We Keep Coding

Apache can't reach Tomcat: AH00957, AH00959 & AH00896

I have Tomcat 7.0.105 installed with ords.war deployed in it.
In my browser, I use the URL http://rtp, where rtp is the name of my server as defined in /etc/hosts. This uses port 80 and reaches Apache on the server. There I have a conf file in my /etc/httpd/conf.d folder with these contents:
NameVirtualHost *:80
<VirtualHost *:80>
ServerName rtp
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / ajp://localhost:8009/ords
ProxyPassReverse / ajp://localhost:8009/ords
</VirtualHost>
But the browser says "Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later."
And /etc/httpd/logs/error_log shows this:
[Tue Aug 18 13:13:55.799950 2020] [proxy:error] [pid 8508] (111)Connection refused: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (localhost) failed
[Tue Aug 18 13:13:55.800133 2020] [proxy:error] [pid 8508] AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 60s
[Tue Aug 18 13:13:55.800220 2020] [proxy_ajp:error] [pid 8508] [client 1.2.3.4:50900] AH00896: failed to make connection to backend: localhost
The Tomcat7 server.xml file is left default like this:
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define an SSL HTTP/1.1 Connector on port 8443
This connector uses the BIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector protocol="AJP/1.3"
address="::1"
port="8009"
redirectPort="8443" />
-->
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
</Engine>
</Service>
</Server>
What could be the reason for "AJP: attempt to connect to localhost failed". All suggestions are welcome.

[Tue Aug 18 13:13:55.799950 2020] [proxy:error] [pid 8508] (111)Connection refused: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (localhost) failed
You are using localhost in ProxyPass. Is your Apache and tomcat on same server?
Check AJP port running or not using netstat -tunlp | grep 127.0.0.1:8009 command. Also please change ProxyPass configuration.
From:
ProxyPass / ajp://localhost:8009/ords
ProxyPassReverse / ajp://localhost:8009/ords
To:
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/

Update address value to accept connections from hosts.
Remove 1 from address="::1" in AJP connection section.
Below works:
address="::"

How to verify wildfly web server is using added keystore file for https connection?

I have created a self-signed certificate(public_certificate.crt), private key file(private_key.pem). and these are stored in keystore file keystore.jks.
I have configured the same keystore.jks file in the standalone.xml file of widlfly 10 in two section as:
Section 1:
<security-realm name="UndertowRealm">
<server-identities>
<ssl>
<keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" />
</ssl>
</server-identities>
</security-realm>
Section 2:
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
I have restarted the server, now when i am accessing the wildfly url(https://localhost:8443) it is coming as "Not Secure" in the browser url section of chrome.
I am having two question related to it:
With or Without configuring the standalone.xml file with our keystore, chrome is mentioning "Not Secure" in browser URL section. it might be because i am using self-signed certificate. but my question is, how will i know that my self-signed certificate is being used by Wildfly.
Is there any way to avoid "Not Secure" warning and it should be coming as "Lock" symbol in the browser for self-signed certificate.

Wildfly many domains with many ssl certificate

I've got test server and I would like to run many applications on that instance, but there's a problem with SSL certificates. If I'm using single certificate, everything is ok, but if when I add another, there is a problem.
This is my ssl realm configuration :
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="cert_one.jks" relative-to="jboss.server.config.dir" keystore-password="1234" key-password="1234"/>
<keystore path="cert_two.jks" relative-to="jboss.server.config.dir" keystore-password="1234" key-password="1234"/>
</ssl>
</server-identities>
</security-realm>
And this is my undertow server configuration:
<server name="default-server">
<http-listener name="default" socket-binding="http"/>
<https-listener name="defaultHttps" socket-binding="https" security-realm="ssl-realm" max-post-size="31457280"/>
<host name="one_app" alias="firstapp.com">
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
<host name="two_app" alias="secondapp.com">
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
As you can see I have two different certificate keystores, one for firstapp.com and another for secondapp.com.
But only certificate for secondapp.com is working. If I delete one of those keystores everything is OK. How to configure two or more certificates for different domains in Wildfly configuration?

gzip Cannot enable in Wildfly 8?

