HTTP Status 403 – Forbidden - The server understood the request but refuses to authorize it

I am trying to use Apache as a proxy server to send requests to Lucee-Tomcat, but I am getting the error


HTTP Status 403 – Forbidden - The server understood the request but refuses to authorize it.
I have the proxy server configured, and when I make an HTTP request it works perfectly

ProxyPass / http://localhost:8888/
ProxyPassReverse / http://localhost:8888/

but as soon as I change the request to be AJP it does not work and gives me a 403 error.

Tomcat server.xml file

<Connector protocol="AJP/1.3"
           port="8009"
           secret="mySecret"
           secretRequired="true"
           redirectPort="8443" />

httpd.conf file in Apache

<VirtualHost *:80>

ServerName localhost
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
 Require all granted
</Proxy>

ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/

</VirtualHost>

access.log of Apache
"GET / HTTP/1.1" 403 618

OS: 10
Java Version: 19
Tomcat Version: 9.0.85
Lucee Version: 5.4.4.38
Apache Web Server: 2.4.58

There can be many possible causes for such a 403, but to start the ball rolling with a first guess, what if you add this to the AJP connector line in server.xml:

allowedRequestAttributesPattern=".*"

Note that it is case-sensitive.

If this doesn’t work, another option is to add these:

secretRequired="false"
address="::1"

Let us know if any works. And if not, share with us any related log lines from when you test things, especially from any mod_jk log. There are many ways one can have configured their connectors between Apache and Lucee/Tomcat, which is why my wording is vague on what specific log and folder to seek.

But let’s see if any of the above does the trick.

As you have defined an AJP secret in the server.xml, you have to pass that secret in the Apache AJP connection.

ProxyPass / ajp://localhost:8009/ secret=mySecret maybe should work.

See mod_proxy_ajp - Apache HTTP Server Version 2.4


Your issue is very likely related to the AJP secret, just as @David_Raschper noted. Please note that the Apache2 server supports a secret for AJP from 2.4.42 and later.

The following docs describe how to set up a secret with AJP, from Step 17. It's documentation for Windows and XAMPP, but you can take a peek at the Apache configs, because they should be very alike and valid for your Apache also.

When I try to put the secret from the AJP connector, as mentioned by @David_Raschper, it gives me this error in Event Viewer


and does not let me start the Apache service, giving the error

Windows could not start the Apache2.4 on Local Computer. For more information, review System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code 1.

I tried both options but it did not work. I am not sure which logs to access, but the Lucee-Tomcat access logs only show the 403 error


I can tell that you’re replying to me, but to be clear I offered 3 things. So which “both” did you do?

Thank you @carehart. I tried

Option 1

allowedRequestAttributesPattern=".*"

Option 2

secretRequired="false"
address="::1"

Please let me know the third option that I missed.

No third option, then. But as I said in my first reply, there are still more possibilities to consider.

First, those were indeed the “3” I meant. You simply regarded them as two options. OK. And we will trust that you did enter those 3 (all at once) on the right (ajp) connector line, and restarted Tomcat, and yet still got the 403. In that case, let’s move on to other possibilities.

Second, I wonder if this might be related to a similar problem presented a couple of years ago, here, where someone had similar 403s that were not being resolved by the above, and though it was a surprise to some, they found they had a ModCFML_SharedKey in their Apache conf, and they commented it out (and restarted Apache), and that stopped the problem.

I pressed at the end with some follow-up, but there was never a response. Let us know if you can at least confirm you don't have one, and not just in your httpd.conf (or whatever is your main Apache conf), but consider also that it may be being included either explicitly (by named file) or implicitly (all in a named include folder).

Third, if you remain stuck, you may want to at least consider the info in the docs page on setting up Lucee and Apache, particularly its section, “Manually Connecting with mod_proxy_ajp”. While you may not care to use EXACTLY the apache conf lines offered, you could at least see if what’s offered works, and then winnow it down to what you do not want but find you may still need.

Looking forward to the conclusion here.

Thank you for the detailed approach to solving the problem. Previously, I tried the options one by one, but now I tried all three at one time. It does work.

Also, I tried looking for ModCFML_SharedKey in the Apache conf but there is not any. There is one in the server.xml file for Lucee-Tomcat, but I am not sure if that was conflicting with the secret key for AJP in Lucee-Tomcat.

I am still trying to see if I can make it work with secret="true" for better security, and looking into the documentation link provided as the last option in the approach.

It seems that the AJP secret is the issue, as noted by @andreas and @David_Raschper. I am wondering if we can change the secret in AJP to a set of 64 randomly generated characters?

Simran, first, glad that it's now clear some two (or more) of those is the solution. Sorry, when I said in my first reply to try one and then the others, I did mean to imply (but did not say) to try all 3 at once. It would be helpful to find out if any 2 worked. I realize that would require trying 6 combinations (3 factorial).

Before dealing with your question about the secret, let's see if it may just be the address and allowedRequestAttributesPattern options that you needed. If you try just those, does it work?

If not, as for the secret, yes, it can be any value you want (simple or complex). It's simply a passphrase to be set on each side of the communications: Tomcat and Apache (or IIS). I proposed setting it to secretRequired="no" just to see if the lack of one on your Apache side might help get things working. If you want to set one on the ProxyPass line (as was later proposed by David), then set secretRequired to "yes" and let us know how it goes.

Then if you wanted, you could try taking out either of the others. I will say that since your Tomcat access log showed the 403 (as you reported today), my bet is that it's NOT about the address line (but keeping it could help with speed, as has been discussed in other threads here, setting it to whatever localhost resolves to on your server). In that case, my bet is it was indeed the allowedRequestAttributesPattern arg, which has bitten many people since the Tomcat "Ghostcat bug" started this whole mess a couple of years ago.

Let us know what you end up with, but again, glad you're at least working again.

You can change the secret in the server.xml. Just make sure the secret is the same in the server.xml and the Apache vhost.

I'm not sure why you get the Apache secret length error, since I'm not using Windows...
As carehart said, maybe first try without a secret, to make sure that the AJP connection generally works.

I tried all possible combinations, @carehart @David_Raschper, and realized that it works even if I just set secretRequired="false" and don't add allowedRequestAttributesPattern and address.

It seems the AJP connection works fine without a secret. The problem arises when I set secretRequired="true".

Update: I was able to make it work with secretRequired="true". Previously, when configured as

ProxyPass / ajp://localhost:8009/ secret=mySecret

it gave me an error that the ProxyPass secret length should be < 64 characters. So I reduced the length (newSecret) in this line.
I also configured lucee/AJP/installer.settings and lucee/tomcat/server.xml and changed the secret to newSecret.

Huge thanks to all who contributed! Couldn’t have done it without you.

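The mismatches this thread worked through (Tomcat requiring an AJP secret that the ProxyPass line never sends, the two sides disagreeing on the value, and Apache refusing a secret of 64 or more characters) can be caught before restarting anything by comparing the two config files. The following is an added example, not code from the thread or from Lucee; the server.xml and httpd.conf excerpts are constructed to mirror the original post, and the 64-character limit is taken from the last reply above.

```python
import re
from xml.etree import ElementTree as ET

# Constructed excerpts modelled on the thread (not the poster's real files).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" port="8009" secret="mySecret"
             secretRequired="true" redirectPort="8443"/>
</Service></Server>"""

HTTPD_CONF = """<VirtualHost *:80>
ServerName localhost
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>"""

MAX_SECRET = 64  # Apache rejects a ProxyPass secret of 64+ chars (per the thread)

def ajp_connector(server_xml):
    """Return the attributes of the first AJP/1.3 Connector, or None."""
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("protocol", "").upper().startswith("AJP"):
            return dict(c.attrib)
    return None

def proxypass_ajp(httpd_conf):
    """Return [(backend_url, {option: value})] for each ProxyPass to ajp://."""
    out = []
    for line in httpd_conf.splitlines():
        m = re.match(r"\s*ProxyPass\s+\S+\s+(ajp://\S+)(.*)", line)
        if m:
            opts = dict(re.findall(r"(\w+)=(\S+)", m.group(2)))
            out.append((m.group(1), opts))
    return out

def audit(server_xml, httpd_conf):
    """Return findings explaining why AJP proxying would 403 or fail to start."""
    findings = []
    conn = ajp_connector(server_xml)
    if conn is None:
        return ["no AJP connector found in server.xml"]
    required = conn.get("secretRequired", "true").lower() == "true"
    tc_secret = conn.get("secret")
    if required and not tc_secret:
        findings.append("secretRequired=true but no secret set: Tomcat will not start the connector")
    for url, opts in proxypass_ajp(httpd_conf):
        ap_secret = opts.get("secret")
        if required and ap_secret is None:
            findings.append(f"{url}: Tomcat requires a secret but ProxyPass sends none -> 403")
        elif ap_secret is not None and tc_secret and ap_secret != tc_secret:
            findings.append(f"{url}: ProxyPass secret differs from Tomcat secret -> 403")
        if ap_secret is not None and len(ap_secret) >= MAX_SECRET:
            findings.append(f"{url}: secret is {len(ap_secret)} chars; Apache requires < {MAX_SECRET}")
    return findings
```

Run `audit(SERVER_XML, HTTPD_CONF)` against the original post's files and the missing-secret finding is the one that explains the 403; add `secret=mySecret` to the ProxyPass line and the list is empty.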