[英]New CORS policy and AJP Connector issues after upgrading Apache/Tomcat to latest versions
Here's what we're running:这是我们正在运行的:
We've got Apache and Tomcat all running on the same Windows server.我们有 Apache 和 Tomcat 都在同一个 Windows 服务器上运行。 It's the frontend & backend.
这是前端和后端。 I'm trying to get all of our stuff upgraded to the latest versions for security.
为了安全起见,我正在尝试将我们所有的东西都升级到最新版本。 Of course, I've broken everything.
当然,我已经破坏了一切。
After reviewing the Tomcat/Java logs, I found that the two of our AJP connectors would not start.在查看 Tomcat/Java 日志后,我发现我们的两个 AJP 连接器无法启动。 I was required to add the following attributes to those connectors for them to fire up:
我被要求为这些连接器添加以下属性以使它们启动:
<Connector
...
...
address="0.0.0.0"
secretRequired="false"
/>
That seemed to resolve most of our issues;这似乎解决了我们的大部分问题; however, now I'm experiencing problems with CORS for one of my web apps.
但是,现在我的 web 应用程序之一遇到了 CORS 问题。 Our other developers report no issues.
我们的其他开发人员没有报告任何问题。
Access to XMLHttpRequest at 'https://SERVER/endpoint' from origin 'https://SERVER.DOMAIN.LOCAL' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Now that I'm typing this, I notice that the 1st indicator is just the server's name, and the 2nd indicator is the server's FQDN.现在我正在输入这个,我注意到第一个指示符只是服务器的名称,第二个指示符是服务器的 FQDN。 I wonder if that's the problem?
我想知道这是不是问题?
Why am I having all these issues after upgrading Tomcat/Apache?为什么我在升级 Tomcat/Apache 后会遇到所有这些问题?
If my AJP Connectors and Workers are all on the same box, do I need to set a secret?如果我的 AJP 连接器和工作器都在同一个盒子上,我需要设置一个秘密吗?
Why am I now having an issue with CORS when I did not before?为什么我现在对 CORS 有问题,而我以前没有? How do I setup the CORS Filter so that it knows that communication between Apache <--> Tomcat (from this server TO THIS server) is safe??!?
如何设置 CORS 过滤器,以便它知道 Apache <--> Tomcat(从该服务器到该服务器)之间的通信是安全的??
Is this setting below safe?下面这个设置安全吗? We've never had this setting enabled prior to the upgrade.
在升级之前,我们从未启用此设置。
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Now that I'm typing this, I notice that the 1st indicator is just the server's name, and the 2nd indicator is the server's FQDN.
现在我正在输入这个,我注意到第一个指示符只是服务器的名称,第二个指示符是服务器的 FQDN。 I wonder if that's the problem?
我想知道这是不是问题?
That was the problem.这就是问题所在。 The page was at
http://server.domain.local
, but my app was making an AJAX call to http://server
.该页面位于
http://server.domain.local
,但我的应用程序正在对http://server
进行 AJAX 调用。 Both should be the same, ie: BOTH as the FQDN server.domain.local
, or BOTH as just the hostname server
.两者应该相同,即:两者都作为 FQDN
server.domain.local
或两者都作为主机名server
。 There was not an issue with the Tomcat upgrade at all, and I was not required to create a CORS filter. Tomcat 升级完全没有问题,我不需要创建 CORS 过滤器。
Why am I having all these issues after upgrading Tomcat/Apache?
为什么我在升级 Tomcat/Apache 后会遇到所有这些问题?
In the last week, I have attempted to upgrade beyond 9.0.8
to versions 9.0.44
and 10.0.4
.在上周,我尝试将
9.0.8
升级到9.0.44
和10.0.4
版本。 In every attempt, I've discovered a 'breaking change'.在每一次尝试中,我都发现了一个“重大变化”。 I am growing weary.
我越来越厌倦了。
Best I can tell, the requiredSecret
started around version 9.0.31
:我能说的最好的,
requiredSecret
开始于版本9.0.31
:
A second 'breaking change' is related to the migration from 9.0.x
to 10.0.x
.第二个“重大变化”与从
9.0.x
到10.0.x
的迁移有关。 Here's what Tomcat says:这是 Tomcat 所说的:
If my AJP Connectors and Workers are all on the same box, do I need to set a secret?
如果我的 AJP 连接器和工作器都在同一个盒子上,我需要设置一个秘密吗?
My boss told me to set it, so I did.我的老板让我设置它,所以我做了。 I used the following set of instructions, which where fantastic: https://community.microstrategy.com/s/article/Setting-up-the-AJP-port-on-Tomcat-and-Apache-Servers?language=en_US
我使用了以下一组指令,其中非常棒: https://community.microstrategy.com/s/article/Setting-up-the-AJP-port-on-Tomcat-and-Apache-Servers?language=en_US
Why am I now having an issue with CORS when I did not before?
为什么我现在对 CORS 有问题,而我以前没有? How do I setup the CORS Filter so that it knows that communication between Apache <--> Tomcat (from this server TO THIS server) is safe??!?
如何设置 CORS 过滤器,以便它知道 Apache <--> Tomcat(从该服务器到该服务器)之间的通信是安全的??
Is this setting below safe?
下面这个设置安全吗? We've never had this setting enabled prior to the upgrade.
在升级之前,我们从未启用此设置。
A CORS filter was ultimately unnecessary; CORS 过滤器最终是不必要的; however, if you were to implement one, this article describes how to create a more secure CORS filter:
但是,如果您要实现一个,本文将介绍如何创建更安全的 CORS 过滤器:
https://newsroom.bedefended.com/implement-secure-cors-tomcathttps://newsroom.bedefended.com/implement-secure-cors-tomcat
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.