Re: Strange Problem with POST + mod_jk

On Thu, Aug 8, 2013 at 5:12 PM, Rainer Jung <rainer.jung@xxxxxxxxxxx> wrote:
On 08.08.2013 17:32, Nick Tkach wrote:
> Not quite sure if this needs to wind up in this group or the tomcat list
> since it kind of involves both.  I'm fairly sure it involves an Apache
> misconfig, so thought I'd start here.
>
> We've got an Apache facing the Internet with some Java app servers (both
> jboss and tomcat), pretty standard thing.  It's got the jk status worker
> locked down to only the internal IP addresses as usual.  That much seems
> to work fine.  The weirdness is that if you do a "blank" POST to the
> root context in the Apache it returns the jk status page *regardless of
> where you are*.
>
> So for instance, let's say my external site is http://baseco.com.  If
> I've got the status worker mounted as /status, then
> http://baseco.com/status is correctly *not* reachable from the outside
> (403 denied) and correctly *is* reachable from the inside.
>
>  However if I do a POST of blank lines:
>
> POST / HTTP/1.0
> Host:baseco.com
>
>
> (there are two carriage returns here)
>
> It acts as though you made a call to http://baseco.com/status (in the
> contents, not the URL).
>
> Not sure what all parts of the config to include, but this is the
> general outline
>
> ------------------------------
> DirectoryIndex index.html index.html.var
>
> <Directory />
>     Options FollowSymLinks
>     AllowOverride None
>     <Limit GET POST HEAD>
>         Order allow,deny
>         Allow from all
>     </Limit>
>     <LimitExcept GET POST HEAD>
>         Order deny,allow
>         Deny from all
>     </LimitExcept>
> </Directory>
>
> JkMount /status mystatus
> <Location /status>
>     JkMount mystatus
>     Order allow,deny
>     Allow from all
>     Deny from xx.yy.zz aa.bb.cc (subnets for external-facing firewalls)
> </Location>
> <VirtualHost externalip:external port>
>
> </VirtualHost>
> --------------------------------------
>
> Then the really strange (to me) follow-up is that it seems to be related
> to not having anything for an index page in the DocumentRoot directory
> (even though we're blocking access to /).  As soon as you put an
> index.html file out there in the DocumentRoot (even with just a blank
> line in it) the problem goes away.
>
> I'm trying to figure out how a request for / can "become" a call to
> /status.  Any ideas?  I'm guessing it's something subtle about the
> config and not an actual bug.


The shown config obviously is not complete. You should also tell us
about the versions of Apache and mod_jk used.

I would clean up by removing "JkMount mystatus" from inside the
Location. The JkMount above the Location is sufficient.

The problem does not happen if you request "GET /"?

Then I would switch JkLogLevel to "debug" on an idle system, reproduce
the problem and post the log here. Clean the log from any info that you
don't want to expose publicly.

Regards,

Rainer


You are absolutely right.  I'm embarrassed I didn't think to include versions! :)  I will do that soon as I get back to work. 

Yes, oddly enough it does *not* happen on a GET, PUT, DELETE, OPTIONS, or HEAD.
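
Added example, not part of the original thread: a check to run from a host outside the allowed networks that sends the body-less request described above with each method Nick lists, to `/` and to the status mount, and reports any response that carries the status page. The `JK Status Manager` marker string and the function names are assumptions; host and port are whatever front end you are auditing.

```python
import http.client

# Assumption: the mod_jk status worker's HTML output contains this title text.
STATUS_MARKER = b"JK Status Manager"

# The methods mentioned in the thread.
METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")


def fetch(host, port, method, path, timeout=5.0):
    """Send one request with no body and return (status_code, body_bytes).

    http.client speaks HTTP/1.1 and adds Content-Length: 0 for POST/PUT,
    whereas the request in the thread was a bare HTTP/1.0 POST.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def audit(host, port, status_path="/status"):
    """Return (method, path, status_code) for every response whose body
    is the status page. From an external vantage point this list should
    be empty: /status must answer 403 and / must never serve the page."""
    findings = []
    for path in ("/", status_path):
        for method in METHODS:
            code, body = fetch(host, port, method, path)
            if STATUS_MARKER in body:
                findings.append((method, path, code))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python jk_status_audit.py <host> <port> [status_path]
    host, port = sys.argv[1], int(sys.argv[2])
    status_path = sys.argv[3] if len(sys.argv) > 3 else "/status"
    leaks = audit(host, port, status_path)
    for method, path, code in leaks:
        print(f"LEAK: {method} {path} -> {code} returned the jk status page")
    sys.exit(1 if leaks else 0)
```
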
