How do I configure Apache to proxy Tomcat using AJP?Absolute urls not working with Apache2 AJP proxy Tomcatneed help in redirect from Apache to Tomcat with mod_proxy_ajpTrouble configuring apache server to proxy an SSL connectionApache LIMIT directive does not allow to see localhost project over LANAJP Connector not working? (404 error)Configure SSL in Apache with Tomcat 7 and Spring MVC webappStatic Tomcat Cluster become unresponsive on a JDBC procedure callApache's ProxyPreserveHost before tomcat using AJPWhat should be configured in AJP proxy configuration?Apache upgrade to 2.4, now AH01797: client denied by server configuration
Find the three digit Prime number P from the given unusual relationships
Why most published works in medical imaging try reducing false positives?
Does this strict reading of the rules allow both Extra Attack and the Thirsting Blade warlock invocation to be used together?
A steel cutting sword?
Of strange atmospheres - the survivable but unbreathable
How did NASA Langley end up with the first 737?
Can my floppy disk still work without a shutter spring?
Using credit/debit card details vs swiping a card in a payment (credit card) terminal
How to let other coworkers know that I don't share my coworker's political views?
How to respond to upset student?
Is the Indo-European language family made up?
Why isn't 'chemically-strengthened glass' made with potassium carbonate to begin with?
Python program to take in two strings and print the larger string
Can I summon an otherworldly creature with the Gate spell without knowing its true name?
Did 20% of US soldiers in Vietnam use heroin, 95% of whom quit afterwards?
Who decides how to classify a novel?
Word Transformations
Which European Languages are not Indo-European?
Specific alignment within beginalign environment
Open office space - complaints for noise - how to respond
Sankey diagram: not getting the hang of it
Is Jon Snow the last of his House?
Can a person survive on blood in place of water?
Why would Ryanair allow me to book this journey through a third party, but not through their own website?
How do I configure Apache to proxy Tomcat using AJP?
Absolute urls not working with Apache2 AJP proxy Tomcatneed help in redirect from Apache to Tomcat with mod_proxy_ajpTrouble configuring apache server to proxy an SSL connectionApache LIMIT directive does not allow to see localhost project over LANAJP Connector not working? (404 error)Configure SSL in Apache with Tomcat 7 and Spring MVC webappStatic Tomcat Cluster become unresponsive on a JDBC procedure callApache's ProxyPreserveHost before tomcat using AJPWhat should be configured in AJP proxy configuration?Apache upgrade to 2.4, now AH01797: client denied by server configuration
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I have a fresh install of Fedora 23 (Workstation) with fresh installs of Apache 2.4 and Tomcat 8.
I'm attempting a very simple setup: A single instance of Apache will proxy all traffic for a single instance of Tomcat.
In Apache's httpd.conf I've set ServerName localhost. It includes the proxy configuration file conf.modules.d/00-proxy.conf. In that file,mod_proxy and mod_proxy_ajp are enabled with configuration
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from localhost
</Proxy>
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
According to my understanding, this tells Apache to relay all requests to whatever is listening on local port 8009 via AJP, allowing only requests from localhost and keeping everything relative to the respective root directories.
In Tomcat's /etc/tomcat/server.xml, I have
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
which, according to my understanding, tells Tomcat to listen on port 8009 for anything being sent via AJP. Given the Apache configuration, this should be every request Apache receives.
The problem
Accessing localhost returns a 403 Forbidden error. If I connect to Tomcat directly with localhost:8080, the connection is fine and I get index.jsp. Apache's error log gives
AH01630: client denied by server configuration: proxy:ajp://localhost:8009/favicon.ico
indicating that Apache is disallowing access to Tomcat's /tomcat/webapps/ROOT/ directory because of a permissions conflict. I tried adding
<Directory "/var/lib/tomcat/webapps/ROOT">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
to httpd.conf, but it didn't change the 403 Forbidden error after restarting Apache.
This is a very common setup, and none of the many, many guides I've read indicate needing to change Apache's access permissions or the OS filesystem permissions. This is a clean install, and I've done very little with the installation that I haven't noted here.
