Posted to users@tomcat.apache.org by "Fritze, Florian" <fl...@irb.fraunhofer.de> on 2020/03/19 11:43:59 UTC

AJP Connector issue

Dear Tomcat users,

 

since the Tomcat release with the Ghostcat security fix (Tomcat 8.5.51) I,
as an admin, have the problem using the
https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to connect
the Apache HTTPD with the Tomcat running on localhost. The attribute
secretRequired must be set to "true" or "false"; with "false" set, the
connection is not possible between Tomcat and Apache HTTPD. With "true", the
Apache development is not ready in the current version to work with the
"secret" attribute. Only the next version of Apache 2.4 supports this
attribute.

So I want to use the newest Tomcat version and an AJP connector but after
the Ghostcat fix release there is this attribute which does not work in my
configuration. 

Are there any suggestions or solutions available that you can deliver me
(links or documentation, etc.)?

 

Thanks in advance

Florian Fritze

 

--

Florian Fritze M.A.

Fraunhofer-Informationszentrum Raum und Bau IRB
Competence Center Research Services & Open Science
Nobelstr. 12, 70569 Stuttgart, Germany
Telefon +49 711 970-2713

florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de

 


Re: AJP Connector issue

Posted by Christopher Schultz <ch...@christopherschultz.net>.

André,

On 3/19/20 10:57, André Warnier (tomcat/perl) wrote:
> For example : - if all your pairs of httpd server/tomcat server are
> running on the same host, then you do not really have a security
> issue, and adding a secret will not really bring any additional
> security - if all your pairs of httpd server/tomcat server are
> communicating only over an internal (presumed to be fairly safe)
> network, then you do have a limited security issue (limited by how
> "safe" your internal network really is), and a secret may help a
> bit in reducing this already limited security issue - if you have
> pairs of httpd/tomcat which communicate over a public network, then
> you do have a security issue, and adding a secret will help, but it
> is not going to make that security issue really disappear (*).

If you have naked AJP traversing a public network then you are very
much doing it wrong and have zero privacy or security. Adding a secret
will only expose the secret to anyone who cares to look.

> (*) the secret, if correctly implemented, will block any other host
> than your own hosts from connecting to the tomcat AJP Connector,
> and thus from "abusing" your tomcats by sending them invalid or
> malicious requests.

AJP allows the client to present a secret to the server, but it does
so insecurely. Any attacker who can see your AJP traffic can also see
the secret. So adding a secret doesn't really add security in any
meaningful way. Instead of adding a door lock, it instead adds a note
saying "please don't open this door unless you are allowed to do so."

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: AJP Connector issue

Posted by "André Warnier (tomcat/perl)" <aw...@ice-sa.com>.
On 19.03.2020 12:43, Fritze, Florian wrote:
> Dear Tomcat users,
> 
> since the Tomcat release with the Ghostcat security fix (Tomcat 8.5.51) me as an admin 
> have the problem using the https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module 
> to connect the Apache HTTPD with the Tomcat running on localhost. The attribute 
> secretRequired must be set to „true“ or „false“ with „false“ set the connection is not 
> possible between Tomcat and Apache HTTPD. With „true“ the Apache development is not ready 
> in the current version to work with the „secret“ attribute. Only the next version of 
> Apache 2.4 supports this attribute.
> 
> So I want to use the newest Tomcat version and an AJP connector but after the Ghostcat fix 
> release there is this attribute which does not work in my configuration.
> 
> Are there any suggestions or solutions available that you can deliver me (links or 
> documentation, etc.)
> 
Hello.
It all depends on your configuration, and how your front-end Apache httpd server(s) 
connect to your back-end tomcat server(s).
For example:
- if all your pairs of httpd server/tomcat server are running on the same host, then you 
do not really have a security issue, and adding a secret will not really bring any 
additional security
- if all your pairs of httpd server/tomcat server are communicating only over an internal 
(presumed to be fairly safe) network, then you do have a limited security issue (limited 
by how "safe" your internal network really is), and a secret may help a bit in reducing 
this already limited security issue
- if you have pairs of httpd/tomcat which communicate over a public network, then you do 
have a security issue, and adding a secret will help, but it is not going to make that 
security issue really disappear (*).

But if you want to add a secret anyway, then it depends on how httpd communicates with its 
corresponding tomcat, and there are 2 options:
- using the httpd mod_proxy_ajp module
or
- using the httpd mod_jk module

As I understand from your message, the current mod_proxy_ajp module released with the 
current httpd 2.4, does not support that "secret" yet.
But the currently available mod_jk module does support that option, and the current mod_jk 
module is compatible with any httpd 2.4 version.
And, functionally, mod_proxy_ajp and mod_jk can do the same things.
It is just the setup and configuration (at the httpd level) that is somewhat different 
between the two. (there is no difference at the tomcat level).

So if you are currently using mod_proxy_ajp (**), then if you want to implement this 
"secret" option, you would have to change your httpd configuration, to use mod_jk instead 
of mod_proxy_ajp (temporarily, until the appropriate version of mod_proxy_ajp is released).

(*) the secret, if correctly implemented, will block any other host than your own hosts 
from connecting to the tomcat AJP Connector, and thus from "abusing" your tomcats by 
sending them invalid or malicious requests.
But it would not block someone from intercepting the traffic between your httpds and your 
tomcats and reading it, because the AJP protocol is not encrypted, and because there is no 
implementation available that makes this traffic be encrypted.

(**) If you are currently using mod_proxy_ajp, then it is also likely that you are not 
using the option whereby httpd can do the user authentication, and then pass the 
authenticated user-id along to tomcat, for tomcat to use it.
That means that you are already avoiding one possible security issue.




Re: AW: AW: AJP Connector issue

Posted by Christopher Schultz <ch...@christopherschultz.net>.

RK,

On 3/20/20 13:33, RK Ashburn wrote:
> thanks Chris. fixed it to a real IP,

In many cases, 0.0.0.0 is basically the same as binding to the
interface which represents the outside world (e.g. eth0, etc.).

See my other reply in this thread to see what I would recommend in
terms of a secure deployment of AJP.

- -chris



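A way to check a server.xml for exactly the two settings argued over in this thread (secretRequired/secret, which produced the startup failure in the quoted stack trace, and the bind address, 0.0.0.0 versus loopback), written here as an added example and not code from the thread or the Tomcat project. It assumes the post-Ghostcat defaults of Tomcat 8.5.51+/9.0.31+ (a missing secretRequired means "true", a missing address means the loopback interface); the sample server.xml inside it is constructed.

```python
"""Audit the AJP <Connector> elements of a Tomcat server.xml for the
secretRequired/secret and address settings discussed in the thread."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml, not taken from any real deployment.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- the connector from the thread: starts, but presents no secret -->
    <Connector port="8011" protocol="AJP/1.3" redirectPort="8443"
               secretRequired="false" />
    <!-- bound to every interface, as with the address="0.0.0.0" suggestion -->
    <Connector port="8012" protocol="AJP/1.3" address="0.0.0.0"
               secretRequired="false" />
    <!-- secretRequired defaults to true and no secret is set: startup fails -->
    <Connector port="8013" protocol="AJP/1.3" />
    <!-- loopback only plus a secret: the shape recommended in the thread,
         with stunnel in front if a remote web server has to reach it -->
    <Connector port="8009" protocol="org.apache.coyote.ajp.AjpNioProtocol"
               address="127.0.0.1" secretRequired="true"
               secret="PLACEHOLDER-long-random-secret" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>"""

# Tomcat accepts the short protocol name or the implementing class name.
AJP_PROTOCOL_PREFIXES = ("AJP/1.3", "org.apache.coyote.ajp.")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::", "0:0:0:0:0:0:0:0"}


def is_ajp_connector(connector):
    """True for <Connector> elements that speak AJP (either spelling)."""
    return connector.get("protocol", "HTTP/1.1").startswith(AJP_PROTOCOL_PREFIXES)


def audit_connector(connector):
    """Return (severity, message) findings for one AJP <Connector> element."""
    findings = []
    port = connector.get("port", "?")
    # Assumption: Tomcat 8.5.51+ binds to loopback when address is absent.
    address = connector.get("address", "127.0.0.1")
    on_loopback = address in LOOPBACK

    # Same rule Tomcat enforces at startup (the IllegalArgumentException
    # quoted in the thread): secretRequired="true" needs a non-empty secret.
    secret_required = connector.get("secretRequired", "true").lower() == "true"
    secret = connector.get("secret", "")
    if secret_required and not secret:
        findings.append(("ERROR", f"port {port}: secretRequired is true but "
                         "secret is null or empty; the connector will not start"))
    elif not secret_required:
        # Harmless for a same-host httpd on loopback, a real gap anywhere else.
        findings.append(("INFO" if on_loopback else "WARN",
                         f"port {port}: secretRequired=\"false\"; anything that "
                         "can reach the port can submit AJP requests"))

    if address in WILDCARD:
        findings.append(("WARN", f"port {port}: address {address} listens on "
                         "every interface; bind to 127.0.0.1 and front it with "
                         "stunnel (mutual TLS) if remote web servers need it"))
    elif not on_loopback:
        findings.append(("INFO", f"port {port}: bound to {address}; AJP is "
                         "cleartext, so the secret and all traffic are readable "
                         "on that network"))
    return findings


def audit_server_xml(xml_text):
    """Map each AJP connector port to its findings; an empty list is clean."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): audit_connector(c)
            for c in root.iter("Connector") if is_ajp_connector(c)}


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        for severity, message in findings or [("OK", f"port {port}: no findings")]:
            print(f"{severity:5} {message}")
```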

Re: AW: AW: AJP Connector issue

Posted by RK Ashburn <ra...@gmail.com>.
thanks Chris. fixed it to a real IP,





On Fri, Mar 20, 2020 at 12:40 PM Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> RK,
>
> On 3/20/20 09:57, RK Ashburn wrote:
> > I have tested r successful AJP connector with apache proxy on
> > (tomcat 7)
> >
> > 1. For AJP connector adding  secretRequired="false" and
> address="0.0.0.0"
> > resolved my connectivity issue. I suspect the issue you are having
> > (with 403)  is more like a permissions issue on the site the
> > request is
> trying to
> > reach, than a AJP connector configuration issue.
>
> binding to "all interfaces" may work, but it's not terribly secure.
> Are you really expecting an AJP connection from anywhere in the world?
>
> - -chris
>
> > On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian <
> > florian.fritze@irb.fraunhofer.de> wrote:
> >
> >> Just to make it clear what from my opinion the problem is:
> >>
> >> SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8011]]
> >> org.apache.catalina.LifecycleException: Der Start des Protokoll-Handlers ist fehlgeschlagen
> >> at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
> >> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> >> at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
> >> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> >> at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
> >> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> >> at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
> >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >> at java.lang.reflect.Method.invoke(Method.java:498)
> >> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
> >> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
> >> Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
> >> at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
> >> at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
> >> ... 12 more
> >>
> >> This new "secretRequired" attribute prevents the Tomcat from
> >> starting flawlessly. It was first introduced with the Ghostcat
> >> release. So this is a wish from me to the Tomcat developers:
> >> Please set this new attribute not mandatory but optional. So that
> >> I can run the newest
> Tomcat
> >> without this attribute which I do now with the pre-Ghostcat
> >> releases.
> >>
> >> Have a nice weekend Florian Fritze
> >>
> >> --
> >> Florian Fritze M.A.
> >> Fraunhofer-Informationszentrum Raum und Bau IRB
> >> Competence Center Research Services & Open Science
> >> Nobelstr. 12, 70569 Stuttgart, Germany
> >> Telefon +49 711 970-2713
> >> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
> >>
> >>
> >> -----Original Message-----
> >> From: André Warnier (tomcat/perl) <aw...@ice-sa.com>
> >> Sent: Friday, 20 March 2020 13:34
> >> To: users@tomcat.apache.org
> >> Subject: Re: AW: AW: AJP Connector issue
> >>
> >> Ok, so it looks like:
> >> - the request is effectively reaching tomcat, and that it is tomcat
> >> sending back the 403 response.
> >> - the URL is "/", so presumably it is "well-formed" etc.
> >>
> >> Furthermore, according to something you wrote below, both Apache httpd and
> >> tomcat are running on the same Linux host.
> >>
> >> This reminds me vaguely of some issue previously (and recently) discussed
> >> on the list, with some request attributes which tomcat did not like.. But
> >> I do not remember precisely what the issue was, and it also seems to me
> >> that this concerned an IIS front-end, not Apache httpd.
> >>
> >> Perhaps someone else on the list has a better idea.
> >>
> >>
> >> Incidentally, it also seems that you are, in httpd, proxying *all*
> >> requests to tomcat. Which raises the question of why you have a httpd
> >> front-end in the first place. (But that's a later discussion maybe, let's
> >> first see why "/" doesn't work)
> >>
> >>
> >> On 20.03.2020 11:07, Fritze, Florian wrote:
> >>> Here is the additional information:
> >>>
> >>> The error page looks like Tomcat:
> >>>
> >>> HTTP Status 403 – Forbidden
> >>>
> >>> _____
> >>>
> >>> Type Status Report
> >>>
> >>> Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine Autorisierung.
> >>>
> >>> _____
> >>>
> >>> Apache Tomcat/8.5.53
> >>>
> >>> The Apache HTTPD log file says:
> >>>
> >>> - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
> >>>
> >>> - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "https://dev-fordatis.fraunhofer.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
> >>>
> >>>
> >>>
> >>> The Tomcat says:
> >>>
> >>> - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
> >>>
> >>> - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1"
> >>> 403 630
> >>>
> >>>
> >>>
> >>> The server on which all is running is:
> >>>
> >>> Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28
> >>> 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> >>>
> >>>
> >>>
> >>> There is no new entry in the Apache HTTPD error.log concerning these
> >>> requests.
> >>>
> >>>
> >>>
> >>> Help is appreciated
> >>>
> >>> Florian Fritze
> >>>
> >>> --
> >>>
> >>> Florian Fritze M.A.
> >>>
> >>> Fraunhofer-Informationszentrum Raum und Bau IRB
> >>>
> >>> Competence Center Research Services & Open Science
> >>>
> >>> Nobelstr. 12, 70569 Stuttgart, Germany
> >>>
> >>> Telefon +49 711 970-2713
> >>>
> >>> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: André Warnier (tomcat/perl) <aw...@ice-sa.com>
> >>> Sent: Friday, 20 March 2020 10:14
> >>> To: users@tomcat.apache.org
> >>> Subject: Re: AW: AJP Connector issue
> >>>
> >>>
> >>>
> >>> On 20.03.2020 08:23, Fritze, Florian wrote:
> >>>
> >>>> Hello Chris,
> >>>
> >>>>
> >>>
> >>>> thanks for the reply. Maybe I am doing something wrong, but
> >>>> setting
> >>>
> >>>> secretRequired="false" does not solve my issue. Let me show
> >>>> you what I
> >>>
> >>>> did and experience: I added <Connector port="8011"
> >>>> protocol="AJP/1.3"
> >>>
> >>>> redirectPort="8443" secretRequired="false" /> to the Tomcat
> >>>
> >>>> configuration and the ajp connector on the Apache HTTPD side
> >>>> connects
> >>>
> >>>> to 8011. When I now visit my website I got HTTP Status 403 –
> >>>> Forbidden
> >>>
> >>>
> >>>
> >>> And just to make diagnosis a bit quicker: does that 403 error page look
> >>> like an Apache httpd page, or a tomcat page? (they look quite different
> >>> in style).
> >>>
> >>>
> >>>
> >>> Also, can you check both the httpd logs, and the tomcat logs for that
> >>> request, and check what they say? (compare by timestamp and URI)
> >>>
> >>>
> >>>
> >>> Also, under what OS does your front-end httpd run ?
> >>>
> >>>
> >>>
> >>>>
> >>>
> >>>> I attached also the error page as a screenshot to this mail.
> >>>> This
> >>>
> >>>> behaviour exists only since the Ghostcat fix release (I know
> >>>> that this
> >>>
> >>>> has nothing to do with security fix but probably with the
> >>>> release
> >> itself).
> >>>
> >>>>
> >>>
> >>>> Thanks in advance
> >>>
> >>>> Florian
> >>>
> >>>>
> >>>
> >>>> --
> >>>
> >>>> Florian Fritze M.A.
> >>>
> >>>> Fraunhofer-Informationszentrum Raum und Bau IRB Competence
> >>>> Center
> >>>
> >>>> Research Services & Open Science Nobelstr. 12, 70569
> >>>> Stuttgart,
> >>>
> >>>> Germany Telefon +49 711 970-2713
> >>>> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
> >>>
> >>>>
> >>>
> >>>> -----Original Message-----
> >>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>> Sent: Thursday, 19 March 2020 20:14
> >>>> To: users@tomcat.apache.org
> >>>> Subject: Re: AJP Connector issue
> >>>
> >>>>
> >>>
> >>>>
> > Florian,
> >>>>
> >
> >>>>
> > On 3/19/20 07:43, Fritze, Florian wrote:
> >>>>
> >>>>>> since the Tomcat release with the Ghostcat security fix
> >>>>>> (Tomcat
> >>>>
> >>>>>> 8.5.51) me as an admin have the problem using the
> >>>>
> >>>>>> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html
> >>>>>> module to
> >>>>
> >>>>>> connect the Apache HTTPD with the Tomcat running on
> >>>>>> localhost. The
> >>>>
> >>>>>> attribute secretRequired must be set to „true“ or „false“
> >>>>>> with
> >>>>
> >>>>>> „false“ set the connection is not possible between Tomcat
> >>>>>> and Apache
> >>> HTTPD.
> >>>>
> >
> >>>>
> > When you have set secretRequired="false", it's not possible to
> >>>>
> > connect? When you try to connect, what DOES happen?
> >>>>
> >
> >>>>
> >>>>>> With „true“ the Apache development is not ready in the
> >>>>>> current
> >>>>
> >>>>>> version to work with the „secret“ attribute. Only the
> >>>>>> next version of
> >>>>
> >>>>>> Apache
> >>>>
> >>>>>> 2.4 supports this attribute.
> >>>>
> > Correct. Support for secret= in mod_proxy_ajp was evidently never
> >>>>
> > really a priority for anybody until now.
> >>>>
> >
> >>>>
> >>>>>> So I want to use the newest Tomcat version and an AJP
> >>>>>> connector but
> >>>>
> >>>>>> after the Ghostcat fix release there is this attribute
> >>>>>> which does not
> >>>>
> >>>>>> work in my configuration.
> >>>>
> >>>>>>
> >>>>
> >>>>>> Are there any suggestions or solutions available that you
> >>>>>> can deliver
> >>>>
> >>>>>> me (links or documentation, etc.)
> >>>>
> >
> >>>>
> > secretRequired="false" should be all you need.
> >>>>
> >
> >>>>
> > Of course, to be truly secure, you need to make sure that not just
> >>>>
> > anybody can make requests through your AJP interface. Have you
> > secured
> >>>>
> > that interface from potential evildoers?
> >>>>
> >
> >>>>
> > -chris
> >>>>
> >>>
> >>>>
> >>>
> >>>
> >>>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>>
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >>>
> >>
> >>
> >

Re: AW: AW: AJP Connector issue

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jon,

On 3/20/20 13:28, jonmcalexander@wellsfargo.com.INVALID wrote:
> Christopher,
>
> Is there an entry that can go in the AJP connector to restrict
> what
addresses it will listen to requests from? Meaning you can list the IP
addresses of the web servers?

Tomcat has no knowledge of your web servers. But presumably YOU know
where your web servers are and how they should be connecting. If they
are on different hosts, using AJP means that you are communicating
over an insecure channel over a network. Is that acceptable to you? If
not, you need to either switch protocols (e.g. HTTPS) or tunnel AJP
through something like stunnel.

IMO, if you want to use AJP then you need to do this:

client
 |
 | HTTP
 \/
web server
 |
 | AJP-over-TLS (stunnel)
 |
 |
 \/
app server:8010
 |
 | stunnel unwraps AJP
 |
 \/
app server:8009

In this scenario, Tomcat listens on 127.0.0.1:8009 and stunnel listens
on the public interface and requires mutual TLS in order to connect.
You can also use IP whitelisting if you want to be even more paranoid.

> I know I'm top replying, but Outlook sucks with this. :-(

Just go to the bottom of the message and start typing instead of
typing at the top :)

-chris

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Friday, March 20, 2020 11:40 AM
> To: users@tomcat.apache.org
> Subject: Re: AW: AW: AJP Connector issue
>
> RK,
>
> On 3/20/20 09:57, RK Ashburn wrote:
>> I have tested a successful AJP connector with apache proxy on
>> (tomcat 7)
>>
>> 1. For AJP connector adding secretRequired="false" and
>> address="0.0.0.0" resolved my connectivity issue. I suspect the issue
>> you are having (with 403) is more like a permissions issue on the site
>> the request is trying to reach, than an AJP connector configuration issue.
>
> binding to "all interfaces" may work, but it's not terribly
> secure. Are you really expecting an AJP connection from anywhere in
> the world?
>
> -chris
>
>> On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian <
>> florian.fritze@irb.fraunhofer.de> wrote:
>
>>> Just to make it clear what from my opinion the problem is:
>>>
>>> SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8011]]
>>> org.apache.catalina.LifecycleException: Der Start des Protokoll-Handlers ist fehlgeschlagen
>>>     at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
>>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>>     at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
>>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>>     at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
>>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>>     at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>>> Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
>>>     at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
>>>     at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
>>>     ... 12 more
>>>
>>> This new "secretRequired" attribute prevents the Tomcat from
>>> starting flawlessly. It was first introduced with the Ghostcat
>>> release. So this is a wish from me to the Tomcat developers:
>>> Please set this new attribute not mandatory but optional. So
>>> that I can run the newest
> Tomcat
>>> without this attribute which I do now with the pre-Ghostcat
>>> releases.
>>>
>>> Have a nice weekend
>>> Florian Fritze
>>>
>>> --
>>> Florian Fritze M.A.
>>> Fraunhofer-Informationszentrum Raum und Bau IRB
>>> Competence Center Research Services & Open Science
>>> Nobelstr. 12, 70569 Stuttgart, Germany
>>> Telefon +49 711 970-2713
>>> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
>>>
>>>
>>> -----Original Message-----
>>> From: André Warnier (tomcat/perl) <aw...@ice-sa.com>
>>> Sent: Friday, 20 March 2020 13:34
>>> To: users@tomcat.apache.org
>>> Subject: Re: AW: AW: AJP Connector issue
>>>
>>> Ok, so it looks like :
>>> - the request is effectively reaching tomcat, and that it is tomcat
>>>   sending back the 403 response.
>>> - the URL is "/", so presumably it is "well-formed" etc.
>>>
>>> Furthermore, according to something you wrote below, both Apache httpd and
>>> tomcat are running on the same Linux host.
>>>
>>> This reminds me vaguely of some issue previously (and recently) discussed
>>> on the list, with some request attributes which tomcat did not like..
>>> But I do not remember precisely what the issue was, and it also seems to
>>> me that this concerned an IIS front-end, not Apache httpd.
>>>
>>> Perhaps someone else on the list has a better idea.
>>>
>>>
>>> Incidentally, it also seems that you are, in httpd, proxying *all*
>>> requests to tomcat. Which raises the question of why you have a httpd
>>> front-end in the first place. (But that's a later discussion maybe,
>>> let's first see why "/" doesn't work)
>>>
>>> On 20.03.2020 11:07, Fritze, Florian wrote:
>>>> Here is the additional information:
>>>>
>>>> The error page looks like Tomcat:
>>>>
>>>> HTTP Status 403 – Forbidden
>>>>
>>>> _____
>>>>
>>>> Type Status Report
>>>>
>>>> Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine Autorisierung.
>>>>
>>>> _____
>>>>
>>>> Apache Tomcat/8.5.53
>>>>
>>>> The Apache HTTPD log file says:
>>>>
>>>> - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>>>
>>>> - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "https://dev-fordatis.fraunhofer.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>>>
>>>>
>>>>
>>>> The Tomcat says:
>>>>
>>>> - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
>>>>
>>>> - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1"
>>>> 403 630
>>>>
>>>>
>>>>
>>>> The server on which all is running is:
>>>>
>>>> Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28
>>>> 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
>>>>
>>>>
>>>>
>>>> There is no new entry in the Apache HTTPD error.log concerning these
>>>> requests.
>>>>
>>>>
>>>>
>>>> Help is appreciated
>>>>
>>>> Florian Fritze
>>>>
>>>> --
>>>>
>>>> Florian Fritze M.A.
>>>>
>>>> Fraunhofer-Informationszentrum Raum und Bau IRB
>>>>
>>>> Competence Center Research Services & Open Science
>>>>
>>>> Nobelstr. 12, 70569 Stuttgart, Germany
>>>>
>>>> Telefon +49 711 970-2713
>>>>
>>>> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: André Warnier (tomcat/perl) <aw...@ice-sa.com>
>>>> Sent: Friday, 20 March 2020 10:14
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: AW: AJP Connector issue
>>>>
>>>>
>>>>
>>>> On 20.03.2020 08:23, Fritze, Florian wrote:
>>>>
>>>>> Hello Chris,
>>>>>
>>>>> thanks for the reply. Maybe I am doing something wrong, but setting
>>>>> secretRequired="false" does not solve my issue. Let me show you what I
>>>>> did and experience: I added <Connector port="8011" protocol="AJP/1.3"
>>>>> redirectPort="8443" secretRequired="false" /> to the Tomcat
>>>>> configuration and the ajp connector on the Apache HTTPD side connects
>>>>> to 8011. When I now visit my website I got HTTP Status 403 – Forbidden
>>>>
>>>>
>>>>
>>>> And just to make diagnosis a bit quicker : does that 403 error page look
>>>> like an Apache httpd page, or a tomcat page ? (they look quite different in
>>>> style).
>>>>
>>>>
>>>>
>>>> Also, can you check both the httpd logs, and the tomcat logs
>>>> for that request, and check what they say ?  (compare by
>>>> timestamp and URI)
>>>>
>>>>
>>>>
>>>> Also, under what OS does your front-end httpd run ?
>>>>
>>>>
>>>>
>>>>>
>>>>> I attached also the error page as a screenshot to this mail. This
>>>>> behaviour exists only since the Ghostcat fix release (I know that this
>>>>> has nothing to do with security fix but probably with the release
>>>>> itself).
>>>>>
>>>>> Thanks in advance
>>>>> Florian
>>>>>
>>>>> --
>>>>> Florian Fritze M.A.
>>>>> Fraunhofer-Informationszentrum Raum und Bau IRB
>>>>> Competence Center Research Services & Open Science
>>>>> Nobelstr. 12, 70569 Stuttgart, Germany
>>>>> Telefon +49 711 970-2713
>>>>> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
>>>>>
>>>>> -----Original Message-----
>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>>> Sent: Thursday, 19 March 2020 20:14
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: AJP Connector issue
>>>>>
>> Florian,
>>
>> On 3/19/20 07:43, Fritze, Florian wrote:
>>>>>>> since the Tomcat release with the Ghostcat security fix (Tomcat
>>>>>>> 8.5.51) me as an admin have the problem using the
>>>>>>> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to
>>>>>>> connect the Apache HTTPD with the Tomcat running on localhost. The
>>>>>>> attribute secretRequired must be set to „true“ or „false“ with
>>>>>>> „false“ set the connection is not possible between Tomcat and Apache
>>>>>>> HTTPD.
>>
>> When you have set secretRequired="false", it's not possible to
>> connect? When you try to connect, what DOES happen?
>>
>>>>>>> With „true“ the Apache development is not ready in the current
>>>>>>> version to work with the „secret“ attribute. Only the next version of
>>>>>>> Apache 2.4 supports this attribute.
>>
>> Correct. Support for secret= in mod_proxy_ajp was evidently never
>> really a priority for anybody until now.
>>
>>>>>>> So I want to use the newest Tomcat version and an AJP connector but
>>>>>>> after the Ghostcat fix release there is this attribute which does not
>>>>>>> work in my configuration.
>>>>>>>
>>>>>>> Are there any suggestions or solutions available that you can deliver
>>>>>>> me (links or documentation, etc.)
>>
>> secretRequired="false" should be all you need.
>>
>> Of course, to be truly secure, you need to make sure that not just
>> anybody can make requests through your AJP interface. Have you secured
>> that interface from potential evildoers?
>>
>> -chris

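The stunnel layout in Chris's diagram above, written out as an added example that is not configuration from the thread or from the Tomcat or stunnel projects: the stunnel service on the app server that terminates mutual TLS in front of the loopback-only Tomcat connector, and the matching client service on the web server that httpd's mod_proxy_ajp points at. The hostnames, file paths and certificate names are assumptions, as is the use of a stunnel client on the web server side to feed the tunnel.

```ini
# Added example; hostnames, PEM file names and paths are placeholders,
# not values from the thread.
#
# Tomcat side (server.xml): AJP is bound to the loopback interface only,
# so the sole thing that can reach it is the local stunnel below. That is
# what makes secretRequired="false" acceptable here; a connector bound to
# 0.0.0.0 with no secret would be reachable by anyone on the network.
#   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
#              secretRequired="false" redirectPort="8443" />

# ---------------------------------------------------------------------
# /etc/stunnel/ajp-server.conf  (on the app server, appserver.example.internal)
#
# Accepts TLS on the public interface (8010, as in the diagram) and hands
# plain AJP to Tomcat on 127.0.0.1:8009.
# verify = 2 means: verify the peer certificate against CAfile AND reject
# peers that present no certificate. This is the mutual-TLS requirement:
# a client without a certificate issued by the internal CA is dropped
# during the TLS handshake, before any AJP bytes reach Tomcat.
# ---------------------------------------------------------------------
[ajp-in]
accept     = 0.0.0.0:8010
connect    = 127.0.0.1:8009
cert       = /etc/stunnel/appserver.pem
key        = /etc/stunnel/appserver.key
CAfile     = /etc/stunnel/internal-ca.pem
verify     = 2
sslVersion = TLSv1.2

# ---------------------------------------------------------------------
# /etc/stunnel/ajp-client.conf  (on the web server, webserver.example.internal)
#
# httpd keeps speaking plain AJP, but only to 127.0.0.1:8009, which is
# this stunnel client. It wraps the connection in TLS, presents the web
# server's certificate to the app server and verifies the app server's
# certificate in turn. The matching httpd directive is simply
#   ProxyPass / ajp://127.0.0.1:8009/
# so mod_proxy_ajp never needs secret= support for this layout.
# checkHost (stunnel 5.x) additionally pins the server certificate's
# name, so a different host with a certificate from the same CA cannot
# impersonate the app server.
# ---------------------------------------------------------------------
[ajp-out]
client     = yes
accept     = 127.0.0.1:8009
connect    = appserver.example.internal:8010
cert       = /etc/stunnel/webserver.pem
key        = /etc/stunnel/webserver.key
CAfile     = /etc/stunnel/internal-ca.pem
verify     = 2
checkHost  = appserver.example.internal
sslVersion = TLSv1.2
```

The IP whitelisting Chris mentions as an extra layer sits outside both files, in the host firewall in front of port 8010, and is independent of the certificate check.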


RE: AW: AW: AJP Connector issue

Posted by jo...@wellsfargo.com.INVALID.
Christopher,

Is there an entry that can go in the AJP connector to restrict what addresses it will listen to requests from? Meaning you can list the IP addresses of the web servers?

I know I'm top replying, but Outlook sucks with this. :-(

Thanks,


Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

Upcoming PTO: 11/8, 11/11, 11/15, 11/22, 11/28, 11/29, 12/2, 12/6, 12/13, 12/20 – 12/31

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexander@wellsfargo.com


This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.


-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Friday, March 20, 2020 11:40 AM
To: users@tomcat.apache.org
Subject: Re: AW: AW: AJP Connector issue


RK,

On 3/20/20 09:57, RK Ashburn wrote:
> I have tested a successful AJP connector with apache proxy on (tomcat
> 7)
>
> 1. For AJP connector adding secretRequired="false" and address="0.0.0.0"
> resolved my connectivity issue. I suspect the issue you are having
> (with 403) is more like a permissions issue on the site the request
> is trying to reach, than an AJP connector configuration issue.

binding to "all interfaces" may work, but it's not terribly secure.
Are you really expecting an AJP connection from anywhere in the world?

-chris

> On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian < 
> florian.fritze@irb.fraunhofer.de> wrote:
>
>> Just to make it clear what from my opinion the problem is:
>>
>> SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8011]]
>> org.apache.catalina.LifecycleException: Der Start des Protokoll-Handlers ist fehlgeschlagen
>>     at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>     at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>     at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>     at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>> Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
>>     at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
>>     at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
>>     ... 12 more
>>
>> This new "secretRequired" attribute prevents the Tomcat from starting 
>> flawlessly. It was first introduced with the Ghostcat release. So 
>> this is a wish from me to the Tomcat developers:
>> Please set this new attribute not mandatory but optional. So that I 
>> can run the newest
Tomcat
>> without this attribute which I do now with the pre-Ghostcat releases.
>>
>> Have a nice weekend
>> Florian Fritze
>>
>> --
>> Florian Fritze M.A.
>> Fraunhofer-Informationszentrum Raum und Bau IRB
>> Competence Center Research Services & Open Science
>> Nobelstr. 12, 70569 Stuttgart, Germany
>> Telefon +49 711 970-2713
>> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
>>
>>
>> -----Original Message-----
>> From: André Warnier (tomcat/perl) <aw...@ice-sa.com>
>> Sent: Friday, 20 March 2020 13:34
>> To: users@tomcat.apache.org
>> Subject: Re: AW: AW: AJP Connector issue
>>
>> Ok, so it looks like :
>> - the request is effectively reaching tomcat, and that it is tomcat
>>   sending back the 403 response.
>> - the URL is "/", so presumably it is "well-formed" etc.
>>
>> Furthermore, according to something you wrote below, both Apache httpd and
>> tomcat are running on the same Linux host.
>>
>> This reminds me vaguely of some issue previously (and recently) discussed
>> on the list, with some request attributes which tomcat did not like..
>> But I do not remember precisely what the issue was, and it also seems to
>> me that this concerned an IIS front-end, not Apache httpd.
>>
>> Perhaps someone else on the list has a better idea.
>>
>>
>> Incidentally, it also seems that you are, in httpd, proxying *all*
>> requests to tomcat. Which raises the question of why you have a httpd
>> front-end in the first place. (But that's a later discussion maybe,
>> let's first see why "/" doesn't work)
>>
>>
>> On 20.03.2020 11:07, Fritze, Florian wrote:
>>> Here is the additional information:
>>>
>>> The error page looks like Tomcat:
>>>
>>> HTTP Status 403 – Forbidden
>>>
>>> _____
>>>
>>> Type Status Report
>>>
>>> Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine Autorisierung.
>>>
>>> _____
>>>
>>> Apache Tomcat/8.5.53
>>>
>>> The Apache HTTPD log file says:
>>>
>>> - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>>
>>> - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "https://dev-fordatis.fraunhofer.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>>
>>>
>>>
>>> The Tomcat says:
>>>
>>> - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
>>>
>>> - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1"
>>> 403 630
>>>
>>>
>>>
>>> The server on which all is running is:
>>>
>>> Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28
>>> 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>>
>>>
>>> There is no new entry in the Apache HTTPD error.log concerning these
>>> requests.
>>>
>>>
>>>
>>> Help is appreciated
>>>
>>> Florian Fritze
>>>
>>> --
>>>
>>> Florian Fritze M.A.
>>>
>>> Fraunhofer-Informationszentrum Raum und Bau IRB
>>>
>>> Competence Center Research Services & Open Science
>>>
>>> Nobelstr. 12, 70569 Stuttgart, Germany
>>>
>>> Telefon +49 711 970-2713
>>>
>>> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
>>>
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: André Warnier (tomcat/perl) <aw...@ice-sa.com>
>>> Sent: Friday, 20 March 2020 10:14
>>> To: users@tomcat.apache.org
>>> Subject: Re: AW: AJP Connector issue
>>>
>>>
>>>
>>> On 20.03.2020 08:23, Fritze, Florian wrote:
>>>
>>>> Hello Chris,
>>>>
>>>> thanks for the reply. Maybe I am doing something wrong, but setting
>>>> secretRequired="false" does not solve my issue. Let me show you what I
>>>> did and experience: I added <Connector port="8011" protocol="AJP/1.3"
>>>> redirectPort="8443" secretRequired="false" /> to the Tomcat
>>>> configuration and the ajp connector on the Apache HTTPD side connects
>>>> to 8011. When I now visit my website I got HTTP Status 403 – Forbidden
>>>
>>>
>>>
>>> And just to make diagnosis a bit quicker : does that 403 error page look
>>> like an Apache httpd page, or a tomcat page ? (they look quite different in
>>> style).
>>>
>>>
>>>
>>> Also, can you check both the httpd logs, and the tomcat logs
>>> for that request, and check what they say ?  (compare by
>>> timestamp and URI)
>>>
>>>
>>>
>>> Also, under what OS does your front-end httpd run ?
>>>
>>>
>>>
>>>>
>>>> I attached also the error page as a screenshot to this mail. This
>>>> behaviour exists only since the Ghostcat fix release (I know that this
>>>> has nothing to do with security fix but probably with the release
>>>> itself).
>>>>
>>>> Thanks in advance
>>>> Florian
>>>>
>>>> --
>>>> Florian Fritze M.A.
>>>> Fraunhofer-Informationszentrum Raum und Bau IRB
>>>> Competence Center Research Services & Open Science
>>>> Nobelstr. 12, 70569 Stuttgart, Germany
>>>> Telefon +49 711 970-2713
>>>> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
>>>>
>>>> -----Original Message-----
>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>> Sent: Thursday, 19 March 2020 20:14
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: AJP Connector issue
>>>>
> Florian,
>
> On 3/19/20 07:43, Fritze, Florian wrote:
>>>>>> since the Tomcat release with the Ghostcat security fix (Tomcat
>>>>>> 8.5.51) me as an admin have the problem using the
>>>>>> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to
>>>>>> connect the Apache HTTPD with the Tomcat running on localhost. The
>>>>>> attribute secretRequired must be set to „true“ or „false“ with
>>>>>> „false“ set the connection is not possible between Tomcat and Apache
>>>>>> HTTPD.
>
> When you have set secretRequired="false", it's not possible to
> connect? When you try to connect, what DOES happen?
>
>>>>>> With „true“ the Apache development is not ready in the current
>>>>>> version to work with the „secret“ attribute. Only the next version of
>>>>>> Apache 2.4 supports this attribute.
>
> Correct. Support for secret= in mod_proxy_ajp was evidently never
> really a priority for anybody until now.
>
>>>>>> So I want to use the newest Tomcat version and an AJP connector but
>>>>>> after the Ghostcat fix release there is this attribute which does not
>>>>>> work in my configuration.
>>>>>>
>>>>>> Are there any suggestions or solutions available that you can deliver
>>>>>> me (links or documentation, etc.)
>
> secretRequired="false" should be all you need.
>
> Of course, to be truly secure, you need to make sure that not just
> anybody can make requests through your AJP interface. Have you secured
> that interface from potential evildoers?
>
> -chris



Re: AW: AW: AJP Connector issue

Posted by Christopher Schultz <ch...@christopherschultz.net>.

RK,

On 3/20/20 09:57, RK Ashburn wrote:
> I have tested a successful AJP connector with apache proxy on
> (tomcat 7)
>
> 1. For AJP connector adding secretRequired="false" and
> address="0.0.0.0" resolved my connectivity issue. I suspect the issue
> you are having (with 403) is more like a permissions issue on the site
> the request is trying to reach, than an AJP connector configuration issue.

binding to "all interfaces" may work, but it's not terribly secure.
Are you really expecting an AJP connection from anywhere in the world?

-chris

> On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian <
> florian.fritze@irb.fraunhofer.de> wrote:
>
>> Just to make it clear what from my opinion the problem is:
>>
>> SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8011]]
>> org.apache.catalina.LifecycleException: Der Start des Protokoll-Handlers ist fehlgeschlagen
>>     at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>     at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>     at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>     at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>> Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
>>     at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
>>     at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
>>     ... 12 more
>>
>> This new "secretRequired" attribute prevents the Tomcat from
>> starting flawlessly. It was first introduced with the Ghostcat
>> release. So this is a wish from me to the Tomcat developers:
>> Please set this new attribute not mandatory but optional. So that
>> I can run the newest
Tomcat
>> without this attribute which I do now with the pre-Ghostcat
>> releases.
>>
>> Have a nice weekend
>> Florian Fritze
>>
>> --
>> Florian Fritze M.A.
>> Fraunhofer-Informationszentrum Raum und Bau IRB
>> Competence Center Research Services & Open Science
>> Nobelstr. 12, 70569 Stuttgart, Germany
>> Telefon +49 711 970-2713
>> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
>>
>>
>> -----Original Message-----
>> From: André Warnier (tomcat/perl) <aw...@ice-sa.com>
>> Sent: Friday, 20 March 2020 13:34
>> To: users@tomcat.apache.org
>> Subject: Re: AW: AW: AJP Connector issue
>>
>> Ok, so it looks like :
>> - the request is effectively reaching tomcat, and that it is tomcat
>>   sending back the 403 response.
>> - the URL is "/", so presumably it is "well-formed" etc.
>>
>> Furthermore, according to something you wrote below, both Apache httpd and
>> tomcat are running on the same Linux host.
>>
>> This reminds me vaguely of some issue previously (and recently) discussed
>> on the list, with some request attributes which tomcat did not like..
>> But I do not remember precisely what the issue was, and it also seems to
>> me that this concerned an IIS front-end, not Apache httpd.
>>
>> Perhaps someone else on the list has a better idea.
>>
>>
>> Incidentally, it also seems that you are, in httpd, proxying *all*
>> requests to tomcat. Which raises the question of why you have a httpd
>> front-end in the first place. (But that's a later discussion maybe,
>> let's first see why "/" doesn't work)
>>
>>
>> On 20.03.2020 11:07, Fritze, Florian wrote:
>>> Here is the additional information:
>>>
>>> The error page looks like Tomcat:
>>>
>>> HTTP Status 403 – Forbidden
>>>
>>> _____
>>>
>>> Type Status Report
>>>
>>> Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine Autorisierung.
>>>
>>> _____
>>>
>>> Apache Tomcat/8.5.53
>>>
>>> The Apache HTTPD log file says:
>>>
>>> - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>>
>>> - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "https://dev-fordatis.fraunhofer.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>>
>>>
>>>
>>> The Tomcat says:
>>>
>>> - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
>>>
>>> - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1"
>>> 403 630
>>>
>>>
>>>
>>> The server on which all is running is:
>>>
>>> Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28
>>> 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>>
>>>
>>> There is no new entry in the Apache HTTPD error.log concerning
>>> these requests.
>>>
>>>
>>>
>>> Help is appreciated
>>>
>>> Florian Fritze
>>>
>>> --
>>>
>>> Florian Fritze M.A.
>>>
>>> Fraunhofer-Informationszentrum Raum und Bau IRB
>>>
>>> Competence Center Research Services & Open Science
>>>
>>> Nobelstr. 12, 70569 Stuttgart, Germany
>>>
>>> Telefon +49 711 970-2713
>>>
>>> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
>>>
>>>
>>>
>>>
>>>
>>> -----Ursprüngliche Nachricht----- Von: André Warnier
>>> (tomcat/perl) <aw...@ice-sa.com> Gesendet: Freitag, 20. März 2020
>>> 10:14 An: users@tomcat.apache.org Betreff: Re: AW: AJP
>>> Connector issue
>>>
>>>
>>>
>>> On 20.03.2020 08:23, Fritze, Florian wrote:
>>>
>>>> Hello Chris,
>>>
>>>>
>>>
>>>> thanks for the reply. Maybe I am doing something wrong, but
>>>> setting secretRequired="false" does not solve my issue. Let me show
>>>> you what I did and experience: I added <Connector port="8011"
>>>> protocol="AJP/1.3" redirectPort="8443" secretRequired="false" /> to
>>>> the Tomcat configuration and the ajp connector on the Apache HTTPD
>>>> side connects to 8011. When I now visit my website I got HTTP Status
>>>> 403 – Forbidden
>>>
>>>
>>>
>>> And just to make diagnosis a bit quicker : does that 403 error
>>> page look like an Apache httpd page, or a tomcat page ? (they look
>>> quite different in style).
>>>
>>>
>>>
>>> Also, can you check both the httpd logs, and the tomcat logs
>>> for that request, and check what they say ?  (compare by
>>> timestamp and URI)
>>>
>>>
>>>
>>> Also, under what OS does your front-end httpd run ?
>>>
>>>
>>>
>>>>
>>>
>>>> I attached also the error page as a screenshot to this mail.
>>>> This behaviour exists only since the Ghostcat fix release (I know
>>>> that this has nothing to do with security fix but probably with the
>>>> release itself).
>>>
>>>>
>>>
>>>> Thanks in advance
>>>
>>>> Florian
>>>
>>>>
>>>
>>>> --
>>>> Florian Fritze M.A.
>>>> Fraunhofer-Informationszentrum Raum und Bau IRB Competence Center
>>>> Research Services & Open Science Nobelstr. 12, 70569 Stuttgart,
>>>> Germany Telefon +49 711 970-2713
>>>> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
>>>
>>>>
>>>
>>>> -----Ursprüngliche Nachricht-----
>>>> Von: Christopher Schultz <ch...@christopherschultz.net>
>>>> Gesendet: Donnerstag, 19. März 2020 20:14
>>>> An: users@tomcat.apache.org
>>>> Betreff: Re: AJP Connector issue
>>>
>>>>
>>>
>>>>
>>>> Florian,
>>>>
>>>> On 3/19/20 07:43, Fritze, Florian wrote:
>>>>> since the Tomcat release with the Ghostcat security fix (Tomcat
>>>>> 8.5.51) me as an admin have the problem using the
>>>>> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html
>>>>> module to connect the Apache HTTPD with the Tomcat running on
>>>>> localhost. The attribute secretRequired must be set to „true“ or
>>>>> „false“ with „false“ set the connection is not possible between
>>>>> Tomcat and Apache HTTPD.
>>>>
>>>> When you have set secretRequired="false", it's not possible to
>>>> connect? When you try to connect, what DOES happen?
>>>>
>>>>> With „true“ the Apache development is not ready in the
>>>>> current version to work with the „secret“ attribute. Only the
>>>>> next version of Apache 2.4 supports this attribute.
>>>>
>>>> Correct. Support for secret= in mod_proxy_ajp was evidently never
>>>> really a priority for anybody until now.
>>>>
>>>>> So I want to use the newest Tomcat version and an AJP
>>>>> connector but after the Ghostcat fix release there is this
>>>>> attribute which does not work in my configuration.
>>>>>
>>>>> Are there any suggestions or solutions available that you
>>>>> can deliver me (links or documentation, etc.)
>>>>
>>>> secretRequired="false" should be all you need.
>>>>
>>>> Of course, to be truly secure, you need to make sure that not just
>>>> anybody can make requests through your AJP interface. Have you
>>>> secured that interface from potential evildoers?
>>>>
>>>> -chris
>>>>
>>>
>>>>
>>>
>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>>
>>
>>
>
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: AW: AW: AJP Connector issue

Posted by RK Ashburn <ra...@gmail.com>.
I have tested a successful AJP connector with apache proxy on (tomcat 7)

1. For AJP connector adding  secretRequired="false" and address="0.0.0.0"
resolved my connectivity issue. I suspect the issue you are having (with
403)  is more like a permissions issue on the site the request is trying to
reach, than an AJP connector configuration issue.


On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian <florian.fritze@irb.fraunhofer.de> wrote:

> Just to make it clear what from my opinion the problem is:
>
> SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8011]]
>         org.apache.catalina.LifecycleException: Der Start des Protokoll-Handlers ist fehlgeschlagen
>                 at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
>                 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>                 at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
>                 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>                 at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
>                 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>                 at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
>                 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>                 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>                 at java.lang.reflect.Method.invoke(Method.java:498)
>                 at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>                 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>         Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
>                 at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
>                 at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
>                 ... 12 more
>
> This new "secretRequired" attribute prevents the Tomcat from starting
> flawlessly. It was first introduced with the Ghostcat release.
> So this is a wish from me to the Tomcat developers: Please set this new
> attribute not mandatory but optional. So that I can run the newest Tomcat
> without this attribute which I do now with the pre-Ghostcat releases.
>
> Have a nice weekend
> Florian Fritze
>
> --
> Florian Fritze M.A.
> Fraunhofer-Informationszentrum Raum und Bau IRB
> Competence Center Research Services & Open Science
> Nobelstr. 12, 70569 Stuttgart, Germany
> Telefon +49 711 970-2713
> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
>
>
> -----Ursprüngliche Nachricht-----
> Von: André Warnier (tomcat/perl) <aw...@ice-sa.com>
> Gesendet: Freitag, 20. März 2020 13:34
> An: users@tomcat.apache.org
> Betreff: Re: AW: AW: AJP Connector issue
>
> Ok, so it looks like :
> - the request is effectively reaching tomcat, and that it is tomcat
> sending back the 403 response.
> - the URL is "/", so presumably it is "well-formed" etc.
>
> Furthermore, according to something you wrote below, both Apache httpd and
> tomcat are running on the same Linux host.
>
> This reminds me vaguely of some issue previously (and recently) discussed
> on the list, with some request attributes which tomcat did not like..
> But I do not remember precisely what the issue was, and it also seems to
> me that this concerned an IIS front-end, not Apache httpd.
>
> Perhaps someone else on the list has a better idea.
>
>
> Incidentally, it also seems that you are, in httpd, proxying *all*
> requests to tomcat.
> Which raises the question of why you have a httpd front-end in the first
> place.
> (But that's a later discussion maybe, let's first see why "/" doesn't work)
>
>
> On 20.03.2020 11:07, Fritze, Florian wrote:
> > Here is the additional information:
> >
> > The error page looks like Tomcat:
> >
> > HTTP Status 403 – Forbidden
> >
> >    _____
> >
> > Type Status Report
> >
> > Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine
> Autorisierung.
> >
> >    _____
> >
> > Apache Tomcat/8.5.53
> >
> > The Apache HTTPD log file says:
> >
> > - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
> >
> > - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "https://dev-fordatis.fraunhofer.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
> >
> >
> >
> > The Tomcat says:
> >
> > - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
> >
> > - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630
> >
> >
> >
> > The server on which all is running is:
> >
> > Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC
> > 2020 x86_64 x86_64 x86_64 GNU/Linux
> >
> >
> >
> > There is no new entry in the Apache HTTPD error.log concerning these
> requests.
> >
> >
> >
> > Help is appreciated
> >
> > Florian Fritze
> >
> > --
> >
> > Florian Fritze M.A.
> >
> > Fraunhofer-Informationszentrum Raum und Bau IRB
> >
> > Competence Center Research Services & Open Science
> >
> > Nobelstr. 12, 70569 Stuttgart, Germany
> >
> > Telefon +49 711 970-2713
> >
> > florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
> >
> >
> >
> >
> >
> > -----Ursprüngliche Nachricht-----
> > Von: André Warnier (tomcat/perl) <aw...@ice-sa.com>
> > Gesendet: Freitag, 20. März 2020 10:14
> > An: users@tomcat.apache.org
> > Betreff: Re: AW: AJP Connector issue
> >
> >
> >
> > On 20.03.2020 08:23, Fritze, Florian wrote:
> >
> >> Hello Chris,
> >
> >>
> >
> >> thanks for the reply. Maybe I am doing something wrong, but setting
> >
> >> secretRequired="false" does not solve my issue. Let me show you what
> >> I
> >
> >> did and experience: I added <Connector port="8011" protocol="AJP/1.3"
> >
> >> redirectPort="8443" secretRequired="false" /> to the Tomcat
> >
> >> configuration and the ajp connector on the Apache HTTPD side connects
> >
> >> to 8011. When I now visit my website I got HTTP Status 403 –
> >> Forbidden
> >
> >
> >
> > And just to make diagnosis a bit quicker : does that 403 error page look
> like an Apache httpd page, or a tomcat page ? (they look quite different in
> style).
> >
> >
> >
> > Also, can you check both the httpd logs, and the tomcat logs for that
> > request, and check what they say ?  (compare by timestamp and URI)
> >
> >
> >
> > Also, under what OS does your front-end httpd run ?
> >
> >
> >
> >>
> >
> >> I attached also the error page as a screenshot to this mail. This
> >
> >> behaviour exists only since the Ghostcat fix release (I know that this
> >
> >> has nothing to do with security fix but probably with the release
> itself).
> >
> >>
> >
> >> Thanks in advance
> >
> >> Florian
> >
> >>
> >
> >> --
> >
> >> Florian Fritze M.A.
> >
> >> Fraunhofer-Informationszentrum Raum und Bau IRB Competence Center
> >
> >> Research Services & Open Science Nobelstr. 12, 70569 Stuttgart,
> >
> >> Germany Telefon +49 711 970-2713
> >> florian.fritze@irb.fraunhofer.de |
> >
> >> www.irb.fraunhofer.de<http://www.irb.fraunhofer.de>
> >
> >>
> >
> >> -----Ursprüngliche Nachricht-----
> >
> >> Von: Christopher Schultz <ch...@christopherschultz.net>
> >
> >> Gesendet: Donnerstag, 19. März 2020 20:14
> >
> >> An: users@tomcat.apache.org<ma...@tomcat.apache.org>
> >
> >> Betreff: Re: AJP Connector issue
> >
> >>
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >
> >> Hash: SHA256
> >
> >>
> >
> >> Florian,
> >
> >>
> >
> >> On 3/19/20 07:43, Fritze, Florian wrote:
> >
> >>> since the Tomcat release with the Ghostcat security fix (Tomcat
> >
> >>> 8.5.51) me as an admin have the problem using the
> >
> >>> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to
> >
> >>> connect the Apache HTTPD with the Tomcat running on localhost. The
> >
> >>> attribute secretRequired must be set to „true“ or „false“ with
> >
> >>> „false“ set the connection is not possible between Tomcat and Apache
> HTTPD.
> >
> >>
> >
> >> When you have set secretRequired="false", it's not possible to
> >
> >> connect? When you try to connect, what DOES happen?
> >
> >>
> >
> >>> With „true“ the Apache development is not ready in the current
> >
> >>> version to work with the „secret“ attribute. Only the next version
> >>> of
> >
> >>> Apache
> >
> >>> 2.4 supports this attribute.
> >
> >> Correct. Support for secret= in mod_proxy_ajp was evidently never
> >
> >> really a priority for anybody until now.
> >
> >>
> >
> >>> So I want to use the newest Tomcat version and an AJP connector but
> >
> >>> after the Ghostcat fix release there is this attribute which does
> >>> not
> >
> >>> work in my configuration.
> >
> >>>
> >
> >>> Are there any suggestions or solutions available that you can
> >>> deliver
> >
> >>> me (links or documentation, etc.)
> >
> >>
> >
> >> secretRequired="false" should be all you need.
> >
> >>
> >
> >> Of course, to be truly secure, you need to make sure that not just
> >
> >> anybody can make requests through your AJP interface. Have you
> >> secured
> >
> >> that interface from potential evildoers?
> >
> >>
> >
> >> - -chris
> >
> >> -----BEGIN PGP SIGNATURE-----
> >
> >> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> >
> >>
> >
> >
> >> -----END PGP SIGNATURE-----
> >
> >>
> >
> >
> >>
> >
> >
> >
> >
> >
> >
> >
> >
>
>
>
>

Re: AW: AW: AW: AJP Connector issue

Posted by "André Warnier (tomcat/perl)" <aw...@ice-sa.com>.
Hi Florian.

The log below shows clearly "The AJP Connector is configured with secretRequired="true"".
This probably comes from the fact that in your AJP Connector configuration, you either
- have an explicit secretRequired="true" attribute
or
- you do not mention this attribute, and it defaults to "true"

To get the previous behaviour (without secret), you now *must* specify : 
secretRequired="false".
This is one of the changes in the latest tomcat versions compared to the previous one, and 
this was motivated by security reasons.
So I doubt that there is any chance for that change to be reversed.


On 20.03.2020 13:49, Fritze, Florian wrote:
> Just to make it clear what from my opinion the problem is:
> 
> SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8011]]
> 	org.apache.catalina.LifecycleException: Der Start des Protokoll-Handlers ist fehlgeschlagen
> 		at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
> 		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> 		at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
> 		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> 		at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
> 		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> 		at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
> 		at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 		at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> 		at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 		at java.lang.reflect.Method.invoke(Method.java:498)
> 		at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
> 		at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
> 	Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
> 		at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
> 		at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
> 		... 12 more
> 
> This new "secretRequired" attribute prevents the Tomcat from starting flawlessly. It was first introduced with the Ghostcat release.
> So this is a wish from me to the Tomcat developers: Please set this new attribute not mandatory but optional. So that I can run the newest Tomcat without this attribute which I do now with the pre-Ghostcat releases.
> 
> Have a nice weekend
> Florian Fritze
> 
> --
> Florian Fritze M.A.
> Fraunhofer-Informationszentrum Raum und Bau IRB
> Competence Center Research Services & Open Science
> Nobelstr. 12, 70569 Stuttgart, Germany
> Telefon +49 711 970-2713
> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
> 
> 
> -----Ursprüngliche Nachricht-----
> Von: André Warnier (tomcat/perl) <aw...@ice-sa.com>
> Gesendet: Freitag, 20. März 2020 13:34
> An: users@tomcat.apache.org
> Betreff: Re: AW: AW: AJP Connector issue
> 
> Ok, so it looks like :
> - the request is effectively reaching tomcat, and that it is tomcat sending back the 403 response.
> - the URL is "/", so presumably it is "well-formed" etc.
> 
> Furthermore, according to something you wrote below, both Apache httpd and tomcat are running on the same Linux host.
> 
> This reminds me vaguely of some issue previously (and recently) discussed on the list, with some request attributes which tomcat did not like..
> But I do not remember precisely what the issue was, and it also seems to me that this concerned an IIS front-end, not Apache httpd.
> 
> Perhaps someone else on the list has a better idea.
> 
> 
> Incidentally, it also seems that you are, in httpd, proxying *all* requests to tomcat.
> Which raises the question of why you have a httpd front-end in the first place.
> (But that's a later discussion maybe, let's first see why "/" doesn't work)
> 
> 
> On 20.03.2020 11:07, Fritze, Florian wrote:
>> Here is the additional information:
>>
>> The error page looks like Tomcat:
>>
>> HTTP Status 403 – Forbidden
>>
>>     _____
>>
>> Type Status Report
>>
>> Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine Autorisierung.
>>
>>     _____
>>
>> Apache Tomcat/8.5.53
>>
>> The Apache HTTPD log file says:
>>
>> - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>
>> - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "https://dev-fordatis.fraunhofer.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>
>>
>>
>> The Tomcat says:
>>
>> - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
>>
>> - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630
>>
>>
>>
>> The server on which all is running is:
>>
>> Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC
>> 2020 x86_64 x86_64 x86_64 GNU/Linux
>>
>>
>>
>> There is no new entry in the Apache HTTPD error.log concerning these requests.
>>
>>
>>
>> Help is appreciated
>>
>> Florian Fritze
>>
>> --
>>
>> Florian Fritze M.A.
>>
>> Fraunhofer-Informationszentrum Raum und Bau IRB
>>
>> Competence Center Research Services & Open Science
>>
>> Nobelstr. 12, 70569 Stuttgart, Germany
>>
>> Telefon +49 711 970-2713
>>
>> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
>>
>>
>>
>>
>>
>> -----Ursprüngliche Nachricht-----
>> Von: André Warnier (tomcat/perl) <aw...@ice-sa.com>
>> Gesendet: Freitag, 20. März 2020 10:14
>> An: users@tomcat.apache.org
>> Betreff: Re: AW: AJP Connector issue
>>
>>
>>
>> On 20.03.2020 08:23, Fritze, Florian wrote:
>>
>>> Hello Chris,
>>
>>>
>>
>>> thanks for the reply. Maybe I am doing something wrong, but setting
>>
>>> secretRequired="false" does not solve my issue. Let me show you what
>>> I
>>
>>> did and experience: I added <Connector port="8011" protocol="AJP/1.3"
>>
>>> redirectPort="8443" secretRequired="false" /> to the Tomcat
>>
>>> configuration and the ajp connector on the Apache HTTPD side connects
>>
>>> to 8011. When I now visit my website I got HTTP Status 403 –
>>> Forbidden
>>
>>
>>
>> And just to make diagnosis a bit quicker : does that 403 error page look like an Apache httpd page, or a tomcat page ? (they look quite different in style).
>>
>>
>>
>> Also, can you check both the httpd logs, and the tomcat logs for that
>> request, and check what they say ?  (compare by timestamp and URI)
>>
>>
>>
>> Also, under what OS does your front-end httpd run ?
>>
>>
>>
>>>
>>
>>> I attached also the error page as a screenshot to this mail. This
>>
>>> behaviour exists only since the Ghostcat fix release (I know that this
>>
>>> has nothing to do with security fix but probably with the release itself).
>>
>>>
>>
>>> Thanks in advance
>>
>>> Florian
>>
>>>
>>
>>> --
>>
>>> Florian Fritze M.A.
>>
>>> Fraunhofer-Informationszentrum Raum und Bau IRB Competence Center
>>
>>> Research Services & Open Science Nobelstr. 12, 70569 Stuttgart,
>>
>>> Germany Telefon +49 711 970-2713
>>> florian.fritze@irb.fraunhofer.de |
>>
>>> www.irb.fraunhofer.de<http://www.irb.fraunhofer.de>
>>
>>>
>>
>>> -----Ursprüngliche Nachricht-----
>>
>>> Von: Christopher Schultz <ch...@christopherschultz.net>
>>
>>> Gesendet: Donnerstag, 19. März 2020 20:14
>>
>>> An: users@tomcat.apache.org<ma...@tomcat.apache.org>
>>
>>> Betreff: Re: AJP Connector issue
>>
>>>
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>
>>> Hash: SHA256
>>
>>>
>>
>>> Florian,
>>
>>>
>>
>>> On 3/19/20 07:43, Fritze, Florian wrote:
>>
>>>> since the Tomcat release with the Ghostcat security fix (Tomcat
>>
>>>> 8.5.51) me as an admin have the problem using the
>>
>>>> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to
>>
>>>> connect the Apache HTTPD with the Tomcat running on localhost. The
>>
>>>> attribute secretRequired must be set to „true“ or „false“ with
>>
>>>> „false“ set the connection is not possible between Tomcat and Apache HTTPD.
>>
>>>
>>
>>> When you have set secretRequired="false", it's not possible to
>>
>>> connect? When you try to connect, what DOES happen?
>>
>>>
>>
>>>> With „true“ the Apache development is not ready in the current
>>
>>>> version to work with the „secret“ attribute. Only the next version
>>>> of
>>
>>>> Apache
>>
>>>> 2.4 supports this attribute.
>>
>>> Correct. Support for secret= in mod_proxy_ajp was evidently never
>>
>>> really a priority for anybody until now.
>>
>>>
>>
>>>> So I want to use the newest Tomcat version and an AJP connector but
>>
>>>> after the Ghostcat fix release there is this attribute which does
>>>> not
>>
>>>> work in my configuration.
>>
>>>>
>>
>>>> Are there any suggestions or solutions available that you can
>>>> deliver
>>
>>>> me (links or documentation, etc.)
>>
>>>
>>
>>> secretRequired="false" should be all you need.
>>
>>>
>>
>>> Of course, to be truly secure, you need to make sure that not just
>>
>>> anybody can make requests through your AJP interface. Have you
>>> secured
>>
>>> that interface from potential evildoers?
>>
>>>
>>
>>> - -chris
>>
>>> -----BEGIN PGP SIGNATURE-----
>>
>>> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>>
>>>
>>
>>
>>> -----END PGP SIGNATURE-----
>>
>>>
>>
>>
>>>
>>
>>
>>
>>
>>
>>
>>
>>
> 
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
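
As an added example (not code from Tomcat or from anyone in this thread), a small Python check that reads a server.xml and classifies each AJP connector into the states the thread walks through: the startup failure André explains (secretRequired defaults to "true" with no secret), the exposed state RK's address="0.0.0.0" workaround produces, the loopback-only state secretRequired="false" alone gives, and the secret-enforced end state. The sample server.xml, the verdict names and the check_ajp_connectors function are constructed here; the check assumes an absent address means the loopback default of the Ghostcat-fix releases.

```python
"""Static check of Tomcat server.xml AJP connectors.

Added example, not Tomcat's own code. Classifies every AJP connector into
the states discussed on the list so an admin can see, before restarting,
whether the connector will refuse to start or will listen without any
authentication on a reachable interface.
"""
import xml.etree.ElementTree as ET

# Addresses that keep the connector reachable only from the local host.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: four AJP connectors in the states the thread covers,
# plus an HTTP connector the check must ignore.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- the failing connector from the thread: secretRequired unset, so it defaults to true -->
    <Connector port="8011" protocol="AJP/1.3" redirectPort="8443" />
    <!-- the fix suggested on the list, address left at its loopback default -->
    <Connector port="8012" protocol="AJP/1.3" redirectPort="8443" secretRequired="false" />
    <!-- the 0.0.0.0 variant: no secret AND bound to every interface -->
    <Connector port="8013" protocol="AJP/1.3" secretRequired="false" address="0.0.0.0" />
    <!-- the intended end state once mod_proxy_ajp supports secret= -->
    <Connector port="8014" protocol="AJP/1.3" secret="CHANGE-ME-placeholder" />
  </Service>
</Server>
"""


def check_ajp_connectors(server_xml: str) -> list:
    """Return (port, verdict, reason) for every AJP connector in server_xml.

    Verdicts:
      STARTUP_FAILURE  secretRequired is true (explicitly or by default) but no
                       secret is set; 8.5.51+/9.0.31+ refuses to start the
                       connector with the IllegalArgumentException in the thread.
      EXPOSED          no secret and the listener is bound to a non-loopback
                       address, so anything that reaches the port can speak AJP.
      NO_SECRET_LOCAL  no secret, but reachable only from the local host.
      SECRET_ENFORCED  a non-empty secret is configured.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" as well as explicit class names such as
        # org.apache.coyote.ajp.AjpNioProtocol.
        if "ajp" not in protocol.lower():
            continue
        port = conn.get("port", "?")
        secret_required = conn.get("secretRequired", "true").strip().lower() == "true"
        secret = conn.get("secret", "").strip()
        # Assumption of this check: an absent address means the loopback
        # default introduced by the Ghostcat-fix releases.
        address = conn.get("address", "127.0.0.1").strip()

        if secret_required and not secret:
            findings.append((port, "STARTUP_FAILURE",
                             'secretRequired is true but secret is missing or ""'))
        elif secret:
            findings.append((port, "SECRET_ENFORCED", "shared secret configured"))
        elif address in LOOPBACK:
            findings.append((port, "NO_SECRET_LOCAL",
                             f"no secret, but bound to {address}"))
        else:
            findings.append((port, "EXPOSED", f"no secret and bound to {address}"))
    return findings


if __name__ == "__main__":
    for port, verdict, reason in check_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {verdict} ({reason})")
```

Point it at a real server.xml by reading the file into a string and passing it to check_ajp_connectors; any EXPOSED result means the connector accepts unauthenticated AJP from every host that can reach the port.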


AW: AW: AW: AJP Connector issue

Posted by "Fritze, Florian" <fl...@irb.fraunhofer.de>.
Just to make it clear what from my opinion the problem is:

SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8011]]
	org.apache.catalina.LifecycleException: Der Start des Protokoll-Handlers ist fehlgeschlagen
		at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
		at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
		at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
		at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
		at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
		at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
		at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
		at java.lang.reflect.Method.invoke(Method.java:498)
		at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
		at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
	Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
		at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
		at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
		... 12 more

This new "secretRequired" attribute prevents the Tomcat from starting flawlessly. It was first introduced with the Ghostcat release.
So this is a wish from me to the Tomcat developers: Please set this new attribute not mandatory but optional. So that I can run the newest Tomcat without this attribute which I do now with the pre-Ghostcat releases.

Have a nice weekend
Florian Fritze

--
Florian Fritze M.A.
Fraunhofer-Informationszentrum Raum und Bau IRB
Competence Center Research Services & Open Science
Nobelstr. 12, 70569 Stuttgart, Germany
Telefon +49 711 970-2713
florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de


-----Ursprüngliche Nachricht-----
Von: André Warnier (tomcat/perl) <aw...@ice-sa.com> 
Gesendet: Freitag, 20. März 2020 13:34
An: users@tomcat.apache.org
Betreff: Re: AW: AW: AJP Connector issue

Ok, so it looks like :
- the request is effectively reaching tomcat, and that it is tomcat sending back the 403 response.
- the URL is "/", so presumably it is "well-formed" etc.

Furthermore, according to something you wrote below, both Apache httpd and tomcat are running on the same Linux host.

This reminds me vaguely of some issue previously (and recently) discussed on the list, with some request attributes which tomcat did not like...
But I do not remember precisely what the issue was, and it also seems to me that this concerned an IIS front-end, not Apache httpd.

Perhaps someone else on the list has a better idea.


Incidentally, it also seems that you are, in httpd, proxying *all* requests to tomcat.
Which raises the question of why you have a httpd front-end in the first place.
(But that's a later discussion maybe, let's first see why "/" doesn't work)




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: AW: AW: AJP Connector issue

Posted by "André Warnier (tomcat/perl)" <aw...@ice-sa.com>.
Ok, so it looks like :
- the request is effectively reaching tomcat, and that it is tomcat sending back the 403 
response.
- the URL is "/", so presumably it is "well-formed" etc.

Furthermore, according to something you wrote below, both Apache httpd and tomcat are 
running on the same Linux host.

This reminds me vaguely of some issue previously (and recently) discussed on the list, 
with some request attributes which tomcat did not like...
But I do not remember precisely what the issue was, and it also seems to me that this 
concerned an IIS front-end, not Apache httpd.

Perhaps someone else on the list has a better idea.


Incidentally, it also seems that you are, in httpd, proxying *all* requests to tomcat.
Which raises the question of why you have a httpd front-end in the first place.
(But that's a later discussion maybe, let's first see why "/" doesn't work)


On 20.03.2020 11:07, Fritze, Florian wrote:
> Here is the additional information:
> 
> The error page looks like Tomcat:
> 
> HTTP Status 403 – Forbidden
> 
>    _____
> 
> Type Status Report
> 
> Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine Autorisierung.
> 
>    _____
> 
> Apache Tomcat/8.5.53
> 
> The Apache HTTPD log file says:
> 
> - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
> - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "https://dev-fordatis.fraunhofer.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
> 
> Tomcat says:
> 
> - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
> - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630
> 
> The server on which all is running is:
> 
> Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> 
> There is no new entry in the Apache HTTPD error.log concerning these requests.
> 
> Help is appreciated
> 
> Florian Fritze
> 
> --
> Florian Fritze M.A.
> Fraunhofer-Informationszentrum Raum und Bau IRB
> Competence Center Research Services & Open Science
> Nobelstr. 12, 70569 Stuttgart, Germany
> Phone +49 711 970-2713
> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de


AW: AW: AJP Connector issue

Posted by "Fritze, Florian" <fl...@irb.fraunhofer.de>.
Here is the additional information:

The error page looks like Tomcat:

HTTP Status 403 – Forbidden

  _____

Type Status Report

Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine Autorisierung.

  _____

Apache Tomcat/8.5.53

The Apache HTTPD log file says:

- "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
- "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "https://dev-fordatis.fraunhofer.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"

Tomcat says:

- - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
- - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630

The server on which all is running is:

Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

There is no new entry in the Apache HTTPD error.log concerning these requests.

Help is appreciated

Florian Fritze

--
Florian Fritze M.A.
Fraunhofer-Informationszentrum Raum und Bau IRB
Competence Center Research Services & Open Science
Nobelstr. 12, 70569 Stuttgart, Germany
Phone +49 711 970-2713
florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de





-----Original Message-----
From: André Warnier (tomcat/perl) <aw...@ice-sa.com>
Sent: Friday, 20 March 2020 10:14
To: users@tomcat.apache.org
Subject: Re: AW: AJP Connector issue



On 20.03.2020 08:23, Fritze, Florian wrote:
> Hello Chris,
>
> thanks for the reply. Maybe I am doing something wrong, but setting
> secretRequired="false" does not solve my issue. Let me show you what I
> did and experience: I added <Connector port="8011" protocol="AJP/1.3"
> redirectPort="8443" secretRequired="false" /> to the Tomcat
> configuration and the ajp connector on the Apache HTTPD side connects
> to 8011. When I now visit my website I got HTTP Status 403 – Forbidden

And just to make diagnosis a bit quicker : does that 403 error page look like an Apache httpd page, or a tomcat page ? (they look quite different in style).

Also, can you check both the httpd logs, and the tomcat logs for that request, and check what they say ?  (compare by timestamp and URI)

Also, under what OS does your front-end httpd run ?

>
> I attached also the error page as a screenshot to this mail. This
> behaviour exists only since the Ghostcat fix release (I know that this
> has nothing to do with security fix but probably with the release itself).
>
> Thanks in advance
> Florian
>
> --
> Florian Fritze M.A.
> Fraunhofer-Informationszentrum Raum und Bau IRB Competence Center
> Research Services & Open Science Nobelstr. 12, 70569 Stuttgart,
> Germany Phone +49 711 970-2713 florian.fritze@irb.fraunhofer.de |
> www.irb.fraunhofer.de





Re: AW: AJP Connector issue

Posted by "André Warnier (tomcat/perl)" <aw...@ice-sa.com>.
On 20.03.2020 08:23, Fritze, Florian wrote:
> Hello Chris,
> 
> thanks for the reply. Maybe I am doing something wrong, but setting
> secretRequired="false" does not solve my issue. Let me show you what I did
> and experience: I added <Connector port="8011" protocol="AJP/1.3"
> redirectPort="8443" secretRequired="false" /> to the Tomcat configuration
> and the ajp connector on the Apache HTTPD side connects to 8011. When I now
> visit my website I got HTTP Status 403 – Forbidden

And just to make diagnosis a bit quicker : does that 403 error page look like an Apache 
httpd page, or a tomcat page ? (they look quite different in style).

Also, can you check both the httpd logs, and the tomcat logs for that request, and check 
what they say ?  (compare by timestamp and URI)

Also, under what OS does your front-end httpd run ?

> 
> I attached also the error page as a screenshot to this mail. This behaviour
> exists only since the Ghostcat fix release (I know that this has nothing to
> do with security fix but probably with the release itself).
> 
> Thanks in advance
> Florian
> 
> --
> Florian Fritze M.A.
> Fraunhofer-Informationszentrum Raum und Bau IRB
> Competence Center Research Services & Open Science
> Nobelstr. 12, 70569 Stuttgart, Germany
> Phone +49 711 970-2713
> florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de
> 


AW: AJP Connector issue

Posted by "Fritze, Florian" <fl...@irb.fraunhofer.de>.
Hello Chris,

thanks for the reply. Maybe I am doing something wrong, but setting
secretRequired="false" does not solve my issue. Let me show you what I did
and experience: I added <Connector port="8011" protocol="AJP/1.3"
redirectPort="8443" secretRequired="false" /> to the Tomcat configuration
and the ajp connector on the Apache HTTPD side connects to 8011. When I now
visit my website I got HTTP Status 403 – Forbidden

I attached also the error page as a screenshot to this mail. This behaviour
exists only since the Ghostcat fix release (I know that this has nothing to
do with security fix but probably with the release itself).

Thanks in advance
Florian

--
Florian Fritze M.A.
Fraunhofer-Informationszentrum Raum und Bau IRB
Competence Center Research Services & Open Science
Nobelstr. 12, 70569 Stuttgart, Germany
Phone +49 711 970-2713
florian.fritze@irb.fraunhofer.de | www.irb.fraunhofer.de

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Thursday, 19 March 2020 20:14
To: users@tomcat.apache.org
Subject: Re: AJP Connector issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Florian,

On 3/19/20 07:43, Fritze, Florian wrote:
> since the Tomcat release with the Ghostcat security fix (Tomcat
> 8.5.51) me as an admin have the problem using the 
> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to 
> connect the Apache HTTPD with the Tomcat running on localhost. The 
> attribute secretRequired must be set to „true“ or „false“ with „false“ 
> set the connection is not possible between Tomcat and Apache HTTPD.

When you have set secretRequired="false", it's not possible to connect? When
you try to connect, what DOES happen?

> With „true“ the Apache development is not ready in the current version 
> to work with the „secret“ attribute. Only the next version of Apache 
> 2.4 supports this attribute.
Correct. Support for secret= in mod_proxy_ajp was evidently never really a
priority for anybody until now.

> So I want to use the newest Tomcat version and an AJP connector but 
> after the Ghostcat fix release there is this attribute which does not 
> work in my configuration.
>
> Are there any suggestions or solutions available that you can deliver 
> me (links or documentation, etc.)

secretRequired="false" should be all you need.

Of course, to be truly secure, you need to make sure that not just anybody
can make requests through your AJP interface. Have you secured that
interface from potential evildoers?

-chris



Re: AJP Connector issue

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Florian,

On 3/19/20 07:43, Fritze, Florian wrote:
> since the Tomcat release with the Ghostcat security fix (Tomcat
> 8.5.51) me as an admin have the problem using the
> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to
> connect the Apache HTTPD with the Tomcat running on localhost. The
> attribute secretRequired must be set to „true“ or „false“ with
> „false“ set the connection is not possible between Tomcat and
> Apache HTTPD.

When you have set secretRequired="false", it's not possible to
connect? When you try to connect, what DOES happen?

> With „true“ the Apache development is not ready in the current
> version to work with the „secret“ attribute. Only the next version
> of Apache 2.4 supports this attribute.
Correct. Support for secret= in mod_proxy_ajp was evidently never
really a priority for anybody until now.

> So I want to use the newest Tomcat version and an AJP connector
> but after the Ghostcat fix release there is this attribute which
> does not work in my configuration.
>
> Are there any suggestions or solutions available that you can
> deliver me (links or documentation, etc.)

secretRequired="false" should be all you need.

Of course, to be truly secure, you need to make sure that not just
anybody can make requests through your AJP interface. Have you secured
that interface from potential evildoers?

-chris
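As an added example (not code from this thread, from Tomcat or from httpd), a small Python lint over server.xml that classifies the AJP connector combinations this thread goes through: the secretRequired="true"-without-secret case behind the IllegalArgumentException in Florian's first message, the secretRequired="false" workaround suggested here, and whether that workaround is confined to the loopback interface as the "have you secured that interface" question asks. The sample server.xml is constructed; only port 8011 and the attribute names come from the messages, the other ports and the secret value are placeholders.

```python
"""Lint the AJP <Connector> elements of a Tomcat server.xml.

Added example for this thread; not code from the thread, from Tomcat
or from httpd. The sample server.xml at the bottom is constructed: only
port 8011 and the attribute names come from the messages above.
"""
import xml.etree.ElementTree as ET

# Addresses on which an AJP connector is reachable only from the same host.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def lint_ajp_connectors(server_xml):
    """Return (port, verdict, reason) for every AJP connector in server_xml.

    fatal - Tomcat refuses to start: secretRequired is "true" (the default
            since the Ghostcat fix release) and secret is missing or empty;
            this is the IllegalArgumentException quoted in the thread.
    ok    - a shared secret is set, or the connector has no secret but is
            bound to a loopback address, so only local processes (an httpd
            on the same host) can reach it.
    check - no secret and no explicit address: the connector uses Tomcat's
            default bind address, so confirm on the host what it actually
            listens on (for example with `ss -ltn`).
    weak  - no secret and explicitly bound to a non-loopback address: any
            host that can reach the port can submit AJP requests.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue  # only AJP connectors have secretRequired/secret
        port = conn.get("port", "?")
        secret_required = conn.get("secretRequired", "true").strip().lower() == "true"
        secret = conn.get("secret", "").strip()
        address = conn.get("address")
        if secret_required and not secret:
            findings.append((port, "fatal",
                             'secretRequired="true" but secret is null or ""'))
        elif secret:
            findings.append((port, "ok",
                             "shared secret set; httpd must present the same secret"))
        elif address is None:
            findings.append((port, "check",
                             "no secret and no address attribute; verify the bind address"))
        elif address.strip() in LOOPBACK:
            findings.append((port, "ok",
                             "no secret, but reachable only via loopback"))
        else:
            findings.append((port, "weak",
                             "no secret and bound to %s" % address))
    return findings


# Constructed sample server.xml covering each combination; the 8011
# connector is the one quoted in the thread, the others are made up.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- secretRequired defaults to "true": startup fails without a secret -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- the connector from the thread -->
    <Connector port="8011" protocol="AJP/1.3" redirectPort="8443" secretRequired="false" />
    <!-- same workaround, pinned to the loopback interface -->
    <Connector port="8012" protocol="AJP/1.3" secretRequired="false" address="127.0.0.1" />
    <!-- for an httpd whose mod_proxy_ajp supports the secret= worker parameter -->
    <Connector port="8013" protocol="AJP/1.3" secret="REPLACE-WITH-A-RANDOM-SECRET" />
    <!-- no secret and listening on all interfaces -->
    <Connector port="8014" protocol="AJP/1.3" secretRequired="false" address="0.0.0.0" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for port, verdict, reason in lint_ajp_connectors(SAMPLE_SERVER_XML):
        print("port %s: %-5s %s" % (port, verdict, reason))
```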
