What exactly does the AJP connector on 8009 do?


What exactly does the AJP connector on 8009 do?

James H. H. Lampert
We've just gotten a complaint about a vulnerability involving AJP (to
something called "Ghostcat") from a customer. The report from the
security consultant recommends updating to a more recent version of
Tomcat, and I note that we've already started rolling out 7.0.108 to
customers.

Looking at server.xml, the only reference to AJP is in relation to port
8009, and that this connector is commented out in 108, but not in 93.

So what exactly *is* this connector, and what purpose does it serve?

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: What exactly does the AJP connector on 8009 do?

Christopher Schultz-2
James,

On 4/5/21 14:58, James H. H. Lampert wrote:

> We've just gotten a complaint about a vulnerability involving AJP (to
> something called "Ghostcat") from a customer. The report from the
> security consultant recommends updating to a more recent version of
> Tomcat, and I note that we've already started rolling out 7.0.108 to
> customers.
>
> Looking at server.xml, the only reference to AJP is in relation to port
> 8009, and that this connector is commented out in 108, but not in 93.
>
> So what exactly *is* this connector, and what purpose does it serve?

If you are not running a reverse-proxy in front of Tomcat, then it does
absolutely nothing for you.

If you *are* running a reverse-proxy in front of Tomcat, then it *may*
do something for you, depending upon what software you are using and
what its configuration is.

IMHO, it's time for AJP to go. [1]

(This is another reminder to me to get off my butt and post all the
presentations from ApacheCon @Home to the "Presentations" page.)

-chris

[1] https://www.youtube.com/watch?v=qUjUEvGFstI


Re: What exactly does the AJP connector on 8009 do?

James H. H. Lampert
On 4/5/21 1:22 PM, Christopher Schultz wrote:
> If you are not running a reverse-proxy in front of Tomcat, then it does
> absolutely nothing for you.
>
> If you *are* running a reverse-proxy in front of Tomcat, then it *may*
> do something for you, depending upon what software you are using and
> what its configuration is.

Thanks.

Hmm. We have *something* on one of our cloud servers, that has Tomcat
sitting behind httpd (on the same box), and we have load balancing
(through a couple of AWS Beanstalks) on our cloud-based product, but I
don't know if the AJP port is involved in any of that.

--
JHHL


Re: What exactly does the AJP connector on 8009 do?

André Warnier (tomcat/perl)
On 06.04.2021 00:45, James H. H. Lampert wrote:

> On 4/5/21 1:22 PM, Christopher Schultz wrote:
>> If you are not running a reverse-proxy in front of Tomcat, then it does absolutely
>> nothing for you.
>>
>> If you *are* running a reverse-proxy in front of Tomcat, then it *may* do something for
>> you, depending upon what software you are using and what its configuration is.
>
> Thanks.
>
> Hmm. We have *something* on one of our cloud servers, that has Tomcat sitting behind httpd
> (on the same box), and we have load balancing (through a couple of AWS Beanstalks) on our
> cloud-based product, but I don't know if the AJP port is involved in any of that.
>

I don't know about AWS Beanstalks, but for Apache httpd, there are some tell-tale
configuration directives in the Apache httpd configuration files, which - if present -
will tell you if Apache httpd is communicating with the back-end tomcat using the AJP
protocol (and hence tomcat's AJP Connector).
Look for any of:
- ProxyPass instructions mentioning "AJP:"
- SetHandler jakarta-servlet
- JkMount
(case generally does not matter)

(Note that under Linux(es), your Apache httpd config files may be spread in small chunks
all over the place, generally in locations such as "/etc/apache2/*" or "/etc/httpd/*") (*)
Relevant documentation is available here:
1) http://tomcat.apache.org/connectors-doc/
2) http://tomcat.apache.org/connectors-doc/reference/apache.html
3) http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
4) (more complicated cases) http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#rewriterule

Also, if Apache httpd uses AJP to communicate with tomcat, then one of these Apache
httpd add-on modules will be loaded and configured:
- mod_jk
- mod_proxy_ajp
To find out which modules are loaded by Apache httpd, use the following command:
# apache2ctl -M
(Note that the mere fact that a module is loaded does not necessarily mean that it is
being *used*; but if neither of them is loaded, then you can be pretty sure that Apache
httpd is NOT using AJP)

Shortcut:
- comment-out the AJP Connector in the tomcat configuration
- restart tomcat
- and wait for desperate support calls

(*) This is not a criticism: it is very flexible that way; it's just a bit more work to
search for the right files.
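As an added example (not code from the thread, from httpd or from the Tomcat project), here is a small Python script that applies the checks described above to constructed input: it scans httpd configuration fragments for the three tell-tale directives, case-insensitively and ignoring commented-out lines, and reads `apache2ctl -M` style output for mod_jk and mod_proxy_ajp, which httpd lists under their module identifiers jk_module and proxy_ajp_module. The file names, the configuration text and the module listing are all constructed sample data; on a real host you would feed it the files found under /etc/apache2 or /etc/httpd and the real `apache2ctl -M` output.

```python
import re
from typing import Dict, List, Tuple

# Constructed httpd configuration fragments keyed by file name, standing in for
# the small chunks spread under /etc/apache2/* or /etc/httpd/*.
SAMPLE_HTTPD_CONFIG: Dict[str, str] = {
    "conf-enabled/proxy-tomcat.conf": (
        "# reverse-proxy the app to the local Tomcat\n"
        "ProxyPass        /app  ajp://127.0.0.1:8009/app\n"
        "ProxyPassReverse /app  ajp://127.0.0.1:8009/app\n"
    ),
    "conf-enabled/static.conf": "Alias /static /var/www/static\n",
    "conf-enabled/jk.conf": (
        "JkMount /legacy/* worker1\n"
        "<Location /other>\n"
        "  SetHandler jakarta-servlet\n"
        "</Location>\n"
    ),
}

# Constructed text in the shape of `apache2ctl -M` output.
SAMPLE_MODULES_OUTPUT = """Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_ajp_module (shared)
 ssl_module (shared)
"""

# The tell-tale directives named in the thread. httpd directive names are
# case-insensitive, so match them that way (ProxyPass, ProxyPassMatch and
# ProxyPassReverse all count when they point at an ajp: URL).
AJP_DIRECTIVE_PATTERNS = [
    ("ProxyPass* ... ajp:", re.compile(r"^\s*ProxyPass\w*\b.*\bajp:", re.IGNORECASE)),
    ("SetHandler jakarta-servlet", re.compile(r"^\s*SetHandler\s+jakarta-servlet\b", re.IGNORECASE)),
    ("JkMount", re.compile(r"^\s*JkMount\b", re.IGNORECASE)),
]

# Module identifiers as `apache2ctl -M` prints them for mod_jk and mod_proxy_ajp.
AJP_MODULES = {"jk_module", "proxy_ajp_module"}
MODULE_LINE = re.compile(r"^\s*(\w+)\s+\((?:static|shared)\)")


def find_ajp_directives(config_files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (file, line number, directive label, line) for each AJP tell-tale."""
    hits = []
    for name, text in config_files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue  # a commented-out directive proves nothing
            for label, pattern in AJP_DIRECTIVE_PATTERNS:
                if pattern.search(line):
                    hits.append((name, lineno, label, line.strip()))
                    break
    return hits


def ajp_modules_loaded(modules_output: str) -> List[str]:
    """Pick mod_jk / mod_proxy_ajp out of `apache2ctl -M` style output."""
    loaded = []
    for line in modules_output.splitlines():
        m = MODULE_LINE.match(line)
        if m and m.group(1) in AJP_MODULES:
            loaded.append(m.group(1))
    return loaded


def httpd_uses_ajp(config_files: Dict[str, str], modules_output: str) -> bool:
    """Follow the rule given in the thread: no AJP module loaded means no AJP at all,
    while a loaded module is only suggestive, so also require a directive that uses it."""
    return bool(ajp_modules_loaded(modules_output)) and bool(find_ajp_directives(config_files))


if __name__ == "__main__":
    for hit in find_ajp_directives(SAMPLE_HTTPD_CONFIG):
        print("%s:%d  [%s]  %s" % hit)
    print("AJP modules loaded:", ajp_modules_loaded(SAMPLE_MODULES_OUTPUT))
    print("httpd uses AJP:", httpd_uses_ajp(SAMPLE_HTTPD_CONFIG, SAMPLE_MODULES_OUTPUT))
```

The script reports the file and line of every match so the directive can be inspected in context; a hit in a file that is not actually included by httpd is still a false positive, which is why the module listing is consulted as a second signal.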


Re: What exactly does the AJP connector on 8009 do?

Konstantin Kolinko
In reply to this post by James H. H. Lampert
Mon, 5 Apr 2021 at 21:59, James H. H. Lampert <[hidden email]>:

>
> We've just gotten a complaint about a vulnerability involving AJP (to
> something called "Ghostcat") from a customer. The report from the
> security consultant recommends updating to a more recent version of
> Tomcat, and I note that we've already started rolling out 7.0.108 to
> customers.
>
> Looking at server.xml, the only reference to AJP is in relation to port
> 8009, and that this connector is commented out in 108, but not in 93.
>
> So what exactly *is* this connector, and what purpose does it serve?

A well-configured instance of Apache Tomcat should serve requests
either over "http:"/"https:" or over "ajp:", but not both. The clients
for http: protocol are web browsers. The clients for AJP protocol are
web servers (proxies).

See also
https://tomcat.apache.org/connectors-doc/
https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
https://en.wikipedia.org/wiki/Apache_JServ_Protocol

Best regards,
Konstantin Kolinko
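As an added example (not code from the thread or from the Tomcat project), the following Python script checks a server.xml against the "http or ajp, but not both" rule above and against the AJP connector attributes documented on the linked ajp.html page (`address`, `secretRequired`, `secret`). It parses the file with the standard library's ElementTree, which discards XML comments, so a connector that has been commented out (as in the newer default mentioned at the top of the thread) is correctly treated as absent. The two server.xml excerpts are constructed sample input, not real deployment files.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed server.xml excerpts (sample input, not files from the thread).
# The first models the older default with the AJP connector active, the
# second the newer shipped default with that connector commented out.
SERVER_XML_AJP_ACTIVE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

SERVER_XML_AJP_COMMENTED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!--
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def active_connectors(server_xml: str) -> List[Dict[str, str]]:
    """Attribute maps of every <Connector> that is actually in effect.

    ElementTree drops XML comments while parsing, so a connector that has been
    commented out never appears here: that is exactly the difference between
    the two server.xml versions the thread compares.
    """
    root = ET.fromstring(server_xml)
    return [dict(conn.attrib) for conn in root.iter("Connector")]


def is_ajp(connector: Dict[str, str]) -> bool:
    # Tomcat accepts "AJP/1.3" or a fully qualified org.apache.coyote.ajp.* class;
    # a missing protocol attribute means HTTP/1.1.
    return "ajp" in connector.get("protocol", "HTTP/1.1").lower()


def audit_connectors(server_xml: str) -> Dict[str, List[str]]:
    """Which ports speak HTTP, which speak AJP, and what an AJP connector lacks."""
    http_ports: List[str] = []
    ajp_ports: List[str] = []
    findings: List[str] = []
    for conn in active_connectors(server_xml):
        port = conn.get("port", "?")
        if not is_ajp(conn):
            http_ports.append(port)
            continue
        ajp_ports.append(port)
        address = conn.get("address")
        if address is None:
            findings.append(f"AJP {port}: no address attribute, bind it explicitly "
                            "(loopback when the proxy runs on the same box)")
        elif address not in LOOPBACK_ADDRESSES:
            findings.append(f"AJP {port}: listens on {address}, make sure only the proxy can reach it")
        if "secret" not in conn:
            findings.append(f"AJP {port}: no shared secret (secretRequired/secret) configured")
    if http_ports and ajp_ports:
        findings.append("both HTTP and AJP connectors are active; a proxied Tomcat needs only AJP "
                        "and a directly exposed one only HTTP")
    return {"http": http_ports, "ajp": ajp_ports, "findings": findings}


if __name__ == "__main__":
    for label, xml_text in (("AJP active", SERVER_XML_AJP_ACTIVE),
                            ("AJP commented out", SERVER_XML_AJP_COMMENTED)):
        report = audit_connectors(xml_text)
        print(label, "->", "http:", report["http"], "ajp:", report["ajp"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run against a real server.xml (`audit_connectors(open(path).read())`) the findings list is the checklist: an AJP connector with no explicit address and no secret, next to a live HTTP connector, is the configuration the thread is warning about; an empty list on a proxied host means the connector is bound, authenticated and alone.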


Re: What exactly does the AJP connector on 8009 do?

Christopher Schultz-2
In reply to this post by André Warnier (tomcat/perl)
André,

On 4/6/21 05:53, André Warnier (tomcat/perl) wrote:

> On 06.04.2021 00:45, James H. H. Lampert wrote:
>> On 4/5/21 1:22 PM, Christopher Schultz wrote:
>>> If you are not running a reverse-proxy in front of Tomcat, then it
>>> does absolutely nothing for you.
>>>
>>> If you *are* running a reverse-proxy in front of Tomcat, then it
>>> *may* do something for you, depending upon what software you are
>>> using and what its configuration is.
>>
>> Thanks.
>>
>> Hmm. We have *something* on one of our cloud servers, that has Tomcat
>> sitting behind httpd (on the same box), and we have load balancing
>> (through a couple of AWS Beanstalks) on our cloud-based product, but I
>> don't know if the AJP port is involved in any of that.
>>
>
> I don't know about AWS Beanstalks

They almost certainly do not support AJP.

> but for Apache httpd, there are some
> tell-tale configuration directives in the Apache httpd configuration
> files, which - if present - will tell you if Apache httpd is
> communicating with the back-end tomcat using the AJP protocol (and hence
> tomcat's AJP Connector).
> Look for either of :
> - ProxyPass instructions mentioning "AJP:"
> - SetHandler jakarta-servlet
> - JkMount
> (case does generally not matter)

+1

> Shortcut :
> - comment-out the AJP Connector in the tomcat configuration
> - restart tomcat
> - and wait for desperate support calls

:)

> (*) This is not a critic : it is very flexible that way; it's just a bit
> more work to search for the right files.

You can also run httpd and have it dump the list of all included files:

$ apachectl -t -D DUMP_INCLUDES

It seems silly that "apachectl" doesn't have a
"--dump-effective-configuration" option which just dumps out EVERYTHING,
as httpd would see the complete configuration.

-chris


[OT] Re: What exactly does the AJP connector on 8009 do?

Olaf Kock
In reply to this post by André Warnier (tomcat/perl)

On 06.04.21 11:53, André Warnier (tomcat/perl) wrote:
>
> Shortcut :
> - comment-out the AJP Connector in the tomcat configuration
> - restart tomcat
> - and wait for desperate support calls
>
That reminds me of the common wisdom in System Administration:

*Everybody* has a dedicated testing system. Always!

*Some* are lucky that they have a completely separate production system.


(lost the source)



Re: [OT] Re: What exactly does the AJP connector on 8009 do?

Christopher Schultz-2
Olaf,

On 4/6/21 12:11, Olaf Kock wrote:

>
> On 06.04.21 11:53, André Warnier (tomcat/perl) wrote:
>>
>> Shortcut :
>> - comment-out the AJP Connector in the tomcat configuration
>> - restart tomcat
>> - and wait for desperate support calls
>>
> That reminds me of the common wisdom in System Administration:
>
> *Everybody* has a dedicated testing system. Always!
>
> *Some* are lucky that they have a completely separate production system.

That's ... amazing.

http://www.quickmeme.com/meme/2gs6

-chris


Re: [OT] Re: What exactly does the AJP connector on 8009 do?

James H. H. Lampert
In reply to this post by Olaf Kock
On 4/6/21 9:11 AM, Olaf Kock wrote:
> *Everybody* has a dedicated testing system. Always!
>
> *Some* are lucky that they have a completely separate production system.

We expect disk drives to fail. So we plan for it, using some form of
RAID (full mirroring in my case).

And so the power supply fails instead.

Also:

The likelihood of a power supply failure is inversely proportional to
its maintenance accessibility.

--
JHHL
