Fronting Tomcat with Apache HTTP Server - java

Apache Tomcat server.xml:
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="127.0.0.1" enableLookups="false" protocol="AJP/1.3" redirectPort="8443" />
Apache HTTP Server httpd.conf (in /path/to/apache/config):
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from localhost
</Proxy>
ProxyPass / ajp://127.0.0.1:8009/ retry=0
ProxyPassReverse / ajp://127.0.0.1:8009/ retry=0
When I open http://[ip]/[app_name] I get this error:
Forbidden
You don't have permission to access /[app_name] on this server.
Why?

Your configuration states
<Proxy *>
Order deny,allow
Deny from all
Allow from localhost
</Proxy>
Guess the meaning of Deny and Allow. Your configuration should work if you are coming from the same server and use localhost as your address. Be careful if you use the IP address: often localhost is no longer mapped to 127.0.0.1 but to ::1, its IPv6 equivalent.
Edit: Remove this block and then try whether it works.
Note that Stack Overflow is for programming-related questions; this is rather server administration, so it might be better on https://serverfault.com/. I'm voting to transfer it over to that site. There, people might be able to go further, e.g. give hints on not opening up a reverse proxy for everybody everywhere on the internet.
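As an added example (not part of the question or the answer above), here is the same front end written so that remote browsers can reach the application while httpd still only forwards to the loopback-bound AJP connector. It uses Apache 2.4 Require syntax; the application prefix /app and the secret value are assumptions. The secret= worker parameter needs httpd 2.4.42 or later and a Tomcat whose AJP Connector carries a matching secret="..." attribute (7.0.100, 8.5.51, 9.0.31 and later); on older versions drop that parameter.

```apache
LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

# Reverse proxy only. With ProxyRequests Off nobody can use httpd as a forward
# proxy, whatever the <Proxy> block below says.
ProxyRequests Off

# The <Proxy> section controls which CLIENTS may reach proxied content. The original
# "Deny from all / Allow from localhost" (2.4 spelling: "Require local") is what
# produced the 403 for every remote browser. For a public application, grant access
# here; keeping the block makes it the obvious place for a narrower rule later.
<Proxy "ajp://127.0.0.1:8009/*">
    Require all granted
</Proxy>

# Exclusions go first so they still win if the mapping below is ever widened to "/".
# Management apps deployed on the same Tomcat are never reachable via the front end.
ProxyPass "/manager"      "!"
ProxyPass "/host-manager" "!"

# Forward only the application prefix, not "/": everything else Tomcat serves
# (ROOT, examples, docs) stays behind the loopback-bound AJP connector.
# secret= must equal the secret="..." attribute on Tomcat's AJP <Connector>, which
# then rejects AJP peers that do not present it. The value here is a placeholder.
ProxyPass        "/app" "ajp://127.0.0.1:8009/app" retry=0 secret=replace-with-a-long-random-string
ProxyPassReverse "/app" "ajp://127.0.0.1:8009/app"
```

Reload httpd and request http://[ip]/app from a remote machine: it should now be served, while http://[ip]/manager returns 404 from httpd itself rather than reaching Tomcat. If the AJP connector is configured with a secret and httpd is not, Tomcat answers every proxied request with 403, which is the expected failure mode rather than a misconfiguration of the <Proxy> block.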

Related

How to enable TLS1.2 for tomcat webserver connections We are using tomcat 7.0.82

I have a tomcat webapp where the client is using TLS1.2 but a technical scan found the server is still using TLS1.0. I want to enable TLS1.2. We are using Java 7 and the connector snippet for the server.xml is as below,
<Connector SSLEnabled="true" acceptCount="100" clientAuth="true" disableUploadTimeout="true" enableLookups="true" connectionTimeout="300000"
socket.soLingerOn="false" maxKeepAliveRequests="1000" maxThreads="50" port="2024" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS"
keystoreFile="/cert/fic_rest.jks" keystorePass="********"
truststoreFile="/cert/fic_rest.jks" server="UnIdentified" compression="on" compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
/>
<!-- Define an AJP 1.3 Connector on port 2023 -->
<Connector port="2023" protocol="AJP/1.3" redirectPort="2022" />
<Connector acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="true" connectionTimeout="300000"
socket.soLingerOn="false" maxKeepAliveRequests="1000" maxThreads="50" port="2020" protocol="org.apache.coyote.http11.Http11NioProtocol" server="UnIdentified"
/>
Would changing sslProtocol="TLS" to sslProtocol="TLSv1.2" be enough?
We are using tomcat 7.0.82
The sslProtocol configuration option does next to nothing: it only specifies which SSLContext to use, but from the perspective of a server this does not restrict anything. Any version of SSLContext sets the default SSL server protocols to the entire list of supported protocols (cf. source code).
Therefore you need to set sslEnabledProtocols="TLSv1.2" (cf. Tomcat documentation) to restrict the accepted protocol versions to only TLS 1.2. You can then test your configuration using curl.
However, if disallowing TLS versions lower than 1.2 is a security constraint for the whole system (cf. this question), you can enforce it for the whole JVM by adding the following line to $JRE_HOME/lib/security/java.security:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1
Warning: this will influence all TLS connections in Java, even those with old databases.
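As an added example that is not part of the answer above, here is the questioner's connector with the two attributes side by side: the original sslProtocol="TLS" (kept as a commented-out "before") and the sslEnabledProtocols allow-list that actually limits what the listening socket negotiates. Ports, keystore paths, the elided keystorePass and clientAuth="true" are the question's values; the ciphers list is an assumption and must name suites the running JRE offers (Java 7's JSSE has the SHA-256 CBC suites but not the AES-GCM suites Java 8 added, and its 256-bit suites need the unlimited-strength JCE policy files).

```xml
<!-- Before: sslProtocol="TLS" only selects the SSLContext. On the server side every
     protocol the JRE supports, TLS 1.0 included, stays enabled, which is what the scan saw. -->
<!--
<Connector SSLEnabled="true" port="2024" protocol="org.apache.coyote.http11.Http11NioProtocol"
           scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
           keystoreFile="/cert/fic_rest.jks" keystorePass="********"
           truststoreFile="/cert/fic_rest.jks" />
-->

<!-- After: sslEnabledProtocols is the list the server will offer; anything else is refused
     at the handshake. sslProtocol can stay at "TLS" because it no longer decides anything. -->
<Connector SSLEnabled="true" port="2024" protocol="org.apache.coyote.http11.Http11NioProtocol"
           scheme="https" secure="true"
           acceptCount="100" maxThreads="50" connectionTimeout="300000"
           clientAuth="true"
           keystoreFile="/cert/fic_rest.jks" keystorePass="********"
           truststoreFile="/cert/fic_rest.jks"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
           server="UnIdentified" />
```

To confirm the change, run openssl s_client -connect host:2024 -tls1 (the handshake must fail) and openssl s_client -connect host:2024 -tls1_2 -cert client.pem -key client.key (it must succeed; the client certificate is needed because clientAuth="true"). One caveat when reading the result: recent OpenSSL builds refuse TLS 1.0 on the client side by default, so a failing -tls1 run only proves the server is closed once the same client can still reach a known TLS 1.0 endpoint.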

Why does localhost work but external URL doesn't in tomcat?

My tomcat server is configured as this:
<Connector port="8080" protocol="HTTP/1.1"
address="192.168.122.15"
connectionTimeout="20000"
redirectPort="8443" />
When I try to access it via http://localhost:8080/{endpoint}, the operation works
When I use the external URL that's supposedly mapped to it: http://projecta.cave-gaming.com:8080/{endpoint}, it returns a 404 timeout error.
How do I map my tomcat server to the forwarded port so I can access it from an external URL?
Have you bound the server to localhost?
You can configure this using the address attribute, as described here.
You can do this in the server.xml
<Connector port="8080" protocol="HTTP/1.1" ...
If you omit the address attribute you are listening to all available addresses.

Apache, Tomcat : Loadbalancing and failover configuration showing blank page.

I am working on adding load-balancing and fail-over functionality to our existing Apache Tomcat setup with mod_jk. For this, I have set up 2 Tomcat instances. I have made some changes, and will be pasting them. I am not getting any errors in the log of either httpd or Tomcat, and I am only seeing a blank page. What am I doing wrong?
Apache webserver config :
workers.properties :
worker.list=loadbalancer
worker.server1.port=8010
worker.server1.host=localhost
worker.server1.lbfactor=1
worker.server1.type=ajp13
worker.server2.port=8011
worker.server2.host=localhost
worker.server2.type=ajp13
worker.server2.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=server1,server2
worker.loadbalancer.sticky_session=true
# sticky_session_force belongs to the lb worker itself; a property set on a worker
# that is never declared ("myworker" in the original) has no effect.
worker.loadbalancer.sticky_session_force=true
apache2.conf / httpd.conf :
Include sites-enabled/
LoadModule jk_module modules/mod_jk.so
JkWorkersFile /etc/apache2/workers.properties
JkLogFile /etc/apache2/mod_jk.log
JkMount /* loadbalancer
sites-enabled/000-default : Only contains :
JkMountCopy On
First tomcat's server.xml :
<Server port="8005" shutdown="SHUTDOWN">
<Connector port="8081" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000"/>
<Connector port="8010" protocol="AJP/1.3" redirectPort="8081" URIEncoding="utf-8"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/ javascript,application/x-javascript,application/javascript"
/>
<Engine name="Catalina" defaultHost="localhost" jvmRoute="server1">
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
</Cluster>
</Engine>
2nd Tomcat's server.xml :
<Server port="8006" shutdown="SHUTDOWN">
<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000"/>
<Connector port="8011" protocol="AJP/1.3" redirectPort="8080" URIEncoding="utf-8"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/ javascript,application/x-javascript,application/javascript"
/>
<Engine name="Catalina" defaultHost="localhost" jvmRoute="server2">
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
</Cluster>
</Engine>
Even if I shut down any tomcat, all I see is a blank page. What am I doing wrong? Kindly let me know. Thanks a lot.. :-)
It's not usually worth it to specify any JkMount directives outside of a VirtualHost. You should be specific and map them to each VH.
JkMountCopy should have worked for you. I suspect that some other configuration was interfering with it.
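As an added example (not from the question or either answer), a per-virtual-host mod_jk layout of the kind the first answer recommends, written for Apache 2.4. The host name, the /app prefix and the jkstatus status worker are assumptions; the status worker also has to exist in workers.properties (worker.list=loadbalancer,jkstatus and worker.jkstatus.type=status). With the mounts inside the VirtualHost, JkMountCopy is not needed.

```apache
LoadModule jk_module modules/mod_jk.so
JkWorkersFile /etc/apache2/workers.properties
JkLogFile     /etc/apache2/mod_jk.log
JkLogLevel    info

<VirtualHost *:80>
    ServerName www.example.com

    # Mount only the application prefix on the balancer. "JkMount /* loadbalancer"
    # would also hand ROOT, manager and anything else deployed on either Tomcat to
    # the public side.
    JkMount /app   loadbalancer
    JkMount /app/* loadbalancer

    # Explicit unmounts keep Tomcat's management apps off this vhost even if the
    # mounts above are ever widened.
    JkUnMount /manager/*      loadbalancer
    JkUnMount /host-manager/* loadbalancer

    # Status worker: shows which node is up and lets you drain one before a restart.
    # It can change worker state, so it is reachable from the local host only.
    <Location "/jkstatus">
        JkMount jkstatus
        Require local
    </Location>
</VirtualHost>
```

After reloading httpd, http://www.example.com/app should be served by one of the two Tomcats (the JSESSIONID cookie ends in .server1 or .server2, matching the jvmRoute), and stopping that Tomcat should move the next request to the other node. The blank-page symptom is easier to diagnose from /jkstatus than from the logs: it shows immediately whether the balancer considers both members in the OK state.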

secure AJP connector not rendering

We have a hybris server behind an Apache web server, linked with AJP connectors. This was working perfectly; however, for some reason, after updating to hybris 5.3 (and Tomcat 7) the secure AJP connector is not rendered.
In the hybris tomcat config folder we have this in the server.xml:
${tomcat.connectors.ajp.plain}
which, on ant clean all, renders to this in the platform server.xml:
<Connector protocol="AJP/1.3" port="8009" proxyPort="80" redirectPort="443" />
This works for non-secure connections; however, we also need to render the secure connector:
<Connector protocol="AJP/1.3" port="8010" proxyPort="443" scheme="https" secure="true" />
I could just hard-code this into the server.xml, but that doesn't seem like the best way to do it, and I can't find where ${tomcat.connectors.ajp.plain} is actually rendered. Is there a similar property somewhere that will render the secure connector using the ports defined in the local.properties?
I'm afraid you have to declare it manually in your server.xml template in the configuration directory.
In actual fact, I prefer to do this for both AJP connectors as the templated one injected by the variable you mention is not very well configured and I have seen significant performance issues as a result. For example the number of threads is not specified and it is not associated with an executor. This means that when under large load, the number of active threads can grow to a silly number and cause the whole thing to fall over.
In fact, below is a snippet of the config/tomcat/conf/server.xml I use, which I have developed over 7 years of working exclusively on Hybris. Not only does it have sensible configurations, it also uses the more performant non-blocking IO protocols.
Hope this helps.
<Executor name="hybrisExecutor"
namePrefix="hybrisHTTP"
maxThreads="${tomcat.maxthreads}"
minSpareThreads="${tomcat.minsparethreads}"
maxIdleTime="${tomcat.maxidletime}"/>
<Connector port="${tomcat.http.port}"
maxHttpHeaderSize="8192"
maxThreads="${tomcat.maxthreads}"
protocol="org.apache.coyote.http11.Http11NioProtocol"
executor="hybrisExecutor"
enableLookups="false"
acceptCount="${tomcat.acceptcount}"
connectionTimeout="20000"
URIEncoding="UTF-8"
disableUploadTimeout="true" />
<Connector port="${tomcat.ssl.port}"
maxHttpHeaderSize="8192"
maxThreads="${tomcat.maxthreads}"
protocol="org.apache.coyote.http11.Http11NioProtocol"
executor="hybrisExecutor"
enableLookups="false"
acceptCount="${tomcat.acceptcount}"
connectionTimeout="20000"
disableUploadTimeout="true"
URIEncoding="UTF-8"
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="${catalina.home}/lib/keystore"
keystorePass="123456" />
<!--
We explicitly declare the AJP connectors as we want to separate HTTP and SSL traffic and the default connector setting Hybris provides is not good enough.
-->
<Connector protocol="org.apache.coyote.ajp.AjpNioProtocol"
executor="hybrisExecutor"
enableLookups="false"
acceptCount="${tomcat.acceptcount}"
connectionTimeout="120000"
maxThreads="${tomcat.maxthreads}"
port="${tomcat.ajp.port}"
proxyPort="${proxy.http.port}"
redirectPort="${proxy.ssl.port}"
URIEncoding="UTF-8"
useIPVHosts="${tomcat.ajp.useipv}" />
<Connector protocol="org.apache.coyote.ajp.AjpNioProtocol"
executor="hybrisExecutor"
enableLookups="false"
acceptCount="${tomcat.acceptcount}"
connectionTimeout="120000"
maxThreads="${tomcat.maxthreads}"
port="${tomcat.ajp.secureport}"
proxyPort="${proxy.ssl.port}"
redirectPort="${proxy.http.port}"
scheme="https"
secure="true"
URIEncoding="UTF-8"
useIPVHosts="${tomcat.ajp.useipv}" />
The variables are just properties you declare in local.properties. They are substituted at build time by the ant deploy task when it builds the actual server.xml in the platform tomcat directory.
I think you should try with:
<!-- AJP carries no TLS of its own: scheme="https" and secure="true" only tell Tomcat
     that the front-end proxy terminated HTTPS; the AJP hop itself stays plain. -->
<Connector
protocol="AJP/1.3"
port="8010"
connectionTimeout="20000"
scheme="https"
SSLEnabled="true"
secure="true"
maxThreads="200"
proxyPort="443"/>
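Added example, not part of either answer: the httpd side that gives the two AJP connectors discussed above something to do. The plain vhost forwards to the connector whose proxyPort is 80, the TLS vhost to the one declared with scheme="https" secure="true" proxyPort="443". Tomcat then reports request.isSecure() as true, builds absolute redirects with the right scheme and port, and marks the session cookie Secure, even though the AJP hop itself is plain on loopback. Ports 8009/8010 are the question's values; the host name and certificate paths are assumptions.

```apache
# Plain HTTP vhost -> AJP connector with proxyPort="80" redirectPort="443".
# Tomcat sees scheme http; a page with a transport-guarantee of CONFIDENTIAL
# is redirected to https://shop.example.com/... using redirectPort.
<VirtualHost *:80>
    ServerName shop.example.com
    ProxyPass        "/" "ajp://127.0.0.1:8009/"
    ProxyPassReverse "/" "ajp://127.0.0.1:8009/"
</VirtualHost>

# TLS vhost -> AJP connector with scheme="https" secure="true" proxyPort="443".
# TLS terminates here; the connector attributes are what make Tomcat treat the
# request as secure (isSecure() true, session cookie flagged Secure). Pointing
# this vhost at 8009 instead would make Tomcat generate http:// URLs and leave
# the cookie without the Secure flag.
<VirtualHost *:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key
    ProxyPass        "/" "ajp://127.0.0.1:8010/"
    ProxyPassReverse "/" "ajp://127.0.0.1:8010/"
</VirtualHost>
```

Both AJP connectors should still be bound to the loopback address (or a private interface the proxy can reach), since the secure/scheme attributes describe the front end and do not protect the AJP listener itself. A quick check after deployment: request a page over https and confirm the Set-Cookie header for JSESSIONID carries the Secure attribute and that any Location header from a redirect starts with https://.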

How to deploy webservice on jboss 4.0.4 application server hosted on solaris 10 with a specific port?

I am totally new to JBOSS 4.0.4 app server and Solaris 10.
I have developed my webservice WAR file with Eclipse and need to deploy it on my remote jboss web server (version 4.0.4) hosted on Solaris (version 10) and need to assign port 8088 to it.
I mean my clients need to access my web service with: http://test.com:8088/myWebService?wsdl
How can I achieve this?
What configurations should I do in order to make it possible?
One of my friends told me that JBoss version 4.0.4 serves every HTTP request on just one port number, i.e. all JSPs and web services would have the same port number, which is defined in /export/home/app/jboss/server/default/deploy/jbossweb-tomcat55.sar/server.xml
on my development server the server.xml looks like following:
<Server>
<Service name="jboss.web"
className="org.jboss.web.tomcat.tc5.StandardService">
<!-- A HTTP/1.1 Connector on port 8090 -->
<Connector port="8090" address="${jboss.bind.address}"
maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"/>
<!-- Add this option to the connector to avoid problems with
.NET clients that don't implement HTTP/1.1 correctly
restrictedUserAgents="^.*MS Web Services Client Protocol 1.1.4322.*$"
-->
<!-- An AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="${jboss.bind.address}"
emptySessionPath="true" enableLookups="false" redirectPort="8443"
protocol="AJP/1.3"/>
<Engine name="jboss.web" defaultHost="localhost">
<Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
allRolesMode="authOnly"
/>
<Host name="localhost"
autoDeploy="false" deployOnStartup="false" deployXML="false">
</Host>
</Engine>
</Service>
</Server>
Is it right?
thanks
I found the answer, I guess: actually JBoss 4.0.4 uses Tomcat as its web server, and it contains a server.xml that can be configured to listen on different ports, as described in this article:
http://www.mulesoft.com/tcat/tomcat-connectors
Actually, I should have defined a different connector and engine element in server.xml, and it is done.
As I said, I modified my server.xml as following:
<Server>
<!-- Use a custom version of StandardService that allows the
connectors to be started independent of the normal lifecycle
start to allow web apps to be deployed before starting the
connectors.
-->
<Service name="jboss.web"
className="org.jboss.web.tomcat.tc5.StandardService">
<!-- A HTTP/1.1 Connector on port 8090 -->
<Connector port="8090" address="${jboss.bind.address}"
maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"/>
<!-- Add this option to the connector to avoid problems with
.NET clients that don't implement HTTP/1.1 correctly
restrictedUserAgents="^.*MS Web Services Client Protocol 1.1.4322.*$"
-->
<!-- An AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="${jboss.bind.address}"
emptySessionPath="true" enableLookups="false" redirectPort="8443"
protocol="AJP/1.3"/>
<!-- SSL/TLS Connector configuration using the admin devl guide keystore
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS" />
-->
<Engine name="jboss.web" defaultHost="localhost">
<Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
allRolesMode="authOnly"
/>
<Host name="localhost"
autoDeploy="false" deployOnStartup="false" deployXML="false">
</Host>
</Engine>
</Service>
<Service name="jboss.webservice"
className="org.jboss.web.tomcat.tc5.StandardService">
<!-- A HTTP/1.1 Connector on port 8099 for the web service -->
<Connector port="8099" address="${jboss.bind.address}"
maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"/>
<Engine name="jboss.webservice" defaultHost="localhost">
<Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
allRolesMode="authOnly"
/>
<Host name="localhost"
autoDeploy="false" deployOnStartup="false" deployXML="false">
<Context path="/"></Context>
</Host>
</Engine>
</Service>
</Server>
As you can see, I have added a new Service tag and named it "jboss.webservice". I think the rest of the XML is declarative and needs no further explanation.
Anyway, don't forget to kill the JBoss process in Solaris and run it again.
I tried these commands, and after JBoss was up again I was able to telnet to that port. :)
#ps -ef | grep 0.0.0
//here I get the process id of jboss, assume i get 1234
#kill -9 1234
//here I kill it
#cd /export/home/app/jboss/bin
//here i go to my jboss bin directory to run it
#nohup ./run.sh &
//here jboss is run
//now telnet
# telnet myIpadd 8099
That's it.
Hope it helps.
