Mailing List Archive

[Bug 53098] mod_proxy_ajp: patch to set worker secret passed to tomcat
https://bz.apache.org/bugzilla/show_bug.cgi?id=53098

Rainer Jung <rainer.jung@kippdata.de> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |---

--- Comment #19 from Rainer Jung <rainer.jung@kippdata.de> ---
It would be useful to backport this feature to 2.4.x.
The newest Tomcat releases hardened the AJP connector by demanding a "secret"
by default, so they are no longer compatible with mod_proxy_ajp out-of-the-box.
One has to explicitly set secretRequired="false" on the TC AJP connector to be
able to use it with mod_proxy_ajp (and thereby increase attack surface).

r1738878 plus small struct layout adjustments for compatibility should do it.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 53098] mod_proxy_ajp: patch to set worker secret passed to tomcat
https://bz.apache.org/bugzilla/show_bug.cgi?id=53098

zac spitzer <zac.spitzer@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |zac.spitzer@gmail.com

[Bug 53098] mod_proxy_ajp: patch to set worker secret passed to tomcat
https://bz.apache.org/bugzilla/show_bug.cgi?id=53098

Rainer Jung <rainer.jung@kippdata.de> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution|--- |FIXED

--- Comment #20 from Rainer Jung <rainer.jung@kippdata.de> ---
Backported today to 2.4.x as r1874456, will be part of 2.4.42.

[Bug 53098] mod_proxy_ajp: patch to set worker secret passed to tomcat
https://bz.apache.org/bugzilla/show_bug.cgi?id=53098

--- Comment #21 from Konstantin Kolinko <knst.kolinko@gmail.com> ---
(In reply to Rainer Jung from comment #20)
> Backported today to 2.4.x as r1874456, will be part of 2.4.42.

Thank you!

The secret is also documented (not yet backported to 2.4.x) in
https://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_proxy_ajp.xml?view=markup


Caveat: mod_proxy_ajp.xml refers to old attribute names
<code>request.secret</code> or <code>requiredSecret</code> of Tomcat,
which are now just "secret". I updated a similar reference in mod_jk
documentation in the following commit:
https://github.com/apache/tomcat-connectors/commit/83dc3e486509cf63b0c478b46d75b4b886088652

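
Added example, not part of the original thread or of either project's code: a small audit that cross-checks the Tomcat AJP connector settings discussed in comments #19 and #21 against the secret= parameter on httpd ProxyPass lines. The sample configs, secret values, function names and finding texts are constructed; reading requiredSecret as a fallback for secret is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configs for illustration (not taken from the bug report).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" secretRequired="false"/>
  <Connector port="8010" protocol="AJP/1.3" requiredSecret="s3cr3t-A"/>
  <Connector port="8011" protocol="AJP/1.3" secret="s3cr3t-B"/>
</Service></Server>"""
HTTPD_CONF = '''ProxyPass "/a" "ajp://localhost:8009/a"
ProxyPass "/b" "ajp://localhost:8010/b" secret=s3cr3t-A
ProxyPass "/c" "ajp://localhost:8011/c"'''
PROXY_RE = re.compile(r'\s*ProxyPass(?:Match)?\s+\S+\s+"?ajp://[^:/\s"]+:(\d+)[^\s"]*"?(.*)', re.I)

def ajp_connectors(server_xml):
    """Return {port: settings} for every AJP <Connector> in server.xml."""
    conns = {}
    for c in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" in c.get("protocol", "").lower():
            conns[int(c.get("port"))] = {
                # Assumptions: requiredSecret is a fallback; secretRequired defaults to true.
                "secret": c.get("secret") or c.get("requiredSecret"),
                "legacy_name": c.get("requiredSecret") is not None,
                "required": c.get("secretRequired", "true").lower() != "false",
            }
    return conns

def proxy_secrets(httpd_conf):
    """Return {backend port: secret or None} for ajp:// ProxyPass lines."""
    found = {}
    for m in filter(None, map(PROXY_RE.match, httpd_conf.splitlines())):
        s = re.search(r"\bsecret=(\S+)", m.group(2))
        found[int(m.group(1))] = s.group(1) if s else None
    return found

def audit(server_xml, httpd_conf):
    """List (port, finding) pairs for weak or mismatched AJP secret settings."""
    findings, proxies = [], proxy_secrets(httpd_conf)
    for port, c in sorted(ajp_connectors(server_xml).items()):
        if not c["required"]:
            findings.append((port, "secretRequired=false: AJP accepted without a secret"))
        if c["legacy_name"]:
            findings.append((port, "old attribute name requiredSecret; now just secret"))
        if c["required"] and port in proxies and proxies[port] != c["secret"]:
            findings.append((port, "httpd secret= missing or different from Tomcat's"))
    return findings

if __name__ == "__main__":
    print(*audit(SERVER_XML, HTTPD_CONF), sep="\n")
```

The ProxyPass secret= parameter is only understood by httpd builds that include the backport mentioned in comment #20.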