3

Because of the bug CVE-2020-1938 we want to use the latest Tomcat 7.0.100. See also CVE-2020-1938 We also use an Apache server in version 2.4, which connects to the Tomcat via AJP.

The latest Tomcat version requires various new settings for secure communication, which we have made. Unfortunately we always get the HTTP error 403 and don't know why.

In the Apache workers.properties we have the following settings:

worker.list=okkommwm57f
ps=\
worker.okkommwm57f.type=ajp13
worker.okkommwm57f.host=192.168.181.240
worker.okkommwm57f.secret=123456
worker.okkommwm57f.port=8309
worker.okkommwm57f.socket_keepalive=1
worker.okkommwm57f.connect_timeout=10000  
worker.okkommwm57f.prepost_timeout=10000
worker.okkommwm57f.socket_timeout=10
worker.okkommwm57f.connection_pool_timeout=600

The AJP connector configuration looks like this:

<Connector port="8309" protocol="AJP/1.3" redirectPort="8443" secretRequired="true" secret="123456" address="192.168.181.240" />

When I test the site, I keep getting the HTTP error 403. I have tried different versions, but to no avail. Have already set "secretRequired" to "false". Does not work too.

Maybe someone has an idea and can help me to solve the problem. Thank you.

egmontr
  • 33
  • 1
  • 5
  • You should check both Apache and Tomcat's logs. `mod_proxy_ajp` [didn't support the `secret` value](https://serverfault.com/a/1004617/530633) until Apache 2.5, so you should set `secretRequired` to `false` and remove the `secret`. – Piotr P. Karwasz Mar 05 '20 at 18:03

2 Answers2

6

I had the same issue.

I had to add allowedRequestAttributesPattern=".*" to the connector

So in your case 

<Connector port="8309" protocol="AJP/1.3" redirectPort="8443" secretRequired="true" secret="123456" address="192.168.181.240" allowedRequestAttributesPattern=".*" />

This is a new attribute which has been added with Tomcat 7.0.100.

Add a new attribute, allowedRequestAttributesPattern to the AJP/1.3 Connector. Requests with unrecognised attributes will be blocked with a 403. (markt)

Although I haven't figured out what attribute we are sending. But if the setting works for you with a wildcard, you are probably sending attributes as part of your AJP request which are not recognized.

RobT
  • 76
  • 1
  • That was is. I had to set the attribute **allowedRequestAttributesPattern** to my SSL parameters devided by |. Thanks. – egmontr Mar 24 '20 at 08:14
  • This solves the issue in [Tomcat 8.5.51-53](http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Introduction) as well. – Parker Mar 29 '20 at 12:55
  • Is `allowedRequestAttributesPattern=".*"` related to Tomcat's CORS Filter in any way? After setting up a secret, now I'm having issues with CORS. All of my Apache and Tomcat services are all on the same box. – NamedArray Mar 16 '21 at 19:46
2

I had the same issue. The trick was to set a password. So the following solved the issue for us:

server.xml:

<Connector port="8109" protocol="AJP/1.3" redirectPort="8443" secret="verysecure" secretRequired="true"/>

worker.properties:

worker.tomcat-06.secret=verysecure
Thomas
  • 41
  • 4
  • I had already a password and it didn't work. Only after I removed special chars like "€" from the password, it started working. So check your password for special chars if it doesn't work. – user3992979 May 26 '21 at 17:34