Mailing List Archive

mod_proxy_ajp backport for "secret" attribute to 2.4.x
Just a heads up: the support for the "secret" attribute in mod_proxy_ajp
has not been backported:

https://bz.apache.org/bugzilla/show_bug.cgi?id=53098

Tomcat hardened its AJP connector in the latest patch releases and by
default now requires the proxy to send such a "secret". This can be
turned off but is not recommended.

I think we should backport r1738878 plus small struct layout adjustments
for compatibility in 2.4.x.

I could not yet test it, but the diff seems to apply well apart from
struct layout, which we need to trivially adjust anyways (move new
members to end of struct).

If anyone would be able to test and propose before I get to it, that
would be great.

Regards,

Rainer
Re: mod_proxy_ajp backport for "secret" attribute to 2.4.x
On Sun, Feb 23, 2020 at 11:00 AM Rainer Jung <rainer.jung@kippdata.de> wrote:
>
> Just a heads up: the support for the "secret" attribute in mod_proxy_ajp
> has not been backported:
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=53098
>
> Tomcat hardened its AJP connector in the latest patch releases and by
> default now requires the proxy to send such a "secret". This can be
> turned off but is not recommended.
>
> I think we should backport r1738878 plus small struct layout adjustments
> for compatibility in 2.4.x.
>
> I could not yet test it, but the diff seems to apply well apart from
> struct layout, which we need to trivially adjust anyways (move new
> members to end of struct).
>
> If anyone would be able to test and propose before I get to it, that
> would be great.

My svn merge did not seem to have any struct issues, just one weird
conflict in mod_proxy parsing the properties.

I tested against the new tomcat w/ a secret specified in server.xml
and it seemed to work OOTB with secret=xxx

I will propose as a showstopper for 2.4.