This has been driving me crazy for a few days now. Either I'm doing something completely wrong, really silly, or a combination thereof.

I am on Ubuntu 11.10. I ran the following commands:

sudo apt-get install nginx
sudo apt-get install tomcat7 tomcat7-admin

The following is my tomcat-users.xml file:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="admin" />
  <role rolename="manager" />
  <user username="admin" password="secret" roles="admin,manager" />
</tomcat-users>

I set up the following nginx configuration:

server {
  listen 80;
  server_name tomcat.example.com;

  location / {
    proxy_pass http://localhost:8080;
    proxy_set_header Authorization "Basic YWRtaW46c2VjcmV0";
  }
}

Where YWRtaW46c2VjcmV0 is admin:secret encoded in Base64.

Accessing http://tomcat.example.com works fine; however, whenever I try to access http://tomcat.example.com/manager/html I get a 403 page from Tomcat. I have tried restarting both nginx and tomcat to no avail.

The following appears in my Nginx access log whenever I try to get into the Tomcat manager:

xxx.xxx.xxx.xxx - admin [29/Dec/2011:06:20:22 -0500] "GET /manager/html HTTP/1.1" 403 431 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7"

The following appears in my Tomcat access log whenever I try to get into the Tomcat manager:

127.0.0.1 - admin [29/Dec/2011:06:20:22 -0500] "GET /manager/html HTTP/1.0" 403 1108

I plan to further secure this by setting up SSL on Nginx along with HTTP basic authentication, but I need to get the basics working first. Does anybody know what is going on here?

knpwrs
  • Does it 403 when you hit the tomcat listener directly on 8080, skipping the proxy? – Shane Madden Dec 29 '11 at 16:50
  • Yes, I just opened up 8080 in the firewall and tried to access it directly by entering the username and password (admin, secret) into the prompt. Same result, 403. – knpwrs Dec 30 '11 at 09:07
  • Huh.. seems like the user config isn't working. Any other logging in Tomcat when it fails? – Shane Madden Dec 30 '11 at 16:45
  • Nothing that I can see. The only relevant information appears in the access logs. Where else should I look? – knpwrs Dec 30 '11 at 17:18
  • Sounds like it's time to try turning up some logging - add `org.apache.catalina.realm.level = ALL` and `org.apache.catalina.authenticator.level = ALL` to your `logging.properties` file and restart Tomcat? – Shane Madden Dec 30 '11 at 17:23
  • I've figured out what's wrong and got it working thanks to your logging suggestion. I'll post an answer. – knpwrs Dec 30 '11 at 17:55

1 Answer

Completely contradictory to this screenshot from the very same installation of Tomcat, a role of simply manager will not suffice. I needed a role of manager-gui. I'm going to submit the faulty "It works!" page as a bug as this was an extremely frustrating process.

There are also other manager roles that this default "It works!" page should elaborate on, like manager-script.

knpwrs
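
The 403 (rather than 401) in both access logs fits the answer: the login was accepted but the account lacked the role the manager page requires. The following Python sketch is an added example, not part of the original post or of Tomcat: it decodes the Basic header hard-coded in the nginx config and checks it against tomcat-users.xml. The function names, the embedded sample files (constructed to mirror the question) and the simplified 401/403/200 model are assumptions made for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed samples that mirror the files shown in the question.
TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="admin" />
  <role rolename="manager" />
  <user username="admin" password="secret" roles="admin,manager" />
</tomcat-users>"""
NGINX_CONF = """location / {
  proxy_pass http://localhost:8080;
  proxy_set_header Authorization "Basic YWRtaW46c2VjcmV0";
}"""

def load_users(xml_text):
    """Map username -> (password, set of roles) from tomcat-users.xml."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    users = {}
    for u in root.findall("user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        users[u.get("username")] = (u.get("password"), roles)
    return users

def proxy_credentials(conf_text):
    """Decode a hard-coded 'Authorization: Basic' header, or return None."""
    m = re.search(r'proxy_set_header\s+Authorization\s+"Basic\s+([A-Za-z0-9+/=]+)"', conf_text)
    if m is None:
        return None
    user, _, password = base64.b64decode(m.group(1)).decode("utf-8").partition(":")
    return user, password

def expected_status(xml_text, conf_text, required_role="manager-gui"):
    """Simplified model for /manager/html: 401 bad login, 403 missing role, 200 ok."""
    creds = proxy_credentials(conf_text)
    if creds is None:
        return 401, "proxy injects no Basic credentials"
    user, password = creds
    users = load_users(xml_text)
    if user not in users or users[user][0] != password:
        return 401, "credentials do not match tomcat-users.xml"
    roles = users[user][1]
    if required_role not in roles:
        return 403, "user %r has roles %s but not %r" % (user, sorted(roles), required_role)
    return 200, "user %r holds %r" % (user, required_role)

if __name__ == "__main__":
    print(expected_status(TOMCAT_USERS, NGINX_CONF))  # the question's setup
    fixed = TOMCAT_USERS.replace('roles="admin,manager"', 'roles="admin,manager-gui"')
    print(expected_status(fixed, NGINX_CONF))  # after the answer's fix
```
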