
Mailing List Archive: Apache: Users

Strange Problem with POST + mod_jk


ntkach at gmail

Aug 8, 2013, 8:32 AM

Post #1 of 3
Strange Problem with POST + mod_jk

Not quite sure if this needs to wind up in this group or the tomcat list
since it kind of involves both. I'm fairly sure it involves an Apache
misconfig, so thought I'd start here.

We've got an Apache facing the Internet with some Java app servers (both
jboss and tomcat), pretty standard thing. It's got the jk status worker
locked down to only the internal IP addresses as usual. That much seems to
work fine. The weirdness is that if you do a "blank" POST to the root
context in the Apache it returns the jk status page *regardless of where
you are*.

So for instance, let's say my external site is http://baseco.com. If I've
got the status worker mounted as /status, then http://baseco.com/status is
correctly *not* reachable from the outside (403 denied) and correctly *is*
reachable from the inside.

However if I do a POST of blank lines:

POST / HTTP/1.0
Host:baseco.com


(there are two carriage returns here)

It acts as though you made a call to http://baseco.com/status (in the
contents, not the URL).

Not sure what all parts of the config to include, but this is the general
outline

------------------------------
DirectoryIndex index.html index.html.var

<Directory />
Options FollowSymLinks
AllowOverride None
<Limit GET POST HEAD>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST HEAD>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>

JkMount /status mystatus
<Location /status>
JkMount mystatus
Order allow,deny
Allow from all
Deny from xx.yy.zz aa.bb.cc (subnets for external-facing firewalls)
</Location>
<VirtualHost externalip:external port>

</VirtualHost>
--------------------------------------

Then the really strange (to me) follow-up is that it seems to be related to
not having anything for an index page in the DocumentRoot directory (even
though we're blocking access to /). As soon as you put an index.html file
out there in the DocumentRoot (even with just a blank line in it) the
problem goes away.

I'm trying to figure out how a request for / can "become" a call to
/status. Any ideas? I'm guessing it's something subtle about the config
and not an actual bug.


rainer.jung at kippdata

Aug 8, 2013, 3:12 PM

Post #2 of 3
Re: Strange Problem with POST + mod_jk

On 08.08.2013 17:32, Nick Tkach wrote:
> Not quite sure if this needs to wind up in this group or the tomcat list
> since it kind of involves both. I'm fairly sure it involves an Apache
> misconfig, so thought I'd start here.
>
> We've got an Apache facing the Internet with some Java app servers (both
> jboss and tomcat), pretty standard thing. It's got the jk status worker
> locked down to only the internal IP addresses as usual. That much seems
> to work fine. The weirdness is that if you do a "blank" POST to the
> root context in the Apache it returns the jk status page *regardless of
> where you are*.
>
> So for instance, let's say my external site is http://baseco.com. If
> I've got the status worker mounted as /status, then
> http://baseco.com/status is correctly *not* reachable from the outside
> (403 denied) and correctly *is* reachable from the inside.
>
> However if I do a POST of blank lines:
>
> POST / HTTP/1.0
> Host:baseco.com
>
>
> (there are two carriage returns here)
>
> It acts as though you made a call to http://baseco.com/status (in the
> contents-not the url).
>
> Not sure what all parts of the config to include, but this is the
> general outline
>
> ------------------------------
> DirectoryIndex index.html index.html.var
>
> <Directory />
> Options FollowSymLinks
> AllowOverride None
> <Limit GET POST HEAD>
> Order allow,deny
> Allow from all
> </Limit>
> <LimitExcept GET POST HEAD>
> Order deny,allow
> Deny from all
> </LimitExcept>
> </Directory>
>
> JkMount /status mystatus
> <Location /status>
> JkMount mystatus
> Order allow,deny
> Allow from all
> Deny from xx.yy.zz aa.bb.cc (subnets for external-facing firewalls)
> </Location>
> <VirtualHost externalip:external port>
>
> </VirtualHost>
> --------------------------------------
>
> Then the really strange (to me) follow-up is that it seems to be related
> to not having anything for an index page in the DocumentRoot directory
> (even though we're blocking access to /). As soon as you put an
> index.html file out there in the DocumentRoot (even with just a blank
> line in it) the problem goes away.
>
> I'm trying to figure out how a request for / can "become" a call to
> /status. Any ideas? I'm guessing it's something subtle about the
> config and not an actual bug.


The shown config obviously is not complete. You should also tell us
about the versions of Apache and mod_jk used.

I would clean up by removing "JkMount mystatus" from inside the
Location. The JkMount above the Location is sufficient.

The problem does not happen if you request "GET /"?

Then I would switch JkLogLevel to "debug" on an idle system, reproduce
the problem and post the log here. Clean the log from any info that you
don't want to expose publicly.

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


ntkach at gmail

Aug 8, 2013, 5:11 PM

Post #3 of 3
Re: Strange Problem with POST + mod_jk

On Thu, Aug 8, 2013 at 5:12 PM, Rainer Jung <rainer.jung [at] kippdata> wrote:

> On 08.08.2013 17:32, Nick Tkach wrote:
> > Not quite sure if this needs to wind up in this group or the tomcat list
> > since it kind of involves both. I'm fairly sure it involves an Apache
> > misconfig, so thought I'd start here.
> >
> > We've got an Apache facing the Internet with some Java app servers (both
> > jboss and tomcat), pretty standard thing. It's got the jk status worker
> > locked down to only the internal IP addresses as usual. That much seems
> > to work fine. The weirdness is that if you do a "blank" POST to the
> > root context in the Apache it returns the jk status page *regardless of
> > where you are*.
> >
> > So for instance, let's say my external site is http://baseco.com. If
> > I've got the status worker mounted as /status, then
> > http://baseco.com/status is correctly *not* reachable from the outside
> > (403 denied) and correctly *is* reachable from the inside.
> >
> > However if I do a POST of blank lines:
> >
> > POST / HTTP/1.0
> > Host:baseco.com
> >
> >
> > (there are two carriage returns here)
> >
> > It acts as though you made a call to http://baseco.com/status (in the
> > contents-not the url).
> >
> > Not sure what all parts of the config to include, but this is the
> > general outline
> >
> > ------------------------------
> > DirectoryIndex index.html index.html.var
> >
> > <Directory />
> > Options FollowSymLinks
> > AllowOverride None
> > <Limit GET POST HEAD>
> > Order allow,deny
> > Allow from all
> > </Limit>
> > <LimitExcept GET POST HEAD>
> > Order deny,allow
> > Deny from all
> > </LimitExcept>
> > </Directory>
> >
> > JkMount /status mystatus
> > <Location /status>
> > JkMount mystatus
> > Order allow,deny
> > Allow from all
> > Deny from xx.yy.zz aa.bb.cc (subnets for external-facing firewalls)
> > </Location>
> > <VirtualHost externalip:external port>
> >
> > </VirtualHost>
> > --------------------------------------
> >
> > Then the really strange (to me) follow-up is that it seems to be related
> > to not having anything for an index page in the DocumentRoot directory
> > (even though we're blocking access to /). As soon as you put an
> > index.html file out there in the DocumentRoot (even with just a blank
> > line in it) the problem goes away.
> >
> > I'm trying to figure out how a request for / can "become" a call to
> > /status. Any ideas? I'm guessing it's something subtle about the
> > config and not an actual bug.
>
>
> The shown config obviously is not complete. You should also tell us
> about the versions of Apache and mod_jk used.
>
> I would clean up by removing "JkMount mystatus" from inside the
> Location. The JkMount above the Location is sufficient.
>
> The problem does not happen if you request "GET /"?
>
> Then I would switch JkLogLevel to "debug" on an idle system, reproduce
> the problem and post the log here. Clean the log from any info that you
> don't want to expose publicly.
>
> Regards,
>
> Rainer
>
>
You are absolutely right. I'm embarrassed I didn't think to include
versions! :) I will do that as soon as I get back to work.

Yes, oddly enough it does *not* happen on a GET, PUT, DELETE, OPTIONS, or
HEAD.
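
Added example (not part of any post in this thread, and not code from Apache or mod_jk): a small Python check an administrator can run against their own server from a client that should be denied, repeating the thread's method-by-method test and flagging any method on / whose response contains text from the protected status page. The marker string, the sample responses and all function names are assumptions constructed for illustration.

```python
import socket

METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"]

def build_request(method, host, path="/"):
    # Header-only HTTP/1.0 request, same shape as the one quoted in the thread.
    return f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")

def fetch(host, port, method, path="/", timeout=5.0):
    # Send one request to your own server and return the raw response bytes.
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(method, host, path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def parse_response(raw):
    # Split a raw response into (status_code, body).
    head, _, body = raw.partition(b"\r\n\r\n")
    fields = head.split(b"\r\n", 1)[0].split()
    if len(fields) < 2 or not fields[1].isdigit():
        raise ValueError("malformed status line")
    return int(fields[1]), body

def leaking_methods(responses, marker):
    # Methods whose response to "/" from a denied client contains the marker
    # text of the protected page, whatever status code came with it.
    return sorted(m for m, raw in responses.items()
                  if marker in parse_response(raw)[1])

# Constructed sample responses (not captured from any real server).
# MARKER stands in for a string copied from your own status page.
MARKER = b"EXAMPLE-STATUS-MARKER"
DENIED = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<h1>Forbidden</h1>"
SAMPLE = {m: DENIED for m in METHODS}
SAMPLE["HEAD"] = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
SAMPLE["POST"] = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
                  + MARKER + b"</html>")

if __name__ == "__main__":
    print(leaking_methods(SAMPLE, MARKER))
```

For a live check, build the `responses` dictionary with `fetch()` for each entry in `METHODS` and keep the script as a regression test after any change to the JkMount or access-control directives.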
