httpd-users mailing list archives

From Ryszard Lach <...@debian.org>
Subject [users@httpd] Permission to connect to AJP socket
Date Mon, 21 Aug 2006 05:55:43 GMT
Hi.

I have a problem with the configuration of mod_proxy_ajp, or, rather, I'm
pretty sure my config is good but there is a problem with kernel
permissions or even mod_proxy_jk?

Here are the details:

OS: Fedora Core 5
Apache: httpd-2.2.0-5.1.2 (Fedora 5 package)
Config:

# I don't know if it matters; leave it just in case
<Proxy *>
 Order Deny,Allow
 Allow from all
</Proxy>
 ProxyRequests Off
 ProxyPreserveHost On
 ProxyPass /manager/ ajp://localhost:8109/manager/

Problem: httpd cannot connect to 8109 port. Tomcat is listening on that
port (checked with 'telnet localhost 8109' running as 'apache' user).

error_log:

[debug] mod_proxy_ajp.c(44): proxy: AJP: canonicalising URL //localhost:8109/manager/html
[debug] proxy_util.c(1373): [client 192.168.1.14] proxy: ajp: found worker ajp://localhost:8109/manager/
for ajp:/ /localhost:8109/manager/html
[debug] mod_proxy.c(736): Running scheme ajp handler (attempt 0)
[debug] mod_proxy_ajp.c(474): proxy: AJP: serving URL ajp://localhost:8109/manager/html
[debug] proxy_util.c(1754): proxy: AJP: has acquired connection for (localhost)
[debug] proxy_util.c(1811): proxy: connecting ajp://localhost:8109/manager/html to localhost:8109
[debug] proxy_util.c(1911): proxy: connected /manager/html to localhost:8109
[debug] proxy_util.c(2005): proxy: AJP: fam 2 socket created to connect to localhost
[error] (13)Permission denied: proxy: AJP: attempt to connect to 127.0.0.1:8109 (localhost)
failed
[error] ap_proxy_connect_backend disabling worker for (localhost)
[error] proxy: AJP: failed to make connection to backend: localhost
[debug] proxy_util.c(1769): proxy: AJP: has released connection for (localhost)

And strace of httpd's process:

32429 socket(PF_NETLINK, SOCK_RAW, 0)   = 17
32429 bind(17, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
32429 getsockname(17, {sa_family=AF_NETLINK, pid=32429, groups=00000000}, [12]) = 0
32429 time(NULL)                        = 1155920517
32429 sendto(17, "\24\0\0\0\26\0\1\3\205\362\345D\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK,
pid=0, groups=00000000}, 12) = 20 32429 recvmsg(17, {msg_name(12)={sa_family=AF_NETLINK, pid=0,
groups=00000000}, msg_iov(1)=[{"<\0\0\0\24\0\2\0\205\362\345D\255~\0\0\2\10\200 \376\1\0"...,
4096}], msg_controllen=0, msg_flags=0}, 0) = 128
32429 recvmsg(17, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"@\0\0\0\24\0\2\0\205\362\345D\255~\0\0\n\200\20
0\376\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 128
32429 recvmsg(17, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\205\362\345D\255~\0\0\0\0\0\0
\1\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
32429 close(17)                         = 0
32429 gettimeofday({1155920517, 693251}, NULL) = 0
32429 write(10, "[Fri Aug 18 19:01:57 2006] [debu"..., 147) = 147
32429 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 17
32429 fcntl64(17, F_GETFL)              = 0x2 (flags O_RDWR)
32429 fcntl64(17, F_SETFL, O_RDWR|O_NONBLOCK) = 0
32429 gettimeofday({1155920517, 693522}, NULL) = 0
32429 write(10, "[Fri Aug 18 19:01:57 2006] [debu"..., 112) = 112
32429 connect(17, {sa_family=AF_INET, sin_port=htons(8109), sin_addr=inet_addr("127.0.0.1")},
16) = -1 EACCES (Permission denied)
32429 close(17)                         = 0

As far as I can see it is not a problem of apache configuration - if it
were, the httpd process would not try to connect to 127.0.0.1:8109. I
suppose it is a problem with the SOCK_RAW option during creation of the socket
which could be prohibited for non-root users by the kernel, but since
apache is by default configured NOT to run as root - it would mean
there is a serious bug in mod_proxy (honestly - I doubt it).

What's going on, then?

T.I.A.

Richard.

-- 
"First they ignore you. Then they laugh at you. Then they
fight you. Then you win." - Mohandas Gandhi.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
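
Added example, not part of the original message: a small Python helper that follows file-descriptor reuse in strace output and reports which `socket()` call a failed `connect()` actually belongs to. The sample input is condensed from the trace above; the function names are illustrative.

```python
import re

# Condensed from the strace output in the message above (the wrapped line is kept wrapped).
SAMPLE = '''\
32429 socket(PF_NETLINK, SOCK_RAW, 0)   = 17
32429 close(17)                         = 0
32429 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 17
32429 connect(17, {sa_family=AF_INET, sin_port=htons(8109), sin_addr=inet_addr("127.0.0.1")},
16) = -1 EACCES (Permission denied)
32429 close(17)                         = 0
'''

CALL = re.compile(r'^(\d+) (\w+)\((.*)\)\s+= (-?\d+)(?: (\w+))?')
ADDR = re.compile(r'htons\((\d+)\).*inet_addr\("([^"]+)"\)')

def join_wrapped(text):
    """Re-attach continuation lines (those not starting with 'PID syscall(')."""
    out = []
    for line in text.splitlines():
        if re.match(r'^\d+ \w+\(', line) or not out:
            out.append(line)
        else:
            out[-1] += ' ' + line.strip()
    return out

def failed_connects(text):
    """Track which socket() call owns each (pid, fd) and report failed connect()s."""
    sockets, failures = {}, []
    for line in join_wrapped(text):
        m = CALL.match(line)
        if not m:
            continue
        pid, call, args, ret, errno = m.groups()
        if call == 'socket' and int(ret) >= 0:
            domain, stype = [a.strip() for a in args.split(',')[:2]]
            sockets[(pid, ret)] = (domain, stype)   # fd now refers to this socket
        elif call == 'close':
            sockets.pop((pid, args.strip()), None)  # fd number is free for reuse
        elif call == 'connect' and int(ret) < 0:
            fd = args.split(',')[0].strip()
            addr = ADDR.search(args)
            failures.append({'pid': pid, 'fd': fd, 'errno': errno,
                             'socket': sockets.get((pid, fd)),
                             'dest': (addr.group(2), int(addr.group(1))) if addr else None})
    return failures

if __name__ == '__main__':
    for failure in failed_connects(SAMPLE):
        print(failure)
```

On this trace the failing descriptor 17 is the `PF_INET`/`SOCK_STREAM` socket opened after the netlink socket with the same number was closed. The connect(2) man page lists a local firewall rule or an SELinux policy denial as causes of `EACCES`, so the firewall rules and the audit log are the places to check next.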

