The access to my server should be limited to some Remote hosts, and I want to allow Uptimerobot to monitor my server.
Currently uptimerobot gets always a 403 Forbidden.
I added Server.xml looks like this:
<Server .........>
<Service name="Catalina">
<Engine>
<Value className="org.apache.catalina.valves.RemoteHostValve" allow=".*\.uptimerobot\.com" />
</Engine>
</Service>
To match all hosts in this list UptimeRobot Whitelist
But after restarting server nothing changed, still 403.
I also tried to use a domain-name without wildcards like this:
allow="engine19\.uptimerobot\.com"
allow="engine19.uptimerobot.com"
But still 403,
I tried to enable hostnamelookups with adding
enableLookups="true"
to the <Connector
tag, but again no effect.
But in my logs I see that the access is resolved to "engine19.uptimerobot.com" wich matches my RemoteHost-Pattern.
Any Ideas, why it is still forbidden ?
EDIT:
Access via IP with
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="63\.143\.42\.244"/>
is working. But I dont want to add the whole list of ips there.
Is it possible that RemoteAddrValve and RemoteHostValve are disturbing eachother ?
I have tried this and this worked for me
set useIPVHosts to true in connector (Inside server.xml).
I am using HTTP connector and it looks as follow
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
enableLookups="true"
useIPVHosts="true" />
Details of attributes can be found here
Check tomcat/logs/local_access_log... to see what host name used for 403.
I found that our company DNS reports some names in all uppercase and others in all lowercase. Use (?i) to have regex be case insensitive:
allow="(?i)engine19\.uptimerobot\.com"
If you have both RemoteHostValve and RemoteAddValve, both must allow an incoming host. If either does not allow then 403 will be returned.
Related
User when access BOBJ tomcat URL the AD SSO works without any issues, when the user tries to access the Apache load balancer, then we get the Request entity too large error message.
This is happening for few of the users and few of them can login without any issues.
Setup: configured Apache Load Balancer - to connect to two tomcat server via Workers.properties.
BOBJ AD SSO is configured on Tomcat server
Error :Request Entity Too Large
The requested resource
/BOE/portal/1712062105/BIPCoreWeb/VintelaServlet
does not allow request data with POST requests, or the amount of data provided in the request exceeds the capacity limit.
Configuration on
Apache
Httpd:
LimitRequestLine 65536
LimitRequestBody 0
LimitRequestFieldSize 65536
LimitRequestFields 10000
ProxyIOBufferSize 65536
worker: worker.ajp13.max_packet_size=65536
Tomcat:
Request someone to help in troubleshooting the error.
Possible solution!
Apache tomcat:
1. modify /opt/ tomcat/config/server.xml
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
maxPostSize="209715200"
disableUploadTimeout="true"
maxHttpHeaderSize="1006384" />
2. modify /tomcat/webapps/manager/WEBINFO/web.xml
<multipart-config>
<!-- 50MB max -->
<max-file-size>104857600</max-file-size>
<max-request-size>209715200</max-request-size>
<file-size-threshold>0</file-size-threshold>
</multipart-config>
Nginx:
1. modify /etc/nginx/nginx.conf
2. add this " client_max_body_size 200M; "
http{
client_max_body_size 200M;
}
* Restart tomcat server
sudo systemctl restart tomcat
* Restart nginx server
sudo systemctl restart nginx
Similar issue for me, but the fix was slightly different:
worker.ajp13.max_packet_size=65536
This was actually in: path/apache2/conf/extra/workers.properties (probably just a typo in earlier answer)
The issue here is with the Apache parameter under Worker.properties file
We initial have set this to -> worker.ajp13.max_packet_size="65536"
However the syntax should be this :
worker..max_packet_size="65536”
Your site is basically the tomcat site which we refereed as worker1 and worker2.
Once we changed that value to below
worker: worker1.max_packet_size="65536"
This issue got fixed.
Hope this helps for users who have configure Apache as load balancer to two or more tomcat web application clusters.
