On 13/02/2020 12:04, Olivier Jaquemet wrote:
> 
> On 13/02/2020 12:41, Mark Thomas wrote:
>> On 13/02/2020 09:57, Olivier Jaquemet wrote:
>>> I understand the need to introduce a "secured by default" AJP
>>> configuration.
>>> However, I question one choice that was made for this change : the
>>> default behavior of the AJP connector to listen only on the loopback
>>> address.
>>>
>>> [...]
>> You can specify "0.0.0.0" (IPv4) or "::" (IPv6) to restore the behaviour
>> of listening on any address.
>>
>> Mark
> 
> Thank you Mark. This should address this use case.
> 
> Would you consider adding this binding information to the documentation
> (in the documentation of the address attribute) ?

The migration guide might be a better place for that sort of thing. Care
to suggest a suitable change to this section:

http://tomcat.apache.org/migration-9.html#Tomcat_9.0.x_noteable_changes

(we can copy the text to the equivalent sections for 8.5.x and 7.0.x)?


> To sum up :
> When migrating to Tomcat 8.5.51, 9.0.31 (and probably the next 7.0.x as
> I saw you had also backported this change to the 7.0.x branch),

Correct.

> if your server architecture is to expose tomcat with an AJP connector,
> to a remote distant front server, you can :
> 
> either, *secure your installation* (obviously the recommended way on an
> untrusted network):
> 
> - by specifying the valid IP address on which the connector must bind;
> this is done with the address attribute of the AJP connector.
> 
> - by specifying a shared secret between the front server and the
> connector; this is done with the secret attribute of the AJP connector.
> 
> 
> or else, if you want your server.xml to be agnostic to the running host
> and remote front server, change your configuration back to the previous
> behavior, *BUT ONLY IF AND ONLY IF you are on a trusted network*:
> 
> - by removing the explicit bind of the AJP connector, by specifying "0.0.0.0"
> (IPv4) or "::" (IPv6) in the address attribute of the AJP connector
> 
> - by removing the need for a shared secret between the front server and
> Tomcat; this is done with the secretRequired="false" attribute of the AJP
> connector.

Correct. Nice summary.

Mark
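The two configurations summarised above, written out as server.xml Connector elements. This is an added example and not text from the thread or from the Tomcat documentation; the interface address 192.0.2.10, the port numbers and the placeholder secret are assumed values. The first Connector is the hardened form (explicit bind address plus a required shared secret); the second is the pre-8.5.51/9.0.31 behaviour restored and should only be used when every host that can reach port 8009 is trusted.

```xml
<!-- Added example, not from the thread. Goes inside <Service name="Catalina"> in server.xml. -->

<!-- Hardened AJP connector (recommended):
     - address: bind only on the interface the front server reaches Tomcat on
       (192.0.2.10 is an assumed internal address; omitting it binds loopback only)
     - secretRequired="true" is already the default; secret must then be set
       and the front server must send the same value -->
<Connector protocol="AJP/1.3"
           address="192.0.2.10"
           port="8009"
           secretRequired="true"
           secret="replace-with-a-long-random-value"
           redirectPort="8443" />

<!-- Permissive AJP connector (previous behaviour), TRUSTED NETWORKS ONLY:
     - address="0.0.0.0" (or "::" for IPv6) listens on every interface
     - secretRequired="false" lets any client that can reach the port speak AJP -->
<!--
<Connector protocol="AJP/1.3"
           address="0.0.0.0"
           port="8009"
           secretRequired="false"
           redirectPort="8443" />
-->
```

With the hardened form the front server has to present the same secret: mod_jk takes it from the worker's `secret` property (for example `worker.ajp13.secret=...` in workers.properties), and mod_proxy_ajp accepts a `secret=` parameter on ProxyPass from httpd 2.4.42 onwards, a release that postdates this thread. After restarting Tomcat, confirm the bind with `ss -ltnp | grep 8009` (or `netstat -an`): the listening address should be the interface you configured, not `0.0.0.0` or `:::`, unless you deliberately chose the permissive form.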

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org