You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/02/22 07:41:00 UTC
[Bug 53098] mod_proxy_ajp: patch to set worker secret passed to
tomcat
https://bz.apache.org/bugzilla/show_bug.cgi?id=53098
Rainer Jung <ra...@kippdata.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |---
--- Comment #19 from Rainer Jung <ra...@kippdata.de> ---
It would be useful to backport this eature to 2.4.x.
The newest Tomcat releases hardened the AJP connector by demanding a "secret"
by default, so they are no longer compatibel with mod_proxy_ajp out-of-the-box.
One has to explicitly set secretRequired="false" on the TC AJP connector to be
able to use it with mod_proxy_ajp (and thereby increase attack surface).
r1738878 plus small struct layout adjustments for compatibility should do it.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org