On Thu, Feb 13, 2020 at 1:04 PM Olivier Jaquemet <olivier.jaque...@jalios.com> wrote:

> On 13/02/2020 12:41, Mark Thomas wrote:
> > On 13/02/2020 09:57, Olivier Jaquemet wrote:
> >> I understand the need to introduce a "secured by default" AJP configuration.
> >> However, I question one choice that was made for this change: the default behavior of the AJP connector to listen only on the loopback address.
> >>
> >> [...]
> >
> > You can specify "0.0.0.0" (IPv4) or "::" (IPv6) to restore the behaviour of listening on any address.
> >
> > Mark
>
> Thank you Mark. This should address this use case.
>
> Would you consider adding this binding information to the documentation (in the documentation of the address attribute)?

I would say no. These special address values are not specific to Tomcat; it's like documenting that 127.0.0.1 is the IPv4 loopback address [I guess it's more well known? hopefully?]. The address specified on the Connector element goes through InetAddress.getByName, so it's very flexible; it allows more than simple IP addresses.

Rémy

> To sum up:
> When migrating to Tomcat 8.5.51, 9.0.31 (and probably the next 7.0.x, as I saw you had also backported this change to the 7.0.x branch), if your server architecture is to expose Tomcat with an AJP connector to a remote distant front server, you can:
>
> either, *secure your installation* (obviously the recommended way on an untrusted network):
>
> - by specifying the valid IP address on which the connector must bind; this is done with the address attribute of the AJP connector.
>
> - by specifying a shared secret between the front server and the connector; this is done with the secret attribute of the AJP connector.
>
> or else, if you want your server.xml to be agnostic to the running host and remote front server, change your configuration back to the previous behavior, *BUT ONLY IF AND ONLY IF you are on a trusted network*:
>
> - by removing the explicit bind of the AJP connector, by specifying "0.0.0.0" (IPv4) or "::" (IPv6) in the address attribute of the AJP connector
>
> - by removing the need for a shared secret between the front server and Tomcat; this is done with the secretRequired="false" attribute of the AJP connector.
>
> Olivier
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
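The two knobs Olivier's summary turns on, the AJP connector's `address` and `secret`/`secretRequired` attributes, are easy to check mechanically before a migration to 8.5.51/9.0.31. The script below is an added example (not code from Tomcat or from anyone in this thread): it parses a constructed `server.xml` that contains the secured form, the trusted-network form, and a connector left at the new loopback default, and reports how exposed each AJP connector is. The sample addresses and secrets are placeholders, and the `risk` labels are this example's own classification, not a Tomcat concept.

```python
"""Audit AJP <Connector> elements in a Tomcat server.xml for bind address
and shared-secret settings. Added example; not part of Tomcat or the thread."""
import xml.etree.ElementTree as ET

# Values that restore the pre-8.5.51/9.0.31 "listen on any interface" behaviour.
WILDCARD_ADDRESSES = {"0.0.0.0", "::"}

# Constructed sample server.xml (placeholder addresses and secrets, not a real host).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <!-- Secured: bound to one interface, shared secret set -->
    <Connector port="8009" protocol="AJP/1.3" address="192.0.2.10"
               secret="PLACEHOLDER-long-random-value" />
    <!-- Trusted-network only: any interface, no secret -->
    <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0"
               secretRequired="false" />
    <!-- New default: no address attribute means loopback only -->
    <Connector port="8011" protocol="AJP/1.3" secret="PLACEHOLDER-other-value" />
  </Service>
</Server>
"""


def is_ajp(connector):
    """True for the AJP/1.3 shorthand or a fully qualified Ajp*Protocol class."""
    proto = connector.get("protocol", "HTTP/1.1")
    return proto.startswith("AJP/") or ".ajp." in proto


def classify_exposure(address):
    """Map the address attribute to where the listener is reachable from."""
    if address is None:
        return "loopback"          # 8.5.51/9.0.31 default when no address is given
    if address.strip() in WILDCARD_ADDRESSES:
        return "any-interface"
    return "specific-address"


def audit_ajp_connectors(xml_text):
    """Return one finding per AJP connector, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if not is_ajp(conn):
            continue
        exposure = classify_exposure(conn.get("address"))
        secret_required = conn.get("secretRequired", "true").lower() != "false"
        has_secret = bool(conn.get("secret"))

        if exposure == "loopback":
            risk = "info"          # only local processes can reach it
        elif not has_secret and exposure == "any-interface":
            risk = "high"          # Olivier's "trusted network only" configuration
        elif not has_secret:
            risk = "medium"        # reachable on one interface, unauthenticated
        else:
            risk = "low"           # remote front server must present the secret

        findings.append({
            "port": conn.get("port"),
            "exposure": exposure,
            "secret_required": secret_required,
            "has_secret": has_secret,
            "risk": risk,
        })
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"port {f['port']}: exposure={f['exposure']} "
              f"secret={'yes' if f['has_secret'] else 'no'} risk={f['risk']}")
```

Running it against a real `server.xml` is a matter of reading the file into `audit_ajp_connectors`; a `high` finding is exactly the case Olivier labels "only if you are on a trusted network", and a `medium` finding is a connector that has been pinned to an interface but still has no shared secret for the front server to present.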