How to pass secret in rewriterule to AJP protocol

ajpapache-2.4Apache2rewritetomcat8

I have a Apache server running 2.4.6, Tomcat 8.5.33 running lucee.

We have rewrite rules that proxy to AJP on port 8009.

ProxyPassReverse / ajp://localhost:8009/ timeout=3600
RewriteEngine On

# Rewrite sitemap
RewriteRule ^/sitemap\.txt$ ajp://localhost:8009/sitemap/index.cfm?format=txt [P]
RewriteRule ^/sitemap\.xml$ ajp://localhost:8009/sitemap/index.cfm [P]

I need to implement the secret and am able to setup in server.xml without issue, but having a hard time finding out how I pass the secret via the rewrite rule???

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" maxThreads="400" requiredSecret="PasswordGoesHere!" />

Anyone have an idea on how I can pass the secret???

Thanks
Grant

Best Answer

The answer is unfortunately: You can't, unless you upgrade to some later Apache2 version that supports the secret flag in mod_proxy_ajp, and even then I don't quite understand how to pass the flag using a RewriteRule.

I have some machines with Debian 9, Apache2 2.4.25-3+deb9u9 and Tomcat8 8.5.54-0+deb9u. There was a defect filed in the debian bugs list (see https://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg561495.html), but this was closed as working as intended - they are not going to backport the patch to 2.4.25, so with your 2.4.6 you are definitely out of luck with getting this combination to work with a secret set.

The only solution to the problem would be to set secretRequired="false" in the connector configuration of your Tomcat's server.xml.

Related Solutions

AJP Checksum Error

Your network card has told the TCP stack that it can handle the TCP checksum calculation in hardware. This means the fields in the TCP header that are passed down the stack lack a checksum, as the card said it will add them before it puts them on the wire.

Unfortunately this means that anything snooping on the packet on the way out of the machine will see a packet without a correct checksum because the two bytes that make up the checksum retain the previous value of whatever data was written to that area of memory previously.

Tomcat – Stale Network connections to Tomcat AJP port

By default, mod_jk keeps all ajp13 connections open indefinitely but it does not send keepalives across the tcp session to the tomcat server. If that connection is idle, it will remain open. Firewalls however do not like idle sessions and after a period of inactivity, will sever that connection. This is why the initial connection to the application might hang. ajp13 will hand the connection off to a tcp connection that is currently open but the firewall has killed that connection.

Try add in workers.properties, this parameters for each worker:

worker.ajp13.socket_keepalive=True
worker.ajp13.connection_pool_timeout=300

In server.xml on the tomcat ajp13 connector section, add the connectionTimeout parameter:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
connectionTimeout="300000" />

I hope this help.

Best Answer

Related Solutions

AJP Checksum Error

Tomcat – Stale Network connections to Tomcat AJP port

Related Topic