Hi.
I think that we are getting complicated and confusing here.
A picture is worth a thousand words, so a little ASCII graphic art may help
clarify things.

browser <-(1)-> IIS + proxy <-(2)-> tomcat <-> application

- connection (1) can be HTTP or HTTPS (admin choice)
- connection (2) can be HTTP, HTTPS, or AJP (admin choice)

To simplify, let's say that connection (1) is always HTTPS.
In principle, even if connection (1) is HTTPS, IIS should be able to "proxy" the requests to Tomcat over HTTP, HTTPS, or AJP, depending on the configuration of
a) IIS itself
b) the proxy add-on module inside IIS

A) If you want to do this:
browser <-(HTTPS)-> IIS + proxy <-(AJP)-> tomcat <-> application
then:
- the proxy module to use in IIS is isapi_redirector
- the target Connector/port in tomcat is an AJP connector
- AJP is a protocol similar to HTTP/HTTPS, but it is different from them both, and it does not support encryption

B) If you want to do this:
browser <-(HTTPS)-> IIS + proxy <-(HTTP)-> tomcat <-> application
then:
- the proxy module to use in IIS is NOT isapi_redirector, it will be some other proxy module within IIS. I do not know which one or how to configure it, because I am not an IIS specialist. But it is probably a built-in module in the standard IIS.
- the target Connector/port in tomcat is an HTTP Connector
- HTTP is not encrypted, but it does not matter very much here, because the connection is only within the same host.

C) If you want to do this:
browser <-(HTTPS)-> IIS + proxy <-(HTTPS)-> tomcat <-> application
then:
- the proxy module to use in IIS is NOT isapi_redirector, it will be some other proxy module within IIS. Same comment as for (B).
- the target Connector/port in tomcat is an HTTPS Connector
- HTTPS is encrypted, but this is taken care of by the proxy module on the IIS side, and the HTTPS Connector on the Tomcat side.

All 3 solutions above are completely equivalent in terms of forwarding (some) requests to tomcat. But maybe something to insist on: only solution (A) above requires isapi_redirector. workers.properties is something which is /only/ used by isapi_redirector, so if you choose solutions (B) or (C), you do not need that file at all.

And I do not know if it is possible (but presumably it is) to configure IIS to do (B). But that is something for which in principle we cannot help you on this list, because we are not IIS specialists here.

Does this make things clearer?

On 26.02.2020 00:17, Ellen Meiselman wrote:
Hi Chris,


Does this mean that incoming connections require SSL or also outgoing
(e.g. proxy) connections? I'm super ignorant of IIS configuration.
Incoming connections require SSL or will be upgraded to SSL. So if you
type in http, it will change to https.


Right now because I do not have SSL set as required, I can type in http and
it stays http. At that point, it starts working - I no longer get the 403
from Tomcat.

My recommendation would be to take this opportunity to switch to HTTPS
and dump AJP.

OK, I am willing to try - so to do that, would this be the procedure?
1. Set up certificates in Tomcat (big black box for me, but I'll try to
figure it out)
2. Change the worker.worker1.type to HTTPS
3. Change the worker.worker1.port to 8443
Anything else?

Ellen

On Tue, Feb 25, 2020 at 5:47 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

Ellen,

Oops pressed SEND before I was done...

On 2/25/20 16:47, Ellen Meiselman wrote:
So it turned out that the logs were mostly set at FINE already, so
Johann’s suggestion was already done.

But I think I now know where the problem lies. Secure IIS request
to non-secure AJP.

I don’t think this was a problem on the other servers before but
the security has probably been tightened, and it just doesn’t
produce an error - it just won’t allow it.

I have had IIS set to require SSL

Does this mean that incoming connections require SSL or also outgoing
(e.g. proxy) connections? I'm super ignorant of IIS configuration.

but I turned it off to test and it actually worked all the way
through to the simple.html file. So it’s some sort of policy about
downgrading - which seems quite rational in retrospect. For
example, this HTTP address does work.

http://my.servers.domain.com/exposedApplication/simple.html

I never tried it because I knew I had set SSL to required.
Sometimes you make assumptions that block progress.

This HTTPS address does not work - I get the 403 from tomcat.
https://my.servers.domain.com/exposedApplication/simple.html

So - if this makes sense to any of you, please tell me roughly
what I need to do to make the AJP requests as secure as the port 80
requests.

Um...

I know keystores and .pem files are involved, but please give me
the big picture - what port does AJP need to run on, and where do
I go to find out how to tell it to use a "real" cert.

Traditionally, AJP is run over port 8009 but you can always choose any
port you wish as long as both sides of the connection (IIS, Tomcat)
agree on which port to use.

AJP is a non-secure protocol, full stop. You can tunnel it through
other things but, as some have mentioned, since you are using
localhost it's not super important to use encryption.

If you DO need encryption, you have two choices:

1. tunnel AJP over e.g. TLS using a tool like stunnel, which is
actually available for Windows. It's a little more "at home" in *NIX
environments, but I've heard it works just as well on Windows. If you
do this, you WILL need to deal with keys and certs.

2. Drop AJP and use HTTPS. I don't believe there are any features
you can't get working through HTTP that AJP provides. I think this
also means you no longer need a special IIS redirector plug-in
anymore, so it's 100% vanilla IIS at that point. If you do this, you
WILL need to deal with keys and certs.

But are you sure you need encryption?

If you are using localhost, it's worthless IMHO. If you are traversing
a network -- even a "trusted" one -- it's a hard requirement also IMHO.

My recommendation would be to take this opportunity to switch to HTTPS
and dump AJP.

Also I’ll have to figure out how to shut off port 8080 or require
SSL on tomcat once I get everything going. Actually I’d like to
limit Tomcat to responding to requests from the server itself.
Nothing should be talking to Tomcat but the isapi connector.

Bind to address="127.0.0.1" and only on ports that IIS is using for
proxying. If that means AJP over 8009, then use that. If that means
HTTPS over port 8443, then use that. Just comment-out the connector
you DON'T need.

You'll never really know what protocol the client is using to talk to
the (reverse) proxy, so you have to make some assumptions. If you have
configured IIS to only proxy requests over a secure channel from the
client (which I highly recommend!) then you can assume that all
connections, regardless of protocol or port are indeed secure where it
counts: between the client and the reverse proxy.

If you only want "secure" connections from the client, then you will
want to set both secure="true", scheme="https", and proxyPort="443" on
your <Connector>. This makes Tomcat generate https:// URLs with the
right port number, etc. for redirects, and also won't cause a redirect
storm if the application specifies that it wants to use only "secure"
connections (which I also highly recommend).

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
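Chris's connector advice above (bind to 127.0.0.1, drop the connector you do not use, set secure/scheme/proxyPort so Tomcat builds correct https:// redirects) written out as a server.xml excerpt for option (C) from the top of the thread. This is an added example, not from anyone in the thread or from the Tomcat project; it assumes the Tomcat 8.5/9 SSLHostConfig syntax, the keystore path and password are placeholders, and proxyName reuses the host name quoted earlier in the thread.

```xml
<!-- server.xml excerpt (example, not from the thread): IIS terminates HTTPS
     for the browser and proxies HTTPS to Tomcat on the same host. -->
<Service name="Catalina">

  <!-- No plain HTTP connector on 8080: nothing but IIS should reach Tomcat. -->

  <!-- HTTPS connector reachable only from this host, i.e. from IIS. -->
  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             address="127.0.0.1"
             SSLEnabled="true"
             maxThreads="150"
             scheme="https"
             secure="true"
             proxyName="my.servers.domain.com"
             proxyPort="443">
    <!-- Keystore file and password are placeholders to be replaced. -->
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="conf/PLACEHOLDER-keystore.p12"
                   certificateKeystorePassword="PLACEHOLDER"
                   certificateKeystoreType="PKCS12"
                   type="RSA"/>
    </SSLHostConfig>
  </Connector>

  <!-- AJP connector left commented out: it is only needed for option (A),
       where IIS uses isapi_redirector and workers.properties.
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             redirectPort="8443"/>
  -->

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
  </Engine>
</Service>
```

With this in place, a request arriving over HTTPS at IIS is forwarded to 127.0.0.1:8443, and any redirect Tomcat generates names https://my.servers.domain.com:443 rather than the internal port.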