imriss

Reputation: 1981

(111)Connection refused - Apache Reverse Proxy and Tomcat 8.5.51 - Docker Compose

This works with Tomcat 8.5.50. However, with Tomcat 8.5.51, Apache cannot connect via AJP with the following error:

[Tue Mar 10 20:15:31.378937 2020] [proxy:error] [pid 42:tid 139841308157696] (111)Connection refused: AH00957: AJP: attempt to connect to 172.28.0.5:8009 (tomcatserver) failed
[Tue Mar 10 20:15:31.379336 2020] [proxy_ajp:error] [pid 42:tid 139841308157696] [client 192.168.0.1:58054] AH00896: failed to make connection to backend: tomcatserver

Apache is version 2.4.38:

Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42

The AJP connector in the server.xml has secretRequired="false". Everything is set up via Docker Compose.

Upvotes: 2

Views: 7579

Answers (3)

user14699123

Reputation: 83

Proceeding from where Olaf left off, follow these steps:

(1) You may omit the address attribute.

(2) Change the secretRequired attribute to secretRequired="true", or equivalently, leave it out. (The default value is True).

(3) Add a secret attribute to the workers.properties file and to the server.xml file. You may choose whatever secret you want, on condition that the values in both files match exactly.

(4) For the time being, add to the AJP connector the attribute allowedRequestAttributesPattern=".*", as T Cervenka suggests.

You should then end up with something like:

workers.properties

worker.list=worker1

worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009

worker.worker1.secret=F45A93BF-3AA7-4CB4-E49A-DB34573E4A25

server.xml

<Connector port="8009" protocol="AJP/1.3" maxThreads="500" secret="F45A93BF-3AA7-4CB4-E49A-DB34573E4A25" allowedRequestAttributesPattern=".*" />

The value of allowedRequestAttributesPattern must be a regular expression. It represents the request attributes passed from the reverse proxy to the AJP connector. See the Tomcat docs for details. https://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html.

The regex value for allowedRequestAttributesPattern must be an exact match for the request attributes passed in the AJP protocol. Its default value (where you don't mention the attribute) is null: this is known to break requests. If in doubt, use the regex wildcard, ".*", as above.

Upvotes: 0

T. Cervenka

Reputation: 321

Try adding allowedRequestAttributesPattern=".*" to the connector def.

Upvotes: 1

Olaf Kock

Reputation: 48067

The configuration for secretRequired isn't the only thing that changed:

From https://tomcat.apache.org/migration-85.html#Upgrading_8.5.x

  • In 8.5.51 onwards, the default listen address of the AJP Connector was changed to the loopback address rather than all addresses.
  • In 8.5.51 onwards, the requiredSecret attribute of the AJP Connector was deprecated and replaced by the secret attribute.
  • In 8.5.51 onwards, the secretRequired attribute was added to the AJP Connector. If set to true, the default, the AJP Connector will not start unless a secret has been specified.
  • In 8.5.51 onwards, the allowedRequestAttributesPattern attribute was added to the AJP Connector. Requests with unrecognised attributes will now be blocked with a 403.

Reference: AJP connector.

On top of that, the stock server.xml even has the AJP Connector commented out, so it won't be active without being explicitly enabled.

Upvotes: 2
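Putting the answers above together, here is an added example that is not from the question or any of the answers: a small Python lint that parses a Tomcat server.xml and reports each 8.5.51 AJP change that would produce the "(111) Connection refused" in the question or stop the connector from starting. The two server.xml snippets it checks are constructed, and the secret value is a placeholder.

```python
"""Lint a Tomcat server.xml AJP connector against the 8.5.51 changes."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}

def check_ajp_connector(server_xml: str, proxy_is_remote: bool = True) -> list:
    """Return findings for every AJP Connector. proxy_is_remote=True means Apache
    runs in another container/host (Docker Compose), so loopback is unreachable."""
    findings = []
    root = ET.fromstring(server_xml)
    # ElementTree drops XML comments, so a commented-out connector is simply absent.
    ajp = [c for c in root.iter("Connector")
           if "AJP" in c.get("protocol", "").upper()]
    if not ajp:
        return ["no active AJP Connector: the stock server.xml ships it "
                "commented out, so it must be enabled explicitly"]
    for c in ajp:
        addr = c.get("address")  # 8.5.51+: default is loopback, not all addresses
        if proxy_is_remote and (addr is None or addr in LOOPBACK):
            findings.append(f"address={addr!r} listens on loopback only; "
                            "a remote proxy gets '(111) Connection refused'")
        if "requiredSecret" in c.attrib:
            findings.append("requiredSecret is deprecated in 8.5.51; use secret")
        if c.get("secretRequired", "true").lower() != "false" and not c.get("secret"):
            findings.append("secretRequired defaults to true but no secret is set; "
                            "the connector will not start")
        if c.get("allowedRequestAttributesPattern") is None:
            findings.append("allowedRequestAttributesPattern unset: requests with "
                            "unrecognised attributes are rejected with 403")
    return findings

# Constructed sample: a typical pre-8.5.51 connector, left unchanged after the upgrade.
BROKEN = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

# Constructed sample: bound to all container interfaces with a shared secret (placeholder).
FIXED = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0"
             secret="REPLACE-WITH-SHARED-SECRET"
             allowedRequestAttributesPattern=".*" />
</Service></Server>"""

if __name__ == "__main__":
    for name, xml in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_ajp_connector(xml) or ["ok"])
```

Binding to 0.0.0.0 restores the pre-8.5.51 behaviour; on a multi-homed host, the container's own address on the Compose network is the narrower choice.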