What do I not understand?
apache-2.4 fedora mod-proxy mod-proxy-ajp tomcat8
asked Jun 22 '16 at 19:49
JonahHuronJonahHuron
12
add a comment |
I have a fresh install of Fedora 23 (Workstation) with fresh installs of Apache 2.4 and Tomcat 8.
I'm attempting a very simple setup: A single instance of Apache will proxy all traffic for a single instance of Tomcat.
In Apache's httpd.conf I've set ServerName localhost. It includes the proxy configuration file conf.modules.d/00-proxy.conf. In that file,mod_proxy and mod_proxy_ajp are enabled with configuration
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from localhost
</Proxy>
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
According to my understanding, this tells Apache to relay all requests to whatever is listening on local port 8009 via AJP, allowing only requests from localhost and keeping everything relative to the respective root directories.
In Tomcat's /etc/tomcat/server.xml, I have
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
which, according to my understanding, tells Tomcat to listen on port 8009 for anything being sent via AJP. Given the Apache configuration, this should be every request Apache receives.
The problem
Accessing localhost returns a 403 Forbidden error. If I connect to Tomcat directly with localhost:8080, the connection is fine and I get index.jsp. Apache's error log gives
AH01630: client denied by server configuration: proxy:ajp://localhost:8009/favicon.ico
indicating that Apache is disallowing access to Tomcat's /tomcat/webapps/ROOT/ directory because of a permissions conflict. I tried adding
<Directory "/var/lib/tomcat/webapps/ROOT">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
to httpd.conf, but it didn't change the 403 Forbidden error after restarting Apache.
This is a very common setup, and none of the many, many guides I've read indicate needing to change Apache's access permissions or the OS filesystem permissions. This is a clean install, and I've done very little with the installation that I haven't noted here.
What do I not understand?
apache-2.4 fedora mod-proxy mod-proxy-ajp tomcat8
asked Jun 22 '16 at 19:49
JonahHuronJonahHuron
12
add a comment |
I have a fresh install of Fedora 23 (Workstation) with fresh installs of Apache 2.4 and Tomcat 8.
I'm attempting a very simple setup: A single instance of Apache will proxy all traffic for a single instance of Tomcat.
In Apache's httpd.conf I've set ServerName localhost. It includes the proxy configuration file conf.modules.d/00-proxy.conf. In that file,mod_proxy and mod_proxy_ajp are enabled with configuration
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from localhost
</Proxy>
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
According to my understanding, this tells Apache to relay all requests to whatever is listening on local port 8009 via AJP, allowing only requests from localhost and keeping everything relative to the respective root directories.
In Tomcat's /etc/tomcat/server.xml, I have
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
which, according to my understanding, tells Tomcat to listen on port 8009 for anything being sent via AJP. Given the Apache configuration, this should be every request Apache receives.
The problem
Accessing localhost returns a 403 Forbidden error. If I connect to Tomcat directly with localhost:8080, the connection is fine and I get index.jsp. Apache's error log gives
AH01630: client denied by server configuration: proxy:ajp://localhost:8009/favicon.ico
indicating that Apache is disallowing access to Tomcat's /tomcat/webapps/ROOT/ directory because of a permissions conflict. I tried adding
<Directory "/var/lib/tomcat/webapps/ROOT">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
to httpd.conf, but it didn't change the 403 Forbidden error after restarting Apache.
This is a very common setup, and none of the many, many guides I've read indicate needing to change Apache's access permissions or the OS filesystem permissions. This is a clean install, and I've done very little with the installation that I haven't noted here.
What do I not understand?
apache-2.4 fedora mod-proxy mod-proxy-ajp tomcat8
asked Jun 22 '16 at 19:49
JonahHuronJonahHuron
12
I have a fresh install of Fedora 23 (Workstation) with fresh installs of Apache 2.4 and Tomcat 8.
I'm attempting a very simple setup: A single instance of Apache will proxy all traffic for a single instance of Tomcat.
In Apache's httpd.conf I've set ServerName localhost. It includes the proxy configuration file conf.modules.d/00-proxy.conf. In that file,mod_proxy and mod_proxy_ajp are enabled with configuration
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from localhost
</Proxy>
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
According to my understanding, this tells Apache to relay all requests to whatever is listening on local port 8009 via AJP, allowing only requests from localhost and keeping everything relative to the respective root directories.
