tomcat 7.0.100 AJP connector with mod_jk on another host

Question

After upgrading tomcat7 to 7.0.100, the AJP connector was only listening on 127.0.0.1. Initially I edited the wrong server.xml in /etc/tomcat7/server.xml which was not used. The right one is /var/lib/tomcat7/conf/server.xml at least for me. I added these two parameters:

address="0.0.0.0"
requiredSecret="false"

Now it listens on all interfaces, as before. However when I try to access it using mod_jk I get a 403. A sniffer conifrms that this is comming from the AJP connector. So I tried to set

allowedRequestAttributesPattern=".*"

Which does not solve the issue. Any ideas?

Try address="0.0.0.0" in the connector. – Schrute Mar 05 '20 at 01:19 — Schrute, Mar 05 '20 at 01:19

user562826 · Answer 1 · 2020-03-05T16:34:46.983

try this:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="0.0.0.0" allowedRequestAttributesPattern=".*" secretRequired="false" />

https://tomcat.apache.org/tomcat-7.0-doc/changelog.html

changes made in 7.0.100:

Rename the requiredSecret attribute of the AJP/1.3 Connector to secret and add a new attribute secretRequired that defaults to true. When secretRequired is true the AJP/1.3 Connector will not start unless the secret attribute is configured to a non-null, non-zero length String. (markt)

score 0 · Answer 2 · answered Mar 06 '20 at 06:56

The 403 went away when we set a password on AJP. So in server.xml section we put:

<Connector port="8109" protocol="AJP/1.3" redirectPort="8443" secret="verysecure" secretRequired="true"/>

And in worker_properties of mod_jk:

worker.tomcat-06.secret=verysecure

tomcat 7.0.100 AJP connector with mod_jk on another host

2 Answers2