Hello tomcat developers.

Re :

current : 
https://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Standard_Implementations

quote
secretRequired  

If this attribute is true, the AJP Connector will only start if the secret attribute is configured with a non-null, non-zero length value. This attribute only controls whether the secret attribute is required to be specified for the AJP Connector to start. It does not control whether workers are required to provide the secret. The default value is true. This attribute should only be set to false when the Connector is used on a trusted network.
unquote

The above new feature/default has been creating a lot of issues, particularly for sysadmins, who upgrade to what looks like a minor version level, and find their front-end/back-end configurations not working anymore.
(Because previously, they did not specify this attribute at all, which defaulted to "false").

In many cases, this will happen even though the front-end httpd (or IIS) and the back-end (tomcat) are in fact running on the same host (*), and thus using the loopback interface to communicate (which also fits well with the new default for "address", which is the loopback address).

To avoid such surprises for sysadmins, how about the following suggested change, to the documentation and to the underlying code :

quote
secretRequired  

If this attribute is true, the AJP Connector will only start if the secret attribute is configured with a non-null, non-zero length value. This attribute only controls whether the secret attribute is required to be specified for the AJP Connector to start. It does not control whether workers are required to provide the secret. This attribute should only be set to false when the Connector is used on a trusted network. In consequence and as a hint : The *default* of this attribute is "false", when the "address" attribute is explicitly set to "127.0.0.1" or "::1", or when it defaults to the loopback address. The *default* of this attribute is "true", when the "address" attribute is set to any other IP address.
unquote

The point is to make sure that existing configurations, which often concern a front-end and a back-end running on the same host, and which often do not contain an explicit "secretRequired" AJP Connector attribute, would default to working as they did before, but *only if* the connection is deemed secure anyway, because it is local. I believe that this alone would already greatly reduce the "stress" caused by this security-related configuration change.


(*) I currently manage about 30 Apache httpd / tomcat combinations, and in all of them but one, they are on the same host. And from a historical perspective, I believe that is true for the majority of httpd/tomcat installations except large load-balancing configurations.
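
An added example, not part of the original message and not Tomcat code: a Python check that reads a server.xml and reports, for each AJP Connector, how it behaves under the documented default and under the default proposed above. The sample XML, the function names and the status labels are constructed for illustration, and treating every loopback address (not only "127.0.0.1" and "::1") as local is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not taken from the message above).
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3"/>
  <Connector port="8010" protocol="AJP/1.3" address="::1" secretRequired="false"/>
  <Connector port="8011" protocol="AJP/1.3" address="10.0.0.5" secretRequired="false"/>
  <Connector port="8012" protocol="AJP/1.3" address="10.0.0.5" secret="constructed-value"/>
  <Connector port="8013" protocol="AJP/1.3" address="10.0.0.5"/>
</Service></Server>"""

def is_loopback(address):
    """True when the connector listens on loopback only."""
    if address is None:          # per the docs, "address" defaults to loopback
        return True
    try:
        # Assumption: any loopback address counts, not just 127.0.0.1 and ::1.
        return ipaddress.ip_address(address).is_loopback
    except ValueError:           # host name or typo: do not assume it is local
        return False

def audit(server_xml):
    """Return {port: status} for every AJP Connector in server_xml."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        has_secret = bool(conn.get("secret"))       # non-null, non-zero length
        explicit = conn.get("secretRequired")       # None when not specified
        loopback = is_loopback(conn.get("address"))
        # Documented default is true; the proposed default is false on loopback.
        required_now = explicit.lower() == "true" if explicit else True
        required_proposed = explicit.lower() == "true" if explicit else not loopback
        if required_now and not has_secret:
            status = ("fails-to-start" if required_proposed
                      else "fails-now-starts-under-proposal")
        elif not has_secret and not loopback:
            status = "starts-without-secret-on-non-loopback"
        else:
            status = "ok"
        report[conn.get("port")] = status
    return report

if __name__ == "__main__":
    for port, status in audit(SAMPLE).items():
        print(port, status)
```

The "starts-without-secret-on-non-loopback" status marks the case the documentation warns about: secretRequired set to false on a Connector that is reachable from other hosts.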


