mod_proxy_ajp backport for "secret" attribute to 2.4.x

[Rainer Jung <ra...@kippdata.de>]

Just a heads up: the support for the "secret" atribute in mod_proxy_ajp 
has not been backported:

https://bz.apache.org/bugzilla/show_bug.cgi?id=53098

Tomcat hardened its AJP connector in the latest patch releases and by 
default now requires the proxy to send such a "secret". This can be 
turned off but is not recommended.

I think we should backport r1738878 plus small struct layout adjustments 
for compatibility in 2.4.x.

I could not yet test it, but the diff seems to apply well apart from 
struct layout, which we need to trivially adjust anyays (move new 
members to end of struct).

If anyone would be able to test and propose before I get to it, that 
would be great.

Regards,

Rainer

Re: mod_proxy_ajp backport for "secret" attribute to 2.4.x

[Eric Covener <co...@gmail.com>]

On Sun, Feb 23, 2020 at 11:00 AM Rainer Jung <ra...@kippdata.de> wrote:
>
> Just a heads up: the support for the "secret" atribute in mod_proxy_ajp
> has not been backported:
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=53098
>
> Tomcat hardened its AJP connector in the latest patch releases and by
> default now requires the proxy to send such a "secret". This can be
> turned off but is not recommended.
>
> I think we should backport r1738878 plus small struct layout adjustments
> for compatibility in 2.4.x.
>
> I could not yet test it, but the diff seems to apply well apart from
> struct layout, which we need to trivially adjust anyays (move new
> members to end of struct).
>
> If anyone would be able to test and propose before I get to it, that
> would be great.

My svn merge did not seem to have any struct issues, just one weird
conflict in mod_proxy parsing the properties.

I tested against the new tomcat w/ a secret specified in server.xml
and it seemed to work OOTB with secret=xxx

I will propose as a showstopper for 2.4.