thanks Chris. fixed it to a real IP,




On Fri, Mar 20, 2020 at 12:40 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> RK,
>
> On 3/20/20 09:57, RK Ashburn wrote:
> > I have tested a successful AJP connector with apache proxy on
> > (tomcat 7)
> >
> > 1. For AJP connector adding secretRequired="false" and address="0.0.0.0"
> > resolved my connectivity issue. I suspect the issue you are having
> > (with 403) is more like a permissions issue on the site the
> > request is trying to reach, than an AJP connector configuration issue.
>
> binding to "all interfaces" may work, but it's not terribly secure.
> Are you really expecting an AJP connection from anywhere in the world?
>
> -chris
>
> > On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian <
> > florian.fri...@irb.fraunhofer.de> wrote:
> >
> >> Just to make it clear what in my opinion the problem is:
> >>
> >> SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8011]]
> >>  org.apache.catalina.LifecycleException: Der Start des Protokoll-Handlers ist fehlgeschlagen
> >>         at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
> >>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> >>         at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
> >>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> >>         at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
> >>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> >>         at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
> >>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>         at java.lang.reflect.Method.invoke(Method.java:498)
> >>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
> >>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
> >>     Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
> >>         at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
> >>         at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
> >>         ... 12 more
> >>
> >> This new "secretRequired" attribute prevents the Tomcat from
> >> starting flawlessly. It was first introduced with the Ghostcat
> >> release. So this is a wish from me to the Tomcat developers:
> >> Please set this new attribute not mandatory but optional. So that
> >> I can run the newest Tomcat
> >> without this attribute which I do now with the pre-Ghostcat
> >> releases.
> >>
> >> Have a nice weekend Florian Fritze
> >>
> >> -- Florian Fritze M.A. Fraunhofer-Informationszentrum Raum und
> >> Bau IRB Competence Center Research Services & Open Science
> >> Nobelstr. 12, 70569 Stuttgart, Germany Phone +49 711 970-2713
> >> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
> >>
> >>
> >> -----Original Message-----
> >> From: André Warnier (tomcat/perl) <a...@ice-sa.com>
> >> Sent: Friday, 20 March 2020 13:34
> >> To: users@tomcat.apache.org
> >> Subject: Re: AW: AW: AJP Connector issue
> >>
> >> Ok, so it looks like:
> >> - the request is effectively reaching tomcat, and that it is tomcat
> >>   sending back the 403 response.
> >> - the URL is "/", so presumably it is "well-formed" etc.
> >>
> >> Furthermore, according to something you wrote below, both Apache httpd and
> >> tomcat are running on the same Linux host.
> >>
> >> This reminds me vaguely of some issue previously (and recently) discussed
> >> on the list, with some request attributes which tomcat did not
> >> like.. But I do not remember precisely what the issue was, and it
> >> also seems to me that this concerned an IIS front-end, not Apache httpd.
> >>
> >> Perhaps someone else on the list has a better idea.
> >>
> >>
> >> Incidentally, it also seems that you are, in httpd, proxying
> >> *all* requests to tomcat. Which raises the question of why you
> >> have a httpd front-end in the first
> >> place. (But that's a later discussion maybe, let's first see why
> >> "/" doesn't work)
> >>
> >>
> >> On 20.03.2020 11:07, Fritze, Florian wrote:
> >>> Here is the additional information:
> >>>
> >>> The error page looks like Tomcat:
> >>>
> >>> HTTP Status 403 – Forbidden
> >>>
> >>> _____
> >>>
> >>> Type Status Report
> >>>
> >>> Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine Autorisierung.
> >>>
> >>> _____
> >>>
> >>> Apache Tomcat/8.5.53
> >>>
> >>> The Apache HTTPD log file says:
> >>>
> >>> - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
> >>>
> >>> - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "https://dev-fordatis.fraunhofer.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
> >>>
> >>>
> >>>
> >>> The Tomcat says:
> >>>
> >>> - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
> >>>
> >>> - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630
> >>>
> >>>
> >>>
> >>> The server on which all is running is:
> >>>
> >>> Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28
> >>> 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> >>>
> >>>
> >>>
> >>> There is no new entry in the Apache HTTPD error.log concerning these
> >>> requests.
> >>>
> >>>
> >>>
> >>> Help is appreciated
> >>>
> >>> Florian Fritze
> >>>
> >>> --
> >>>
> >>> Florian Fritze M.A.
> >>>
> >>> Fraunhofer-Informationszentrum Raum und Bau IRB
> >>>
> >>> Competence Center Research Services & Open Science
> >>>
> >>> Nobelstr. 12, 70569 Stuttgart, Germany
> >>>
> >>> Phone +49 711 970-2713
> >>>
> >>> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: André Warnier (tomcat/perl) <a...@ice-sa.com>
> >>> Sent: Friday, 20 March 2020 10:14
> >>> To: users@tomcat.apache.org
> >>> Subject: Re: AW: AJP Connector issue
> >>>
> >>>
> >>>
> >>> On 20.03.2020 08:23, Fritze, Florian wrote:
> >>>
> >>>> Hello Chris,
> >>>
> >>>>
> >>>
> >>>> thanks for the reply. Maybe I am doing something wrong, but setting
> >>>> secretRequired="false" does not solve my issue. Let me show you what I
> >>>> did and experience: I added <Connector port="8011" protocol="AJP/1.3"
> >>>> redirectPort="8443" secretRequired="false" /> to the Tomcat
> >>>> configuration and the ajp connector on the Apache HTTPD side connects
> >>>> to 8011. When I now visit my website I got HTTP Status 403 – Forbidden
> >>>
> >>>
> >>>
> >>> And just to make diagnosis a bit quicker: does that 403 error page look
> >>> like an Apache httpd page, or a tomcat page? (they look quite different in
> >>> style).
> >>>
> >>>
> >>>
> >>> Also, can you check both the httpd logs, and the tomcat logs
> >>> for that request, and check what they say? (compare by
> >>> timestamp and URI)
> >>>
> >>>
> >>>
> >>> Also, under what OS does your front-end httpd run ?
> >>>
> >>>
> >>>
> >>>>
> >>>
> >>>> I attached also the error page as a screenshot to this mail. This
> >>>> behaviour exists only since the Ghostcat fix release (I know that this
> >>>> has nothing to do with security fix but probably with the release
> >>>> itself).
> >>>
> >>>>
> >>>
> >>>> Thanks in advance
> >>>
> >>>> Florian
> >>>
> >>>>
> >>>
> >>>> --
> >>>
> >>>> Florian Fritze M.A.
> >>>> Fraunhofer-Informationszentrum Raum und Bau IRB Competence Center
> >>>> Research Services & Open Science Nobelstr. 12, 70569 Stuttgart,
> >>>> Germany Phone +49 711 970-2713
> >>>> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
> >>>>
> >>>> -----Original Message-----
> >>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>> Sent: Thursday, 19 March 2020 20:14
> >>>> To: users@tomcat.apache.org
> >>>> Subject: Re: AJP Connector issue
> >>>>
> >>>
> >>>>
> >>>
> >>>>
> >>>>> Florian,
> >>>>>
> >>>>> On 3/19/20 07:43, Fritze, Florian wrote:
> >>>>>> since the Tomcat release with the Ghostcat security fix (Tomcat
> >>>>>> 8.5.51) me as an admin have the problem using the
> >>>>>> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to
> >>>>>> connect the Apache HTTPD with the Tomcat running on localhost. The
> >>>>>> attribute secretRequired must be set to „true“ or „false“ with
> >>>>>> „false“ set the connection is not possible between Tomcat and Apache
> >>>>>> HTTPD.
> >>>>>
> >>>>> When you have set secretRequired="false", it's not possible to
> >>>>> connect? When you try to connect, what DOES happen?
> >>>>>
> >>>>>> With „true“ the Apache development is not ready in the current
> >>>>>> version to work with the „secret“ attribute. Only the next version of
> >>>>>> Apache
> >>>>>> 2.4 supports this attribute.
> >>>>>
> >>>>> Correct. Support for secret= in mod_proxy_ajp was evidently never
> >>>>> really a priority for anybody until now.
> >>>>>
> >>>>>> So I want to use the newest Tomcat version and an AJP connector but
> >>>>>> after the Ghostcat fix release there is this attribute which does not
> >>>>>> work in my configuration.
> >>>>>>
> >>>>>> Are there any suggestions or solutions available that you can deliver
> >>>>>> me (links or documentation, etc.)
> >>>>>
> >>>>> secretRequired="false" should be all you need.
> >>>>>
> >>>>> Of course, to be truly secure, you need to make sure that not just
> >>>>> anybody can make requests through your AJP interface. Have you secured
> >>>>> that interface from potential evildoers?
> >>>>>
> >>>>> -chris
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>>
>
>
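
A configuration check for the settings discussed in this thread, as an added example that is not part of the original messages or of Tomcat itself: it parses a server.xml and flags AJP connectors that would fail to start (secretRequired="true" with no secret), that bind to all interfaces, or that accept AJP without a secret on a non-loopback address. The sample XML is constructed, and the values applied when an attribute is absent (loopback address, secretRequired="true") are the defaults of the post-Ghostcat Tomcat releases, assumed here rather than stated in the thread.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; port 8011 mirrors the connector style quoted in the thread.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0" secretRequired="false" />
  <Connector port="8011" protocol="AJP/1.3" redirectPort="8443" />
  <Connector port="8012" protocol="AJP/1.3" address="127.0.0.1" secretRequired="false" />
  <Connector port="8013" protocol="AJP/1.3" address="10.0.0.5" secret="example-only" />
</Service></Server>"""


def is_ajp(conn):
    proto = conn.get("protocol", "")
    return proto.upper().startswith("AJP") or ".ajp." in proto


def audit_ajp(server_xml):
    """Return {port: [findings]} for every AJP connector in server_xml."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not is_ajp(conn):
            continue
        findings = []
        # Assumed post-Ghostcat defaults: loopback bind, secretRequired="true".
        addr = conn.get("address", "127.0.0.1")
        secret = conn.get("secret") or conn.get("requiredSecret") or ""
        required = conn.get("secretRequired", "true").lower() == "true"
        try:
            ip = ipaddress.ip_address(addr)
            wildcard, loopback = ip.is_unspecified, ip.is_loopback
        except ValueError:  # hostname: cannot be classified offline
            wildcard, loopback = False, addr == "localhost"
        if required and not secret:
            findings.append("startup-failure: secretRequired=true without secret")
        if wildcard:
            findings.append("exposed: bound to all interfaces")
        if not secret and not loopback:
            findings.append("unauthenticated: no secret on non-loopback address")
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_ajp(SAMPLE).items():
        print(port, findings or ["ok"])
```

An empty findings list for port 8012 reflects the setup recommended in the thread: no secret, but reachable only from the local httpd.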
