested in this patch!

Awhile back, I was successfully able to apply this patch and terminate TCP/TLS 
using HaProxy. We then had Tomcat listen on a unix domain socket and the Proxy 
protocol provided *most *of the relevant/required information to tomcat. I 
believe we had to add a Valve to tomcat to set the Remote IP however as the 
patch didn't handle that case.

I can find my notes from that experiment, but I do remember getting a 
significant boost in throughput and decrease in latency.

+1 for this patch and willing to help out!

On Mon, Jul 24, 2023 at 11:22 AM Amit Pande 
wrote:

> Thank you, Chris, again for inputs.
> And sorry to circle back on this, late.
>
> One related question is - does it make sense to use the patch attached
> in
> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830 ?
> And potentially, get it integrated into Tomcat versions?
>
> There are concerns from Mark about using the patch in its current
> state, but I see last comment (#24) on the issue and looks like there
> are some more points to be concluded.
>
> Thanks,
> Amit
>
> -Original Message-
> From: Christopher Schultz 
> Sent: Wednesday, May 10, 2023 4:21 PM
> To: users@tomcat.apache.org
> Subject: Re: [External] Re: Supporting Proxy Protocol in Tomcat
>
> Amit,
>
> On 5/10/23 12:59, Amit Pande wrote:
> > Yes, we intended to have Tomcat run behind a (transparent) TCP proxy e.g.
> >
> https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency
> which supports the proxy protocol.
> >
> > Since there is not much action on this
> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830,
>  does it imply that most of the times Tomcat is running behind HTTP proxies 
> and not TCP proxies?
> > Or does it mean that, Tomcat or applications running in Tomcat does
> > not
> need the remote client address information?
>
> I can't speak for anybody else, but I use Apache httpd as my
> reverse-proxy and I do terminate TLS. I also use it for
> load-balancing/fail-over, caching, some authorization, etc. I wouldn't
> be able to use a TCP load-balancer because I hide multiple services
> behind my reverse-proxy which run in different places. It's not just a dumb
> pass-through.
>
> Hope that helps,
> -chris
>
> > -Original Message-
> > From: Christopher Schultz 
> > Sent: Monday, May 8, 2023 3:40 PM
> > To: users@tomcat.apache.org
> > Subject: [External] Re: Supporting Proxy Protocol in Tomcat
> >
> > Amit,
> >
> > On 5/4/23 16:07, Amit Pande wrote:
> >> We have a similar requirement as mentioned in the below enhancement
> request.
> >>
> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830
> >>
> >> Is there any plan to add this support in Tomcat in future releases?
> >
> > Nothing at the moment that I know of.
> >
> > I thought that markt had looked at this a while back and said it
> > didn't
> look too difficult. It does require Tomcat to handle the stream
> directly and not just rely on Java's SSLServerSocket. I thought that
> had been done at some point, but it may not have. Handling the stream
> directly may have some other advantages as well, though it definitely
> makes the code more complicated.
> >
> >> Also, since this was requested long time back and 

Re: Persist function in host manager working in 9.0.60 but not 10.1.x

2023-07-26 Thread Christopher Schultz

Mason,

On 7/24/23 20:39, Fong Mason wrote:

Last month I setup a new Tomcat instance (10.1.9) since I want to have a try of 
Spring 6.x. Everything was working fine until I need to add a new virtual host. 
I had followed the instructions in 
https://tomcat.apache.org/tomcat-10.1-doc/host-manager-howto.html to add a new 
Listener in server.xml. After I added a new virtual host and pressed “All” 
under persist configuration, the GUI said “OK - Configuration persisted” but 
actually the config is not persisted. I checked the log and found the following 
error:
org.apache.catalina.storeconfig.StoreConfig.store Error storing server
   java.lang.NoSuchMethodException:
org.apache.catalina.realm.CombinedRealm$CombinedRealmCredentialHandler.()

I tried to upgrade to 10.1.11 but the same problem exists, the same also 
happened for 9.0.78.

Then I downloaded 9.0.60 to try as I have another server running it and the 
persist function is working there. This time everything worked as expected. I 
tried to look at the source code of 9.0.60 and seems there is no 
CombinedRealmCredentialHandler subclass in 9.0.60 but only in later versions.
I am not sure if this is the cause of the problem though.

Any suggestion to make persist function work in host manager to work in 10.x? 
Many thanks.

Please find my environment for your reference
OS: Ubuntu Server 20.04.6 LTS
Tomcat: 9.0.78/10.1.9/10.1.11
JVM: 17.0.7 (17.0.7.+7-Ubuntu-0ubuntu120.04), this is a package provided by 
Ubuntu


It looks like this is a problem with any use of the 
CombinedRealmCredentialHandler: that class isn't effectively Serializable
because the class is private.


Can you post the full stack trace?

-chris
