On Mon, Feb 24, 2020, 14:19 Ellen Meiselman <elle...@gmail.com> wrote:
> Hi, > > I’m having a lot of trouble configuring the isapi_redirect connector > between IIS and Tomcat. I am running out of ideas so it’s time to ask for > help from the experts. I think the problems remaining are in the tomcat > configuration area, not the IIS area anymore. > > What’s wrong: > The ISAPI module appears to be working and correctly sending AJP requests > to Tomcat on port 8009, at which point Tomcat refuses those requests with a > 403 error. The isapi_redirect.log shows the complete content of the tomcat > response, and no longer shows any errors - in other words, it thinks it is > working. > > Text of the 403 error: > > HTTP Status 403 – Forbidden > Type Status Report > Description The server understood the request but refuses to > authorize it. > Apache Tomcat/8.5.51 > Is IIS returning the 403? If yes, we should see a "dot error" number, such as 403.1 or 403.2, and so on. What does work: > Requests directly to Tomcat on port 8080 to pages within the > connector-exposed web application work fine. > For example, both of these work: > localhost:8080/exposedApplication/simple.html. (viewed on the server’s > browser) > my.servers.domain.com:8080/exposedApplication/simple.html (viewed > anywhere else) > > > What does not work: > Requests that go through IIS and the connector to the connector-exposed > application result in a 403 error. > For example, this does not work: > https:my.servers.domain.com/exposedApplication/simple.html > > > This Windows 2019 setup has the following versions of tomcat, windows, etc: > > Tomcat version 8.5.51 > Isapi_redirect.dll version 1.2.46.0 > IIS 10/Windows server 2019 > > I also have two older, similar Windows Server environments that work > perfectly. They both use these versions: > > Tomcat version 8.5.3 (64 bit) as a service > Isapi_redirect.dll version 1.2.40.0 64 bit > IIS 8/Windows server 2012R2 > > > The component versions between the working and non-working environments > are slightly different, and I think that might be the source of the problem > - there are probably new configuration requirements that I need to be aware > of. I started with the settings used in the working environments and found > that some things needed to be changed to get the connector to work at alll. > For example I had to specify an iPv4 address for the connector where I > didn’t need to before. > > My theories at the moment: > 1. Maybe allowedRequestAttributesPattern is a problem? I saw a note about > the allowedRequestAttributesPattern attribute for the AJP connector > possibly causing a 403 error, but I don’t understand how to use it or if it > is needed. > 2. It’s possible that something in the Tomcat permissions settings are > wrong, but I really don’t know where to look. > > > Relevant configuration settings in server.xml, workers.properties and > uriworkermap.properties: > > server.xml > > <Connector port="8080" protocol="HTTP/1.1” connectionTimeout=“20000" > redirectPort="8443" /> > <Connector protocol="AJP/1.3” address=“127.0.0.1" port="8009" > requiredSecret="true" secret=“xxxxxxxx" redirectPort="8443" /> > > <Host name="localhost" appBase=“webapps" unpackWARs="true" > autoDeploy="true"> > <Valve className="org.apache.catalina.valves.AccessLogValve" > directory="logs" > prefix="localhost_access_log" suffix=".txt" > pattern="%h %l %u %t "%r" %s %b" /> > </Host> > > <Host name="127.0.0.1" appBase=“webapps” unpackWARs="true" > autoDeploy="true"> > <Valve className="org.apache.catalina.valves.AccessLogValve" > directory="logs" > prefix="127_0_01_access_log" suffix=".txt" > pattern="%h %l %u %t "%r" %s %b" /> > </Host> > > > workers.properties > > # Set properties for worker1 (ajp13) > worker.worker1.type=ajp13 > worker.worker1.host=127.0.0.1 > worker.worker1.port=8009 > worker.worker1.secret=xxxxxxxx > > uriworkermap.properties > /exposedApplication/*=worker1 > > Any suggestions or new directions will be welcome. > A full stack trace (including any "caused by" statements) from Tomcat *and* IIS would be helpful. >
