what to do with address="::1"?

what to do with address="::1"?

John Larsen
Seems tomcat 9.0.31 has thrown me a curve and messed up my automation.

Where can I understand this change better?
"Rename the requiredSecret attribute of the AJP/1.3 Connector to secret and
add a new attribute secretRequired that defaults to true. When
secretRequired is true the AJP/1.3 Connector will not start unless the secret
attribute is configured to a non-null, non-zero length String. (markt)"

Or can I just change this to false? What is its purpose?

Thanks!

John Larsen

Re: what to do with address="::1"?

Mark Thomas-2
On 14/02/2020 13:45, John Larsen wrote:
> Seems tomcat 9.0.31 has thrown me a curve and messed up my automation.
>
> Where can i understand this change better?
> "Rename the requiredSecret attribute of the AJP/1.3 Connector to secret and
> add a new attribute secretRequired that defaults to true. When
> secretRequired is true the AJP/1.3 Connector will not start unless the secret
>  attribute is configured to a non-null, non-zero length String. (markt)"
>
> Or can I just change this to false? What is its purpose?

The purpose of that attribute is to stop you starting up Tomcat with an
AJP connector that is open to the world without stopping to think first.

AJP assumes all connecting clients are trusted.

You need to make sure that, through the combination of AJP
configuration, network configuration, etc., this is the case.

If you describe your particular use case, the people on this list should
be able to provide you with recommended configuration options.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: what to do with address="::1"?

John Larsen
I apologize - coffee started to kick in. The address="::1" portion is
commented out.

Will adding secret="false" in the server.xml bypass this issue?

<Connector protocol="AJP/1.3" port="8080" secret="false"
redirectPort="8443" />

Thanks,

John Larsen


Re: what to do with address="::1"?

Mark Thomas-2
On 14/02/2020 14:21, John Larsen wrote:
> I apologize - coffee started to kick in. The address="::1" portion is
> commented out.
>
> Will adding secret="false" in the server.xml bypass this issue?
>
> <Connector protocol="AJP/1.3" port="8080" secret="false"
> redirectPort="8443" />

That will give you an AJP connector that is only listening on the
loopback interface.

Mark



Re: what to do with address="::1"?

John Larsen
From my testing.

secretRequired="false" is still needed, though the docs say it's deprecated in
favor of just secret.
I also had to change the worker from host=localhost to host=127.0.0.1.

Also AJP13 connector protocol block is commented out where it never was
before.

I'd prefer acceptance of localhost by default and then add secret for
remote ajp servers.

John Larsen


Re: what to do with address="::1"?

Mark Thomas-2
On 14/02/2020 15:56, John Larsen wrote:
> From my testing.
>
> secretRequired="false" is still needed, though the docs say it's deprecated in
> favor of just secret.

Not correct.

You are confusing requiredSecret (which has been deprecated in favour of
secret) with secretRequired.

> I also had to change the worker from host=localhost to host=127.0.0.1.

That suggests that localhost resolves to something other than 127.0.0.1.

> Also AJP13 connector protocol block is commented out where it never was
> before.
>
> I'd prefer acceptance of localhost by default and then add secret for
> remote ajp servers.

While that might be secure enough by default for your use case, it isn't
secure enough by default for those users when not all users with the
ability to log on to the host are considered trusted.

Mark
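As an added illustration (not from this thread or the Tomcat project), the three AJP connector configurations the discussion touches, side by side: the snippet posted above with secret="false", the loopback-only connector without a secret that is acceptable when every local account is trusted, and a remotely reachable connector with a shared secret. The secret value, the internal interface address and the worker name are placeholders; port 8009 is the conventional AJP port, pick whatever your worker points at.

```xml
<!-- server.xml excerpts: added example, not the thread's config -->

<!-- 1. As posted above. secretRequired defaults to true and Tomcat starts
     because a secret IS set, but its value is the literal string "false",
     which any client that can reach the port can simply try. -->
<Connector protocol="AJP/1.3" port="8080" secret="false"
           redirectPort="8443" />

<!-- 2. Loopback-only, no secret. Bind to loopback explicitly instead of
     relying on the default, and state the decision with
     secretRequired="false". As Mark notes, any process that can log on
     to the host can talk to this port, so it is only adequate when all
     local users are trusted. -->
<Connector protocol="AJP/1.3" port="8009"
           address="127.0.0.1"
           secretRequired="false"
           redirectPort="8443" />

<!-- 3. Remote reverse proxy. Bind only to the internal interface
     (10.0.0.5 is a placeholder) and require a shared secret.
     CHANGE-ME-long-random-value is a placeholder: generate a long random
     string and keep it out of version control. -->
<Connector protocol="AJP/1.3" port="8009"
           address="10.0.0.5"
           secretRequired="true"
           secret="CHANGE-ME-long-random-value"
           redirectPort="8443" />

<!-- The mod_jk worker that fronts connector 3 (workers.properties, not
     XML) must carry the same value in its "secret" property, and should
     name the address the connector is bound to rather than "localhost",
     which, as the thread shows, may resolve to ::1 instead of 127.0.0.1:

       worker.ajp13.type=ajp13
       worker.ajp13.host=10.0.0.5
       worker.ajp13.port=8009
       worker.ajp13.secret=CHANGE-ME-long-random-value
-->
```

After restarting, confirm with `ss -ltn` (or `netstat -an`) that port 8009 is bound to the address you intended and not to 0.0.0.0 or ::.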



Re: what to do with address="::1"?

John Larsen
Thanks for the info. Will this change be backported to 8.5 and 7?

John Larsen




Re: what to do with address="::1"?

Mark Thomas-2
On 14/02/2020 16:04, John Larsen wrote:
> Thanks for the info. Will this change be backported to 8.5 and 7?

It already has been.

Mark

