Wow, I think I’ve gotten more help in 10 minutes from this users group than in 2 weeks from anywhere else I’ve tried.
I’ll try to respond as quickly as I can but I want to test your various suggestions, so it might be tomorrow before I can do them justice. Thank you all so much! Ellen Meiselman elle...@gmail.com > On Feb 24, 2020, at 3:42 PM, Mark Thomas <ma...@apache.org> wrote: > > On 24/02/2020 20:19, Ellen Meiselman wrote: >> Hi, >> >> I’m having a lot of trouble configuring the isapi_redirect connector between >> IIS and Tomcat. I am running out of ideas so it’s time to ask for help from >> the experts. I think the problems remaining are in the tomcat configuration >> area, not the IIS area anymore. >> >> What’s wrong: >> The ISAPI module appears to be working and correctly sending AJP requests to >> Tomcat on port 8009, at which point Tomcat refuses those requests with a 403 >> error. The isapi_redirect.log shows the complete content of the tomcat >> response, and no longer shows any errors - in other words, it thinks it is >> working. > > I'd agree. If you see a response back from Tomcat then IIS is working. > > You should also see an entry in the access log. > >> Text of the 403 error: >> >> HTTP Status 403 – Forbidden >> Type Status Report >> Description The server understood the request but refuses to authorize >> it. >> Apache Tomcat/8.5.51 > > OK. That also indicates that IIS is passing the request to Tomcat > correctly processing the response. > > <snip/> > >> This Windows 2019 setup has the following versions of tomcat, windows, etc: >> >> Tomcat version 8.5.51 >> Isapi_redirect.dll version 1.2.46.0 >> IIS 10/Windows server 2019 > > Thank you. It really helps when people provide that information. It > saves a lot of time. > > <snip/> > >> My theories at the moment: >> 1. Maybe allowedRequestAttributesPattern is a problem? I saw a note about >> the allowedRequestAttributesPattern attribute for the AJP connector possibly >> causing a 403 error, but I don’t understand how to use it or if it is needed. >> 2. It’s possible that something in the Tomcat permissions settings are >> wrong, but I really don’t know where to look. > > You shouldn't need to set allowedRequestAttributesPattern. > > I think it might be Tomcat configuration. Any again, very helpfully, we > have ... > >> Relevant configuration settings in server.xml, workers.properties and >> uriworkermap.properties: >> >> server.xml >> >> <Connector port="8080" protocol="HTTP/1.1” connectionTimeout=“20000" >> redirectPort="8443" /> >> <Connector protocol="AJP/1.3” address=“127.0.0.1" port="8009" >> requiredSecret="true" secret=“xxxxxxxx" redirectPort="8443" /> >> >> <Host name="localhost" appBase=“webapps" unpackWARs="true" >> autoDeploy="true"> >> <Valve className="org.apache.catalina.valves.AccessLogValve" >> directory="logs" >> prefix="localhost_access_log" suffix=".txt" >> pattern="%h %l %u %t "%r" %s %b" /> >> </Host> >> >> <Host name="127.0.0.1" appBase=“webapps” unpackWARs="true" >> autoDeploy="true"> >> <Valve className="org.apache.catalina.valves.AccessLogValve" >> directory="logs" >> prefix="127_0_01_access_log" suffix=".txt" >> pattern="%h %l %u %t "%r" %s %b" /> >> </Host> >> >> >> workers.properties >> >> # Set properties for worker1 (ajp13) >> worker.worker1.type=ajp13 >> worker.worker1.host=127.0.0.1 >> worker.worker1.port=8009 >> worker.worker1.secret=xxxxxxxx >> >> >> uriworkermap.properties >> /exposedApplication/*=worker1 >> >> >> Any suggestions or new directions will be welcome. > > My best guess would be that the value for secret is not the same between > workers.properties and Tomcat. > > I have a 2019 server test environment. I'll try and replicate what you > have with a clean 8.5.51 install and the examples application and see > what happens. > > Mark > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
