This works with Tomcat 8.5.50. However, with Tomcat 8.5.51, Apache cannot connect via AJP with the following error:
[Tue Mar 10 20:15:31.378937 2020] [proxy:error] [pid 42:tid 139841308157696] (111)Connection refused: AH00957: AJP: attempt to connect to 172.28.0.5:8009 (tomcatserver) failed
[Tue Mar 10 20:15:31.379336 2020] [proxy_ajp:error] [pid 42:tid 139841308157696] [client 192.168.0.1:58054] AH00896: failed to make connection to backend: tomcatserver
The Apache is on version 2.4.38:
Server version: Apache/2.4.38 (Debian)
Server built: 2019-10-15T19:53:42
The AJP connector in the server.xml has secretRequired="false". Everything is set up via Docker Compose.
3 Answers
The configuration for secretRequired isn’t the only thing that changed:
From https://tomcat.apache.org/migration-85.html#Upgrading_8.5.x
On top of that, the stock server.xml even has the AJPConnector commented, so it won’t be active without being explicitly enabled.
Try adding allowedRequestAttributesPattern=".*" to the connector def.

Proceeding from where Olaf left off, follow these steps:
(1) You may omit the address attribute.
(2) Change the secretRequired attribute to secretRequired="true", or equivalently, leave it out. (The default value is True).
(3) Add a secret attribute to the workers.properties file and to the server.xml file. You may choose whatever secret you want, on condition that the values in both files match exactly.
(4) For the time being, add to the AJP connector the attribute allowedRequestAttributesPattern=".*", as T Cervenka suggests.
You should then end up with something like,
workers.properties
server.xml
<Connector port="8009" protocol="AJP/1.3" maxThreads="500" secret="F45A93BF-3AA7-4CB4-E49A-DB34573E4A25" allowedRequestAttributesPattern=".*" />
The value of allowedRequestAttributesPattern must be a regular expression. It represents the request attributes passed from the reverse proxy to the AJP connector. See the Tomcat docs for details. https://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html

The regex value for allowedRequestAttributesPattern must be an exact match for the request attributes passed in the AJP protocol. Its default value (where you don’t mention the attribute) is null: this is known to break requests. If in doubt, use the regex wildcard, ".*", as above.
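
Added example, not part of the answers above: a Python check that reads a server.xml and reports, for each AJP connector, where it stands on the attributes discussed in this thread. The sample XML is constructed, and the defaults applied for absent attributes (loopback address, secretRequired true, no pattern) are assumed to be those of Tomcat 8.5.51 and later.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the connector from the answer above plus a weaker variant.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" maxThreads="500"
             secret="F45A93BF-3AA7-4CB4-E49A-DB34573E4A25"
             allowedRequestAttributesPattern=".*" />
  <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0"
             secretRequired="false" />
</Service></Server>"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_ajp(server_xml):
    """Return {port: [findings]} for every AJP connector in server_xml."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        # Assumed defaults for absent attributes (Tomcat 8.5.51 and later):
        # address=loopback, secretRequired=true, no attribute pattern.
        address = conn.get("address")
        exposed = address is not None and address not in LOOPBACK
        required = conn.get("secretRequired", "true").lower() == "true"
        secret = conn.get("secret")
        pattern = conn.get("allowedRequestAttributesPattern")
        findings = []
        if not exposed:
            findings.append("listens on loopback only: a proxy on another "
                            "host or container gets 'Connection refused'")
        if required and not secret:
            findings.append("secretRequired is true but secret is empty: "
                            "the connector will not start")
        if exposed and not secret:
            findings.append("non-loopback listener without a shared secret")
        if pattern is None:
            findings.append("no allowedRequestAttributesPattern: requests "
                            "with unrecognised attributes get a 403")
        elif pattern == ".*":
            findings.append("pattern '.*' accepts every request attribute: "
                            "narrow it once the proxy's attributes are known")
        report[conn.get("port")] = findings
    return report

if __name__ == "__main__":
    for port, findings in audit_ajp(SAMPLE_SERVER_XML).items():
        print(port, *findings, sep="\n  - ")
```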