Posted to users@tomcat.apache.org by Piyush Kumar Nayak <pn...@adobe.com.INVALID> on 2020/03/05 13:52:57 UTC

bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Is there a way to get Tomcat's AJP connector to bind to both IPv4 and IPv6 loopback addresses?

By default, it seems that Tomcat binds to IPv4 loopback
Default connector config :
<Connector protocol="AJP/1.3" port="8014" redirectPort="8447" packetSize="65535" secret="xxx" tomcatAuthentication="false"/>

netstat -ano | findstr 8014
TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING 8616
TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED 8616
TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800

Introducing the address attribute like so  :
<Connector protocol="AJP/1.3" address="::1" port="8014" redirectPort="8447" packetSize="65535" secret="xxx" tomcatAuthentication="false"/>
binds it to IPv6 loopback
TCP [::1]:8014 [::]:0 LISTENING 8616
TCP [::1]:8014 [::1]:57522 ESTABLISHED 8616
TCP [::1]:57522 [::1]:8014 ESTABLISHED 6564

Is there a way to make it bind to both the loopbacks? The problem we are facing is that our Tomcat installations can have the connector configured with IIS or Apache HTTPD.
The Apache connector, by default, seems to make a socket connection using the address ::1 (IPv6 loopback address), whereas the IIS connector tries to bind to the IPv4 loopback.

Thanks,
Piyush.

Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Piyush,

On 3/9/20 15:34, Piyush Kumar Nayak wrote:
> There appears to be a change in the behavior of AJP connector in
> Tomcat, with respect to the protocol stack of the loopback address it
> binds to.
> With older versions it binds to both IPv6 and IPv4 interface, but
> with 9.0.31 it appears to bind to IPv4 only, if the address attribute
> is removed from the connector config
>
> Tomcat 9.0.16 - default config
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
> netstat -ano | findstr 8009
>   TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING       19832
>   TCP    [::]:8009              [::]:0                 LISTENING       19832
>
> Tomcat 9.0.31 - note that address attribute is removed... in the
> standard config it is set to "::1".
> <Connector protocol="AJP/1.3" port="8009" redirectPort="8443" secret="seckey" />
> netstat -ano | findstr 8009
>   TCP    127.0.0.1:8009         0.0.0.0:0              LISTENING       8964
>
> Even if the default is used it listens to IPv6 only
> <Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" secret="seckey" />
> TCP    [::1]:8009             [::]:0                 LISTENING       3880
>
> As per the docs, the default for ipv6v6only attribute is false.
> Should it not listen to both the protocol stacks.

The old default was "no address specified" and so Java would generally
bind to all interfaces.

The new default is "localhost", so it may be sensitive to the
name-resolution that your system performs when you ask it for the
interface for "localhost". If it gives only an IPv4 address, you'll
get IPv4. If only IPv6, then only IPv6. If both, then probably both.
Actually, maybe not. I don't think you can bind to two interfaces at
the same time, unless those interfaces are the "all interfaces"
metainterface.

-chris

> -----Original Message----- From: Piyush Kumar Nayak
> <pn...@adobe.com.INVALID> Sent: Saturday, March 7, 2020 5:29 PM
> To: Tomcat Users List <us...@tomcat.apache.org> Subject: RE: bind
> Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
>
> Chris, In both the cases, ISAPI and mod_jk, the hostname is set to
> "localhost" Tomcat and webserver are on the same host machine.
>
>
> -----Original Message----- From: Christopher Schultz
> <ch...@christopherschultz.net> Sent: Friday, March 6, 2020 8:20 PM
> To: users@tomcat.apache.org Subject: Re: bind Tomcat to IPv4 and
> IPv6 loopback, Tomcat 9.0.31
>
> Piyush,
>
> On 3/5/20 14:40, Piyush Kumar Nayak wrote:
>> Thanks Mark, Two connector configs works. Any ideas, on why the
>> behavior is different for ISAPI and mod_jk modules?
>
> What do your configurations look like for each module?
>
> -chris
>
>> -----Original Message----- From: Mark H. Wood <mw...@iupui.edu>
>> Sent: Thursday, March 5, 2020 10:28 PM To:
>> users@tomcat.apache.org Subject: Re: bind Tomcat to IPv4 and IPv6
>> loopback, Tomcat 9.0.31
>
>> On Thu, Mar 05, 2020 at 01:52:57PM +0000, Piyush Kumar Nayak
>> wrote:
>>> Is there a way to get Tomcat's AJP connector to bind to both
>>> IPv4 and IPv6 loopback addresses.
>>>
>>> By default, it seems that Tomcat binds to IPv4 loopback Default
>>>  connector config : <Connector protocol="AJP/1.3" port="8014"
>>> redirectPort="8447" packetSize="65535" secret="xxx"
>>> tomcatAuthentication="false"/>
>>>
>>> netstat -ano | findstr 8014 TCP 127.0.0.1:8014 0.0.0.0:0
>>> LISTENING 8616 TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED
>>> 8616 TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800
>>>
>>> Introducing the address attribute like so  : <Connector
>>> protocol="AJP/1.3" address="::1" port="8014"
>>> redirectPort="8447" packetSize="65535" secret="xxx"
>>> tomcatAuthentication="false"/> binds it to IPv6 loopback TCP
>>> [::1]:8014 [::]:0 LISTENING 8616 TCP [::1]:8014 [::1]:57522
>>> ESTABLISHED 8616 TCP [::1]:57522 [::1]:8014 ESTABLISHED 6564
>>>
>>> Is there a way to make it bind to both the loopbacks. The
>>> problem we are facing is our Tomcat installations can have
>>> connector configured with IIS or Apache HTTPD. Apache
>>> connector, by default seems to make a socket connection using
>>> the address ::1 (IPv6 loop back address), whereas IIS connector
>>> tries to bind to the IPv4 loopback.
>
>> Two things I would try:
>
>> 1.  Two connectors, one with address='::1' and the other with
>> address='127.0.0.1', both with port='8014'.
>
>> 2.  Configure the other end explicitly:  tell HTTPD and IIS which
>>  address to use, and then configure your AJP Connector to match.
>
>> -- Mark H. Wood Lead Technology Analyst
>
>> University Library Indiana University - Purdue University
>> Indianapolis 755 W. Michigan Street Indianapolis, IN 46202
>> 317-274-0749 www.ulib.iupui.edu
>
>> ---------------------------------------------------------------------
>
>>
>
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org


Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Posted by "André Warnier (tomcat/perl)" <aw...@ice-sa.com>.
On 10.03.2020 15:44, Martin Grigorov wrote:
> On Tue, Mar 10, 2020 at 3:56 PM Christopher Schultz <
> chris@christopherschultz.net> wrote:
> 
>> Martin,
>>
>> On 3/10/20 04:43, Martin Grigorov wrote:
>>> We can define custom address like "loopback" for which Tomcat will
>>> bind on both "127.0.0.1" and "::1" depending on the values of
>>> java.net.preferIPv4Stack and java.net.preferIPv6Addresses, but I
>>> am not sure whether it is worth it
>> This is kind of an interesting suggestion, as would maybe supporting
>> "all" as an alias for both 0.0.0.0 and :: together (the old default
>> behavior, which is no longer possible with a single <Connector>).
>>
>> Are there any examples of these kinds of things in other products, or
>> does everyone just manually define two separate connector-like entities?
>>
>> httpd just does:
>>
>>    Listen 0.0.0.0
>>    Listen ::
>>
>> Which is pretty simple. Tomcat's <Connector> configuration is a lot
>> more verbose and so repeating it is doubly so.
>>
> 
> Another option is to make "address" attribute multi valued, e.g.
> comma/space separated.
> 

My 2 cent :

Since the changes were necessary, have been made and are presumably there to stay, and 
since this seems to have caused a lot of confusion with a lot of sysadmins, mainly among 
the ones which had a working front-end/back-end configuration, which suddenly stopped 
working when they made a minor version upgrade. And since even so, it seems that when the 
change was made, there was quite an underestimate of the side-effects and the impact this 
would have in the practical reality out there, should there not be a separate addition to 
the documentation, explaining this AJP Connector and its settings "from the ground up", 
starting with the fact that currently, it is basically insecure if used on an open network 
(and that this was not its original purpose).
(At least that's my sysadmin-level understanding of what I've read here so far).

And when talking about changing some Connector attributes, maybe a review should be made 
first, downwards as well as upwards :
- downwards : ultimately a Connector represents a socket (or more than one ?), at the OS 
TCP/IP stack level. Some information from that OS-level socket presumably "filters up" 
through whatever layers there can be between it, and the container level and the Java 
servlets running inside that container. Is that information likely to be used at the 
application level, and would proposed changes be neutral in that respect ?
- upwards : it seems from the accumulated discussions here, that (for example) to 
implement some of the changes/improvement, users (sysadmins) may have to go as far as 
duplicating the whole Connector tag, to implement the "listen only on localhost" feature 
(but, that this depends both on the underlying OS and on the in-between layer between that 
OS and the Connector). And, if some application software currently "interrogates" the 
Connector to find out about its IP address (or the IP address of the client connected to 
it), what answer would it get if the "address" attribute would become multi-value ? 
/Could/ it even get such an answer, if the underlying socket is not one, but two ?

I don't know the answer to the above questions, and I don't even know whether they really 
are valid questions.  But again, I look at this from a sysadmin configurator point of 
view, without necessarily a deep understanding on the Java finery underlying all this, and 
I'm quite confused and worried that I could inadvertently break some user application and 
not really understand why.

And maybe another underlying question : is it really unthinkable to have an AJP connection 
capable of running under SSL ? (I mean directly, not under some external setup like 
stunnel e.g.)







Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Posted by "André Warnier (tomcat/perl)" <aw...@ice-sa.com>.
On 11.03.2020 09:30, Piyush Kumar Nayak wrote:
> What's the point of the "ipv6v6only" attribute? The doc says:
> "If listening on an IPv6 address on a dual stack system, should the connector only listen on the IPv6 address? If not specified the default is false and the connector will listen on the IPv6 address and the equivalent IPv4 address if present."
> 
> So if I set address to "::1" and "ipv6v6only" is left to its default, shouldn't the connector listen to both the addresses?
> 

I guess it depends on the precise meaning of "on a dual stack system" ..


> 
> -----Original Message-----
> From: Martin Grigorov <mg...@apache.org>
> Sent: Tuesday, March 10, 2020 8:14 PM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
> 
> On Tue, Mar 10, 2020 at 3:56 PM Christopher Schultz < chris@christopherschultz.net> wrote:
> 
>> Martin,
>>
>> On 3/10/20 04:43, Martin Grigorov wrote:
>>> We can define custom address like "loopback" for which Tomcat will
>>> bind on both "127.0.0.1" and "::1" depending on the values of
>>> java.net.preferIPv4Stack and java.net.preferIPv6Addresses, but I am
>>> not sure whether it is worth it
>> This is kind of an interesting suggestion, as would maybe supporting
>> "all" as an alias for both 0.0.0.0 and :: together (the old default
>> behavior, which is no longer possible with a single <Connector>).
>>
>> Are there any examples of these kinds of things in other products, or
>> does everyone just manually define two separate connector-like entities?
>>
>> httpd just does:
>>
>>    Listen 0.0.0.0
>>    Listen ::
>>
>> Which is pretty simple. Tomcat's <Connector> configuration is a lot
>> more verbose and so repeating it is doubly so.
>>
> 
> Another option is to make "address" attribute multi valued, e.g.
> comma/space separated.
> 
> Martin
> 
> 
>>
>> - -chris


RE: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Posted by Piyush Kumar Nayak <pn...@adobe.com.INVALID>.
What's the point of the "ipv6v6only" attribute? The doc says:
"If listening on an IPv6 address on a dual stack system, should the connector only listen on the IPv6 address? If not specified the default is false and the connector will listen on the IPv6 address and the equivalent IPv4 address if present."

So if I set address to "::1" and "ipv6v6only" is left to its default, shouldn't the connector listen to both the addresses?


-----Original Message-----
From: Martin Grigorov <mg...@apache.org> 
Sent: Tuesday, March 10, 2020 8:14 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

On Tue, Mar 10, 2020 at 3:56 PM Christopher Schultz < chris@christopherschultz.net> wrote:

> Martin,
>
> On 3/10/20 04:43, Martin Grigorov wrote:
> > We can define custom address like "loopback" for which Tomcat will 
> > bind on both "127.0.0.1" and "::1" depending on the values of 
> > java.net.preferIPv4Stack and java.net.preferIPv6Addresses, but I am 
> > not sure whether it is worth it
> This is kind of an interesting suggestion, as would maybe supporting 
> "all" as an alias for both 0.0.0.0 and :: together (the old default 
> behavior, which is no longer possible with a single <Connector>).
>
> Are there any examples of these kinds of things in other products, or 
> does everyone just manually define two separate connector-like entities?
>
> httpd just does:
>
>   Listen 0.0.0.0
>   Listen ::
>
> Which is pretty simple. Tomcat's <Connector> configuration is a lot 
> more verbose and so repeating it is doubly so.
>

Another option is to make "address" attribute multi valued, e.g.
comma/space separated.

Martin


>
> - -chris
>
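The question in this message, whether one listener bound to "::1" also serves 127.0.0.1 when IPv6-only mode is off, can be checked at the socket level. The following is an added example, not code from the thread or from Tomcat: it sets the OS option IPV6_V6ONLY directly (how Tomcat's ipv6v6only attribute maps onto that option is not shown in the thread), and the function names are illustrative.

```python
import socket

CLIENT_TARGETS = ("::1", "127.0.0.1")


def ipv6_loopback_available():
    """True if this host can bind an IPv6 socket to ::1."""
    if not socket.has_ipv6:
        return False
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.bind(("::1", 0))
        return True
    except OSError:
        return False


def accepts(bind_addr, client_addr, v6only):
    """Listen on one AF_INET6 socket bound to bind_addr, then report whether
    a TCP connect to client_addr on the same port succeeds."""
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        srv.bind((bind_addr, 0))          # port 0: let the OS pick a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        family = socket.AF_INET6 if ":" in client_addr else socket.AF_INET
        with socket.socket(family, socket.SOCK_STREAM) as cli:
            cli.settimeout(2)
            try:
                cli.connect((client_addr, port))
                return True
            except OSError:
                return False


def loopback_matrix():
    """Return {(bind_addr, v6only): {client_addr: reachable}}, or None when
    the host has no usable IPv6 loopback."""
    if not ipv6_loopback_available():
        return None
    return {
        (bind_addr, v6only): {c: accepts(bind_addr, c, v6only) for c in CLIENT_TARGETS}
        for bind_addr in ("::1", "::")
        for v6only in (False, True)
    }


if __name__ == "__main__":
    matrix = loopback_matrix()
    if matrix is None:
        print("no IPv6 loopback on this host")
    else:
        for (bind_addr, v6only), reach in matrix.items():
            print("bind=%-3s v6only=%-5s -> %s" % (bind_addr, v6only, reach))
```

On a dual-stack host only the wildcard listener ("::") with IPv6-only off accepts a connection to 127.0.0.1; a listener bound to "::1" serves "::1" alone whichever way the option is set, which matches the netstat output posted in the thread.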

Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Posted by Martin Grigorov <mg...@apache.org>.
On Tue, Mar 10, 2020 at 3:56 PM Christopher Schultz <
chris@christopherschultz.net> wrote:

> Martin,
>
> On 3/10/20 04:43, Martin Grigorov wrote:
> > We can define custom address like "loopback" for which Tomcat will
> > bind on both "127.0.0.1" and "::1" depending on the values of
> > java.net.preferIPv4Stack and java.net.preferIPv6Addresses, but I
> > am not sure whether it is worth it
> This is kind of an interesting suggestion, as would maybe supporting
> "all" as an alias for both 0.0.0.0 and :: together (the old default
> behavior, which is no longer possible with a single <Connector>).
>
> Are there any examples of these kinds of things in other products, or
> does everyone just manually define two separate connector-like entities?
>
> httpd just does:
>
>   Listen 0.0.0.0
>   Listen ::
>
> Which is pretty simple. Tomcat's <Connector> configuration is a lot
> more verbose and so repeating it is doubly so.
>

Another option is to make "address" attribute multi valued, e.g.
comma/space separated.

Martin


>
> - -chris

Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Martin,

On 3/10/20 04:43, Martin Grigorov wrote:
> We can define custom address like "loopback" for which Tomcat will
> bind on both "127.0.0.1" and "::1" depending on the values of
> java.net.preferIPv4Stack and java.net.preferIPv6Addresses, but I
> am not sure whether it is worth it
This is kind of an interesting suggestion, as would maybe supporting
"all" as an alias for both 0.0.0.0 and :: together (the old default
behavior, which is no longer possible with a single <Connector>).

Are there any examples of these kinds of things in other products, or
does everyone just manually define two separate connector-like entities?

httpd just does:

  Listen 0.0.0.0
  Listen ::

Which is pretty simple. Tomcat's <Connector> configuration is a lot
more verbose and so repeating it is doubly so.

-chris


Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

On Mon, Mar 9, 2020 at 9:34 PM Piyush Kumar Nayak <pn...@adobe.com.invalid>
wrote:

> There appears to be a change in the behavior of AJP connector in Tomcat,
> with respect to the protocol stack of the loopback address it binds to.
> With older versions it binds to both IPv6 and IPv4 interface, but with
> 9.0.31 it appears to bind to IPv4 only, if the address attribute is removed
> from the connector config


Do you use java.net.preferIPv4Stack or java.net.preferIPv6Stack system
properties ?
Tomcat Ajp protocol
uses getEndpoint().setAddress(InetAddress.getLoopbackAddress()); [1] which
by default would use ipv6 [2].
netstat would print 127.0.0.1 but the protocol will be tcp6 (first column),
not tcp

1.
https://github.com/apache/tomcat/blob/613babf191855c9bfed845b6926c012965840849/java/org/apache/coyote/ajp/AbstractAjpProtocol.java#L53
2.
https://docs.oracle.com/javase/8/docs/technotes/guides/net/ipv6_guide/index.html


The problem is that the server socket can bind only on one interface (ipv4
or ipv6) or all interfaces (both ipv4 and ipv6 + both loopback and external
ones), but there is no option to bind only all loopback interfaces.
I've just played a bit with this, binding on
InetAddress.getLoopbackAddress() gives (Ubuntu 19.10):

tcp6       0      0 127.0.0.1:23456         :::*                    LISTEN      11756/java

and then I can connect to it by using either "localhost" or "127.0.0.1" as
a hostname for the client socket.
Using "::1" or any of 127.x.y.z different than 127.0.0.1 fails as well. I
need to bind a ServerSocket for those additionally to make it work.

As we have found in one of the mail threads a few days ago, at the moment the
only way to bind to several addresses is to have two <Connector> elements
in server.xml - one for "127.0.0.1" and another for "::1". If one needs to
listen on 127.0.0.2 then a third <Connector> would be needed.

We can define custom address like "loopback" for which Tomcat will bind on
both "127.0.0.1" and "::1" depending on the values
of java.net.preferIPv4Stack and java.net.preferIPv6Addresses, but I am not
sure whether it is worth it

So ugly test code ahead:

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

/**
 * Run Test.Server first, then Test.Client, to see which loopback
 * addresses a client can reach.
 */
public class Test {

   public static class Server {
      public static void main(String[] args) throws IOException {
         InetAddress[] addr = new InetAddress[] {
               InetAddress.getLoopbackAddress(),
               // THIS IS NEEDED for clients to be able to connect to ::1
               InetAddress.getByName("::1")
         };
         for (final InetAddress address : addr) {
            // One ServerSocket per address. SO_REUSEADDR has to be set
            // before the socket is bound, so create it unbound first.
            ServerSocket server = new ServerSocket();
            server.setReuseAddress(true);
            server.bind(new InetSocketAddress(address, 23456), 10);
            System.out.println("Accepting at " + address);
            Thread t = new Thread(() -> {
               try {
                  while (true) {
                     final Socket accepted = server.accept();
                     System.out.println("Accepted connection from: " + accepted);
                     // Closing the stream also closes the accepted socket
                     try (OutputStream outputStream = accepted.getOutputStream()) {
                        outputStream.write("Blah".getBytes(StandardCharsets.UTF_8));
                     }
                  }
               } catch (IOException e) {
                  e.printStackTrace();
               }
            });
            t.start();
         }
         // Keep the server running until a key is pressed
         System.in.read();
      }
   }

   public static class Client {
      public static void main(String[] args) throws IOException {
         int portNumber = 23456;
         String[] hostNames = new String[] {
               "localhost",
               "127.0.0.1",
               "::1"
         };

         for (final String hostname : hostNames) {
            InetAddress addr = InetAddress.getByName(hostname);
            try (
               Socket echoSocket = new Socket(addr, portNumber);
               BufferedReader in =
                     new BufferedReader(
                           new InputStreamReader(echoSocket.getInputStream()));
            ) {
               System.out.println(hostname + ": Read: " + in.readLine());
            }
         }
      }
   }
}

I'll be glad if someone shows me a trick to bind on all loopback interfaces
with one ServerSocket!

Martin


>
>
> Tomcat 9.0.16 - default config
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
> netstat -ano | findstr 8009
>   TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING
>  19832
>   TCP    [::]:8009              [::]:0                 LISTENING
>  19832
>
> Tomcat 9.0.31 - note that address attribute is removed... in the standard
> config it is set to "::1".
> <Connector protocol="AJP/1.3" port="8009" redirectPort="8443"
> secret="seckey" />
> netstat -ano | findstr 8009
>   TCP    127.0.0.1:8009         0.0.0.0:0              LISTENING
>  8964
>
> Even if the default is used it listens to IPv6 only
>  <Connector protocol="AJP/1.3" address="::1" port="8009"
> redirectPort="8443" secret="seckey" />
> TCP    [::1]:8009             [::]:0                 LISTENING       3880
>
> As per the docs, the default for ipv6v6only attribute is false. Should it
> not listen to both the protocol stacks.
>
> -Piyush.
>
> -----Original Message-----
> From: Piyush Kumar Nayak <pn...@adobe.com.INVALID>
> Sent: Saturday, March 7, 2020 5:29 PM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: RE: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
>
> Chris,
> In both the cases, ISAPI and mod_jk, the hostname is set to "localhost"
> Tomcat and webserver are on the same host machine.
>
>
> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Friday, March 6, 2020 8:20 PM
> To: users@tomcat.apache.org
> Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
>
>
> Piyush,
>
> On 3/5/20 14:40, Piyush Kumar Nayak wrote:
> > Thanks Mark, Two connector configs works. Any ideas, on why the
> > behavior is different for ISAPI and mod_jk modules?
>
> What do your configurations look like for each module?
>
> - -chris
>
> > -----Original Message----- From: Mark H. Wood <mw...@iupui.edu>
> > Sent: Thursday, March 5, 2020 10:28 PM To: users@tomcat.apache.org
> > Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
> >
> > On Thu, Mar 05, 2020 at 01:52:57PM +0000, Piyush Kumar Nayak
> > wrote:
> >> Is there a way to get Tomcat's AJP connector to bind to both IPv4 and
> >> IPv6 loopback addresses.
> >>
> >> By default, it seems that Tomcat binds to IPv4 loopback Default
> >> connector config : <Connector protocol="AJP/1.3" port="8014"
> >> redirectPort="8447" packetSize="65535" secret="xxx"
> >> tomcatAuthentication="false"/>
> >>
> >> netstat -ano | findstr 8014 TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING
> >> 8616 TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED
> >> 8616 TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800
> >>
> >> Introducing the address attribute like so  : <Connector
> >> protocol="AJP/1.3" address="::1" port="8014" redirectPort="8447"
> >> packetSize="65535" secret="xxx" tomcatAuthentication="false"/> binds
> >> it to IPv6 loopback TCP [::1]:8014 [::]:0 LISTENING 8616 TCP
> >> [::1]:8014 [::1]:57522 ESTABLISHED 8616 TCP [::1]:57522
> >> [::1]:8014 ESTABLISHED 6564
> >>
> >> Is there a way to make it bind to both the loopbacks. The problem we
> >> are facing is our Tomcat installations can have connector configured
> >> with IIS or Apache HTTPD. Apache connector, by default seems to make
> >> a socket connection using the address ::1 (IPv6 loop back address),
> >> whereas IIS connector tries to bind to the
> >> IPv4 loopback.
> >
> > Two things I would try:
> >
> > 1.  Two connectors, one with address='::1' and the other with
> > address='127.0.0.1', both with port='8014'.
> >
> > 2.  Configure the other end explicitly:  tell HTTPD and IIS which
> > address to use, and then configure your AJP Connector to match.
> >
> > -- Mark H. Wood Lead Technology Analyst
> >
> > University Library Indiana University - Purdue University Indianapolis
> > 755 W. Michigan Street Indianapolis, IN 46202
> > 317-274-0749 www.ulib.iupui.edu
> >
>

RE: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Posted by Piyush Kumar Nayak <pn...@adobe.com.INVALID>.
There appears to be a change in the behavior of AJP connector in Tomcat, with respect to the protocol stack of the loopback address it binds to.
With older versions it binds to both IPv6 and IPv4 interface, but with 9.0.31 it appears to bind to IPv4 only, if the address attribute is removed from the connector config.

Tomcat 9.0.16 - default config
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
netstat -ano | findstr 8009
  TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING       19832
  TCP    [::]:8009              [::]:0                 LISTENING       19832
  
Tomcat 9.0.31 - note that address attribute is removed... in the standard config it is set to "::1". 
<Connector protocol="AJP/1.3" port="8009" redirectPort="8443" secret="seckey" />
netstat -ano | findstr 8009
  TCP    127.0.0.1:8009         0.0.0.0:0              LISTENING       8964

Even if the default is used it listens to IPv6 only.
<Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" secret="seckey" />
  TCP    [::1]:8009             [::]:0                 LISTENING       3880

As per the docs, the default for ipv6v6only attribute is false. Should it not listen to both the protocol stacks?

-Piyush.

-----Original Message-----
From: Piyush Kumar Nayak <pn...@adobe.com.INVALID> 
Sent: Saturday, March 7, 2020 5:29 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: RE: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Chris,
In both the cases, ISAPI and mod_jk, the hostname is set to "localhost"
Tomcat and webserver are on the same host machine.


-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Friday, March 6, 2020 8:20 PM
To: users@tomcat.apache.org
Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Piyush,

On 3/5/20 14:40, Piyush Kumar Nayak wrote:
> Thanks Mark, Two connector configs work. Any ideas, on why the
> behavior is different for ISAPI and mod_jk modules?

What do your configurations look like for each module?

-chris

> -----Original Message----- From: Mark H. Wood <mw...@iupui.edu>
> Sent: Thursday, March 5, 2020 10:28 PM To: users@tomcat.apache.org
> Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
>
> On Thu, Mar 05, 2020 at 01:52:57PM +0000, Piyush Kumar Nayak
> wrote:
>> Is there a way to get Tomcat's AJP connector to bind to both IPv4 and
>> IPv6 loopback addresses.
>>
>> By default, it seems that Tomcat binds to IPv4 loopback Default 
>> connector config : <Connector protocol="AJP/1.3" port="8014"
>> redirectPort="8447" packetSize="65535" secret="xxx"
>> tomcatAuthentication="false"/>
>>
>> netstat -ano | findstr 8014 TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING
>> 8616 TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED
>> 8616 TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800
>>
>> Introducing the address attribute like so  : <Connector 
>> protocol="AJP/1.3" address="::1" port="8014" redirectPort="8447"
>> packetSize="65535" secret="xxx" tomcatAuthentication="false"/> binds 
>> it to IPv6 loopback TCP [::1]:8014 [::]:0 LISTENING 8616 TCP
>> [::1]:8014 [::1]:57522 ESTABLISHED 8616 TCP [::1]:57522
>> [::1]:8014 ESTABLISHED 6564
>>
>> Is there a way to make it bind to both the loopbacks. The problem we 
>> are facing is our Tomcat installations can have connector configured 
>> with IIS or Apache HTTPD. Apache connector, by default seems to make 
>> a socket connection using the address ::1 (IPv6 loop back address), 
>> whereas IIS connector tries to bind to the
>> IPv4 loopback.
>
> Two things I would try:
>
> 1.  Two connectors, one with address='::1' and the other with 
> address='127.0.0.1', both with port='8014'.
>
> 2.  Configure the other end explicitly:  tell HTTPD and IIS which 
> address to use, and then configure your AJP Connector to match.
>
> -- Mark H. Wood Lead Technology Analyst
>
> University Library Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street Indianapolis, IN 46202
> 317-274-0749 www.ulib.iupui.edu
>

RE: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Posted by Piyush Kumar Nayak <pn...@adobe.com.INVALID>.
Chris,
In both the cases, ISAPI and mod_jk, the hostname is set to "localhost"
Tomcat and webserver are on the same host machine.


-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Friday, March 6, 2020 8:20 PM
To: users@tomcat.apache.org
Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Piyush,

On 3/5/20 14:40, Piyush Kumar Nayak wrote:
> Thanks Mark, Two connector configs work. Any ideas, on why the
> behavior is different for ISAPI and mod_jk modules?

What do your configurations look like for each module?

-chris

> -----Original Message----- From: Mark H. Wood <mw...@iupui.edu>
> Sent: Thursday, March 5, 2020 10:28 PM To: users@tomcat.apache.org
> Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
>
> On Thu, Mar 05, 2020 at 01:52:57PM +0000, Piyush Kumar Nayak
> wrote:
>> Is there a way to get Tomcat's AJP connector to bind to both IPv4 and 
>> IPv6 loopback addresses.
>>
>> By default, it seems that Tomcat binds to IPv4 loopback Default 
>> connector config : <Connector protocol="AJP/1.3" port="8014"
>> redirectPort="8447" packetSize="65535" secret="xxx"
>> tomcatAuthentication="false"/>
>>
>> netstat -ano | findstr 8014 TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING 
>> 8616 TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED
>> 8616 TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800
>>
>> Introducing the address attribute like so  : <Connector 
>> protocol="AJP/1.3" address="::1" port="8014" redirectPort="8447"
>> packetSize="65535" secret="xxx" tomcatAuthentication="false"/> binds 
>> it to IPv6 loopback TCP [::1]:8014 [::]:0 LISTENING 8616 TCP 
>> [::1]:8014 [::1]:57522 ESTABLISHED 8616 TCP [::1]:57522
>> [::1]:8014 ESTABLISHED 6564
>>
>> Is there a way to make it bind to both the loopbacks. The problem we 
>> are facing is our Tomcat installations can have connector configured 
>> with IIS or Apache HTTPD. Apache connector, by default seems to make 
>> a socket connection using the address ::1 (IPv6 loop back address), 
>> whereas IIS connector tries to bind to the
>> IPv4 loopback.
>
> Two things I would try:
>
> 1.  Two connectors, one with address='::1' and the other with 
> address='127.0.0.1', both with port='8014'.
>
> 2.  Configure the other end explicitly:  tell HTTPD and IIS which 
> address to use, and then configure your AJP Connector to match.
>
> -- Mark H. Wood Lead Technology Analyst
>
> University Library Indiana University - Purdue University Indianapolis 
> 755 W. Michigan Street Indianapolis, IN 46202
> 317-274-0749 www.ulib.iupui.edu
>


Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Piyush,

On 3/5/20 14:40, Piyush Kumar Nayak wrote:
> Thanks Mark, Two connector configs work. Any ideas, on why the
> behavior is different for ISAPI and mod_jk modules?

What do your configurations look like for each module?

-chris

> -----Original Message----- From: Mark H. Wood <mw...@iupui.edu>
> Sent: Thursday, March 5, 2020 10:28 PM To: users@tomcat.apache.org
> Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
>
> On Thu, Mar 05, 2020 at 01:52:57PM +0000, Piyush Kumar Nayak
> wrote:
>> Is there a way to get Tomcat's AJP connector to bind to both IPv4
>> and IPv6 loopback addresses.
>>
>> By default, it seems that Tomcat binds to IPv4 loopback Default
>> connector config : <Connector protocol="AJP/1.3" port="8014"
>> redirectPort="8447" packetSize="65535" secret="xxx"
>> tomcatAuthentication="false"/>
>>
>> netstat -ano | findstr 8014 TCP 127.0.0.1:8014 0.0.0.0:0
>> LISTENING 8616 TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED
>> 8616 TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800
>>
>> Introducing the address attribute like so  : <Connector
>> protocol="AJP/1.3" address="::1" port="8014" redirectPort="8447"
>> packetSize="65535" secret="xxx" tomcatAuthentication="false"/>
>> binds it to IPv6 loopback TCP [::1]:8014 [::]:0 LISTENING 8616
>> TCP [::1]:8014 [::1]:57522 ESTABLISHED 8616 TCP [::1]:57522
>> [::1]:8014 ESTABLISHED 6564
>>
>> Is there a way to make it bind to both the loopbacks. The problem
>> we are facing is our Tomcat installations can have connector
>> configured with IIS or Apache HTTPD. Apache connector, by default
>> seems to make a socket connection using the address ::1 (IPv6
>> loop back address), whereas IIS connector tries to bind to the
>> IPv4 loopback.
>
> Two things I would try:
>
> 1.  Two connectors, one with address='::1' and the other with
> address='127.0.0.1', both with port='8014'.
>
> 2.  Configure the other end explicitly:  tell HTTPD and IIS which
> address to use, and then configure your AJP Connector to match.
>
> -- Mark H. Wood Lead Technology Analyst
>
> University Library Indiana University - Purdue University
> Indianapolis 755 W. Michigan Street Indianapolis, IN 46202
> 317-274-0749 www.ulib.iupui.edu
>


RE: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Posted by Piyush Kumar Nayak <pn...@adobe.com.INVALID>.
Thanks Mark,
Two connector configs work.
Any ideas, on why the behavior is different for ISAPI and mod_jk modules?


-----Original Message-----
From: Mark H. Wood <mw...@iupui.edu> 
Sent: Thursday, March 5, 2020 10:28 PM
To: users@tomcat.apache.org
Subject: Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

On Thu, Mar 05, 2020 at 01:52:57PM +0000, Piyush Kumar Nayak wrote:
> Is there a way to get Tomcat's AJP connector to bind to both IPv4 and IPv6 loopback addresses.
> 
> By default, it seems that Tomcat binds to IPv4 loopback Default 
> connector config :
> <Connector protocol="AJP/1.3" port="8014" redirectPort="8447" 
> packetSize="65535" secret="xxx" tomcatAuthentication="false"/>
> 
> netstat -ano | findstr 8014
> TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING 8616 TCP 127.0.0.1:8014 
> 127.0.0.1:57510 ESTABLISHED 8616 TCP 127.0.0.1:57510 127.0.0.1:8014 
> ESTABLISHED 11800
> 
> Introducing the address attribute like so  :
> <Connector protocol="AJP/1.3" address="::1" port="8014" 
> redirectPort="8447" packetSize="65535" secret="xxx" 
> tomcatAuthentication="false"/> binds it to IPv6 loopback TCP 
> [::1]:8014 [::]:0 LISTENING 8616 TCP [::1]:8014 [::1]:57522 
> ESTABLISHED 8616 TCP [::1]:57522 [::1]:8014 ESTABLISHED 6564
> 
> Is there a way to make it bind to both the loopbacks. The problem we are facing is our Tomcat installations can have connector configured with IIS or Apache HTTPD.
> Apache connector, by default seems to make a socket connection using the address ::1 (IPv6 loop back address), whereas IIS connector tries to bind to the IPv4 loopback.

Two things I would try:

1.  Two connectors, one with address='::1' and the other with
    address='127.0.0.1', both with port='8014'.

2.  Configure the other end explicitly:  tell HTTPD and IIS which
    address to use, and then configure your AJP Connector to match.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu



Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Posted by "Mark H. Wood" <mw...@iupui.edu>.
On Thu, Mar 05, 2020 at 01:52:57PM +0000, Piyush Kumar Nayak wrote:
> Is there a way to get Tomcat's AJP connector to bind to both IPv4 and IPv6 loopback addresses.
> 
> By default, it seems that Tomcat binds to IPv4 loopback
> Default connector config :
> <Connector protocol="AJP/1.3" port="8014" redirectPort="8447" packetSize="65535" secret="xxx" tomcatAuthentication="false"/>
> 
> netstat -ano | findstr 8014
> TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING 8616
> TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED 8616
> TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800
> 
> Introducing the address attribute like so  :
> <Connector protocol="AJP/1.3" address="::1" port="8014" redirectPort="8447" packetSize="65535" secret="xxx" tomcatAuthentication="false"/>
> binds it to IPv6 loopback
> TCP [::1]:8014 [::]:0 LISTENING 8616
> TCP [::1]:8014 [::1]:57522 ESTABLISHED 8616
> TCP [::1]:57522 [::1]:8014 ESTABLISHED 6564
> 
> Is there a way to make it bind to both the loopbacks. The problem we are facing is our Tomcat installations can have connector configured with IIS or Apache HTTPD.
> Apache connector, by default seems to make a socket connection using the address ::1 (IPv6 loop back address), whereas IIS connector tries to bind to the IPv4 loopback.

Two things I would try:

1.  Two connectors, one with address='::1' and the other with
    address='127.0.0.1', both with port='8014'.

2.  Configure the other end explicitly:  tell HTTPD and IIS which
    address to use, and then configure your AJP Connector to match.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
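
Added example, not part of any message in this thread and not Tomcat code: a Python probe of the socket behaviour behind the two-connector suggestion above and the earlier ipv6v6only question. A listener bound to the specific address ::1 never receives traffic sent to 127.0.0.1, whatever IPV6_V6ONLY is set to, because that option only changes what a wildcard (::) bind accepts. All function names are made up for this illustration, and the listeners use an ephemeral port rather than the thread's 8014.

```python
import socket

V4 = ("127.0.0.1", socket.AF_INET)
V6 = ("::1", socket.AF_INET6)

def listen(address, family, port=0, v6only=False):
    """Listening TCP socket, as a connector with address="..." would open."""
    s = socket.socket(family, socket.SOCK_STREAM)
    try:
        if family == socket.AF_INET6:
            # Socket-level counterpart of the ipv6v6only attribute (false here).
            s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        s.bind((address, port))
        s.listen(5)
    except OSError:
        s.close()
        raise
    return s

def reachable(address, family, port):
    """True if a local TCP connect to address:port is accepted."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as c:
            c.settimeout(2.0)
            c.connect((address, port))
        return True
    except OSError:
        return False

def stack_available(address, family):
    """False when the host has no usable loopback for this address family."""
    try:
        listen(address, family).close()
        return True
    except OSError:
        return False

def probe(binds):
    """Open one listener per (address, family) on a shared port and report
    which loopback addresses a local client can reach."""
    listeners, port = [], 0
    try:
        for address, family in binds:
            s = listen(address, family, port)
            port = s.getsockname()[1]  # first bind picks the port, the rest reuse it
            listeners.append(s)
        return {addr: reachable(addr, fam, port) for addr, fam in (V4, V6)}
    finally:
        for s in listeners:
            s.close()

if __name__ == "__main__":
    if stack_available(*V6):
        print("address=127.0.0.1 only:", probe([V4]))
        print("address=::1 only      :", probe([V6]))
        print("two connectors        :", probe([V4, V6]))
    else:
        print("no IPv6 loopback on this host:", probe([V4]))
```

Both listeners stay on loopback, so the two-connector layout serves an IPv4 client and an IPv6 client without exposing the port on any external interface.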

Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

Check this thread:
https://lists.apache.org/thread.html/r1f83f0c731a8737fdf4dad13ae402acd2fdc1ab1a86605af5b496a5f%40%3Cusers.tomcat.apache.org%3E


On Thu, Mar 5, 2020 at 3:53 PM Piyush Kumar Nayak <pn...@adobe.com.invalid>
wrote:

>
> Is there a way to get Tomcat's AJP connector to bind to both IPv4 and IPv6
> loopback addresses.
>
> By default, it seems that Tomcat binds to IPv4 loopback
> Default connector config :
> <Connector protocol="AJP/1.3" port="8014" redirectPort="8447"
> packetSize="65535" secret="xxx" tomcatAuthentication="false"/>
>
> netstat -ano | findstr 8014
> TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING 8616
> TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED 8616
> TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800
>
> Introducing the address attribute like so  :
> <Connector protocol="AJP/1.3" address="::1" port="8014"
> redirectPort="8447" packetSize="65535" secret="xxx"
> tomcatAuthentication="false"/>
> binds it to IPv6 loopback
> TCP [::1]:8014 [::]:0 LISTENING 8616
> TCP [::1]:8014 [::1]:57522 ESTABLISHED 8616
> TCP [::1]:57522 [::1]:8014 ESTABLISHED 6564
>
> Is there a way to make it bind to both the loopbacks. The problem we are
> facing is our Tomcat installations can have connector configured with IIS
> or Apache HTTPD.
> Apache connector, by default seems to make a socket connection using the
> address ::1 (IPv6 loop back address), whereas IIS connector tries to bind
> to the IPv4 loopback.
>
> Thanks,
> Piyush.
>