
This works with Tomcat 8.5.50. However, with Tomcat 8.5.51, Apache cannot connect via AJP with the following error:

[Tue Mar 10 20:15:31.378937 2020] [proxy:error] [pid 42:tid 139841308157696] (111)Connection refused: AH00957: AJP: attempt to connect to 172.28.0.5:8009 (tomcatserver) failed
[Tue Mar 10 20:15:31.379336 2020] [proxy_ajp:error] [pid 42:tid 139841308157696] [client 192.168.0.1:58054] AH00896: failed to make connection to backend: tomcatserver

Apache is at version 2.4.38:

Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42

The AJP connector in the server.xml has secretRequired="false". Everything is set up via Docker Compose.

3 Answers


  1. The configuration for secretRequired isn’t the only thing that changed:

    From https://tomcat.apache.org/migration-85.html#Upgrading_8.5.x

    • In 8.5.51 onwards, the default listen address of the AJP Connector was changed to the loopback address rather than all addresses.
    • In 8.5.51 onwards, the requiredSecret attribute of the AJP Connector was deprecated and replaced by the secret attribute.
    • In 8.5.51 onwards, the secretRequired attribute was added to the AJP Connector. If set to true, the default, the AJP Connector will not
      start unless a secret has been specified.
    • In 8.5.51 onwards, the allowedRequestAttributesPattern attribute was added to the AJP Connector. Requests with unrecognised attributes
      will now be blocked with a 403.

    Reference: AJP connector.

    On top of that, the stock server.xml even has the AJP Connector commented out, so it won’t be active unless it is explicitly enabled.

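    The four changes above can be turned into a static check that is run before the container starts. The following is an added example, not code from the question, the answers or the Tomcat project: it parses an AJP <Connector> out of server.xml, applies the 8.5.51 defaults (secretRequired true, address loopback, allowedRequestAttributesPattern unset), and cross-checks the secret against a mod_jk workers.properties. The inputs are constructed inline from the question and from answer 3; the address="0.0.0.0" in the fixed config is an assumption for a proxy in another Docker Compose container (bind to the container's own network address instead where it is known). Note that the question's httpd uses mod_proxy_ajp, which only gained a secret= parameter on ProxyPass in httpd 2.4.42, so with 2.4.38 the secret can only be cross-checked for mod_jk, which is what this check does. It models the documented defaults; it does not run Tomcat.

```python
"""Added example (not code from the question or the answers): a static check
of an AJP <Connector> against the 8.5.51 defaults, with the mod_jk worker's
secret cross-checked. Inputs are constructed inline; in practice read them
from Tomcat's conf/server.xml and httpd's workers.properties."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_workers(text):
    """Minimal parser for the key=value lines of a workers.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_ajp_connector(server_xml, workers, proxy_is_remote=True):
    """Return a list of findings; empty means the connector should start and
    accept requests from the worker(s) that point at its port."""
    findings = []
    root = ET.fromstring(server_xml)
    ajp = [c for c in root.iter("Connector") if c.get("protocol", "").startswith("AJP/")]
    if not ajp:
        return ["no active AJP connector: the stock server.xml ships with it commented out"]
    conn = ajp[0]
    secret = conn.get("secret")
    # secretRequired defaults to true since 8.5.51
    required = conn.get("secretRequired", "true").lower() == "true"
    if required and not secret:
        findings.append("secretRequired is true (the default) but no secret is set: connector will not start")
    if not required:
        findings.append("secretRequired=false: any host that can reach the port can submit AJP requests")
    # address defaults to the loopback address since 8.5.51
    if proxy_is_remote and conn.get("address", "127.0.0.1") in LOOPBACK:
        findings.append("address is loopback (the default): a proxy on another host/container gets Connection refused")
    # every mod_jk worker that targets this port must carry the same secret
    for name in (w.strip() for w in workers.get("worker.list", "").split(",") if w.strip()):
        if workers.get("worker.%s.port" % name, "8009") != conn.get("port", "8009"):
            continue
        if secret and workers.get("worker.%s.secret" % name) != secret:
            findings.append("worker %s: secret does not match the connector's secret" % name)
    if conn.get("allowedRequestAttributesPattern") is None:
        findings.append("allowedRequestAttributesPattern unset: unrecognised proxy request attributes get a 403")
    return findings


# Constructed from the question: secretRequired="false" and no address attribute.
QUESTION_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" secretRequired="false" />
</Service></Server>"""

# Constructed from answer 3, plus address="0.0.0.0" (an assumption so that a
# proxy in another container can reach it; prefer the container's own address).
FIXED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0"
             secret="F45A93BF-3AA7-4CB4-E49A-DB34573E4A25"
             allowedRequestAttributesPattern=".*" />
</Service></Server>"""

# Constructed mod_jk worker pointing at the tomcatserver container.
WORKERS = parse_workers("""
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=tomcatserver
worker.worker1.port=8009
worker.worker1.secret=F45A93BF-3AA7-4CB4-E49A-DB34573E4A25
""")

if __name__ == "__main__":
    for label, doc in (("question", QUESTION_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(label, check_ajp_connector(doc, WORKERS) or ["OK"])
```

    Run against the question's connector the check reports the loopback bind (which is the actual cause of the Connection refused in the question), the disabled secret requirement and the unset attribute pattern; against the fixed connector it reports nothing.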
  2. Try adding allowedRequestAttributesPattern=".*" to the connector def.

  3. Proceeding from where Olaf left off, follow these steps:

    (1) You may omit the address attribute.

    (2) Change the secretRequired attribute to secretRequired="true", or equivalently, leave it out (the default value is true).

    (3) Add a secret attribute to the workers.properties file and to the server.xml file. You may choose whatever secret you want, on condition that the values in both files match exactly.

    (4) For the time being, add to the AJP connector the attribute allowedRequestAttributesPattern=".*", as T Cervenka suggests.

    You should then end up with something like,

    workers.properties

    # mod_jk worker on the httpd side; the secret must match the Tomcat connector
    worker.list=worker1
    
    worker.worker1.type=ajp13
    worker.worker1.host=localhost
    worker.worker1.port=8009
    
    # same value as the secret attribute in server.xml
    worker.worker1.secret=F45A93BF-3AA7-4CB4-E49A-DB34573E4A25
    

    server.xml

    <!-- AJP connector on the Tomcat side; secret must match workers.properties -->
    <Connector port="8009" protocol="AJP/1.3" maxThreads="500" secret="F45A93BF-3AA7-4CB4-E49A-DB34573E4A25" allowedRequestAttributesPattern=".*" />

    The value of allowedRequestAttributesPattern must be a regular expression. It represents the request attributes passed from the reverse proxy to the AJP connector. See the Tomcat docs for details. https://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html.

    The regex value for allowedRequestAttributesPattern must be an exact match for the request attributes passed in the AJP protocol. Its default value (where you don’t mention the attribute) is null: this is known to break requests. If in doubt, use the regex wildcard, ".*", as above.

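    What the secret and the allowedRequestAttributesPattern regex actually act on is the attribute list at the end of the AJP13 ForwardRequest the proxy sends. The following is an added example, not code from the question, the answers or Tomcat: it encodes such a request with the shared secret (attribute code 0x0C) and a custom name/value request attribute (code 0x0A), decodes it again, and applies a simplified model of the two 8.5.51 checks (secret match, then fullmatch of each attribute name against the pattern, with a null pattern allowing none). The byte layout follows the public AJP13 protocol description; the decision function is a model of Tomcat's behaviour, not Tomcat's code, and leaves out the few built-in attribute names Tomcat recognises before applying the pattern. The attribute name MY_PROXY_HINT and the host names are constructed.

```python
"""Added example (not code from the question, the answers or Tomcat): build an
AJP13 ForwardRequest with secret and request attributes, decode it, and model
the 8.5.51 secret / allowedRequestAttributesPattern checks on it."""
import re
import struct

JK_AJP13_FORWARD_REQUEST = 0x02
SC_M_GET = 0x02
SC_A_REQ_ATTRIBUTE = 0x0A  # name/value attribute set by the proxy
SC_A_SECRET = 0x0C         # shared secret, sent on every request
SC_A_ARE_DONE = 0xFF       # terminates the attribute list


def enc_str(s):
    """AJP string: 2-byte big-endian length, bytes, NUL terminator."""
    raw = s.encode()
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def dec_str(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    if n == 0xFFFF:                      # AJP encoding of a null string
        return None, pos + 2
    return buf[pos + 2:pos + 2 + n].decode(), pos + 3 + n


def build_forward_request(uri, headers, attributes, secret=None):
    """Encode a GET ForwardRequest. Header names go as plain strings; the
    0xA0xx shortcut codes real proxies use for common headers are left out."""
    body = bytes([JK_AJP13_FORWARD_REQUEST, SC_M_GET])
    body += enc_str("HTTP/1.1") + enc_str(uri)
    body += enc_str("192.168.0.1") + enc_str("client") + enc_str("tomcatserver")
    body += struct.pack(">H", 80) + b"\x00"          # server_port, is_ssl=false
    body += struct.pack(">H", len(headers))
    for name, value in headers.items():
        body += enc_str(name) + enc_str(value)
    if secret is not None:
        body += bytes([SC_A_SECRET]) + enc_str(secret)
    for name, value in attributes.items():
        body += bytes([SC_A_REQ_ATTRIBUTE]) + enc_str(name) + enc_str(value)
    body += bytes([SC_A_ARE_DONE])
    return b"\x12\x34" + struct.pack(">H", len(body)) + body


def parse_forward_request(packet):
    """Decode uri, headers, attributes and secret from a packet built above."""
    if packet[:2] != b"\x12\x34":
        raise ValueError("not a proxy-to-container AJP packet")
    (length,) = struct.unpack_from(">H", packet, 2)
    body = packet[4:4 + length]
    if body[0] != JK_AJP13_FORWARD_REQUEST:
        raise ValueError("not a ForwardRequest")
    pos = 2                              # skip prefix code and method
    _protocol, pos = dec_str(body, pos)
    uri, pos = dec_str(body, pos)
    for _ in range(3):                   # remote_addr, remote_host, server_name
        _skip, pos = dec_str(body, pos)
    pos += 3                             # server_port (2 bytes) + is_ssl (1 byte)
    (num_headers,) = struct.unpack_from(">H", body, pos)
    pos += 2
    headers, attributes, secret = {}, {}, None
    for _ in range(num_headers):
        name, pos = dec_str(body, pos)
        headers[name], pos = dec_str(body, pos)
    while body[pos] != SC_A_ARE_DONE:
        code, pos = body[pos], pos + 1
        if code == SC_A_SECRET:
            secret, pos = dec_str(body, pos)
        elif code == SC_A_REQ_ATTRIBUTE:
            name, pos = dec_str(body, pos)
            attributes[name], pos = dec_str(body, pos)
        else:
            raise ValueError("attribute code 0x%02x not handled here" % code)
    return {"uri": uri, "headers": headers, "attributes": attributes, "secret": secret}


def tomcat_decision(req, configured_secret, allowed_pattern):
    """Model of the connector's checks: with a secret configured the request
    must carry the same value; every request attribute name must fullmatch
    allowedRequestAttributesPattern (null pattern: none allowed)."""
    if configured_secret is not None and req["secret"] != configured_secret:
        return 403, "secret missing or mismatched"
    for name in req["attributes"]:
        if allowed_pattern is None or not re.fullmatch(allowed_pattern, name):
            return 403, "request attribute %r not allowed" % name
    return 200, "forwarded to the web application"


SECRET = "F45A93BF-3AA7-4CB4-E49A-DB34573E4A25"   # value used in the answer above


def run_scenarios():
    """Constructed exchange; MY_PROXY_HINT is a hypothetical attribute name."""
    with_attr = parse_forward_request(build_forward_request(
        "/app/index.jsp", {"Host": "example.test"}, {"MY_PROXY_HINT": "cache"}, SECRET))
    plain = parse_forward_request(build_forward_request("/app/", {"Host": "example.test"}, {}, SECRET))
    return {
        "attr, pattern unset": tomcat_decision(with_attr, SECRET, None),
        "attr, pattern .*": tomcat_decision(with_attr, SECRET, ".*"),
        "attr, pattern MY_PROXY_.*": tomcat_decision(with_attr, SECRET, "MY_PROXY_.*"),
        "attr, wrong secret": tomcat_decision(with_attr, "another-secret", ".*"),
        "no attr, pattern unset": tomcat_decision(plain, SECRET, None),
    }


if __name__ == "__main__":
    for label, (status, reason) in run_scenarios().items():
        print("%-26s -> %d %s" % (label, status, reason))
```

    The scenarios show the trade-off behind step (4): with the pattern unset, a request that carries any proxy-set attribute is refused, while a request without such attributes still passes, so ".*" is the broad fix and a pattern naming only the attributes the proxy is known to send (here MY_PROXY_.*) is the tighter one.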