Posted to users@httpd.apache.org by Ryszard Lach <rl...@debian.org> on 2006/08/21 07:55:43 UTC
[users@httpd] Permission to connect to AJP socket
Hi.
I have a problem with the configuration of mod_proxy_ajp, or, rather, I'm
pretty sure my config is good but there is a problem with kernel
permissions or even mod_proxy_jk?
Here are the details:
OS: Fedora Core 5
Apache: httpd-2.2.0-5.1.2 (Fedora 5 package)
Config:
# I don't know if it matters, leave it just in case
<Proxy *>
Order Deny,Allow
Allow from all
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /manager/ ajp://localhost:8109/manager/
Problem: httpd cannot connect to 8109 port. Tomcat is listening on that
port (checked with 'telnet localhost 8109' running as 'apache' user).
error_log:
[debug] mod_proxy_ajp.c(44): proxy: AJP: canonicalising URL //localhost:8109/manager/html
[debug] proxy_util.c(1373): [client 192.168.1.14] proxy: ajp: found worker ajp://localhost:8109/manager/ for ajp:/ /localhost:8109/manager/html
[debug] mod_proxy.c(736): Running scheme ajp handler (attempt 0)
[debug] mod_proxy_ajp.c(474): proxy: AJP: serving URL ajp://localhost:8109/manager/html
[debug] proxy_util.c(1754): proxy: AJP: has acquired connection for (localhost)
[debug] proxy_util.c(1811): proxy: connecting ajp://localhost:8109/manager/html to localhost:8109
[debug] proxy_util.c(1911): proxy: connected /manager/html to localhost:8109
[debug] proxy_util.c(2005): proxy: AJP: fam 2 socket created to connect to localhost
[error] (13)Permission denied: proxy: AJP: attempt to connect to 127.0.0.1:8109 (localhost) failed
[error] ap_proxy_connect_backend disabling worker for (localhost)
[error] proxy: AJP: failed to make connection to backend: localhost
[debug] proxy_util.c(1769): proxy: AJP: has released connection for (localhost)
And strace of httpd's process:
32429 socket(PF_NETLINK, SOCK_RAW, 0) = 17
32429 bind(17, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
32429 getsockname(17, {sa_family=AF_NETLINK, pid=32429, groups=00000000}, [12]) = 0
32429 time(NULL) = 1155920517
32429 sendto(17, "\24\0\0\0\26\0\1\3\205\362\345D\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
32429 recvmsg(17, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"<\0\0\0\24\0\2\0\205\362\345D\255~\0\0\2\10\200 \376\1\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 128
32429 recvmsg(17, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"@\0\0\0\24\0\2\0\205\362\345D\255~\0\0\n\200\20 0\376\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 128
32429 recvmsg(17, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\205\362\345D\255~\0\0\0\0\0\0 \1\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
32429 close(17) = 0
32429 gettimeofday({1155920517, 693251}, NULL) = 0
32429 write(10, "[Fri Aug 18 19:01:57 2006] [debu"..., 147) = 147
32429 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 17
32429 fcntl64(17, F_GETFL) = 0x2 (flags O_RDWR)
32429 fcntl64(17, F_SETFL, O_RDWR|O_NONBLOCK) = 0
32429 gettimeofday({1155920517, 693522}, NULL) = 0
32429 write(10, "[Fri Aug 18 19:01:57 2006] [debu"..., 112) = 112
32429 connect(17, {sa_family=AF_INET, sin_port=htons(8109), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EACCES (Permission denied)
32429 close(17) = 0
As far as I can see it is not a problem of apache configuration - if it
were so, the httpd process would not try to connect to 127.0.0.1:8109. I
suppose it is a problem with the SOCK_RAW option during creation of the socket
which could be prohibited for a non-root user by the kernel, but since
apache is by default configured NOT to run as root - it would mean
there is a serious bug in mod_proxy (honestly - I doubt it).
What's going on, then?
T.I.A.
Richard.
--
"First they ignore you. Then they laugh at you. Then they
fight you. Then you win." - Mohandas Gandhi.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
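The strace output in the message above reuses descriptor 17 for two different sockets, so a failing call has to be attributed to the socket that owned the descriptor at that moment. The Python sketch below is an added example, not part of the original post; the name failed_socket_calls and the abbreviated TRACE sample (a subset of the posted lines) are assumptions of this example.

```python
import re

# Constructed sample: a subset of the socket-related strace lines posted above.
TRACE = """\
32429 socket(PF_NETLINK, SOCK_RAW, 0) = 17
32429 bind(17, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
32429 close(17) = 0
32429 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 17
32429 fcntl64(17, F_GETFL) = 0x2 (flags O_RDWR)
32429 fcntl64(17, F_SETFL, O_RDWR|O_NONBLOCK) = 0
32429 connect(17, {sa_family=AF_INET, sin_port=htons(8109), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EACCES (Permission denied)
32429 close(17) = 0
"""

# pid, syscall name, argument text, return value, optional errno symbol
LINE = re.compile(
    r'^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s+=\s+'
    r'(?P<ret>0x[0-9a-f]+|-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)

def failed_socket_calls(trace):
    """Return (pid, call, fd, socket() arguments, errno) for each failed call on a socket fd."""
    open_fds = {}   # (pid, fd) -> arguments of the socket() call that created it
    failures = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, call, args, ret, errno = m.group('pid', 'call', 'args', 'ret', 'errno')
        if call == 'socket':
            if not ret.startswith('-'):
                open_fds[(pid, int(ret))] = args   # fd numbers are reused after close()
            continue
        first = args.split(',', 1)[0].strip()
        if not first.isdigit():
            continue                               # first argument is not a descriptor
        key = (pid, int(first))
        if errno and key in open_fds:
            failures.append((pid, call, key[1], open_fds[key], errno))
        if call == 'close' and not errno:
            open_fds.pop(key, None)                # descriptor no longer refers to this socket
    return failures

if __name__ == "__main__":
    for failure in failed_socket_calls(TRACE):
        print(failure)
```

On these lines the only failure it reports is connect() on the PF_INET, SOCK_STREAM socket; every call on the PF_NETLINK, SOCK_RAW socket returned success before that descriptor was closed. On Linux, connect(2) documents EACCES as a connection request refused by a local firewall rule or by a security policy such as SELinux.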
Re: Ret: [users@httpd] Permission to connect to AJP socket
Posted by Ryszard Lach <rl...@debian.org>.
On Mon, Aug 21, 2006 at 11:07:53AM +0200, Dietmar.Mueller@eurotours.at wrote:
> Hello Ryszard,
>
> sorry for the stupid question.
> Is tomcat up and listening on localhost:8109 with AJP?
Of course, although it doesn't matter; I cannot see any packet on
interface lo and port 8109. Apache does not send anything, because as
you can see in the strace output something forbids it.
> 32429 write(10, "[Fri Aug 18 19:01:57 2006] [debu"..., 147) = 147
> 32429 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 17
> 32429 fcntl64(17, F_GETFL) = 0x2 (flags O_RDWR)
> 32429 fcntl64(17, F_SETFL, O_RDWR|O_NONBLOCK) = 0
> 32429 gettimeofday({1155920517, 693522}, NULL) = 0
> 32429 write(10, "[Fri Aug 18 19:01:57 2006] [debu"..., 112) = 112
> 32429 connect(17, {sa_family=AF_INET, sin_port=htons(8109),
> sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EACCES (Permission denied)
> 32429 close(17)
R.
--
"First they ignore you. Then they laugh at you. Then they
fight you. Then you win." - Mohandas Gandhi.
Ret: [users@httpd] Permission to connect to AJP socket
Posted by Di...@eurotours.at.
Hello Ryszard,
sorry for the stupid question.
Is tomcat up and listening on localhost:8109 with AJP?
regards Dietmar