So it turned out that the logs were mostly set at FINE already, so Johann’s 
suggestion was already done.

But I think I now know where the problem lies. Secure IIS request > to > 
non-secure AJP. 

I don’t think this was a problem on the other servers before but the security 
has probably been tightened, and it just doesn’t produce an error - it just 
won’t allow it.   

I have had IIS set to require SSL, but I turned it off to test and it actually 
worked all the way through to the simple.html file. So it's some sort of policy 
about downgrading - which seems quite rational in retrospect.  

For example, this HTTP address does work.

http://my.servers.domain.com/exposedApplication/simple.html
 I never tried it because I knew I had set SSL to required. Sometimes you make 
assumptions that block progress.

This HTTPS address does not work - I get the 403 from Tomcat.
https://my.servers.domain.com/exposedApplication/simple.html

So - if this makes sense to any of you, please tell me roughly what I need to 
do to make the AJP requests as secure as the port 80 requests. I know keystores 
and .pem files are involved, but please give me the big picture - what port 
does AJP need to run on, and where do I go to find out how to tell it to use a 
"real" cert. 

Also I’ll have to figure out how to shut off port 8080 or require SSL on tomcat 
once I get everything going. Actually I’d like to limit Tomcat to responding to 
requests from the server itself. Nothing should be talking to Tomcat but the 
isapi connector. 

Thanks, 

Ellen
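An added example, not part of this thread, that checks the two things the messages above keep circling back to: whether the AJP connector in server.xml and the worker in isapi_redirect's workers.properties actually agree (loopback address on both sides, secretRequired, and a secret with no stray quotes or trailing period), and whether Tomcat's 8009 and 8080 listeners are reachable from anything other than the host itself. Two points of background the thread leaves implicit: Tomcat's AJP connector has no TLS of its own, so the usual way to secure it on a single host is to bind it to 127.0.0.1 and require a shared secret (from Tomcat 9.0.31 / 8.5.51 / 7.0.100 onward secretRequired defaults to true), and the redirector passes IIS's SSL flag along in the AJP request, so Tomcat still treats HTTPS requests as secure without a second certificate on the AJP side. The config texts and the netstat lines below are constructed samples, not Ellen's real files, and the function names `audit`, `parse_workers` and `exposed_listeners` are chosen for this example.

```python
"""Lint a Tomcat AJP connector against an isapi_redirect worker definition,
and spot Tomcat ports that listen on more than the loopback interface.
Example code written for this thread, not from the Tomcat project."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TOMCAT_PORTS = {8009, 8080}

# Constructed sample: the worker secret with quotes and a trailing period
# (as posted in the thread) next to a connector with secretRequired off.
WORKERS_WEAK = """\
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
worker.worker1.secret="mySecret".
"""
SERVER_XML_WEAK = """\
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
             secretRequired="false" redirectPort="8443"/>
</Service></Server>
"""

# Constructed sample of the hardened pair: both sides on loopback, the same
# unquoted secret on both, and the HTTP connector bound to 127.0.0.1 as well.
WORKERS_OK = WORKERS_WEAK.replace('secret="mySecret".', "secret=mySecret")
SERVER_XML_OK = """\
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
             secretRequired="true" secret="mySecret" redirectPort="8443"/>
</Service></Server>
"""

# Constructed `netstat -ano` excerpt: 8080 is on every interface, 8009 is not.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:8009         0.0.0.0:0              LISTENING       3120
  TCP    [::]:443               [::]:0                 LISTENING       4
"""


def parse_workers(text):
    """Return {worker_name: {property: value}} from a workers.properties body."""
    workers = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        parts = key.split(".")
        if len(parts) == 3 and parts[0] == "worker":
            workers.setdefault(parts[1], {})[parts[2]] = value
    return workers


def audit(workers_text, server_xml):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    connectors = [dict(c.attrib) for c in ET.fromstring(server_xml).iter("Connector")]
    ajp = [c for c in connectors if c.get("protocol", "").startswith("AJP")]

    # Any connector without a loopback address answers on every interface.
    for c in connectors:
        if c.get("address") not in LOOPBACK:
            findings.append(f"{c.get('protocol')} connector on port {c.get('port')} "
                            "listens on all interfaces; set address=\"127.0.0.1\"")
    for c in ajp:
        if c.get("secretRequired", "true").lower() != "true":
            findings.append("AJP connector has secretRequired=\"false\"")
        if not c.get("secret"):
            findings.append("AJP connector has no secret")

    # The worker secret is sent verbatim: quotes or a period become part of it.
    for name, w in parse_workers(workers_text).items():
        if w.get("type") != "ajp13":
            continue
        secret = w.get("secret", "")
        if secret.startswith('"') or secret.endswith("."):
            findings.append(f"worker {name}: secret has quotes or a trailing period: {secret}")
        elif ajp and secret != ajp[0].get("secret", ""):
            findings.append(f"worker {name}: secret does not match the AJP connector")
        if w.get("host") not in LOOPBACK:
            findings.append(f"worker {name}: host {w.get('host')} is not the local machine")
    return findings


def exposed_listeners(netstat_output, ports=TOMCAT_PORTS):
    """From `netstat -ano` output, return (port, address) pairs for Tomcat
    ports that are bound to something other than the loopback address."""
    exposed = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        addr, _, port = parts[1].rpartition(":")
        if int(port) in ports and addr.strip("[]") not in LOOPBACK:
            exposed.append((int(port), addr))
    return exposed


if __name__ == "__main__":
    for label, w, s in (("weak", WORKERS_WEAK, SERVER_XML_WEAK),
                        ("hardened", WORKERS_OK, SERVER_XML_OK)):
        print(f"{label}: {audit(w, s) or 'no findings'}")
    print("exposed listeners:", exposed_listeners(NETSTAT_SAMPLE))
```

On the real server, feed `audit` the contents of conf/server.xml and the redirector's workers.properties, and pipe `netstat -ano` into `exposed_listeners`; the weak sample above produces four findings (8080 on all interfaces, secretRequired off, no connector secret, quoted worker secret) and the hardened sample none.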



> On Feb 25, 2020, at 4:07 PM, js84 <aon.913111...@aon.at> wrote:
> 
> Hello!
> 
> Why are you using the secret property when running Tomcat locally on the 
> loopback interface? 
> 
> I suggest increasing the log level to "debug" temporarily. (Don't forget to 
> reset it, because performance will slow down dramatically if the 
> isapi_redirect log file grows on a Windows machine.)
> 
> Best regards,
> Johann  
> 
> From: Christopher Schultz
> Sent: Tuesday, 25 February 2020 21:42
> To: users@tomcat.apache.org
> Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat
> 
> 
> Ellen,
> 
> On 2/25/20 13:10, Ellen Meiselman wrote:
>> No, just that I don't know how to set this particular connector up
>> another way. I based this on the instructions on the
>> isapi_connector site
>> http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
>> and on the 2 older servers we have which are working.
>>
>> I'm sort of thinking of suggesting that we get rid of IIS entirely and
>> switch to Tomcat. Then we can run the necessary Java application and also
>> serve all the HTML items we need to using the same web server.
> Tomcat is a perfectly good "plain old" web server. Some security
> people get all freaked-out when you suggest that Tomcat be exposed
> "directly" but IMHO it can't be any worse than IIS.
> 
> But also IMHO there are always reasons to use a reverse proxy:
> flexibility and availability. When you are restarting Tomcat for
> whatever reason, what will clients see if they try to access your
> application? CONNECTION REFUSED? :( With the proxy in the way, that is
> much less likely. Also, if you want to serve Java web applications,
> python web applications, .NET whatevers, you'll be able to do that
> much more flexibly with a reverse-proxy in the mix.
> 
> - -chris
> 
>> On Tue, Feb 25, 2020 at 1:01 PM Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>> 
>> Ellen,
>> 
>> On 2/25/20 12:55, Ellen Meiselman wrote:
>>>>> Sorry - no, the quotes were not there except for a 5 minute
>>>>> test of a hopeless theory that they might be needed. Right
>>>>> now there is no secret at all in the workers.properties, and
>>>>> in the ajp connector, I have secretRequired="false".
>>>>>
>>>>> Workers.properties:
>>>>> worker.worker1.type=ajp13
>>>>> worker.worker1.host=127.0.0.1
>>>>> worker.worker1.port=8009
>>>>>
>>>>> Server.xml:
>>>>> <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
>>>>>            secretRequired="false" redirectPort="8443" />
>> 
>> Hmm. I think we've all been operating under the assumption that
>> the "secret" (by whatever name) was the source of the problem. It
>> appears that was incorrect.
>> 
>> Have a look at Jon's question about file permissions.
>> 
>> Was this a configuration that had been working until recently, or
>> is this a new configuration that you haven't (yet) been able to get
>> working ?
>> 
>> Any reason not to use HTTP(S) for your protocol instead of AJP?
>> 
>> -chris
>> 
>>>>> On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz <
>>>>> ch...@christopherschultz.net> wrote:
>>>>> 
>>>>> Ellen,
>>>>> 
>>>>> On 2/25/20 12:06, Ellen Meiselman wrote:
>>>>>>>> Yes, everything is on the same server.
>>>>>>>>
>>>>>>>> workers.properties:
>>>>>>>> # Set properties for worker1 (ajp13)
>>>>>>>> worker.worker1.type=ajp13
>>>>>>>> worker.worker1.host=127.0.0.1
>>>>>>>> worker.worker1.port=8009
>>>>>>>> worker.worker1.secret="mySecret".
>>>>> 
>>>>> Just so there is no confusion: your "mySecret" should have
>>>>> neither quotes nor the trailing period.
>>>>> 
>>>>> Are those literally in your IIS config file?
>>>>> 
>>>>> -chris
>>>>> 
>>>>>>>> On Tue, Feb 25, 2020 at 11:27 AM
>>>>>>>> <jonmcalexan...@wellsfargo.com.invalid> wrote:
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Ellen Meiselman <elle...@gmail.com>
>>>>>>>>> Sent: Tuesday, February 25, 2020 10:01 AM
>>>>>>>>> To: Tomcat Users List <users@tomcat.apache.org>
>>>>>>>>> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I've been testing, and so far, there is no change in the behavior.
>>>>>>>>>> I am still getting the same tomcat-based 403 error.
>>>>>>>>>>
>>>>>>>>>> Based on what you said above...
>>>>>>>>>>
>>>>>>>>>> secretRequired="true" (which is the default, so it can be removed)
>>>>>>>>>> secret="xxxxxxx"
>>>>>>>>>>
>>>>>>>>>> ...I removed secretRequired="true" and left secret. So the connector
>>>>>>>>>> definition now looks like this:
>>>>>>>>>> <Connector protocol="AJP/1.3" address="127.0.0.1"
>>>>>>>>>>            port="8009" secret="mySecret" redirectPort="8443" />
>>>>>>>>>
>>>>>>>>> <SNIP>
>>>>>>>>>
>>>>>>>>> I'm assuming that your web-front-end is on the same
>>>>>>>>> server as your Tomcat instance, based on you having
>>>>>>>>> the address set to 127.0.0.1, correct? What do you
>>>>>>>>> have in your workers.properties file?
>>>>>>>>>
>>>>>>>> 
>>>>>> 
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>>>
>>>>>
>>>
>> 
> 
> 
> 
