https://bugzilla.redhat.com/show_bug.cgi?id=1806398
--- Comment #71 from Ted (Jong Seok) Won <jwon(a)redhat.com> ---
Mitigation:
The issue can be mitigated as follows:
For JWS (Tomcat),
If your site is not actively using the AJP Connector, simply comment it out
in the <TOMCAT_HOME>/conf/server.xml file as follows:
~~~
<!-- <Connector port="8009" protocol="AJP/1.3"
               redirectPort="8443" /> -->
~~~
If the AJP connector is required and cannot be commented out/deactivated, then we
recommend setting a secret password for the AJP conduit; only requests from
workers with the same secret keyword will be accepted. On the Tomcat side, edit
conf/server.xml:
~~~
<Connector port="8009"
           protocol="AJP/1.3"
           redirectPort="8443"
           address="YOUR_TOMCAT_IP_ADDRESS"
           requiredSecret="YOUR_AJP_SECRET" />
~~~
For JBoss EAP 6.4 (JBossWeb 7.x),
The AJP connector is enabled by default only in standalone-full-ha.xml,
standalone-ha.xml and in the ha and full-ha profiles of domain.xml. The AJP
connector can be secured as follows:
If you do not use AJP, you can disable the AJP connector in your
standalone-*.xml and/or domain.xml file by setting enabled="false" as shown
below, or comment out the whole <connector name="AJP" .../> element:
~~~
<connector name="AJP" protocol="AJP/1.3"
scheme="http" socket-binding="ajp"
enabled="false"/>
~~~
If the AJP connector is a requirement and cannot be commented out or deactivated,
then it is recommended to add a credential to the AJP connector by configuring the
following system property:
~~~
<system-properties>
<property name="org.apache.coyote.ajp.DEFAULT_REQUIRED_SECRET"
value="YOUR_AJP_SECRET"/>
</system-properties>
~~~
Note that YOUR_AJP_SECRET must be changed to a value that is highly secure and
cannot be easily guessed.
For Apache httpd (httpd in JBCS or RHEL),
When the above setting is configured, the same secret value must also be
configured on the front-end proxy (mod_proxy or mod_jk).
* mod_proxy (mod_proxy_ajp / mod_proxy_balancer using ajp)
Support for the secret property was added in JBCS httpd 2.4.37 and in RHEL
7 httpd-2.4.6-67.el7.x86_64.[1]
For mod_proxy_ajp, the secret property can be added to the ProxyPass
setting.
For mod_proxy_balancer, the secret property can be added to each
BalancerMember setting.
For example, add secret=YOUR_AJP_SECRET in your configuration (e.g.
<HTTPD_HOME>/conf/httpd.conf or <HTTPD_HOME>/conf.d/proxy_ajp.conf) like the
following:
- mod_proxy_ajp:
~~~
ProxyPass /example/ ajp://localhost:8009/example/ secret=YOUR_AJP_SECRET
~~~
- mod_proxy_balancer:
~~~
<Proxy balancer://mycluster>
BalancerMember ajp://node1:8009 route=node1 secret=YOUR_AJP_SECRET
BalancerMember ajp://node2:8009 route=node2 secret=YOUR_AJP_SECRET
</Proxy>
ProxyPass /example/ balancer://mycluster/example/ stickysession=JSESSIONID|jsessionid
~~~
* mod_jk
With mod_jk, a secret can be specified for a worker or a load balancer in
workers.properties. If you set a secret on a load balancer, all its members
inherit this secret. Support for the secret property was added in mod_jk
1.2.12.
For example, add the following in your workers.properties:
~~~
worker.<WORKER_NAME>.secret=YOUR_AJP_SECRET
~~~
Ensure that WORKER_NAME is replaced with the appropriate worker name.
* mod_cluster
mod_cluster does not support the secret property.[2] When a secret is configured
on the AJP connector on the Tomcat/JBoss side, you cannot connect over AJP without
the correct secret value, so you need to use http or https for mod_cluster.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1397241
[2] https://docs.modcluster.io/#migration-from-modjk
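The mitigation above spans four files that have to agree with each other: the AJP connector in Tomcat's server.xml or the JBoss system property on the back end, and the ProxyPass/BalancerMember lines or the mod_jk workers.properties on the front end. The script below is an added example, not code from the bug report or from Red Hat; it audits each of those files for the conditions the comment describes (connector commented out or disabled, secret missing, placeholder value left in place, front-end secret not matching the back-end one) and honours mod_jk's rule that load-balancer members inherit the balancer's secret. The sample configurations, the 16-character minimum length and the list of placeholder values are constructed assumptions for the example; the attribute name `secret` is checked alongside `requiredSecret` because newer Tomcat releases use the shorter name.

```python
import re
import xml.etree.ElementTree as ET

# Placeholder or trivially guessable values that must never reach production (assumed list).
WEAK_SECRETS = {"", "YOUR_AJP_SECRET", "secret", "password", "changeme"}
JBOSS_SECRET_PROPERTY = "org.apache.coyote.ajp.DEFAULT_REQUIRED_SECRET"


def _weak(secret):
    return secret in WEAK_SECRETS or len(secret) < 16  # 16 is an assumed minimum


def _local(tag):
    """Strip an XML namespace: '{urn:jboss:domain:1.7}connector' -> 'connector'."""
    return tag.rsplit("}", 1)[-1]


def tomcat_ajp_findings(server_xml):
    """Findings for every live AJP <Connector> in a Tomcat server.xml.
    A connector that was commented out is dropped by the parser and yields nothing."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").replace(" ", "").startswith("AJP/"):
            continue
        port = conn.get("port", "?")
        # Newer Tomcat releases call the attribute 'secret'; older ones 'requiredSecret'.
        secret = conn.get("secret", conn.get("requiredSecret"))
        if secret is None:
            findings.append(f"port {port}: AJP connector has no secret")
        elif _weak(secret):
            findings.append(f"port {port}: AJP secret is weak or a placeholder")
        if conn.get("address") is None:
            findings.append(f"port {port}: no address attribute, connector may bind all interfaces")
    return findings


def jboss_ajp_findings(standalone_xml):
    """Findings for enabled AJP connectors in a JBoss EAP 6.4 standalone/domain XML."""
    root = ET.fromstring(standalone_xml)
    secret = next((p.get("value") for p in root.iter()
                   if _local(p.tag) == "property" and p.get("name") == JBOSS_SECRET_PROPERTY), None)
    findings = []
    for conn in root.iter():
        if _local(conn.tag) != "connector" or not conn.get("protocol", "").startswith("AJP/"):
            continue
        if conn.get("enabled", "true").lower() == "false":
            continue  # disabled connector: nothing listens, nothing to secure
        name = conn.get("name")
        if secret is None:
            findings.append(f"connector {name}: enabled without {JBOSS_SECRET_PROPERTY}")
        elif _weak(secret):
            findings.append(f"connector {name}: {JBOSS_SECRET_PROPERTY} is weak or a placeholder")
    return findings


def httpd_ajp_secrets(httpd_conf):
    """Map each ajp:// target of ProxyPass/BalancerMember to its secret (None if absent)."""
    secrets = {}
    for line in httpd_conf.splitlines():
        line = line.strip()
        if not re.match(r"(ProxyPass|BalancerMember)\b", line):
            continue
        url = re.search(r"ajp://\S+", line)
        if url:
            m = re.search(r"\bsecret=(\S+)", line)
            secrets[url.group(0)] = m.group(1) if m else None
    return secrets


def modjk_ajp_secrets(workers_properties):
    """Map each ajp13 worker to its effective secret; members inherit a load balancer's secret."""
    props = {}
    for line in workers_properties.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    names = {k.split(".")[1] for k in props if k.startswith("worker.") and k.count(".") == 2}
    secrets = {}
    for w in names:
        if props.get(f"worker.{w}.type") != "ajp13":
            continue
        secret = props.get(f"worker.{w}.secret")
        for lb in names:  # a secret set on a load balancer applies to all its members
            members = props.get(f"worker.{lb}.balance_workers", "").replace(" ", "").split(",")
            if secret is None and props.get(f"worker.{lb}.type") == "lb" and w in members:
                secret = props.get(f"worker.{lb}.secret")
        secrets[w] = secret
    return secrets


def frontend_mismatches(backend_secret, frontend_secrets):
    """Front-end entries (httpd targets or mod_jk workers) whose secret differs from the back-end's."""
    return sorted(k for k, v in frontend_secrets.items() if v != backend_secret)


# Constructed sample configuration for the example, not taken from any real deployment.
SECRET = "k7QpR2vXm9LbN4sT8wZc"
TOMCAT_UNSECURED = '<Server><Service><Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/></Service></Server>'
TOMCAT_SECURED = ('<Server><Service><Connector port="8009" protocol="AJP/1.3" redirectPort="8443" '
                  f'address="10.0.0.5" requiredSecret="{SECRET}"/></Service></Server>')
JBOSS_PLACEHOLDER = ('<server xmlns="urn:jboss:domain:1.7"><system-properties>'
                     f'<property name="{JBOSS_SECRET_PROPERTY}" value="YOUR_AJP_SECRET"/></system-properties>'
                     '<profile><subsystem xmlns="urn:jboss:domain:web:2.2">'
                     '<connector name="AJP" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>'
                     '</subsystem></profile></server>')
HTTPD_CONF = f"""<Proxy balancer://mycluster>
BalancerMember ajp://node1:8009 route=node1 secret={SECRET}
BalancerMember ajp://node2:8009 route=node2
</Proxy>
ProxyPass /example/ balancer://mycluster/example/ stickysession=JSESSIONID|jsessionid
"""
WORKERS = f"""worker.list=lb
worker.lb.type=lb
worker.lb.balance_workers=node1,node2
worker.lb.secret={SECRET}
worker.node1.type=ajp13
worker.node2.type=ajp13
"""

if __name__ == "__main__":
    print(tomcat_ajp_findings(TOMCAT_UNSECURED))
    print(jboss_ajp_findings(JBOSS_PLACEHOLDER))
    print(frontend_mismatches(SECRET, httpd_ajp_secrets(HTTPD_CONF)))  # node2 has no secret
```

Run it against real files by reading them into the `*_findings` and `*_secrets` functions; a non-empty result from `frontend_mismatches` means a front-end worker will be rejected by the back end (or, if its secret is missing, that it will only work while the back end is still unsecured).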