RK,

On 3/20/20 13:33, RK Ashburn wrote:
> Thanks Chris. Fixed it to a real IP,

In many cases, 0.0.0.0 is basically the same as binding to the
interface which represents the outside world (e.g. eth0, etc.).

See my other reply in this thread to see what I would recommend in
terms of a secure deployment of AJP.

-chris
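An added example (not code from the thread, from Tomcat or from httpd): a short Python audit of a server.xml that flags the exact secretRequired/secret combination in Florian's stack trace and the all-interfaces binding Chris objects to. The server.xml fragments and the secret value are constructed placeholders.

```python
"""Audit the AJP connectors in a Tomcat server.xml for the two problems in this
thread: a secretRequired/secret combination Tomcat refuses to start with, and a
connector bound to every interface."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return (port, severity, message) for each AJP Connector element."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in c.get("protocol", "HTTP/1.1").lower():
            continue
        port = c.get("port", "?")
        # Since the Ghostcat fix release, secretRequired defaults to true.
        required = c.get("secretRequired", "true").lower() == "true"
        secret = c.get("secret", "")
        address = c.get("address")  # absent means "all interfaces"
        if required and not secret:
            findings.append((port, "FATAL",
                             "secretRequired=true but secret is empty; the connector will not start"))
        elif not required:
            findings.append((port, "WARN",
                             "secretRequired=false: any host that can reach this port may proxy requests"))
        if address in (None, "0.0.0.0", "::"):
            findings.append((port, "WARN",
                             "bound to all interfaces; AJP is reachable from outside the host"))
        elif address not in LOOPBACK:
            findings.append((port, "INFO",
                             "bound to %s; confirm only the httpd host can reach it" % address))
    return findings


# Constructed server.xml fragments (not from the thread); the secret is a placeholder.
BROKEN_XML = """<Server><Service name="Catalina">
  <Connector port="8011" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""
WEAK_XML = """<Server><Service name="Catalina">
  <Connector port="8011" protocol="AJP/1.3" redirectPort="8443"
             secretRequired="false" address="0.0.0.0"/>
</Service></Server>"""
HARDENED_XML = """<Server><Service name="Catalina">
  <Connector port="8011" protocol="AJP/1.3" redirectPort="8443"
             address="127.0.0.1" secretRequired="true"
             secret="PLACEHOLDER-shared-with-httpd-ProxyPass-secret"/>
</Service></Server>"""

if __name__ == "__main__":
    for name, xml in (("broken", BROKEN_XML), ("weak", WEAK_XML), ("hardened", HARDENED_XML)):
        for port, sev, msg in audit_ajp_connectors(xml) or [("-", "OK", "no findings")]:
            print("%-8s %s %-5s %s" % (name, port, sev, msg))
```

The "broken" fragment reproduces the startup failure in the quoted stack trace, the "weak" one is RK's working-but-exposed configuration, and the hardened one passes with no findings.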

> On Fri, Mar 20, 2020 at 12:40 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> RK,
>
> On 3/20/20 09:57, RK Ashburn wrote:
>>>> I have tested a successful AJP connector with apache proxy
>>>> on (tomcat 7)
>>>>
>>>> 1. For AJP connector adding secretRequired="false" and
>>>> address="0.0.0.0" resolved my connectivity issue. I suspect the
>>>> issue you are having (with 403) is more like a permissions issue
>>>> on the site the request is trying to reach, than an AJP connector
>>>> configuration issue.
>
> binding to "all interfaces" may work, but it's not terribly
> secure. Are you really expecting an AJP connection from anywhere in
> the world?
>
> -chris
>
>>>> On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian <
>>>> florian.fri...@irb.fraunhofer.de> wrote:
>>>>
>>>>> Just to make it clear what from my opinion the problem is:
>>>>>
>>>>> SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8011]]
>>>>> org.apache.catalina.LifecycleException: Der Start des Protokoll-Handlers ist fehlgeschlagen
>>>>>     at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
>>>>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>>>>     at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
>>>>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>>>>     at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
>>>>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>>>>     at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>>>>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>>>>> Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
>>>>>     at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
>>>>>     at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
>>>>>     ... 12 more
>>>>>
>>>>> This new "secretRequired" attribute prevents the Tomcat from
>>>>> starting flawlessly. It was first introduced with the Ghostcat
>>>>> release. So this is a wish from me to the Tomcat developers:
>>>>> Please set this new attribute not mandatory but optional, so
>>>>> that I can run the newest Tomcat without this attribute, which
>>>>> I do now with the pre-Ghostcat releases.
>>>>>
>>>>> Have a nice weekend
>>>>> Florian Fritze
>>>>>
>>>>> --
>>>>> Florian Fritze M.A.
>>>>> Fraunhofer-Informationszentrum Raum und Bau IRB
>>>>> Competence Center Research Services & Open Science
>>>>> Nobelstr. 12, 70569 Stuttgart, Germany
>>>>> Phone +49 711 970-2713
>>>>> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: André Warnier (tomcat/perl) <a...@ice-sa.com>
>>>>> Sent: Friday, 20 March 2020 13:34
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: AW: AW: AJP Connector issue
>>>>>
>>>>> Ok, so it looks like :
>>>>> - the request is effectively reaching tomcat, and that it is
>>>>>   tomcat sending back the 403 response.
>>>>> - the URL is "/", so presumably it is "well-formed" etc.
>>>>>
>>>>> Furthermore, according to something you wrote below, both
>>>>> Apache httpd and tomcat are running on the same Linux host.
>>>>>
>>>>> This reminds me vaguely of some issue previously (and recently)
>>>>> discussed on the list, with some request attributes which tomcat
>>>>> did not like.. But I do not remember precisely what the issue
>>>>> was, and it also seems to me that this concerned an IIS
>>>>> front-end, not Apache httpd.
>>>>>
>>>>> Perhaps someone else on the list has a better idea.
>>>>>
>>>>>
>>>>> Incidentally, it also seems that you are, in httpd, proxying
>>>>> *all* requests to tomcat. Which raises the question of why you
>>>>> have a httpd front-end in the first place. (But that's a later
>>>>> discussion maybe, let's first see why "/" doesn't work)
>>>>>
>>>>>
>>>>> On 20.03.2020 11:07, Fritze, Florian wrote:
>>>>>> Here is the additional information:
>>>>>>
>>>>>> The error page looks like Tomcat:
>>>>>>
>>>>>> HTTP Status 403 – Forbidden
>>>>>>
>>>>>> _____
>>>>>>
>>>>>> Type Status Report
>>>>>>
>>>>>> Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine Autorisierung.
>>>>>>
>>>>>> _____
>>>>>>
>>>>>> Apache Tomcat/8.5.53
>>>>>>
>>>>>> The Apache HTTPD log file says:
>>>>>>
>>>>>> - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>>>>>
>>>>>> - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "https://dev-fordatis.fraunhofer.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>>>>>
>>>>>> The Tomcat says:
>>>>>>
>>>>>> - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
>>>>>>
>>>>>> - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630
>>>>>>
>>>>>> The server on which all is running is:
>>>>>>
>>>>>> Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
>>>>>>
>>>>>> There is no new entry in the Apache HTTPD error.log concerning
>>>>>> these requests.
>>>>>>
>>>>>> Help is appreciated
>>>>>>
>>>>>> Florian Fritze
>>>>>>
>>>>>> --
>>>>>> Florian Fritze M.A.
>>>>>> Fraunhofer-Informationszentrum Raum und Bau IRB
>>>>>> Competence Center Research Services & Open Science
>>>>>> Nobelstr. 12, 70569 Stuttgart, Germany
>>>>>> Phone +49 711 970-2713
>>>>>> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: André Warnier (tomcat/perl) <a...@ice-sa.com>
>>>>>> Sent: Friday, 20 March 2020 10:14
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: AW: AJP Connector issue
>>>>>>
>>>>>>
>>>>>> On 20.03.2020 08:23, Fritze, Florian wrote:
>>>>>>> Hello Chris,
>>>>>>>
>>>>>>> thanks for the reply. Maybe I am doing something wrong, but
>>>>>>> setting secretRequired="false" does not solve my issue. Let me
>>>>>>> show you what I did and experience: I added
>>>>>>> <Connector port="8011" protocol="AJP/1.3" redirectPort="8443" secretRequired="false" />
>>>>>>> to the Tomcat configuration and the ajp connector on the Apache
>>>>>>> HTTPD side connects to 8011. When I now visit my website I got
>>>>>>> HTTP Status 403 – Forbidden
>>>>>>
>>>>>> And just to make diagnosis a bit quicker : does that 403 error
>>>>>> page look like an Apache httpd page, or a tomcat page ? (they
>>>>>> look quite different in style).
>>>>>>
>>>>>> Also, can you check both the httpd logs, and the tomcat logs
>>>>>> for that request, and check what they say ? (compare by
>>>>>> timestamp and URI)
>>>>>>
>>>>>> Also, under what OS does your front-end httpd run ?
>>>>>>
>>>>>>> I attached also the error page as a screenshot to this mail.
>>>>>>> This behaviour exists only since the Ghostcat fix release (I
>>>>>>> know that this has nothing to do with security fix but probably
>>>>>>> with the release itself).
>>>>>>>
>>>>>>> Thanks in advance
>>>>>>> Florian
>>>>>>>
>>>>>>> --
>>>>>>> Florian Fritze M.A.
>>>>>>> Fraunhofer-Informationszentrum Raum und Bau IRB
>>>>>>> Competence Center Research Services & Open Science
>>>>>>> Nobelstr. 12, 70569 Stuttgart, Germany
>>>>>>> Phone +49 711 970-2713
>>>>>>> florian.fri...@irb.fraunhofer.de<mailto:florian.fritze@irb.fraunhofer.de> |
>>>>>>> www.irb.fraunhofer.de<http://www.irb.fraunhofer.de>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Christopher Schultz <ch...@christopherschultz.net<mailto:ch...@christopherschultz.net>>
>>>>>>> Sent: Thursday, 19 March 2020 20:14
>>>>>>> To: users@tomcat.apache.org<mailto:users@tomcat.apache.org>
>>>>>>> Subject: Re: AJP Connector issue
>>>>>>>
>>>>>>> Florian,
>>>>>>>
>>>>>>> On 3/19/20 07:43, Fritze, Florian wrote:
>>>>>>>>> since the Tomcat release with the Ghostcat security fix
>>>>>>>>> (Tomcat 8.5.51) me as an admin have the problem using the
>>>>>>>>> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html
>>>>>>>>> module to connect the Apache HTTPD with the Tomcat running
>>>>>>>>> on localhost. The attribute secretRequired must be set to
>>>>>>>>> „true“ or „false“. With „false“ set, the connection is not
>>>>>>>>> possible between Tomcat and Apache HTTPD.
>>>>>>>
>>>>>>> When you have set secretRequired="false", it's not possible
>>>>>>> to connect? When you try to connect, what DOES happen?
>>>>>>>
>>>>>>>>> With „true“ the Apache development is not ready in the
>>>>>>>>> current version to work with the „secret“ attribute. Only
>>>>>>>>> the next version of Apache 2.4 supports this attribute.
>>>>>>>
>>>>>>> Correct. Support for secret= in mod_proxy_ajp was evidently
>>>>>>> never really a priority for anybody until now.
>>>>>>>
>>>>>>>>> So I want to use the newest Tomcat version and an AJP
>>>>>>>>> connector but after the Ghostcat fix release there is this
>>>>>>>>> attribute which does not work in my configuration.
>>>>>>>>>
>>>>>>>>> Are there any suggestions or solutions available that you
>>>>>>>>> can deliver me (links or documentation, etc.)
>>>>>>>
>>>>>>> secretRequired="false" should be all you need.
>>>>>>>
>>>>>>> Of course, to be truly secure, you need to make sure that not
>>>>>>> just anybody can make requests through your AJP interface. Have
>>>>>>> you secured that interface from potential evildoers?
>>>>>>>
>>>>>>> -chris
>>>>>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