In Tomcat's /etc/tomcat/server.xml, I have
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
which, according to my understanding, tells Tomcat to listen on port 8009 for anything being sent via AJP. Given the Apache configuration, this should be every request Apache receives.
The problem
Accessing localhost returns a 403 Forbidden error. If I connect to Tomcat directly with localhost:8080, the connection is fine and I get index.jsp. Apache's error log gives
AH01630: client denied by server configuration: proxy:ajp://localhost:8009/favicon.ico
indicating that Apache is disallowing access to Tomcat's /tomcat/webapps/ROOT/ directory because of a permissions conflict. I tried adding
<Directory "/var/lib/tomcat/webapps/ROOT">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
to httpd.conf, but it didn't change the 403 Forbidden error after restarting Apache.
This is a very common setup, and none of the many, many guides I've read indicate needing to change Apache's access permissions or the OS filesystem permissions. This is a clean install, and I've done very little with the installation that I haven't noted here.
What do I not understand?
apache-2.4 fedora mod-proxy mod-proxy-ajp tomcat8
apache-2.4 fedora mod-proxy mod-proxy-ajp tomcat8
asked Jun 22 '16 at 19:49
JonahHuronJonahHuron
12
asked Jun 22 '16 at 19:49
JonahHuronJonahHuron
12
asked Jun 22 '16 at 19:49
JonahHuronJonahHuron
12
asked Jun 22 '16 at 19:49
JonahHuronJonahHuron
12
asked Jun 22 '16 at 19:49
JonahHuronJonahHuron
12
12
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
You should modify your connector like these.
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8"/>
<Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3" />
you can follow this link also : https://confluence.sakaiproject.org/display/~steve.swinsburg/Fronting+Tomcat+with+Apache+via+mod_proxy_ajp
answered Sep 16 '16 at 16:07
HaidHaid
11
Why? Why does the HTTP connector need changing? What is the significance of the AJP connector change?
– OrangeDog
Jul 25 '17 at 12:47
add a comment |
The <Proxy *> is not needed for a reverse proxy configuration such as you have here. This construct is commonly found in guides on the internet, but I'm afraid they are simply wrong.
If you wish to restrict access to the proxied resource use a <Location> block not a <Proxy> one. SO if you had something like
<Location "/">
Order deny,allow
Deny from all
Allow from localhost
</Location>
If would do what you wish. But try it without it first as it is almost certainly that which is causing your 403. The above config will mean that only requests to your web server that start http://localhost will work,
answered Oct 8 '16 at 11:47
UnbelieverUnbeliever
1,7511414
"The above config" is yours or Jonah's? because that's not what yours does.
– OrangeDog
Jul 25 '17 at 12:46
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f785652%2fhow-do-i-configure-apache-to-proxy-tomcat-using-ajp%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
You should modify your connector like these.
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8"/>
<Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3" />
you can follow this link also : https://confluence.sakaiproject.org/display/~steve.swinsburg/Fronting+Tomcat+with+Apache+via+mod_proxy_ajp
answered Sep 16 '16 at 16:07
HaidHaid
11
Why? Why does the HTTP connector need changing? What is the significance of the AJP connector change?
– OrangeDog
Jul 25 '17 at 12:47
add a comment |
You should modify your connector like these.
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8"/>
<Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3" />
you can follow this link also : https://confluence.sakaiproject.org/display/~steve.swinsburg/Fronting+Tomcat+with+Apache+via+mod_proxy_ajp
answered Sep 16 '16 at 16:07
HaidHaid
11
Why? Why does the HTTP connector need changing? What is the significance of the AJP connector change?
– OrangeDog
Jul 25 '17 at 12:47
add a comment |
You should modify your connector like these.
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8"/>
<Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3" />
you can follow this link also : https://confluence.sakaiproject.org/display/~steve.swinsburg/Fronting+Tomcat+with+Apache+via+mod_proxy_ajp
answered Sep 16 '16 at 16:07
HaidHaid
11
You should modify your connector like these.
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8"/>
<Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3" />
you can follow this link also : https://confluence.sakaiproject.org/display/~steve.swinsburg/Fronting+Tomcat+with+Apache+via+mod_proxy_ajp
answered Sep 16 '16 at 16:07
HaidHaid
11
answered Sep 16 '16 at 16:07
HaidHaid
11
answered Sep 16 '16 at 16:07
HaidHaid
11
answered Sep 16 '16 at 16:07
HaidHaid
11
11
Why? Why does the HTTP connector need changing? What is the significance of the AJP connector change?
