Posted to users@tomcat.apache.org by Gaël THEROND <ga...@gmail.com> on 2014/02/07 10:47:28 UTC

Tomcat 7 and manager issues on VirtualHost environnement

Hello everyone,

I've been facing a really strange issue for about two or three days now.

I've got a Tomcat server, which contains a virtual host like this:

http://pastebin.com/gDBhTTLH

If I start my Tomcat instance, everything is fine: Tomcat launches
correctly without error, and correctly creates the virtual host under
${catalina_base}/conf/Catalina/

I can see in the catalina.out log file that Tomcat even creates the
manager.xml to be able to have an isolated manager for this host.

The manager.xml file is correct.

However, if I try to upload a WAR I get a 403 error coming from Tomcat.
What I don't get is that on my main manager everything is fine, I
can log in and load a WAR correctly.

I'm sure that the tomcat-users.xml is correct because if it was not I would
not be able to load/start a WAR on the main manager.

Of course, all directories and paths are owned by the tomcat user and
Tomcat itself is launched with this user.

The weird thing is that sometimes I can upload the WAR correctly without
a 403 error, but then I can't start the application, which results in another 403
error.

If any further information is needed, let me know, I'll provide it as
soon as possible.

Cheers and thanks for any help!

Re: Tomcat 7 and manager issues on VirtualHost environnement

Posted by Gaël THEROND <ga...@gmail.com>.
Ok guys, I just found the problem, thanks to your CSRF hint.

So, it appears that Tomcat Manager acts weird as soon as you pass
through a reverse proxy, as I do.

If I change my DNS to point straight to the Tomcat server and use the
HTTP-8080 interface, everything runs smoothly.
If I try the same thing using my NGINX proxy, it's not working anymore.

The really strange thing here is that in Tomcat's log, I can see that
my proxy is correctly sending the client IP/name and not its own, so I
don't really understand why the manager denies the upload.

So I'll now investigate my proxy and sniff the HTTP exchange a little
bit to figure out where the error is coming from on my proxy.

Thanks a lot guys!


2014-02-07 Gaël THEROND <ga...@gmail.com>:

> Yep, I'm able to visit the application list, but not upload or start an
> application.
>
> I'll take a look at this CSRF Protection hint.
>
> I'm using the default BASIC Auth provided by Tomcat to authenticate myself
> on the manager.
>
>
> 2014-02-07 Konstantin Kolinko <kn...@gmail.com>:
>
> 2014-02-07 Gaël THEROND <ga...@gmail.com>:
>> > Hello everyone,
>> >
>> > I'm facing a really strange issue since about two or three days now.
>> >
>> > I've got a Tomcat Server, which contain a virtualhost like this:
>> >
>> (....)
>> >
>> > If I start my tomcat instance, everything is fine, tomcat is launching
>> > correctly without error, and correctly create the virtual host under the
>> > ${catalina_base}/conf/Catalina/
>> >
>> > I can see on the catalina.out log file that tomcat even create the
>> > manager.xml to be able to have an isolated manager for this host.
>> >
>> > the manager.xml file is correct.
>> >
>> > However, if I try to upload a WAR I'm facing a 403 error coming from
>> tomcat.
>> > Where I didn't get it, it's that on my main manager everything is fine,
>> I
>> > can log in and load a WAR correctly.
>> >
>>
>> So, you are able to visit the "applications list" page in Manager, but
>> upload of a WAR file results in 403?
>>
>> The page 403 in manager can be result of CSRF protection,
>> For example, if your session has expired. The session is needed,
>> because CsrfPreventionFilter stores protection token in the session.
>>
>> I wonder whether SingleSignOn affects this.
>> What authentication schema are you using? The manager app uses BASIC by
>> default.
>>
>> Best regards,
>> Konstantin Kolinko
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>

Re: Tomcat 7 and manager issues on VirtualHost environnement

Posted by Gaël THEROND <ga...@gmail.com>.
Yep, I'm able to visit the application list, but not upload or start an
application.

I'll take a look at this CSRF Protection hint.

I'm using the default BASIC Auth provided by Tomcat to authenticate myself
on the manager.


2014-02-07 Konstantin Kolinko <kn...@gmail.com>:

> 2014-02-07 Gaël THEROND <ga...@gmail.com>:
> > Hello everyone,
> >
> > I'm facing a really strange issue since about two or three days now.
> >
> > I've got a Tomcat Server, which contain a virtualhost like this:
> >
> (....)
> >
> > If I start my tomcat instance, everything is fine, tomcat is launching
> > correctly without error, and correctly create the virtual host under the
> > ${catalina_base}/conf/Catalina/
> >
> > I can see on the catalina.out log file that tomcat even create the
> > manager.xml to be able to have an isolated manager for this host.
> >
> > the manager.xml file is correct.
> >
> > However, if I try to upload a WAR I'm facing a 403 error coming from
> tomcat.
> > Where I didn't get it, it's that on my main manager everything is fine, I
> > can log in and load a WAR correctly.
> >
>
> So, you are able to visit the "applications list" page in Manager, but
> upload of a WAR file results in 403?
>
> The page 403 in manager can be result of CSRF protection,
> For example, if your session has expired. The session is needed,
> because CsrfPreventionFilter stores protection token in the session.
>
> I wonder whether SingleSignOn affects this.
> What authentication schema are you using? The manager app uses BASIC by
> default.
>
> Best regards,
> Konstantin Kolinko
>
>
>

Re: Tomcat 7 and manager issues on VirtualHost environnement

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-02-07 Gaël THEROND <ga...@gmail.com>:
> Hello everyone,
>
> I'm facing a really strange issue since about two or three days now.
>
> I've got a Tomcat Server, which contain a virtualhost like this:
>
(....)
>
> If I start my tomcat instance, everything is fine, tomcat is launching
> correctly without error, and correctly create the virtual host under the
> ${catalina_base}/conf/Catalina/
>
> I can see on the catalina.out log file that tomcat even create the
> manager.xml to be able to have an isolated manager for this host.
>
> the manager.xml file is correct.
>
> However, if I try to upload a WAR I'm facing a 403 error coming from tomcat.
> Where I didn't get it, it's that on my main manager everything is fine, I
> can log in and load a WAR correctly.
>

So, you are able to visit the "applications list" page in Manager, but
upload of a WAR file results in 403?

The page 403 in manager can be result of CSRF protection,
For example, if your session has expired. The session is needed,
because CsrfPreventionFilter stores protection token in the session.

I wonder whether SingleSignOn affects this.
What authentication schema are you using? The manager app uses BASIC by default.

Best regards,
Konstantin Kolinko
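
The point made in the reply above, that the protection token lives in the session, as a small model showing why the application list can load while an upload is answered with 403. This is an added example, not part of the original thread and not Tomcat's source; the class, the paths, the entry-point list and the cache size of 5 are assumptions of the sketch.

```python
"""Model of a session-bound CSRF nonce check (a sketch, not Tomcat's source)."""
import secrets
from collections import deque

# Assumptions of this sketch: pages reachable without a nonce ("entry points"),
# the upload path, and a per-session cache holding the 5 most recent nonces.
ENTRY_POINTS = {"/html", "/html/", "/html/list"}
UPLOAD_PATH = "/html/upload"


class NonceFilter:
    def __init__(self, cache_size=5):
        self.cache_size = cache_size
        self.sessions = {}  # session id -> recent nonces issued to that session

    def handle(self, method, path, cookie=None, nonce=None):
        """Return (status, session_id, nonce_for_next_request)."""
        cache = self.sessions.get(cookie)
        entry = method == "GET" and path in ENTRY_POINTS
        # Anything that is not an entry point must present a nonce that is
        # still cached in the caller's own session; otherwise it is denied.
        if not entry and (cache is None or nonce not in cache):
            return 403, cookie, None
        if cache is None:  # first visit, or the old session is gone
            cookie = secrets.token_hex(8)
            cache = self.sessions[cookie] = deque(maxlen=self.cache_size)
        fresh = secrets.token_hex(16)
        cache.append(fresh)  # oldest nonce drops out once the cache is full
        return 200, cookie, fresh


def list_then_upload(keep_cookie=True, expire_session=False, pages_between=0):
    """Load the list page, then POST an upload using the nonce from that page."""
    filt = NonceFilter()
    list_status, sid, nonce = filt.handle("GET", "/html/list")
    for _ in range(pages_between):  # e.g. the same page reloaded in other tabs
        filt.handle("GET", "/html/list", cookie=sid)
    if expire_session:
        filt.sessions.pop(sid)
    cookie = sid if keep_cookie else None  # None: cookie never reaches the server
    upload_status, _, _ = filt.handle("POST", UPLOAD_PATH, cookie=cookie, nonce=nonce)
    return list_status, upload_status


if __name__ == "__main__":
    print("normal:          ", list_then_upload())
    print("session expired: ", list_then_upload(expire_session=True))
    print("cookie lost:     ", list_then_upload(keep_cookie=False))
    print("stale nonce:     ", list_then_upload(pages_between=5))
```

When a 403 shows up only through a proxy, the first things to compare between the direct and the proxied exchange are whether the session cookie set on the list page is sent back on the POST and whether the nonce in the form action is the one most recently issued.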



Re: Tomcat 7 and manager issues on VirtualHost environnement

Posted by André Warnier <aw...@ice-sa.com>.
Gaël THEROND wrote:
> Hello everyone,
> 
> I'm facing a really strange issue since about two or three days now.
> 
> I've got a Tomcat Server, which contain a virtualhost like this:
> 
> http://pastebin.com/gDBhTTLH
> 
> If I start my tomcat instance, everything is fine, tomcat is launching
> correctly without error, and correctly create the virtual host under the
> ${catalina_base}/conf/Catalina/
> 
> I can see on the catalina.out log file that tomcat even create the
> manager.xml to be able to have an isolated manager for this host.
> 
> the manager.xml file is correct.
> 
> However, if I try to upload a WAR I'm facing a 403 error coming from tomcat.
> Where I didn't get it, it's that on my main manager everything is fine, I
> can log in and load a WAR correctly.
> 
> I'm sure that the tomcat-users.xml is correct because if it was not I would
> not be able to load/start a WAR on the main manager.
> 
> Of course, all directory and path are owned by the tomcat user and the
> tomcat itself is launch with this user.
> 
> The weird thing, is that sometimes, I can upload the WAR correctly without
> 403 error but then I can't start the application resulting of another 403
> error.
> 
> If any further information is needed, let me know, I'll provide it as
> soon as possible.
> 

In 99% of the cases, it helps if you provide right away the full version of Tomcat, of the
JVM you are using, and on which platform this is running.
If anything, it saves time for the persons who are trying to help you.
It may also save /you/ a lot of time if it reminds someone that this is a known bug in the
version 7.0.xx that you are using, and is corrected in version 7.0.yy; or if some
attribute should be set because you are under platform xyz etc.






Re: Tomcat 7 and manager issues on VirtualHost environnement

Posted by Gaël THEROND <ga...@gmail.com>.
Hi guys, thanks for your help and all my apologies,

My bad! I forgot to complete my mail before sending it to you, so I'll
correct everything here.

Tomcat Version: Tomcat 7.0.42 (the same behavior appears on Tomcat 7.0.50 in
our lab).
JDK: 1.7.0_40
OS: Linux Fedora 19 Schrodinger Cat last update.

Here is the complete Server.xml corrected:

http://pastebin.com/RNA19WJ4

The earlier one was a mispasted version (I removed it during the comments
clean :'( ), so the Engine is correctly placed in the physical version of
server.xml



2014-02-07 Neven Cvetkovic <ne...@gmail.com>:

> On Fri, Feb 7, 2014 at 4:47 AM, Gaël THEROND <ga...@gmail.com>
> wrote:
>
> > Hello everyone,
> >
> > I'm facing a really strange issue since about two or three days now.
> >
> > I've got a Tomcat Server, which contain a virtualhost like this:
> >
> > http://pastebin.com/gDBhTTLH
> >
> >
> I am surprised as your server.xml is not valid XML file. You are missing
> <Engine...> start tag.
>
>
> > If I start my tomcat instance, everything is fine, tomcat is launching
> > correctly without error, and correctly create the virtual host under the
> > ${catalina_base}/conf/Catalina/
> >
>
> As Andre pointed out, it would be helpful to know the tomcat version you
> are using, what platform, what jvm, etc...
>
> Will try to replicate your problem, but let's first try to get the correct
> server.xml first...
>

Re: Tomcat 7 and manager issues on VirtualHost environnement

Posted by Neven Cvetkovic <ne...@gmail.com>.
On Fri, Feb 7, 2014 at 4:47 AM, Gaël THEROND <ga...@gmail.com> wrote:

> Hello everyone,
>
> I'm facing a really strange issue since about two or three days now.
>
> I've got a Tomcat Server, which contain a virtualhost like this:
>
> http://pastebin.com/gDBhTTLH
>
>
I am surprised as your server.xml is not valid XML file. You are missing
<Engine...> start tag.


> If I start my tomcat instance, everything is fine, tomcat is launching
> correctly without error, and correctly create the virtual host under the
> ${catalina_base}/conf/Catalina/
>

As Andre pointed out, it would be helpful to know the tomcat version you
are using, what platform, what jvm, etc...

Will try to replicate your problem, but let's first try to get the correct
server.xml first...

Re: Tomcat 7 and manager issues on VirtualHost environnement

Posted by Gaël THEROND <ga...@gmail.com>.
Thanks a lot for your help guys,

And yeah, I was a little bit disturbed by your answer about the overlapping of
the two appBase and started asking myself if I was drunk when I published my
configuration ^^

So, basically, I've found my problem, which is a CSRF error related to the
fact that I'm managing and posting apps from a Domain A through a Proxy on
Domain B, which then forwards everything to the Tomcat instance on this
Domain B, BUT as my web browser sends the HOST information, Tomcat knows there is
something strange due to the two different origins of the request ;-)

So, I'll make a custom setting on my proxy for those situations and
everything is going to be OK ;-)


2014-02-07 18:07 GMT+01:00 Mark Eggers <it...@yahoo.com>:

> On 2/7/2014 9:01 AM, Caldarale, Charles R wrote:
>
>>> From: André Warnier [mailto:aw@ice-sa.com] Subject: Re: Tomcat 7
>>> and manager issues on VirtualHost environnement
>>
>>>>> <Host name="tomcat"  appBase="webapps/admin/"
>>>>> <Host name="development.domain.tld" appBase="webapps/development/"
>>
>>>> The appBase of the two virtual hosts overlap.
>>
>>> Do they, really ?
>>
>> No, they don't.  The appBase settings are perfectly fine.  You might
>> as well say that all directory paths overlap because they all start
>> with /.
>>
>> - Chuck
>>
>
> Yep,
>
> works fine - just tested, I plead lack of coffee.
>
> Sorry for the noise.
>
> /mde/
>
>
>
>

Re: Tomcat 7 and manager issues on VirtualHost environnement

Posted by Mark Eggers <it...@yahoo.com>.
On 2/7/2014 9:01 AM, Caldarale, Charles R wrote:
>> From: André Warnier [mailto:aw@ice-sa.com] Subject: Re: Tomcat 7
>> and manager issues on VirtualHost environnement
>
>>>> <Host name="tomcat"  appBase="webapps/admin/"
>>>> <Host name="development.domain.tld" appBase="webapps/development/"
>
>>> The appBase of the two virtual hosts overlap.
>
>> Do they, really ?
>
> No, they don't.  The appBase settings are perfectly fine.  You might
> as well say that all directory paths overlap because they all start
> with /.
>
> - Chuck

Yep,

works fine - just tested, I plead lack of coffee.

Sorry for the noise.

/mde/



RE: Tomcat 7 and manager issues on VirtualHost environnement

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: André Warnier [mailto:aw@ice-sa.com] 
> Subject: Re: Tomcat 7 and manager issues on VirtualHost environnement

> > > <Host name="tomcat"  appBase="webapps/admin/"
> > > <Host name="development.domain.tld" appBase="webapps/development/"

> > The appBase of the two virtual hosts overlap. 

> Do they, really ?

No, they don't.  The appBase settings are perfectly fine.  You might as well say that all directory paths overlap because they all start with /.

 - Chuck




Re: Tomcat 7 and manager issues on VirtualHost environnement

Posted by Mark Eggers <it...@yahoo.com>.
On 2/7/2014 8:36 AM, André Warnier wrote:
> Mark Eggers wrote:
>> On 2/7/2014 1:47 AM, Gaël THEROND wrote:
> ...>
>> <Host name="tomcat"  appBase="webapps/admin/"
> ...
>
>> <Host name="development.domain.tld" appBase="webapps/development/"
> ..
>
>>
>> The appBase of the two virtual hosts overlap.
>
> Do they, really ?

Ack,

This will teach me to post without coffee - sorry for the noise :|

BTW - my setup works with the following configuration (7.0.50, jre 
1.7.0_51, Fedora 20).

<Host name="localhost"  appBase="webapps/localhost"
       unpackWARs="true" autoDeploy="true">
   <Valve className="org.apache.catalina.valves.AccessLogValve"
          directory="logs"
          prefix="localhost_access_log." suffix=".txt"
          pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
<Host name="mars" appBase="webapps/mars"
       unpackWARs="true" autoDeploy="true">
       <Alias>mars.mdeggers.org</Alias>
       <Valve className="org.apache.catalina.valves.AccessLogValve"
              directory="logs"
              prefix="mars_access_log"
              suffix=".txt"
              pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
<Host name="phobos" appBase="webapps/phobos"
       unpackWARs="true" autoDeploy="true">
       <Alias>phobos.mdeggers.org</Alias>
       <Valve className="org.apache.catalina.valves.AccessLogValve"
              directory="logs"
              prefix="phobos_access_log"
              suffix=".txt"
              pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>

Manager webapp for mars and phobos are using a docBase and pointing to 
the manager webapp for localhost.

I've uploaded, deployed, undeployed several times and cannot reproduce 
the 403.

Again, sorry for the noise.

. . . off to drink coffee.
/mde/



Re: Tomcat 7 and manager issues on VirtualHost environnement

Posted by André Warnier <aw...@ice-sa.com>.
Mark Eggers wrote:
> On 2/7/2014 1:47 AM, Gaël THEROND wrote:
...>
> <Host name="tomcat"  appBase="webapps/admin/"
...

> <Host name="development.domain.tld" appBase="webapps/development/"
..

> 
> The appBase of the two virtual hosts overlap. 

Do they, really ?



Re: Tomcat 7 and manager issues on VirtualHost environnement

Posted by Mark Eggers <it...@yahoo.com>.
On 2/7/2014 1:47 AM, Gaël THEROND wrote:
> Hello everyone,
>
> I'm facing a really strange issue since about two or three days now.
>
> I've got a Tomcat Server, which contain a virtualhost like this:
>
> http://pastebin.com/gDBhTTLH
>
> If I start my tomcat instance, everything is fine, tomcat is launching
> correctly without error, and correctly create the virtual host under the
> ${catalina_base}/conf/Catalina/
>
> I can see on the catalina.out log file that tomcat even create the
> manager.xml to be able to have an isolated manager for this host.
>
> the manager.xml file is correct.
>
> However, if I try to upload a WAR I'm facing a 403 error coming from tomcat.
> Where I didn't get it, it's that on my main manager everything is fine, I
> can log in and load a WAR correctly.
>
> I'm sure that the tomcat-users.xml is correct because if it was not I would
> not be able to load/start a WAR on the main manager.
>
> Of course, all directory and path are owned by the tomcat user and the
> tomcat itself is launch with this user.
>
> The weird thing, is that sometimes, I can upload the WAR correctly without
> 403 error but then I can't start the application resulting of another 403
> error.
>
> If any further information is needed, let me know, I'll provide it as
> soon as possible.
>
> Cheers and thanks for any help!
>

From your server.xml:

<Host name="tomcat"  appBase="webapps/admin/"
       unpackWARs="true" autoDeploy="true">
   <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
   <Valve className="org.apache.catalina.valves.AccessLogValve"
          directory="logs"
          prefix="tomcat_access_log." suffix=".log"
          pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
<Host name="development.domain.tld" appBase="webapps/development/"
       unpackWARs="true" autoDeploy="true" deployOnStartup="false">
   <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
   <Valve className="org.apache.catalina.valves.AccessLogValve"
          directory="logs/development"
          prefix="devel_access_log." suffix=".log"
          pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>

The appBase of the two virtual hosts overlap. Make sure they're 
completely separate directories.

Here's the reference for appBase:

http://tomcat.apache.org/tomcat-7.0-doc/config/host.html

And read the automatic deployment section to figure out what happens 
when you've overlapped them.

http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Automatic_Application_Deployment

One way to set up virtual hosts so that this doesn't happen:

http://wiki.apache.org/tomcat/TomcatDevelopmentVirtualHosts

. . . . just my two cents.
/mde/
