
I'm setting up a new server running CentOS 7 with Apache 2.4/Shibboleth 3.1/Tomcat 7, using mod_proxy_ajp to connect Apache to Tomcat.

I'm getting a 403 from the site running on it. I've searched for solutions on the internet and tried them all without success. I am not a Unix admin; I'm more on the operations side. I've asked Unix admins and developers, and no one was able to help. That's why I'm turning to the experts here for help.

The configuration running on the old server (CentOS 6, Apache 2.2/Shibboleth 3.1/Tomcat 6) works.

Not sure what went wrong.

httpd.conf

<Location /xxxxxx>
  # Shibboleth SP protects this path; an authenticated session is required
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require valid-user
  # inside <Location>, ProxyPass takes only the back-end URL (the path is the Location itself)
  ProxyPass ajp://localhost:8009/xxxxxx
  ProxyPassReverse ajp://localhost:8009/xxxxxx
  ShibRequestSetting applicationId webmf
  # use X-Forwarded-For as the client address (only safe when an upstream proxy you trust sets it)
  ShibRequestSetting REMOTE_ADDR X-Forwarded-For
  # also export attributes as request headers, which mod_proxy passes on to Tomcat
  ShibUseHeaders On
</Location>

Tomcat server.xml

<!-- HTTP connector; not used by Apache in this setup -->
<Connector port="8080" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8"/>

<!-- AJP connector that Apache's mod_proxy_ajp connects to on localhost:8009 -->
<Connector port="8009" enableLookups="false" URIEncoding="UTF-8" protocol="AJP/1.3" redirectPort="8443" />
edited by Michael Hampton
asked by solotenk
  • Check your logs. – Michael Hampton Mar 13 '21 at 22:44
  • Thanks @MichaelHampton for fixing my post's format! I've checked the logs. Tomcat's localhost_access_log:
    172.19.37.50 - - [13/Mar/2021:17:21:25 -0800] "GET /xxxxxx/ HTTP/1.1" 403 -
    Logs under httpd ssl_request_log:
    [13/Mar/2021:17:21:24 -0800] 172.19.37.50 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /xxxxxxx/ HTTP/1.1" 777
    [13/Mar/2021:17:21:25 -0800] 172.19.37.50 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /xxxxxx/Shibboleth.sso/SAML2/POST HTTP/1.1" 227
    [13/Mar/2021:17:21:25 -0800] 172.19.37.50 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /xxxxxx/ HTTP/1.1" -
    – solotenk Mar 14 '21 at 01:25
  • I noticed that under the /var/log/httpd folder the ssl_error_log generates entries every second. I wonder what it is; would that be the cause?
    [ssl:info] [pid 104648] [client 172.23.36.250:60064] AH01964: Connection to child 3 established (server xxxxxxxxxxxx.com:443)
    [ssl:debug] [pid 104648] ssl_engine_io.c(1202): (70014)End of file found: [client 172.23.36.250:60064] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
    [ssl:info] [pid 104648] [client AH01998: Connection closed to child 3 with abortive shutdown (server xxxxxxxxxxxx:443)
    – solotenk Mar 14 '21 at 01:36
  • I don't expect that is relevant (but it might be some other problem). You want to look at Apache's error_log and Tomcat's catalina.out (or wherever you redirected it). – Michael Hampton Mar 14 '21 at 02:01
  • I've set the logging level of Tomcat to ALL and only have these in the catalina log:
    org.apache.coyote.AbstractProtocol$AbstractConnectionHandler process FINE: Socket: [org.apache.tomcat.util.net.SocketWrapper@6621168c:Socket[addr=/127.0.0.1,port=42058,localport=8009]], Status in: [OPEN_READ], State out: [CLOSED]
    org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor run FINER: Closing socket:org.apache.tomcat.util.net.SocketWrapper@6621168c:Socket[addr=/127.0.0.1,port=42058,localport=8009]
    org.apache.tomcat.util.threads.LimitLatch countDown
    – solotenk Mar 14 '21 at 21:50
  • The issue has been resolved; it turns out that it's the AJP that's broken. Switching to HTTP for communication between Apache and Tomcat fixed the issue. – solotenk Mar 16 '21 at 19:25

0 Answers
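Editor's note, added here and not part of the question or its comments. The thread ends with "AJP is broken" and a switch to HTTP, without saying why Tomcat answered 403. The server.xml fragment below shows what a practitioner should check before drawing that conclusion, plus the hardened form of the HTTP alternative the poster settled on. It assumes Tomcat 7.0.100 or later (or 8.5.51/9.0.31), the releases that changed the AJP connector defaults in response to CVE-2020-1938: the connector listens on loopback only, `secretRequired` defaults to true, and a request carrying an AJP request attribute whose name does not match `allowedRequestAttributesPattern` is rejected with 403. Whether that was the cause on the poster's server is not established by the page; it is one thing to rule out, since a 403 coming from Tomcat only on the authenticated request is consistent with it. The secret value, the path /xxxxxx, the attribute names in the pattern and the `maxHttpHeaderSize` value are assumptions for illustration; the `secret=` ProxyPass parameter needs httpd 2.4.42 or a distribution backport.

```xml
<!-- Added example (not the poster's server.xml). Assumes Tomcat 7.0.100+ / 8.5.51+ / 9.0.31+;
     on an older Tomcat the secret*/allowedRequestAttributesPattern attributes are unknown and
     only produce a "did not find a matching property" warning at startup. -->

<!-- 1. AJP connector for mod_proxy_ajp, with the post-CVE-2020-1938 defaults made explicit.
        address:  accept AJP only from the local Apache; AJP carries REMOTE_USER and other
                  trusted values, so it must never be reachable from the network.
        secret:   must equal the secret= parameter on the Apache ProxyPass line. A request
                  without the secret, or with the wrong one, is answered with 403. With
                  secretRequired="true" and no secret set, the connector refuses to start.
        allowedRequestAttributesPattern: names of extra request attributes Apache may send;
                  anything else is a 403. mod_proxy_ajp forwards Apache environment variables
                  prefixed AJP_ as request attributes with the prefix stripped (this is how a
                  Shibboleth SP with attributePrefix="AJP_" hands attributes to Tomcat), so list
                  the names your attribute-map.xml exports (assumed names below) rather than ".*". -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           secretRequired="true"
           secret="replace-with-a-long-random-value"
           allowedRequestAttributesPattern="(Shib-[A-Za-z0-9-]+|eppn|affiliation|mail)"
           redirectPort="8443" URIEncoding="UTF-8" enableLookups="false" />

<!-- Matching Apache side, inside the <Location /xxxxxx> block
     (httpd 2.4.42+, or a distribution backport, for the secret= parameter):
       ProxyPass        ajp://127.0.0.1:8009/xxxxxx secret=replace-with-a-long-random-value
       ProxyPassReverse ajp://127.0.0.1:8009/xxxxxx
-->

<!-- 2. The alternative the poster ended up with: plain HTTP between Apache and Tomcat.
        Bind to loopback: over HTTP, Shibboleth attributes and the user identity travel only as
        request headers (ShibUseHeaders On), and the SP strips spoofed copies of those headers at
        Apache only. Anyone who can reach port 8080 directly could set them freely.
        maxHttpHeaderSize is raised (assumed value) because SAML attribute headers can exceed the
        8192 default. -->
<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           maxHttpHeaderSize="16384"
           connectionTimeout="20000" redirectPort="8443" URIEncoding="UTF-8" enableLookups="false" />

<!-- Inside <Engine> or <Host>: recover the real client address and scheme from the proxy headers,
     trusting only the local Apache as a proxy. mod_proxy_http adds X-Forwarded-For itself;
     X-Forwarded-Proto needs "RequestHeader set X-Forwarded-Proto https" in the TLS vhost. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="127\.0\.0\.1"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto" />
```

If the AJP path is kept, the quickest check for the attribute case is to temporarily set `allowedRequestAttributesPattern=".*"`: if the 403 disappears, Apache is sending an attribute the pattern rejects, and the Tomcat log at the default level will have named it. Do not leave the catch-all in place; tighten it to the names actually exported.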