I'm not 100% certain this will resolve your issue, but it seems to be related. In Tomcat's server.xml, add the following to Connector: maxHttpHeaderSize="65536". The whole line should look something like:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
redirectPort="8443" compression="on" URIEncoding="UTF-8" compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"
maxHttpHeaderSize="65536" />
I am using Apache Tomcat 8 and also have .cert file and the .key file. But I am unable to understand how to turn on the HTTPS mode. I want the APR implementation which uses OpenSSL by default. I tried to change the server.xml file in conf folder according to the documentation but after that Tomcat failed to start and I have delete it and use new unzipped files to start. How can I turn on SSL?
If the APR is already installed and configured on your Tomcat, you could have something like this in your server.xml:
Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
Take a look at this tutorial tutorial, it was quite helpful for me.
Also this one could be interesting.
I am working on a Spring-MVC application and using Tomcat to deploy
it. I looked up on net how to create a custom maintenance site when
tomcat is down. It involves using Apache2 in the front and relaying
requests to and fro tomcat, and the maintenance site can be put on
Apache2. Seemed like a lot of hassle just for a webpage when tomcat
is down.
For this reasons, I created a small project and deployed it in
another instance of tomcat as ROOT.war.
I would just like to know if there is any way, I can bring the
maintainance tomcat instance online when production is down.
Here is my server.xml of production for viewing :
<Connector port="80" protocol="HTTP/1.1" compression="force" compressionMinSize="1024"
connectionTimeout="20000"
redirectPort="443" URIEncoding="utf-8"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/ javascript,application/x-javascript,application/javascript"/>
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="200" compression="force"
compressionMinSize="1024" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="my-keystore.jks" keystorePass="password" URIEncoding="utf-8"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/ javascript,application/x-javascript,application/javascript"
/>
<Connector port="8010" protocol="AJP/1.3" redirectPort="443" URIEncoding="utf-8"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/ javascript,application/x-javascript,application/javascript"
/>
Any help would be nice. Thanks a lot.
A good option used in high availability of application but not sure you would need that.
ran 2 tomcat in 2 separate ports always. one is production server and another maintainence server.
install haproxy so all request goes from here to the production server port.
when haproxy verifies that the port is down or the server not responding go to maintainence port tomcat instance.
in this way, the maintainence activity can be done without any issues. and due to some issues the prod server goes down it automatically call maintainence tomcat instance.
I have have a domain name (for example myapp.com) that I am using it to redirect to a web application (for exmple "myapp"), which is deployed on my tomcat server (for example in "myserver.es/myapp"). I added this fragment to the server.xml file of the tomcat to configure the redirection:
<Host name="myapp.com" appBase="webapps/myapp"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<Context path="/" docBase="."/>
<Alias>www.myapp.com</Alias>
</Host>
Apparently it is working good, if I write "mydomain.com" in the browser the app is shown correctly.
The problem: when I generate a new WAR file of that app and I upload it to the Tomcat server (after stopping and undeploying the previous version), the changes related with Java code are not shown. I have to restart my tomcat server to access to the last version of the app from "myapp.com".
In contrast, if I access to "mydomain.com/myapp", I can see the last version of the app, showing the changes made in the last WAR.
So, I think that the problem is related with the redirection. It is anything wrong with the previous XML code?
The other "Host" configured in the server.xml is this one:
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
You might be having issues with Parallel Deployement
You could set undeployOldVersions="true" inside your host to see if that works.
Finally, I've discovered the solution! I needed to set privileged="true" inside the Context tag.
I would like to change the url for accessing Alfresco share from http://localhost:8080/share
to https://sitename.companyname.com/share.
I would prefer to make this changes using Alfresco tomcat server and not involve a proxy.
I did the following changes to change the port number:
alfresco-global.properties
alfresco.context=alfresco
alfresco.host=sitename.companyname.com
alfresco.port=8443
alfresco.protocol=https
share.context=share
share.host=sitename.companyname.com
share.port=8443
share.protocol=https
share-config-custom.xml
Change the endpoint url to
http://localhost:8443/alfresco/
Can anyone advise as what changes are needed for the https setting?
Thanks.
Steps for using SSL with alfresco
Settings in server.xml
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
Settings in alfresco-global.property
alfresco.context=alfresco
alfresco.host=sitename.companyname.com
alfresco.port=8443 alfresco.protocol=https
share.context=share
share.host=sitename.companyname.com
share.port=8443
share.protocol=https
Settings in share-config-custom.xml
Modify endpoint url accordingly ex. https://<domain>:8443/alfresco/