tomcat-users mailing list archives

From André Warnier (tomcat) ...@ice-sa.com>
Subject Re: Spurious "Internal Server Errors" accessing "jkmanager" after upgrading Apache, "mod_jk" and OpenSSL
Date Thu, 29 Dec 2016 11:36:22 GMT
On 29.12.2016 10:46, Martin Knoblauch wrote:
> Hi,
>
>   "mod_jk" is now clearly off the hook. Upping the httpd log level from
> "warn" to "info" (I was assuming an event leading to a 500 response would
> be at least "warn" :-( reveals:
>
> [Thu Dec 29 10:37:37.300421 2016] [authnz_ldap:info] [pid 20325:tid
> 139641195009792] [client xxx.xxx.xxx.xxx:49959] AH01695: auth_ldap
> authenticate: user yyyyyyy authentication failed; URI /jkmanager
> [ldap_search_ext_s() for user failed][Administrative limit exceeded]
>
> @Christopher: thanks for the LDAP hint !!!
>

Perhaps also, if you did not already know this: httpd 2.4 allows for setting the LogLevel on a per-module basis, see here:
https://httpd.apache.org/docs/2.4/logs.html -> Per-module logging


> Cheers
> Martin
>
>
>
> On Thu, Dec 29, 2016 at 10:02 AM, André Warnier (tomcat) <aw@ice-sa.com>
> wrote:
>
>> On 29.12.2016 09:47, Martin Knoblauch wrote:
>>
>>> Hi Christopher,
>>>
>>>    that is an interesting pointer. We are of course securing the
>>> "jkmanager"
>>> app. And guess what we are using: LDAP. The funky thing is that it is
>>> working most of the time. It fails just after some time. Refreshing the
>>> URL
>>> cures it again - for some time. What did you do to fix your problem?
>>>
>>>    As I mentioned elsewhere, setting "JkLogLevel debug" just filled the log
>>> without anything suspicious showing up. I can see "jkmanager" fire/work
>>> every 10 seconds (autorefresh), returning a 200 status. And then it
>>> nothing
>>> until I refresh the URL. So it seems the problem is elsewhere, before
>>> "mod_jk" comes into play.
>>>
>>
>> So setting JkLogLevel higher was far from useless : at least it tells you
>> where the problem isn't.
>>
>> "How often have I said to you that when you have eliminated the
>> impossible, whatever remains, however improbable, must be the truth?"
>>
>> Sherlock Holmes - The Sign of the Four
>>
>>
>>
>>
>>>    I will now try to investigate towards "mod_ldap" and maybe towards the
>>> OpenSSL stuff (we use LDAP over SSL). Fortunately rolling back versions is
>>> simple.
>>>
>>> As for being current, as far as I know we are up2date:
>>>
>>> ==> Server Version: Apache/2.4.23 (Unix) OpenSSL/1.0.2j mod_jk/1.2.42
>>>
>>> Thanks
>>> Martin
>>>
>>>
>>> On Wed, Dec 28, 2016 at 9:43 PM, Christopher Schultz <
>>> chris@christopherschultz.net> wrote:
>>>
>>>>
>>>> Martin,
>>>>
>>>> On 12/28/16 10:38 AM, Martin Knoblauch wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> today we updated our Devel/Integration environments from
>>>>>
>>>>> HTTPD 2.4.18/mod_jk 1.2.41/OpenSSL-1.0.2h
>>>>>
>>>>> to
>>>>>
>>>>> HTTPD 2.4.23/mod_jk 1.2.42/OpenSSL-1.0.2j
>>>>>
>>>>>
>>>>> Since then we observe on both systems spurious "500" messages when
>>>>> accessing the "jkmanager" page. Unfortunately there isn't much info
>>>>> besides that. Only "access_log" shows
>>>>>
>>>>> access_log:xxx.xxx.xxx.xxx - xxxxxxxx [28/Dec/2016:16:29:18 +0100]
>>>>> "GET /jkmanager HTTP/1.1" 500 536
>>>>>
>>>>> Any ideas how to get more insight
>>>>>
>>>>
>>>> I had a problem a while back where I would get 500 responses and
>>>> *nothing* else back. It took a lot of tinkering-around to figure out
>>>> the problem: my LDAP server wasn't acceptable for some reason and
>>>> mod_auth_ldap was choking.
>>>>
>>>> I spent all my time trying to figure out what was wrong with mod_jk
>>>> and it was the authentication layer way before mod_jk was being consulted.
>>>>
>>>> If you require authorization for jkmanager (and you should!) make sure
>>>> that's working as expected before banging your head against mod_jk.
>>>>
>>>> Also, make sure you are using the latest mod_jk that you can: the
>>>> distribution is separate from httpd.
>>>>
>>>> - -chris
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>
>




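Added example (not part of the original messages and not httpd's own code): with a per-module setting such as `LogLevel warn authnz_ldap:info`, the AH01695 line quoted in this thread reaches the error log, and the Python below parses such lines to separate wrong-password failures from directory-side errors like "Administrative limit exceeded". The first sample line is the one from the thread, unwrapped; the other sample lines, the address 192.0.2.10, the user names, and the "credentials" versus "directory" split are assumptions of this example.

```python
import re
from collections import Counter

# Layout of the AH01695 error-log line quoted in the thread (one physical line).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[authnz_ldap:(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] \[client (?P<client>[^\]]+)\] "
    r"AH01695: auth_ldap authenticate: user (?P<user>\S+) authentication failed; "
    r"URI (?P<uri>\S+) \[(?P<step>[^\]]*)\]\[(?P<reason>[^\]]*)\]"
)

# Assumption of this example: only this LDAP result text means a bad password.
CREDENTIAL_REASONS = {"Invalid credentials"}

def parse_line(line):
    """Return a dict of fields for an AH01695 line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Anything that is not a credential problem points at the directory or its limits.
    rec["kind"] = "credentials" if rec["reason"] in CREDENTIAL_REASONS else "directory"
    return rec

def summarize(lines):
    """Count failures per (URI, kind, LDAP reason) so backend errors stand out."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["uri"], rec["kind"], rec["reason"])] += 1
    return counts

SAMPLE_LOG = [
    # From the thread, joined back into a single line.
    "[Thu Dec 29 10:37:37.300421 2016] [authnz_ldap:info] [pid 20325:tid 139641195009792] "
    "[client xxx.xxx.xxx.xxx:49959] AH01695: auth_ldap authenticate: user yyyyyyy "
    "authentication failed; URI /jkmanager "
    "[ldap_search_ext_s() for user failed][Administrative limit exceeded]",
    # Constructed sample lines below.
    "[Thu Dec 29 10:38:01.000001 2016] [authnz_ldap:info] [pid 20325:tid 139641195009793] "
    "[client 192.0.2.10:50001] AH01695: auth_ldap authenticate: user alice "
    "authentication failed; URI /jkmanager "
    "[ldap_simple_bind() to check user credentials failed][Invalid credentials]",
    "[Thu Dec 29 10:38:02.000001 2016] [core:info] [pid 20325:tid 139641195009793] "
    "[client 192.0.2.10:50002] unrelated constructed line",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
```
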