Lucee on Tomcat 10

Hi All!

I’m working on resurrecting an app I was working on prior. The old install was Tomcat 8 and Lucee 5. Before I dug into anything, I figured I should at least get Tomcat and Lucee updated to the latest versions.

OS is CentOS 7

I managed to get Tomcat 10.1.18 installed and running. I had Java 8 installed, but I couldn’t get Tomcat to startup. I checked the following link, and it looks like Tomcat 10.1.x builds require Java 11 instead of Java 8.

https://tomcat.apache.org/whichversion.html

No problem, I got Java 11 installed, and I got the default Tomcat build listening on port 8080. I updated tomcat/conf/server.xml to point to my webapps directory/IP/hostname, etc. The website won’t respond, even though port 80 is still listening.

I couldn’t find much via google or these forums on Tomcat 10. The only thread I found mentions (August 2023) Lucee not supporting Tomcat 10 out of the box.

Am I getting ahead of myself trying to run Tomcat 10? I have no problem reverting back to Tomcat 9 if that’s the latest stable support version. I’m not looking to hack around, I’d like to get this app back online so I can get back to building something. I figured I’d post here and check before I throw in the towel on Tomcat 10 and revert back to 9.

Thoughts?

Am I getting ahead of myself trying to run Tomcat 10?

That answer seems to be “yes”, from my read of the dozen or so threads here on Tomcat 10. Here they are in recency order. By all indications, there seem to remain challenges for the Lucee team getting it to support being run on Tomcat 10.

BTW this seems so still with Lucee 6, both from the above and as I couldn’t find mention of “tomcat 10” in a Google search of the main lucee.org site. (Indeed, you don’t mention having tried it yet. And it’s unclear from your first paragraph if that’s part of getting “Lucee updated” you were exploring. Sounds from your last paragraph that you’ll want something more stable/compatible for now.)

If anyone knows differently on the above, please do correct me. I only offered it since there’s no reply to Jason for several hours.

Hi Charlie! Thanks for the reply.

Yes, to confirm, I never got around to trying Lucee 6 on Tomcat 10 because I wanted to see if my Lucee 5 install (that runs fine on Tomcat 8) would spin up. It was late for me, so I decided to throw in the towel for the evening and wait for a reply on whether or not I should even be deploying on Tomcat 10 or not.

I’ll revert back to trying Tomcat 9 and go from there. Yes, you are correct. I’m just looking for something stable so I’m going to use whatever provides the most stability.

Thanks again!

Good to hear, and glad to have helped. We’ll see if anyone has more to say. Again, I’m open to correction.

I am using Lucee 5.x with Tomcat 9, successfully - sort of.

I have a 403 forbidden error - when attempting to run a sequence in our application.

Call method A() in a CFC.
method A() - calls an API endpoint EP() via CFHTTP.
EP() - call another API endpoint EP2() - also using cfhttp.

The call to EP2() via cfhttp - fails with a 403.
I have not managed to find the culprit, yet.

But that is the only issue - I have found and we have over 1000 CFCs in our platform (and CFMs)…

Gavin, since you say it’s intermittent (only on those certain requests), you may be hitting a limitation introduced in Tomcat’s addressing the Ghostcat vuln a few years ago. Try adding this to the address line for the AJP connector in your server.xml:

allowedRequestAttributesPattern=".*"

It may be that your cfhttp calls are adding headers that Tomcat is rejecting.

There’s more that could be said, though the Tomcat docs on the matter are paltry. I did a blog post with more back then (including how to add ONLY a needed header to that property, as well as more detail on the matter), but most are satisfied with this hammer approach. Let us know if it solves things for you. (You’ll need to restart Tomcat/Lucee.)

Finally, since you’re on tomcat 9, I’d think this should be moved to its own thread. It may be in your interest to split it out, if my suggestion is not the answer for you.
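For servers that already have an AJP connector, a small audit of server.xml shows what the `.*` value changes compared with naming only the needed attribute. This is an added example, not code from the thread or from the Tomcat or Lucee projects; the sample XML, the attribute name `X-Example-Attr`, the secret value and the function name are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not from the thread). "X-Example-Attr" and
# the secret value are placeholders, not names any real proxy is known to send.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector protocol="HTTP/1.1" port="8080" />
    <Connector protocol="AJP/1.3" port="8009" address="0.0.0.0"
               secretRequired="false"
               allowedRequestAttributesPattern=".*" />
    <Connector protocol="AJP/1.3" port="8010" address="127.0.0.1"
               secret="CHANGE-ME-PLACEHOLDER"
               allowedRequestAttributesPattern="X-Example-Attr" />
  </Service>
</Server>
"""

PROBE = "attr-name-no-proxy-would-send"  # arbitrary name used to test the pattern


def audit_ajp_connectors(server_xml: str) -> dict:
    """Return {port: [findings]} for every AJP connector in server_xml."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors do not use these attributes
        findings = []
        pattern = conn.get("allowedRequestAttributesPattern")
        if pattern is not None:
            try:
                # Tomcat matches the whole attribute name; Python's re is used
                # here as an approximation of Java's regex syntax.
                if re.fullmatch(pattern, PROBE):
                    findings.append("pattern accepts arbitrary request attributes")
            except re.error:
                findings.append("pattern is not a valid regular expression")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append("secretRequired is disabled")
        if conn.get("address") in ("0.0.0.0", "::"):
            findings.append("listens on all interfaces")
        report[conn.get("port", "?")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_ajp_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or "ok")
```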

Hi Charlie,

Sorry for the late reply;
I have just managed to get back to this…

I am not sure if it matters or not - but I THINK - we originally used a now outdated / unsupported installation / configuration method.

(I read in another thread about someone lamenting the fact that there was once a process that was available for installing Lucee / tomcat8 onto ubuntu with a set of shell scripts.

Our “production” servers do indeed have scripts that copy XML files / scheduler files / Lucee Jars / NGINX configs / etc.

So I assume our Prod boxes were set up by this process or at least something similar)

I mention this - because perhaps it relates to…)

We do not have an AJPConnector element in our Tomcat config.

Can I just “steal” it from the Lucee Installer’s github repo and add it to our current XML?
From the reading I have done it seems you can use HTTP or AJP - so I assume we’re using HTTP at the moment

<Connector protocol="HTTP/1.1" .../>

Oh, no. Don’t add that ajp connector based on my suggestion from Jan: if you haven’t needed one yet (which means you don’t use apache as your web server), then it’s not needed now. I’d shared the suggestion about its one attribute because it was the kind of thing that had in the past led to intermittent errors (based on different requests, as you’d indicated was happening). In any case, I realize now that what I referred to is really about 503 errors, rather than the 403s you’re reporting, so the suggestion is all the more moot.

Moving on, so it seems you are instead using the tomcat web server (with a url pointing to the same port for the lucee admin), or forwarding to it from something like nginx, right? I ask because whichever it is, its logs might give more info on the 403, which would be some sort of permission or auth issue. You say (said in Jan) that it was intermittent: do you mean the same url works then doesn’t? Or is it different urls that fail? And is the request calling a cfm or cfc, in Lucee? Do its logs show nothing?

Finally, you say you make the request via cfhttp. Is there any aspect of the url that is variable: the file, path, query string, method, domain name/ip, or protocol? If so, it would seem wise to be 100% confident that the url is identical between when it works and doesn’t. You may find it tracked in Lucee logs, web server logs, etc.
