Just to make it clear what from my opinion the problem is:
SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal
Failed to start connector [Connector[AJP/1.3-8011]]
org.apache.catalina.LifecycleException: Der Start des
Protokoll-Handlers ist fehlgeschlagen
at
org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
at
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
Caused by: java.lang.IllegalArgumentException: The AJP Connector is
configured with secretRequired="true" but the secret attribute is either null
or "". This combination is not valid.
at
org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
at
org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
... 12 moreThis new "secretRequired" attribute prevents the Tomcat from starting flawlessly. It was first introduced with the Ghostcat release. So this is a wish from me to the Tomcat developers: Please set this new attribute not mandatory but optional. So that I can run the newest Tomcat without this attribute which I do now with the pre-Ghostcat releases. Have a nice weekend Florian Fritze -- Florian Fritze M.A. Fraunhofer-Informationszentrum Raum und Bau IRB Competence Center Research Services & Open Science Nobelstr. 12, 70569 Stuttgart, Germany Telefon +49 711 970-2713 florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de -----Ursprüngliche Nachricht----- Von: André Warnier (tomcat/perl) <a...@ice-sa.com> Gesendet: Freitag, 20. März 2020 13:34 An: users@tomcat.apache.org Betreff: Re: AW: AW: AJP Connector issue Ok, so it looks like : - the request is effectively reaching tomcat, and that it is tomcat sending back the 403 response. - the URL is "/", so presumably it is "well-formed" etc. Furthermore, according to something you wrote below, both Apache httpd and tomcat are running on the same Linux host. This reminds me vaguely of some issue previously (and recently) discussed on the list, with some request attributes which tomcat did not like.. But I do not remember ptecisely what the issue was, and it also seems to me that this concerned an IIS front-end, not Apache httpd. Perhaps someone else on the list has a better idea. Incidentally, it also seems that you are, in httpd, proxying *all* requests to tomcat. Which raises the question of why you have a httpd front-end in the first place. (But that's a later discussion maybe, let's first see why "/" doesn't work) On 20.03.2020 11:07, Fritze, Florian wrote: > Here is the additional information: > > The error page looks like Tomcat: > > HTTP Status 403 – Forbidden > > _____ > > Type Status Report > > Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine > Autorisierung. > > _____ > > Apache Tomcat/8.5.53 > > The Apache HTTPD log file says: > > - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 > (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) > Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69" > > - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 > "https://dev-fordatis.fraunhofer.de/"; "Mozilla/5.0 (Windows NT 10.0; Win64; > x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 > Safari/537.36 Edg/80.0.361.69" > > > > The Tomcat says: > > - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630 > > - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630 > > > > The server on which all is running is: > > Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC > 2020 x86_64 x86_64 x86_64 GNU/Linux > > > > There is no new entry in the Apache HTTPD error.log concering these requests. > > > > Help is appreciated > > Florian Fritze > > -- > > Florian Fritze M.A. > > Fraunhofer-Informationszentrum Raum und Bau IRB > > Competence Center Research Services & Open Science > > Nobelstr. 12, 70569 Stuttgart, Germany > > Telefon +49 711 970-2713 > > florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de > > > > > > -----Ursprüngliche Nachricht----- > Von: André Warnier (tomcat/perl) <a...