Why is Apache not proxying to Tomcat?

Question

Apache 2.4 and Tomcat 9 are installed on the same Ubuntu 20.04 server. I'm trying to set up Apache as a reverse proxy to Tomcat. This configuration is already working perfectly on an Apache 2.4/Tomcat 7/Ubuntu 16.04 system, but I'm having trouble transferring it to the new server.

mod_proxy and mod_proxy_ajp are enabled on Apache. The Proxy/ReverseProxy directives are contained in a site config file mysite.conf, and they're identical to the directives on the older, functioning system.

By itself, Apache works. If I substitute the default site config for mysite.conf, I successfully get the Ubuntu Apache2 default page.

In Tomcat's server.xml file, I've uncommented the AJP connector and edited it slightly:

    <Connector protocol="AJP/1.3"
               port="8009"
               redirectPort="8443"
               enableLookups="false"
               URIEncoding="UTF-8" />

This is also identical to the config on the older, functioning system.

By itself, Tomcat works. If I access the server specifying port 8080, I get the webapp that it's serving. The error is somewhere in the Apache/Tomcat connection.

When I attempt to connect via Apache (i.e., with mysite.conf enabled), the connection results in a 503 "Service Unavailable" error from Apache. These lines appear in the /var/log/apache2/error.log file:

[Fri Mar 26 13:33:12.507582 2021] [proxy_ajp:error] [pid 349130] (70007)The timeout specified has expired: AH01030: ajp_ilink_receive() can't receive header
[Fri Mar 26 13:33:12.507633 2021] [proxy_ajp:error] [pid 349130] [client 10.11.12.13:53812] AH00992: ajp_read_header: ajp_ilink_receive failed
[Fri Mar 26 13:33:12.507643 2021] [proxy_ajp:error] [pid 349130] (70007)The timeout specified has expired: [client 10.11.12.13:53812] AH00878: read response failed from 127.0.0.1:8009 (localhost)

I searched for these errors, but the only suggestions I could find (setting ProxyTimeout 600 in Apache's mysite.conf, for example) did not have any effect on the problem.

Am I missing something? How can I troubleshoot this further?

score 2 · Answer 1 · answered Mar 26 '21 at 19:02

Two things:

The redirectPort="8443" attribute for the AJP Connector in Tomcat's server.xml is for SSL connections. Since I'm still working on the basic connection, I haven't enabled SSL yet, so this should be redirectPort="8080"
Between the two versions of Tomcat that I'm using, the attribute secretRequired for the AJP Connector was changed from a default of false to a default of true. Since I wasn't sending a password with the proxy connection, it failed. Discovered this when I finally remembered to check the Tomcat logs, too (/var/log/tomcat9/catalina.{date}.log on Ubuntu).

The following AJP config works and allows me to load the webapp reverse-proxied through Apache:

    <Connector protocol="AJP/1.3"
               port="8009"
               redirectPort="8080"
               enableLookups="false"
               URIEncoding="UTF-8"
               secretRequired="false" />

`redirectPort` should only point to an SSL port. Until then you can disable the redirect using `redirectPort="0"`. — Piotr P. Karwasz, Mar 27 '21 at 20:50

Why is Apache not proxying to Tomcat?

1 Answers1