Posted to users@tomcat.apache.org by "James H. H. Lampert" <ja...@touchtonecorp.com> on 2021/04/05 18:58:58 UTC

What exactly does the AJP connector on 8009 do?

We've just gotten a complaint about a vulnerability involving AJP (to 
something called "Ghostcat") from a customer. The report from the 
security consultant recommends updating to a more recent version of 
Tomcat, and I note that we've already started rolling out 7.0.108 to 
customers.

Looking at server.xml, the only reference to AJP is in relation to port 
8009, and that this connector is commented out in 108, but not in 93.

So what exactly *is* this connector, and what purpose does it serve?

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: What exactly does the AJP connector on 8009 do?

Posted by Konstantin Kolinko <kn...@gmail.com>.
Mon, 5 Apr 2021 at 21:59, James H. H. Lampert <ja...@touchtonecorp.com>:
>
> We've just gotten a complaint about a vulnerability involving AJP (to
> something called "Ghostcat") from a customer. The report from the
> security consultant recommends updating to a more recent version of
> Tomcat, and I note that we've already started rolling out 7.0.108 to
> customers.
>
> Looking at server.xml, the only reference to AJP is in relation to port
> 8009, and that this connector is commented out in 108, but not in 93.
>
> So what exactly *is* this connector, and what purpose does it serve?

A well-configured instance of Apache Tomcat should serve requests
either over "http:"/"https:" or over "ajp:", but not both. The clients
for http: protocol are web browsers. The clients for AJP protocol are
web servers (proxies).

See also
https://tomcat.apache.org/connectors-doc/
https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
https://en.wikipedia.org/wiki/Apache_JServ_Protocol

Best regards,
Konstantin Kolinko



Re: What exactly does the AJP connector on 8009 do?

Posted by Christopher Schultz <ch...@christopherschultz.net>.
André,

On 4/6/21 05:53, André Warnier (tomcat/perl) wrote:
> On 06.04.2021 00:45, James H. H. Lampert wrote:
>> On 4/5/21 1:22 PM, Christopher Schultz wrote:
>>> If you are not running a reverse-proxy in front of Tomcat, then it 
>>> does absolutely nothing for you.
>>>
>>> If you *are* running a reverse-proxy in front of Tomcat, then it 
>>> *may* do something for you, depending upon what software you are 
>>> using and what its configuration is.
>>
>> Thanks.
>>
>> Hmm. We have *something* on one of our cloud servers, that has Tomcat 
>> sitting behind httpd (on the same box), and we have load balancing 
>> (through a couple of AWS Beanstalks) on our cloud-based product, but I 
>> don't know if the AJP port is involved in any of that.
>>
> 
> I don't know about AWS Beanstalks

They almost certainly do not support AJP.

> but for Apache httpd, there are some 
> tell-tale configuration directives in the Apache httpd configuration 
> files, which - if present - will tell you if Apache httpd is 
> communicating with the back-end tomcat using the AJP protocol (and hence 
> tomcat's AJP Connector).
> Look for either of:
> - ProxyPass instructions mentioning "AJP:"
> - SetHandler jakarta-servlet
> - JkMount
> (case does generally not matter)

+1

> Shortcut:
> - comment-out the AJP Connector in the tomcat configuration
> - restart tomcat
> - and wait for desperate support calls

:)

> (*) This is not a criticism: it is very flexible that way; it's just a bit 
> more work to search for the right files.

You can also run httpd and have it dump the list of all included files:

$ apachectl -t -D DUMP_INCLUDES

It seems silly that "apachectl" doesn't have a 
"--dump-effective-configuration" option which just dumps out EVERYTHING, 
as httpd would see the complete configuration.

-chris



Re: [OT] Re: What exactly does the AJP connector on 8009 do?

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Olaf,

On 4/6/21 12:11, Olaf Kock wrote:
> 
> On 06.04.21 11:53, André Warnier (tomcat/perl) wrote:
>>
>> Shortcut:
>> - comment-out the AJP Connector in the tomcat configuration
>> - restart tomcat
>> - and wait for desperate support calls
>>
> That reminds me of the common wisdom in System Administration:
> 
> *Everybody* has a dedicated testing system. Always!
> 
> *Some* are lucky that they have a completely separate production system.

That's ... amazing.

http://www.quickmeme.com/meme/2gs6

-chris



Re: [OT] Re: What exactly does the AJP connector on 8009 do?

Posted by "James H. H. Lampert" <ja...@touchtonecorp.com>.
On 4/6/21 9:11 AM, Olaf Kock wrote:
> *Everybody* has a dedicated testing system. Always!
> 
> *Some* are lucky that they have a completely separate production system.

We expect disk drives to fail. So we plan for it, using some form of 
RAID (full mirroring in my case).

And so the power supply fails instead.

Also:

The likelihood of a power supply failure is inversely proportional to 
its maintenance accessibility.

--
JHHL



[OT] Re: What exactly does the AJP connector on 8009 do?

Posted by Olaf Kock <to...@olafkock.de>.
On 06.04.21 11:53, André Warnier (tomcat/perl) wrote:
>
> Shortcut:
> - comment-out the AJP Connector in the tomcat configuration
> - restart tomcat
> - and wait for desperate support calls
>
That reminds me of the common wisdom in System Administration:

*Everybody* has a dedicated testing system. Always!

*Some* are lucky that they have a completely separate production system.


(lost the source)




Re: What exactly does the AJP connector on 8009 do?

Posted by "André Warnier (tomcat/perl)" <aw...@ice-sa.com>.
On 06.04.2021 00:45, James H. H. Lampert wrote:
> On 4/5/21 1:22 PM, Christopher Schultz wrote:
>> If you are not running a reverse-proxy in front of Tomcat, then it does absolutely 
>> nothing for you.
>>
>> If you *are* running a reverse-proxy in front of Tomcat, then it *may* do something for 
>> you, depending upon what software you are using and what its configuration is.
> 
> Thanks.
> 
> Hmm. We have *something* on one of our cloud servers, that has Tomcat sitting behind httpd 
> (on the same box), and we have load balancing (through a couple of AWS Beanstalks) on our 
> cloud-based product, but I don't know if the AJP port is involved in any of that.
> 

I don't know about AWS Beanstalks, but for Apache httpd, there are some tell-tale 
configuration directives in the Apache httpd configuration files, which - if present - 
will tell you if Apache httpd is communicating with the back-end tomcat using the AJP 
protocol (and hence tomcat's AJP Connector).
Look for either of:
- ProxyPass instructions mentioning "AJP:"
- SetHandler jakarta-servlet
- JkMount
(case does generally not matter)

(Note that under Linux(es), your Apache httpd config files may be spread in small chunks 
all over the place, generally in locations such as "/etc/apache2/*" or "/etc/httpd/*") (*)
Relevant documentation is available here:
1) http://tomcat.apache.org/connectors-doc/
2) http://tomcat.apache.org/connectors-doc/reference/apache.html
3) http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
4) (more complicated cases) http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#rewriterule

Also, if Apache httpd uses AJP to communicate with tomcat, then either one of these Apache 
httpd add-on modules will be loaded and configured:
- mod_jk
- mod_proxy_ajp
To find out which modules are loaded by Apache httpd, use the following command:
# apache2ctl -M
(Note that the mere fact that a module is loaded does not necessarily mean that it is 
being *used*; but if neither of them is loaded, then you can be pretty sure that Apache 
httpd is NOT using AJP)

Shortcut:
- comment-out the AJP Connector in the tomcat configuration
- restart tomcat
- and wait for desperate support calls


(*) This is not a criticism: it is very flexible that way; it's just a bit more work to 
search for the right files.
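As an added example (not code from the thread or from the httpd/Tomcat projects), the shell script below automates the checklist in the post above: it greps an httpd configuration tree for live ProxyPass ... ajp://, SetHandler jakarta-servlet, JkMount and mod_jk/mod_proxy_ajp LoadModule lines, ignoring commented-out ones, and has a helper that asks the running httpd the same question via apache2ctl -M. The configuration tree it scans is constructed inline; the function names and the modules/mod_proxy_ajp.so path are assumptions.

```shell
# Added example, not the thread's or the httpd/Tomcat projects' code: scan an
# httpd config tree for live AJP wiring. The sample tree is constructed here;
# real ones live under /etc/apache2 or /etc/httpd. Names/paths are assumptions.

# Build a small constructed config tree under $1 so the check runs offline.
setup_sample_config() {
    mkdir -p "$1/sites-enabled" "$1/conf.d" "$1/mods-enabled"
    cat > "$1/sites-enabled/app.conf" <<'EOF'
<VirtualHost *:80>
    ServerName app.example.com
    # hands /app to Tomcat's AJP connector on 8009
    ProxyPass /app ajp://127.0.0.1:8009/app
</VirtualHost>
EOF
    cat > "$1/sites-enabled/static.conf" <<'EOF'
<VirtualHost *:80>
    ServerName static.example.com
    DocumentRoot /var/www/static
</VirtualHost>
EOF
    cat > "$1/conf.d/jk.conf" <<'EOF'
# JkMount /old/* worker1   <- commented out, must not count
JkMount /app/* worker1
EOF
    printf 'LoadModule proxy_ajp_module modules/mod_proxy_ajp.so\n' \
        > "$1/mods-enabled/proxy_ajp.load"
}

# Print "file:line:text" for every live (not commented-out) directive that
# wires httpd to AJP, case-insensitively as the post notes. Exit status is
# grep's: 0 if anything matched, 1 if nothing did.
find_ajp_directives() {
    grep -rHniE \
        -e '^[[:space:]]*ProxyPass(Match)?[[:space:]].*ajp://' \
        -e '^[[:space:]]*SetHandler[[:space:]]+jakarta-servlet' \
        -e '^[[:space:]]*JkMount[[:space:]]' \
        -e '^[[:space:]]*LoadModule[[:space:]]+(jk|proxy_ajp)_module' \
        "$1"
}

# Number of matching lines under $1; 0 means no AJP wiring in those files.
count_ajp_directives() {
    find_ajp_directives "$1" | wc -l | tr -d ' '
}

# Same question put to the running binary (needs apache2ctl on the box).
loaded_ajp_modules() {
    apache2ctl -M 2>/dev/null | grep -iE '(jk|proxy_ajp)_module'
}
```

Run it against a real tree with `find_ajp_directives /etc/apache2` (or /etc/httpd); an empty result plus an empty `loaded_ajp_modules` output means httpd is not talking AJP, and the Tomcat connector can be commented out without the support calls.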



Re: What exactly does the AJP connector on 8009 do?

Posted by "James H. H. Lampert" <ja...@touchtonecorp.com>.
On 4/5/21 1:22 PM, Christopher Schultz wrote:
> If you are not running a reverse-proxy in front of Tomcat, then it does 
> absolutely nothing for you.
> 
> If you *are* running a reverse-proxy in front of Tomcat, then it *may* 
> do something for you, depending upon what software you are using and 
> what its configuration is.

Thanks.

Hmm. We have *something* on one of our cloud servers, that has Tomcat 
sitting behind httpd (on the same box), and we have load balancing 
(through a couple of AWS Beanstalks) on our cloud-based product, but I 
don't know if the AJP port is involved in any of that.

--
JHHL



Re: What exactly does the AJP connector on 8009 do?

Posted by Christopher Schultz <ch...@christopherschultz.net>.
James,

On 4/5/21 14:58, James H. H. Lampert wrote:
> We've just gotten a complaint about a vulnerability involving AJP (to 
> something called "Ghostcat") from a customer. The report from the 
> security consultant recommends updating to a more recent version of 
> Tomcat, and I note that we've already started rolling out 7.0.108 to 
> customers.
> 
> Looking at server.xml, the only reference to AJP is in relation to port 
> 8009, and that this connector is commented out in 108, but not in 93.
> 
> So what exactly *is* this connector, and what purpose does it serve?

If you are not running a reverse-proxy in front of Tomcat, then it does 
absolutely nothing for you.

If you *are* running a reverse-proxy in front of Tomcat, then it *may* 
do something for you, depending upon what software you are using and 
what its configuration is.

IMHO, it's time for AJP to go. [1]

(This is another reminder to me to get off my butt and post all the 
presentations from ApacheCon @Home to the "Presentations" page.)

-chris

[1] https://www.youtube.com/watch?v=qUjUEvGFstI