– OrangeDog
Jul 25 '17 at 12:47
add a comment |
Why? Why does the HTTP connector need changing? What is the significance of the AJP connector change?
– OrangeDog
Jul 25 '17 at 12:47
Why? Why does the HTTP connector need changing? What is the significance of the AJP connector change?
– OrangeDog
Jul 25 '17 at 12:47
Why? Why does the HTTP connector need changing? What is the significance of the AJP connector change?
– OrangeDog
Jul 25 '17 at 12:47
add a comment |
The <Proxy *> is not needed for a reverse proxy configuration such as you have here. This construct is commonly found in guides on the internet, but I'm afraid they are simply wrong.
If you wish to restrict access to the proxied resource use a <Location> block not a <Proxy> one. SO if you had something like
<Location "/">
Order deny,allow
Deny from all
Allow from localhost
</Location>
If would do what you wish. But try it without it first as it is almost certainly that which is causing your 403. The above config will mean that only requests to your web server that start http://localhost will work,
answered Oct 8 '16 at 11:47
UnbelieverUnbeliever
1,7511414
"The above config" is yours or Jonah's? because that's not what yours does.
– OrangeDog
Jul 25 '17 at 12:46
add a comment |
The <Proxy *> is not needed for a reverse proxy configuration such as you have here. This construct is commonly found in guides on the internet, but I'm afraid they are simply wrong.
If you wish to restrict access to the proxied resource use a <Location> block not a <Proxy> one. SO if you had something like
<Location "/">
Order deny,allow
Deny from all
Allow from localhost
</Location>
If would do what you wish. But try it without it first as it is almost certainly that which is causing your 403. The above config will mean that only requests to your web server that start http://localhost will work,
answered Oct 8 '16 at 11:47
UnbelieverUnbeliever
1,7511414
"The above config" is yours or Jonah's? because that's not what yours does.
– OrangeDog
Jul 25 '17 at 12:46
add a comment |
The <Proxy *> is not needed for a reverse proxy configuration such as you have here. This construct is commonly found in guides on the internet, but I'm afraid they are simply wrong.
If you wish to restrict access to the proxied resource use a <Location> block not a <Proxy> one. SO if you had something like
<Location "/">
Order deny,allow
Deny from all
Allow from localhost
</Location>
If would do what you wish. But try it without it first as it is almost certainly that which is causing your 403. The above config will mean that only requests to your web server that start http://localhost will work,
answered Oct 8 '16 at 11:47
UnbelieverUnbeliever
1,7511414
The <Proxy *> is not needed for a reverse proxy configuration such as you have here. This construct is commonly found in guides on the internet, but I'm afraid they are simply wrong.
If you wish to restrict access to the proxied resource use a <Location> block not a <Proxy> one. SO if you had something like
<Location "/">
Order deny,allow
Deny from all
Allow from localhost
</Location>
If would do what you wish. But try it without it first as it is almost certainly that which is causing your 403. The above config will mean that only requests to your web server that start http://localhost will work,
answered Oct 8 '16 at 11:47
UnbelieverUnbeliever
1,7511414
answered Oct 8 '16 at 11:47
UnbelieverUnbeliever
1,7511414
answered Oct 8 '16 at 11:47
UnbelieverUnbeliever
1,7511414
answered Oct 8 '16 at 11:47
UnbelieverUnbeliever
1,7511414
1,7511414
"The above config" is yours or Jonah's? because that's not what yours does.
– OrangeDog
Jul 25 '17 at 12:46
add a comment |
"The above config" is yours or Jonah's? because that's not what yours does.
– OrangeDog
Jul 25 '17 at 12:46
"The above config" is yours or Jonah's? because that's not what yours does.
– OrangeDog
Jul 25 '17 at 12:46
"The above config" is yours or Jonah's? because that's not what yours does.
– OrangeDog
Jul 25 '17 at 12:46
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f785652%2fhow-do-i-configure-apache-to-proxy-tomcat-using-ajp%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