@ice-sa.com> > Gesendet: Freitag, 20. März 2020 10:14 > An: users@tomcat.apache.org > Betreff: Re: AW: AJP Connector issue > > > > On 20.03.2020 08:23, Fritze, Florian wrote: > >> Hello Chris, > >> > >> thanks for the reply. Maybe I am doing something wrong, but setting > >> secretRequired="false" does not solve my issue. Let me show you what >> I > >> did and experience: I added <Connector port="8011" protocol="AJP/1.3" > >> redirectPort="8443" secretRequired="false" /> to the Tomcat > >> configuration and the ajp connector on the Apache HTTPD side connects > >> to 8011. When I now visit my website I got HTTP Status 403 – >> Forbidden > > > > And just to make diagnosis a bit quicker : does that 403 error page look like > an Apache httpd page, or a tomcat page ? (they look quite differemt in style). > > > > Also, can you check both the httpd logs, and the tomcat logs for that > request, and check what they say ? (compare by timestamnp and URI) > > > > Also, under what OS does your front-end httpd run ? > > > >> > >> I attached also the error page as a screenshot to this mail. This > >> behaviour exists only sice the Ghostcat fix release (I know that this > >> has nothing to do with security fix but probably with the release itself). > >> > >> Thanks in advance > >> Florian > >> > >> -- > >> Florian Fritze M.A. > >> Fraunhofer-Informationszentrum Raum und Bau IRB Competence Center > >> Research Services & Open Science Nobelstr. 12, 70569 Stuttgart, > >> Germany Telefon +49 711 970-2713 >> florian.fri...@irb.fraunhofer.de<mailto:florian.fritze@irb.fraunhofer >> .de> | > >> www.irb.fraunhofer.de<http://www.irb.fraunhofer.de> > >> > >> -----Ursprüngliche Nachricht----- > >> Von: Christopher Schultz >> <ch...@christopherschultz.net<mailto:ch...@christopherschultz.net>> > >> Gesendet: Donnerstag, 19. März 2020 20:14 > >> An: users@tomcat.apache.org<mailto:users@tomcat.apache.org> > >> Betreff: Re: AJP Connector issue > >> > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA256 > >> > >> Florian, > >> > >> On 3/19/20 07:43, Fritze, Florian wrote: > >>> since the Tomcat release with the Ghostcat security fix (Tomcat > >>> 8.5.51) me as an admin have the problem using the > >>> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to > >>> connect the Apache HTTPD with the Tomcat running on localhost. The > >>> attribute secretRequired must be set to „true“ or „false“ with > >>> „false“ set the connection is not possible between Tomcat and Apache HTTPD. > >> > >> When you have set secretRequired="false", it's not possible to > >> connect? When you try to connect, what DOES happen? > >> > >>> With „true“ the Apache development is not ready in the current > >>> version to work with the „secret“ attribute. Only the next version >>> of > >>> Apache > >>> 2.4 supports this attribute. > >> Correct. Support for secret= in mod_proxy_ajp was evidently never > >> really a priority for anybody until now. > >> > >>> So I want to use the newest Tomcat version and an AJP connector but > >>> after the Ghostcat fix release there is this attribute which does >>> not > >>> work in my configuration. > >>> > >>> Are there any suggestions or solutions available that you can >>> deliver > >>> me (links or documentation, etc.) > >> > >> secretRequired="false" should be all you need. > >> > >> Of course, to be truly secure, you need to make sure that not just > >> anybody can make requests through your AJP interface. Have you >> secured > >> that interface from potential evildoers? > >> > >> - -chris > >> -----BEGIN PGP SIGNATURE----- > >> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ > >> > >> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl5zxHsACgkQHPApP6U8 > >> pFjf7Q/+Ixbc10KYI07Wb1pdzQajVtw88BcfSZ3dfam2Q9aj2IhZJD5GUTzszAGC > >> bs6eySKEh5vqaHq+oy2ZOuv2f1xxukPQ3/XfmIEUb83G7QScwlMf0r5dth9uslcq > >> cUgHFkpGhSQghB2yhZSzKMzF7gjRY9QI0S5EpEHTQ45CUvREWr4GRyLndkjTbu2C > >> rhdB+8ud4iErWJe1Er0NEqOgoVL8Ceed4BGRYzoT7+lN1dRE4MFIn8ALdVzAvo4L > >> 9ZIm+zawSkx7jUTAGDi4wHd2KrewR9kqJybovZaACx/yc6IF1Sv+DaWlTUDdabE2 > >> qrSl45mA4EdLCeH1wfbZ62IhErbxvLahygAwgYSeMfhv02vzBbmn8bXY4yg359ln > >> aO2AV3xNbxFrF56XatRGIJ+3/ETh2oIv0PLnJEr8xc3CcwdJ+rn8c9i84ZZLnHb6 > >> iTl+Gx9pCUbtH0qCILzLzj7Js9yl13o9AVu3UQ9UxY9BNxkFiKKBe4YfGUev2iiB > >> Vx1Zw6S6/ByjhUpzaSEciSYCkr+pR61iOJpCN9B3tnpv4cRgkqwPWEPgMFDtvFT9 > >> ciwpDuN+O2YPPE0Z39tSy64Ge2QWyPkvb8hVZUEZGVMRmQ1W5LhDJhNxECklxKOh > >> sZPFkji5aVOxj6TT5vwqQDov+FyU2pV5/HRD4fe/vr8vdKj+vec= > >> =CYi0 > >> -----END PGP SIGNATURE----- > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: >> users-unsubscr...@tomcat.apache.org<mailto:users-unsubscribe@tomcat.a >> pache.org> > >> For additional commands, e-mail: >> users-h...@tomcat.apache.org<mailto:users-h...@tomcat.apache.org> > >> > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: > users-unsubscr...@tomcat.apache.org<mailto:users-unsubscr...@tomcat.ap > ache.org> > > For additional commands, e-mail: > users-h...@tomcat.apache.org<mailto:users-h...@tomcat.apache.org> > > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
smime.p7s
Description: S/MIME cryptographic signature
