Connecting Lucee to Apache

I followed, to the letter, the guide to connecting Apache to Lucee, but it isn’t working. For reference, here is the relevant part of the httpd.conf file, Apache 2.4:

LoadModule modcfml_module modules/mod_cfml.so
CFMLHandlers ".cfm .cfc .cfml"
ModCFML_SharedKey "c916e7b3c3799f809d72a7cdd0a4f0cbe422791916d0e931788a188bc1fd8a2c"

<Proxy *>
# When using Apache 2.2, use the following line (without the "# ")
# Allow from 127.0.0.1
# When using Apache 2.4, use this line (without the "# ")
# Require ip 127.0.0.1
</Proxy>
ProxyPreserveHost On
ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ ajp://127.0.0.1:8009/$1$2

And here is the relevant part of the Tomcat configuration file:

	<Valve className="mod_cfml.core"
		loggingEnabled="false"
		maxContexts="200"
		timeBetweenContexts="2000"
		scanClassPaths="false"
                responseCode="307"
		sharedKey="c916e7b3c3799f809d72a7cdd0a4f0cbe422791916d0e931788a188bc1fd8a2c"
		/>

Whenever I try to load a CFM file, I get Tomcat Error 403: “The server understood the request but refuses to authorize it.”

These are fresh installs of both Apache and Lucee. I don’t know what I am doing wrong - can you assist?

Scott, there can often be many different factors at issue, but let’s try what may be the simplest: in the server.xml file within Lucee, find the uncommented connector line for that port="8009". Does it have a secret attribute? If so, you’d want to configure apache to match that. You’d add secret=thatvalue (no quotes) to the end of the proxypassmatch (and reload apache). Does that work?

Or you could just add secretRequired="false" to that same connector line.

This AJP secret mechanism was implemented in tomcat a few years ago (as required by default). But since port 8009 is surely protected by your firewall, I’ve always thought it overkill that they (tomcat) require it (or that you must say it’s NOT).

BTW, it’s also entirely UNRELATED to the mod_cfml “shared key”, though similar in intended purpose.

Let us know how it goes. If it’s not this, it could be something else…or perhaps just a slight slip in assessing/correcting for the above.

What does the Tomcat log say?

Does your connector look like this?

@Zackster @carehart Thanks for the replies. Here is what I have right this moment for the uncommented AJP connector area:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector protocol="AJP/1.3"
	    port="8009"
	    secret="ad18918f88a441bf20b4eeece0e48f9f1e725c288420c1318fe3e9d12d7a98c8"
	    secretRequired="false"
               redirectPort="8443" />

I changed the ProxyPassMatch statement in httpd.conf to read this:


ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ ajp://127.0.0.1:8009/$1$2secret=ad18918f88a441bf20b4eeece0e48f9f1e725c288420c1318fe3e9d12d7a98c8

I get the same error. I am not finding anything unusual in the logs, but there are quite a few logs in the Tomcat folder and I’m not sure where I should be looking.

I also want to note that the result is the same whether secretRequired is set to True or False.

I’d suggest stop tomcat, stop apache, delete all the logs and restart and simply fire off one request, then see what you find in the various log files

Your ProxyPassMatch looks wrong, do you have a space before secret?

https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html

https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypassmatch

If I have a space before secret= in the ProxyPassMatch statement, the Apache service fails to start. I just did what you said and here is the text of whatever logs showed anything unusual:

Apache access.log

10.10.4.75 - - [13/Mar/2025:09:01:55 -0700] "GET /index.cfm HTTP/1.1" 500 -

In Tomcat Catalina log

13-Mar-2025 09:01:55.684 SEVERE [ajp-nio-127.0.0.1-8009-exec-1] org.apache.coyote.ajp.AjpProcessor.service Error processing request
	java.lang.NullPointerException: Cannot invoke "String.lastIndexOf(int)" because "relativePath" is null
		at org.apache.catalina.connector.Response.toAbsolute(Response.java:1436)
		at org.apache.catalina.connector.Response.encodeRedirectURL(Response.java:1009)
		at mod_cfml.core.doRedirect(core.java:551)
		at mod_cfml.core.invoke(core.java:536)
		at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:663)
		at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
		at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
		at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:431)
		at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
		at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:905)
		at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)
		at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
		at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
		at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
		at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
		at java.base/java.lang.Thread.run(Unknown Source)

In Tomcat Localhost Access Log

10.10.4.75 - - [13/Mar/2025:09:01:55 -0700] "GET /index.cfm HTTP/1.1" 403 -
10.10.4.75 - - [13/Mar/2025:09:01:55 -0700] "GET /index.cfm HTTP/1.1" 500 -

In Tomcat Lucee stderr log

13-Mar-2025 09:01:55.646 WARNING [ajp-nio-127.0.0.1-8009-exec-1] org.apache.catalina.startup.HostConfig.deployDescriptor A docBase [C:\Lucee\tomcat\webapps\ROOT] inside the host appBase has been specified, and will be ignored
13-Mar-2025 09:01:55.684 INFO [ajp-nio-127.0.0.1-8009-exec-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of deployment descriptor [C:\Lucee\tomcat\conf\Catalina\css-utilities-centralusd-k12-ca-us-server-confl0\ROOT.xml] has finished in [38] ms
13-Mar-2025 09:01:55.684 SEVERE [ajp-nio-127.0.0.1-8009-exec-1] org.apache.coyote.ajp.AjpProcessor.service Error processing request
	java.lang.NullPointerException: Cannot invoke "String.lastIndexOf(int)" because "relativePath" is null
		at org.apache.catalina.connector.Response.toAbsolute(Response.java:1436)
		at org.apache.catalina.connector.Response.encodeRedirectURL(Response.java:1009)
		at mod_cfml.core.doRedirect(core.java:551)
		at mod_cfml.core.invoke(core.java:536)
		at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:663)
		at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
		at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
		at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:431)
		at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
		at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:905)
		at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)
		at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
		at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
		at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
		at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
		at java.base/java.lang.Thread.run(Unknown Source)

I hope this helps.

Just been trying this out locally in windows sandbox

Firstly I needed to create a mod_cfml.so for VC17 Apache 24 x64

Apache

I dropped that into my apache24/modules directory

I added this to my httpd.conf

<Proxy *>
	Require ip 127.0.0.1
	Require ip ::1
</Proxy>
ProxyPreserveHost On
ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ ajp://localhost:8009/$1$2 secret=95e69bd646a3b6893a34b6896edb350a745eadd8a5191c52e74b65aaf

LoadModule modcfml_module modules/mod_cfml.so
CFMLHandlers ".cfm .cfc .cfml"
ModCFML_SharedKey "8b2711cd368a68ce5bf738313983924a58a38464a975a2ccc55a360ca2c4fecc"
# Optional, all for logging and debugging:
# LogHeaders true
# LogHandlers true
# LogAliases true
# VDirHeader false

The Require ip ::1 is new, was in the directions (mod_cfml - Installation - Apache on Windows) which are alas a bit dated now

PS: as you mentioned you followed directions, it’s always good to cite the url :wink:

Tomcat

in my tomcat/conf/server.xml file, turns out the installer generated ajp secret was too long, so I had to trim it to shorter than 64 characters

<!-- this is the secret for AJP / ProxyPassMatch -->
<Connector protocol="AJP/1.3"
	    port="8009"
	    secret="95e69bd646a3b6893a34b6896edb350a745eadd8a5191c52e74b65aaf"
	    secretRequired="true"
            redirectPort="8443" />

<!-- this is the secret for ModCFML_SharedKey -->
<Valve className="mod_cfml.core"
		loggingEnabled="false"
		maxContexts="200"
		timeBetweenContexts="2000"
		scanClassPaths="false"
                responseCode="307"
		sharedKey="8b2711cd368a68ce5bf738313983924a58a38464a975a2ccc55a360ca2c4fecc"
		/> 

Accessing localhost has the old redirect problem, but zac.localhost worked fine
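
A cross-check of the two files for the points raised so far in this thread, as an added example that is not part of any post here and not Lucee or mod_cfml code: it verifies that `secret=` is a separate ProxyPassMatch parameter, that it equals the AJP `<Connector>` secret, that the secret respects the length limit reported in the post above, and that `ModCFML_SharedKey` equals the Valve `sharedKey`. The function name `audit`, the 63-character constant and all sample keys are assumptions made for this sketch.

```python
import re
import xml.etree.ElementTree as ET

MAX_SECRET_LEN = 63  # assumption from the post: secret must be "shorter than 64 characters"

def audit(httpd_conf, server_xml):
    """Return a list of findings; an empty list means both files agree."""
    root = ET.fromstring(server_xml)
    ajp = next((c for c in root.iter("Connector")
                if c.get("protocol", "").startswith("AJP")), None)
    valve = next((v for v in root.iter("Valve")
                  if v.get("className") == "mod_cfml.core"), None)
    # ProxyPassMatch <regex> <url> [key=value ...]; parameters are separate tokens
    m = re.search(r"^[ \t]*ProxyPassMatch[ \t]+(\S+)[ \t]+(\S+)(.*)$", httpd_conf, re.M)
    if not m or ajp is None:
        return ["ProxyPassMatch directive or AJP <Connector> not found"]
    findings = []
    url = m.group(2)
    params = dict(p.split("=", 1) for p in m.group(3).split() if "=" in p)
    if "secret=" in url:
        findings.append("secret= is glued to the backend URL instead of being a parameter")
    if params.get("secret") != ajp.get("secret"):
        findings.append("AJP secret differs between ProxyPassMatch and <Connector>")
    for side, value in (("Apache", params.get("secret")), ("Tomcat", ajp.get("secret"))):
        if value and len(value) > MAX_SECRET_LEN:
            findings.append(f"{side} AJP secret is {len(value)} chars, limit {MAX_SECRET_LEN}")
    # The mod_cfml shared key is a separate mechanism from the AJP secret
    k = re.search(r'^[ \t]*ModCFML_SharedKey[ \t]+"?([^"\s]+)', httpd_conf, re.M)
    if (k.group(1) if k else None) != (valve.get("sharedKey") if valve is not None else None):
        findings.append("ModCFML_SharedKey differs from the Valve sharedKey")
    return findings

# Constructed sample input; the keys are made up, not the ones posted in the thread
SECRET, KEY = "0123456789abcdef" * 2, "fedcba9876543210" * 4
SERVER_XML = f"""<Server><Service>
  <Connector protocol="AJP/1.3" port="8009" secret="{SECRET}" secretRequired="true"/>
  <Engine><Valve className="mod_cfml.core" sharedKey="{KEY}"/></Engine>
</Service></Server>"""
GOOD_HTTPD = rf"""
ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ ajp://localhost:8009/$1$2 secret={SECRET}
ModCFML_SharedKey "{KEY}"
"""
GLUED_HTTPD = GOOD_HTTPD.replace("$2 secret=", "$2secret=")

if __name__ == "__main__":
    for name, conf in (("good", GOOD_HTTPD), ("glued", GLUED_HTTPD)):
        print(name, audit(conf, SERVER_XML) or "OK")
```
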

@Zackster Well, I downloaded your new mod_cfml file, and I changed my two configuration files to match what you had - I even used the same secret keys in case something else weird would happen.

With everything identical, I get two different errors depending on whether I am accessing the URL from the server or from my main workstation.
On Server: (127.0.0.1/index.cfm) I get the same error, “The server understood the request but refuses to authorize it.”
On Workstation: (serverip/index.cfm) I just get a “Forbidden - You don’t have permission to access this resource.”

As a test, I added my workstation’s IP address as a third “Require ip” statement under the Proxy tag, and now I get the same message as I do on the server: “The server understood the request but refuses to authorize it.”

The error in the logs remains the same:

13-Mar-2025 11:50:53.068 SEVERE [ajp-nio-127.0.0.1-8009-exec-10] org.apache.coyote.ajp.AjpProcessor.service Error processing request
	java.lang.NullPointerException: Cannot invoke "String.lastIndexOf(int)" because "relativePath" is null
		at org.apache.catalina.connector.Response.toAbsolute(Response.java:1436)
		at org.apache.catalina.connector.Response.encodeRedirectURL(Response.java:1009)
		at mod_cfml.core.doRedirect(core.java:551)
		at mod_cfml.core.invoke(core.java:536)
		at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:663)
		at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
		at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
		at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:431)
		at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
		at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:905)
		at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)
		at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
		at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
		at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
		at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
		at java.base/java.lang.Thread.run(Unknown Source)

can you describe your stack, lucee version, tomcat, apache version, os? should have been my first question!

as the error is coming from valve, loggingEnabled="true" will provide more clues

<Valve className="mod_cfml.core"
		loggingEnabled="true"
		maxContexts="200"

if you are on tomcat 10+, you’ll need the jakarta version, i.e. v2 of mod_cfml-valve.jar

Just replace the one in tomcat/lib with the attached one on this ticket

https://luceeserver.atlassian.net/browse/LDEV-5182

Well, things are definitely better now. I don’t know what actually got it working, but when I changed loggingEnabled to True it started working, and when I changed it back to False it kept working.

The only issue now is there seems to be a significant delay. It takes about 1 to 1.5 seconds to load every single page after a click.

that’s the lovely ipv6 problem

add a second connector listening on address="::1", in addition to 127.0.0.1

or maybe try localhost instead?

@Zackster Adding the second connector with ::1 worked perfectly. Looks like everything is finally working. I won’t pretend to fully understand everything I did, but I’m glad I can finally use Apache with Lucee! I really, really appreciate all the help you gave. Thank you so much!

Glad we could sort all that out! Enjoy

if you haven’t already, please consider supporting my work on Lucee