I want to enable gzip compression in wildfly server. I used the following tutorial. Tutorial
This is the gzip enabling code I included in the standalone.xml
<subsystem xmlns="urn:jboss:domain:undertow:1.0">
<buffer-caches>
<buffer-cache name="default" buffer-size="1024" buffers-per-region="1024" max-regions="10"/>
</buffer-caches>
<server name="default-server">
<http-listener name="default" socket-binding="http"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content" />
**<filter-ref name="gzipFilter" predicate="path-suffix['.css'] or path-suffix['.js']" />**
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<servlet-container name="default" default-buffer-cache="default" stack-trace-on-error="local-only">
<jsp-config/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content" directory-listing="true"/>
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="Wildfly 8"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow 1"/>
<gzip name="gzipFilter"/>
</filters>
</subsystem>
But When I used this code in the Ubuntu 14.04.1 LTS, It works perfectly. But when I installed the application in CentOS Linux release 7.0.1406. It doesn't work. I used the same settings. But I could not figure out the problem so far. I'm very grateful someone can provide your valuable idea.

I recommend you to test upgrade to wildfly 8.2
I has the new undertow 1.1.0 interated which has solved a couple of issues around filters.
I assume your issue is also this:
UNDERTOW-331

Cannot get SSL to work on Azure instance

I've been tearing my hear out trying to figure out why SSL works in one of my Azure projects but not in another.
When I navigate to my site, say https://foo.com, I can't even connect to the site. Browsers can't connect at all and curl says "couldn't connect to host". However, if I go to my cloudapp.net URL (e.g. https://foo.cloudapp.net), it can connect but browsers will complain and say my cert is for *.foo.com. Note: I am able to connect to http://foo.com without any trouble.
Here's my code with certain values obfuscated.
ServiceDefinition.csdef:
<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="MyApp" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
<WebRole name="www" vmsize="Small">
<Sites>
<Site name="Web">
<VirtualApplication name="r" physicalDirectory="../Foo/Bar" />
<Bindings>
<Binding name="Endpoint1" endpointName="Endpoint1" />
<Binding name="Endpoint2" endpointName="Endpoint2" />
</Bindings>
</Site>
</Sites>
<Endpoints>
<InputEndpoint name="Endpoint1" protocol="http" port="80" />
<InputEndpoint name="Endpoint2" protocol="https" port="443" certificate="STAR.foo.com" />
</Endpoints>
<Imports>
<Import moduleName="Diagnostics" />
</Imports>
<Certificates>
<Certificate name="STAR.foo.com" storeLocation="LocalMachine" storeName="My" />
</Certificates>
</WebRole>
</ServiceDefinition>
my cert is uploaded, the thumbprint matches (in this example it's also "1234567890")
ServiceConfiguration.csfg:
<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="myApp" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="1" osVersion="*">
<Role name="www">
<Instances count="2" />
<ConfigurationSettings>
<Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" value="UseDevelopmentStorage=true" />
</ConfigurationSettings>
<Certificates>
<Certificate name="STAR.foo.com" thumbprint="1234567890" thumbprintAlgorithm="sha1" />
</Certificates>
</Role>
</ServiceConfiguration>
Azure Console:
I have verified that:
My cert is uploaded
It's SHA1
It's thumbprint matches what I've specified in ServiceConfiguration.cscfg (in this example it's "1234567890")
The certs for the Certificate Authorities are also present (for me it's "PositiveSSL CA" and "AddTrust External CA root")
For the Azure instance, it confirms there are 2 endpoints (port 80 and port 443)
Why would I not be able to connect at all via https://foo.com, but my https://foo.cloudapp.net will load (although triggering a browser warning)? This seem to indicate my configuration is correct but something else is off... ideas?

I think you may be looking in the wrong place for your problem!
How have you mapped foo.com to your site's address?
Note that Azure instances are given dynamic IP addresses - what address your site may be on NOW may not be what its on tomorrow. The recommendation for Azure is to add a "www" CNAME DNS entry in your domain records that points at "foo.cloudapp.net".
This way, when someone browses to www.foo.com, the DNS server will (invisibly) say "hey, actually, that site is as foo.cloudapp.net. The browser will then ask for the IP address of foo.cloudapp.net. This domain is managed by Microsoft who will return the current IP address for your site.
If you want foo.com to still get you to www.foo.com, you'll have to setup DNS redirection so that whenever someone types foo.com into their browser, they're redirected to www.foo.com. This will then cuase the browser to resolve foo.cloudapp.net and then the HTTP request will be sent to your site. Some domain hosters charge for this (typically a nominal fee), some offer it as a free service.
HTH.