I have a fresh install of Fedora 23 (Workstation) with fresh installs of Apache 2.4 and Tomcat 8.

I'm attempting a very simple setup: A single instance of Apache will proxy all traffic for a single instance of Tomcat.

In Apache's httpd.conf I've set ServerName localhost. It includes the proxy configuration file conf.modules.d/00-proxy.conf. In that file, mod_proxy and mod_proxy_ajp are enabled with configuration

ProxyRequests Off
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from localhost
</Proxy>
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/

According to my understanding, this tells Apache to relay all requests to whatever is listening on local port 8009 via AJP, allowing only requests from localhost and keeping everything relative to the respective root directories.

In Tomcat's /etc/tomcat/server.xml, I have

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

which, according to my understanding, tells Tomcat to listen on port 8009 for anything being sent via AJP. Given the Apache configuration, this should be every request Apache receives.

The problem

Accessing localhost returns a 403 Forbidden error. If I connect to Tomcat directly with localhost:8080, the connection is fine and I get index.jsp. Apache's error log gives

AH01630: client denied by server configuration: proxy:ajp://localhost:8009/favicon.ico

indicating that Apache is disallowing access to Tomcat's /tomcat/webapps/ROOT/ directory because of a permissions conflict. I tried adding

<Directory "/var/lib/tomcat/webapps/ROOT">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

to httpd.conf, but it didn't change the 403 Forbidden error after restarting Apache.

This is a very common setup, and none of the many, many guides I've read indicate needing to change Apache's access permissions or the OS filesystem permissions. This is a clean install, and I've done very little with the installation that I haven't noted here.

What do I not understand?

JonahHuron

2 Answers


You should modify your connectors like this.

<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8"/>

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3" />

You can also follow this link: https://confluence.sakaiproject.org/display/~steve.swinsburg/Fronting+Tomcat+with+Apache+via+mod_proxy_ajp

Haid

Why? Why does the HTTP connector need changing? What is the significance of the AJP connector change? – OrangeDog Jul 25 '17 at 12:47


The <Proxy *> is not needed for a reverse proxy configuration such as you have here. This construct is commonly found in guides on the internet, but I'm afraid they are simply wrong.

If you wish to restrict access to the proxied resource, use a <Location> block, not a <Proxy> one. So if you had something like

<Location "/">
  Order deny,allow
  Deny from all
  Allow from localhost
</Location>

it would do what you wish. But try it without it first, as it is almost certainly that which is causing your 403. The above config will mean that only requests to your web server that start http://localhost will work,

Unbeliever
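To show what the answer above is recommending end to end, here is an added example of a complete Apache 2.4 reverse-proxy fragment for the setup in the question. It is not configuration from the question or from either answer; the VirtualHost layout, the log file names and the choice of 127.0.0.1 instead of the hostname localhost are my assumptions. The <Proxy *> block from the question is deliberately absent, since the answer identifies it as the likely source of the 403, and the optional access restriction is written with the 2.4-native Require directive rather than the 2.2-era Order/Deny/Allow directives shown on this page.

```apache
# Added example (not from the question or the answers).
# Assumes the default Fedora module layout; adjust paths as needed.
LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

<VirtualHost *:80>
    ServerName localhost

    # Reverse proxy only: never let this host act as a forward proxy.
    ProxyRequests Off
    # Pass the original Host header through to Tomcat so that
    # application-generated URLs refer to the Apache front end.
    ProxyPreserveHost On

    # No <Proxy *> block here. Everything under / is relayed to the
    # AJP connector on the loopback address; the trailing slashes keep
    # both roots aligned exactly as in the question.
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/

    # Optional: restrict who may reach the proxied application. This is
    # the <Location> form the answer recommends, in Apache 2.4 syntax.
    # Both loopback addresses are listed because a local browser may
    # connect over IPv6 (::1) rather than IPv4 (127.0.0.1); listing
    # only one of them is a common reason for an unexpected 403.
    <Location "/">
        Require ip 127.0.0.1 ::1
    </Location>

    ErrorLog  logs/tomcat_proxy_error.log
    CustomLog logs/tomcat_proxy_access.log combined
</VirtualHost>
```

Check the syntax with `apachectl configtest` (or `httpd -t`) before restarting, and test the plain proxy first, without the <Location> block, exactly as the answer suggests; add the restriction only once the 403 is gone, so that a second failure can be attributed to the restriction alone. On the Tomcat side, the AJP connector in the question listens on every interface by default; if only the local Apache instance should be able to reach port 8009, the Connector element accepts an `address="127.0.0.1"` attribute that binds it to loopback, which limits exposure of the unauthenticated AJP port without changing anything in the Apache configuration above.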