-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Ellen,
Oops pressed SEND before I was done... On 2/25/20 16:47, Ellen Meiselman wrote: > So it turned out that the logs were mostly set at FINE already, so > Johann’s suggestion was already done. > > But I think I now know where the problem lies. Secure IIS request > > to > non-secire AJP. > > I don’t think this was a problem on the other servers before but > the security has probably been tightened, and it just doesn’t > produce an error - it just won’t allow it. > > I have had IIS set to require SSL Does this mean that incoming connections require SSL or aso outgoing (e.g. proxy) connections? I'm super ignorant of IIS configuration. > but I turned it off to test and it actually worked all the way > through to the simple.html file. so it’s some sort of policy about > downgrading - which seems quite rational in retrospect. For > example, this HTTP address does work. > > http://my.servers.domain.com/exposedApplication/simple.html > > I never tried it because I knew I had set SSL to required. > Sometimes you make assumptions that block progress. > > This HTTPS address does not work - I get the 403 from tomcat. > https://my.servers.domain.com/exposedApplication/simple.html > > So - if this makes sense to any of you, please tell me roughly > what I need to do to make the AJP requests as secure as the port 80 > requests. Um... > I know keystores and .pem files are involved, but please give me > the big picture - what port does AJP need to run on, and where do > I go to find out how to tell it to use a “real" cert. Traditionally, AJP is run over port 8009 but you can always choose any port you wish as long as both sides of the connection (IIs, Tomcat) agree on which port to use. AJP is a non-secure protocol, full stop. You can tunnel it through other things but, as some have mentioned, since you are using localhost it's not super important to use encryption. If you DO need encryption, you have two choices: 1. tunnel AJP over e.g. TLS using a tool like stunnel, which is actually available for Windows. It's a little more "at home" in *NIX environments, but I've header it works just as well on Windows. If you do this, you WILL need to deal with keys and certs. 2. Drop AJP and use HTTPS. I don't believe there aren't any features you can't get working through HTTP that AJP provides. I think this also means you no longer need a special IIS redirector plug-in anymore, so it's 100% vanilla IIS at that point. If you do this, you WILL need to deal with keys and certs. But are you sure you need encryption? If you are using localhost, it's worthless IMHO. If you are traversing a network -- even a "trusted" one -- it's a hard requirement also IMHO. My recommendation would be to take this opportunity to switch to HTTPS and dump AJP. > Also I’ll have to figure out how to shut off port 8080 or require > SSL on tomcat once I get everything going. Actually I’d like to > limit Tomcat to responding to requests from the server itself. > Nothing should be talking to Tomcat but the isapi connector. Bind to address="127.0.0.1" and only on ports that IIS is using for proxying. If that means AJP over 8009, then use that. If that means HTTPS over port 8443, then use that. Just comment-out the connector you DON'T need. You'll never really know what protocol the client is using to talk to the (reverse) proxy, so you have to make some assumptions. If you have configured IIS to only proxy requests over a secure channel from the client (which I highly recommend!) then you can assume that all connections, regardless of protocol or port are indeed secure where it counts: between the client and the reverse proxy. If you only want "secure" connections from the client, then you will want to set both secure="true, scheme="https", and proxyPort="443" on your <Connector>. This makes Tomcat generate https:// URLs with the right port number, etc. for redirects, and also won't cause a redirect storm if the application specifies that it wants to use only "secure" connections (which I also highly recommend). - -chris -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl5VpAUACgkQHPApP6U8 pFhTGhAAuvtGHsUj3/67e27AV7LLwMxFBQ/FtsdiXEgx0AjX6iwmgmtqQTvtUchv aTKoVTPMI+y/2+JOo+BXa7M63Tf7z7OuTbsyTN2b9ooAsWLKQMt0jVycbT65oAEx kRLgpoWAxgy6dwEu8BF/qW13HA4VCmAuU0PSMzsbFWVEyLuG8K8FA9oT2S0p5tuZ pbgPFjcda0uGs6KTb2jx+IWHBe22wdBxM4rcOFmhynfTmMpc4klXLpypoNDys/AK vy1a3xvGGy4d9BxOUs9/h/LZIMfZV+NoE5cEu9VgvURQonnbFjbGspBqljAjiuTn NplgdovCcfXKSryFDPtxG7q/vmUnrhgxyzW6fqhHjZvCTJXVAXUONTK375EkUNve 5Eada14fISxRR4r2Xyh2f6x/sJBnDkQaDVxD1FVYEAXCDarkq8kvfbWZiSkwEMIv 0NPWppUsMDFI0LG2pwpEwSWtg4bSnPxkF3/AtIKUrreqUMTQQzNfChLkXRm+pzv0 s2+qrCAeQxQ/K4PUknGErOQjcOAI7t5kcmx3u+r9ir9F3DvPISUVaZaCHoVDNzgH Q3O4DCPZ25N4AgV7hE+vm5rxcEUQkWdCu2uylNJBULqnkgx8vSHHxcif7qhzbf1K rPoujP3Dsm3UwHcJPqUr4d3pyauxl4YYT6xoz2eP0tQckCMmFvw= =WS1y -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org