2

This works with Tomcat 8.5.50. However, with Tomcat 8.5.51, Apache cannot connect via AJP with the following error:

[Tue Mar 10 20:15:31.378937 2020] [proxy:error] [pid 42:tid 139841308157696] (111)Connection refused: AH00957: AJP: attempt to connect to 172.28.0.5:8009 (tomcatserver) failed
[Tue Mar 10 20:15:31.379336 2020] [proxy_ajp:error] [pid 42:tid 139841308157696] [client 192.168.0.1:58054] AH00896: failed to make connection to backend: tomcatserver

The Apache is on version 2.4.38:

Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42

The AJP connector in the server.xml has secretRequired="false". Everything is set up via Docker Compose.

imriss
  • 1,815
  • 4
  • 31
  • 46

3 Answers3

2

The configuration for secretRequired isn't the only thing that changed:

From https://tomcat.apache.org/migration-85.html#Upgrading_8.5.x

  • In 8.5.51 onwards, the default listen address of the AJP Connector was changed to the loopback address rather than all addresses.
  • In 8.5.51 onwards, the requiredSecret attribute of the AJP Connector was deprecated and replaced by the secret attribute.
  • In 8.5.51 onwards, the secretRequired attribute was added to the AJP Connector. If set to true, the default, the AJP Connector will not start unless a secret has been specified.
  • In 8.5.51 onwards, the allowedRequestAttributesPattern attribute was added to the AJP Connector. Requests with unrecognised attributes will now be blocked with a 403.

Reference: AJP connector.

On top of that, the stock server.xml even has the AJPConnector commented, so it won't be active without being explicitly enabled.

Olaf Kock
  • 46,930
  • 8
  • 59
  • 90
  • Thanks. is there a sample of AJP connector with working `address` and `allowedRequestAttributesPattern` settings for Docker deployments? – imriss Mar 11 '20 at 13:38
0

Try adding allowedRequestAttributesPattern=".*" to the connector def.

T. Cervenka
  • 301
  • 1
  • 2
  • 11
0

Proceeding from where Olaf left off, follow these steps:

(1) You may omit the address attribute.

(2) Change the secretRequired attribute to secretRequired="true", or equivalently, leave it out. (The default value is True).

(3) Add a secret attribute to the workers.properties file and to the server.xml file. You may choose whatever secret you want, on condition that the values in both files match exactly.

(4) For the time being, add to the AJP connector the attribute allowedRequestAttributesPattern=".*", as T Cervenka suggests.

You should then end up with something like,

workers.properties

worker.list=worker1

worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009

worker.worker1.secret=F45A93BF-3AA7-4CB4-E49A-DB34573E4A25

server.xml

<Connector port="8009" protocol="AJP/1.3" maxThreads="500" secret="F45A93BF-3AA7-4CB4-E49A-DB34573E4A25" allowedRequestAttributesPattern=".*" />

The value of allowedRequestAttributesPattern must be a regular expression. It represents the request attributes passed from the reverse proxy to the AJP connector. See the Tomcat docs for details. https://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html.

The regex value for allowedRequestAttributesPattern must be an exact match for the request attributes passed in the AJP protocol. Its default value (where you don't mention the attribute) is null: this is known to break requests. If in doubt, use the regex wildcard, ".*", as above.

user14699123
  • 53
  • 7