Posted to users@tomcat.apache.org by js84 <ao...@aon.at> on 2020/02/25 21:07:32 UTC

Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

Hello!

What are you using the secret property for when running Tomcat locally over the loopback interface?

I suggest increasing the log level to "debug" temporarily. (Don't forget to reset it, because performance will slow down dramatically if the isapi_redirect log file grows on a Windows machine.)

Best regards,
Johann  

From: Christopher Schultz
Sent: Tuesday, 25 February 2020 21:42
To: users@tomcat.apache.org
Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

Ellen,

On 2/25/20 13:10, Ellen Meiselman wrote:
> No, just that I don't know how to set this particular connector up
> another way. I based this on the instructions on the
> isapi_connector site
> http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
> and on the 2 older servers we have which are working.
>
> I'm sort of
> thinking of suggesting that we get rid of IIS entirely and switch
> to Tomcat. Then we can run the necessary Java application and also
> serve all the HTML items we need to using the same web server.
Tomcat is a perfectly good "plain old" web server. Some security
people get all freaked-out when you suggest that Tomcat be exposed
"directly" but IMHO it can't be any worse than IIS.

But also IMHO there are always reasons to use a reverse proxy:
flexibility and availability. When you are restarting Tomcat for
whatever reason, what will clients see if they try to access your
application? CONNECTION REFUSED? :( With the proxy in the way, that is
much less likely. Also, if you want to serve Java web applications,
python web applications, .NET whatevers, you'll be able to do that
much more flexibly with a reverse-proxy in the mix.

-chris

> On Tue, Feb 25, 2020 at 1:01 PM Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
> Ellen,
>
> On 2/25/20 12:55, Ellen Meiselman wrote:
>>>> Sorry - no, the quotes were not there except for a 5 minute
>>>> test of a hopeless theory that they might be needed. Right
>>>> now there is no secret at all in the workers.properties, and
>>>> in the ajp connector, I have secretRequired="false".
>>>>
>>>> Workers.properties:
>>>> worker.worker1.type=ajp13
>>>> worker.worker1.host=127.0.0.1
>>>> worker.worker1.port=8009
>>>>
>>>> Server.xml:
>>>> <Connector protocol="AJP/1.3"
>>>> address="127.0.0.1" port="8009" secretRequired="false"
>>>> redirectPort="8443" />
>
> Hmm. I think we've all been operating under the assumption that
> the "secret" (by whatever name) was the source of the problem. It
> appears that was incorrect.
>
> Have a look at Jon's question about file permissions.
>
> Was this a configuration that had been working until recently, or
> is this a new configuration that you haven't (yet) been able to get
> working ?
>
> Any reason not to use HTTP(S) for your protocol instead of AJP?
>
> -chris
>
>>>> On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz <
>>>> chris@christopherschultz.net> wrote:
>>>>
>>>> Ellen,
>>>>
>>>> On 2/25/20 12:06, Ellen Meiselman wrote:
>>>>>>> Yes, everything is on the same server.
>>>>>>>
>>>>>>> workers.properties:
>>>>>>> # Set properties for worker1 (ajp13)
>>>>>>> worker.worker1.type=ajp13
>>>>>>> worker.worker1.host=127.0.0.1
>>>>>>> worker.worker1.port=8009
>>>>>>> worker.worker1.secret="mySecret".
>>>>
>>>> Just so there is no confusion: your "mySecret" should have
>>>> neither quotes nor the trailing period.
>>>>
>>>> Are those literally in your IIS config file?
>>>>
>>>> -chris
>>>>
>>>>>>> On Tue, Feb 25, 2020 at 11:27 AM
>>>>>>> <jo...@wellsfargo.com.invalid> wrote:
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Ellen Meiselman <el...@gmail.com>
>>>>>>>> Sent: Tuesday, February 25, 2020 10:01 AM
>>>>>>>> To: Tomcat Users List <us...@tomcat.apache.org>
>>>>>>>> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>
>>>>>>>>> I've been testing, and so far, there is no change
>>>>>>>>> in the behavior. I am still getting the same
>>>>>>>>> tomcat-based 403 error.
>>>>>>>>
>>>>>>>>> Based on what you said above...
>>>>>>>>>
>>>>>>>>> secretRequired="true" (which is the default, so it
>>>>>>>>> can be removed) secret="xxxxxxx"
>>>>>>>>
>>>>>>>>
>>>>>>>>> ...I removed secretRequired="true" and left secret.
>>>>>>>>> So the connector definition now looks like this:
>>>>>>>>> <Connector protocol="AJP/1.3" address="127.0.0.1"
>>>>>>>>> port="8009" secret="mySecret" redirectPort="8443"
>>>>>>>>> />
>>>>>>>>
>>>>>>>> <SNIP>
>>>>>>>>
>>>>>>>> I'm assuming that your web-front-end is on the same
>>>>>>>> server as your Tomcat instance, based on you having
>>>>>>>> the address set to 127.0.0.1, correct? What do you
>>>>>>>> have in your workers.properties file?
>>>>>>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
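
The secret mismatch discussed in this thread can be checked mechanically. The script below is an added example, not code from any poster or from the Tomcat project: it compares a workers.properties worker with the AJP Connector on the same port and reports the problems raised above. It assumes the worker secret is sent exactly as written in the file; the function names and the `<Service>` wrapper around the Connector are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed samples using the values quoted in the thread.
WORKERS_QUOTED = """\
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
worker.worker1.secret="mySecret".
"""
SERVER_XML = ('<Service><Connector protocol="AJP/1.3" address="127.0.0.1" '
              'port="8009" secret="mySecret" redirectPort="8443" /></Service>')

def parse_workers(text):
    """Parse key=value lines; values are kept verbatim, quotes included."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_ajp(workers_text, server_xml_text, worker="worker1"):
    """Compare one mod_jk worker with the AJP Connector on the same port."""
    props = parse_workers(workers_text)
    port = props.get(f"worker.{worker}.port", "8009")
    w_secret = props.get(f"worker.{worker}.secret")
    conn = next((c for c in ET.fromstring(server_xml_text).iter("Connector")
                 if c.get("protocol", "").startswith("AJP")
                 and c.get("port") == port), None)
    if conn is None:
        return [f"no AJP Connector on port {port}"]
    c_secret = conn.get("secret")
    # secretRequired defaults to "true", as stated in the thread.
    required = conn.get("secretRequired", "true").lower() == "true"
    findings = []
    if w_secret and (w_secret[0] in "\"'" or w_secret[-1] in "\"'."):
        findings.append("worker secret has quotes or a trailing period")
    if required and not c_secret:
        findings.append("secretRequired is true but Connector has no secret")
    if (w_secret or c_secret) and w_secret != c_secret:
        findings.append("worker secret and Connector secret differ")
    if not required and not c_secret:
        findings.append("Connector accepts AJP requests without a secret")
    addr = conn.get("address")
    if addr is not None and addr not in ("127.0.0.1", "::1", "localhost"):
        findings.append("AJP Connector is bound to a non-loopback address")
    return findings

if __name__ == "__main__":
    for finding in check_ajp(WORKERS_QUOTED, SERVER_XML):
        print(finding)
```

A secret that legitimately ends in a period would also trigger the first finding, so treat it as a prompt to look at the file rather than as proof of a mistake.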