Tomcat AJP secret 403 errors

So I reinstalled Lucee on the server and it's not using Java 11. I was able to get 19.12.0.0000 installed for Oracle and the database connection is good. However, our application keeps giving either a 403 “the server understood the request but refused to authorize it”, or a 503 “service unavailable” error. Our Apache is running as well as Lucee, which starts Tomcat.

Our server.xml has the “secret” and “secretRequired” configured:

    <Connector protocol="AJP/1.3"
               port="8009"
               secret="0060142b74ed40af02b5b82b5bf6079ee87d8e3b73c34c10dc1cb9ffad0a9955"
               secretRequired="true"
               redirectPort="8443" />

Which leads to the 403 error. And if we take that out, we get the 503. So what has changed in the Tomcat installation (9.0.65) that we could be missing?

Thanks,

Harry

Did you just install Lucee with the installer on top of apache (that was already running with Lucee)?

How is your Apache connected with Tomcat? Looks like your secret isn’t being passed from Apache to Tomcat correctly. That is causing the 403 error when having secret and secretrequired set in your server.xml. What Apache version are you using?

For the 503 error… What does the apache error log say about it? Did you check it?

I made sure that the secret matched in Apache and in server.xml, and the services do start, but I still get the 403 error “The server understood the request but refuses to authorize it”. And the logs are NO help! They don’t show anything being wrong that I could see, which makes troubleshooting next to impossible.

    [root@dev-support.tc.secure-ose.faa.gov /etc/httpd/conf]#systemctl restart httpd;/etc/init.d/lucee_ctl restart;tail -f /var/log/httpd/error_log /opt/lucee/tomcat/logs/catalina.out
    Shutting down Lucee: . . . . . . . [DONE]
    Starting Lucee: Using CATALINA_BASE: /opt/lucee/tomcat
    Using CATALINA_HOME: /opt/lucee/tomcat
    Using CATALINA_TMPDIR: /opt/lucee/tomcat/temp
    Using JRE_HOME: /usr/lib/jvm/java-11-openjdk-11.0.16.0.8-1.el7_9.x86_64
    Using CLASSPATH: /opt/lucee/tomcat/bin/bootstrap.jar:/opt/lucee/tomcat/bin/tomcat-juli.jar
    Using CATALINA_OPTS:
    Using CATALINA_PID: /opt/lucee/tomcat/work/tomcat.pid
    Existing PID file found during start.
    Removing/clearing stale PID file.
    Tomcat started.
    . . . [DONE]

Also, I did reinstall Lucee on top of Apache. I have a forward.conf file under /etc/httpd/conf.d that uses ProxyPass to proxy requests to the Tomcat backend:

    <Directory "/WebProjects">
        AllowOverride All
        Options +Indexes
        Require all granted
        DirectoryIndex index.cfm
    </Directory>

    <Proxy *>
        Allow from 127.0.0.1
    </Proxy>

    ProxyPreserveHost On
    ProxyPass /CSD ajp://localhost:8009/CSD
    ProxyPassReverse /CSD ajp://localhost:8009/CSD

Like I said earlier, the “secret” value in /etc/httpd/conf/httpd.conf and /opt/lucee/tomcat/conf/server.xml match, but nothing is reflected in the logs that there is anything wrong. And the Google Chrome Developer console just shows the 403 error and no other details.

Thanks,

Harry

That is still saying that your AJP secret isn’t being passed. I’m still missing how you are connecting your AJP in Apache2 to Tomcat. How and where are you adding the secret to your apache configuration? There is a known issue with passing secrets for AJP with Apache: according to Apache’s docs you would need Apache2 from 2.4.42 and later (see mod_proxy_ajp.html documentation). But I don’t even know if you are connecting AJP through proxy_ajp or reverse proxy. If so, and according to your Apache2 version, you may need to connect AJP with a rewrite rule then. But if everything is on one server, you may also just turn secretrequired to false in Tomcat.

Apache was configured by the installer as follows:

    LoadModule modcfml_module modules/mod_cfml.so
    CFMLHandlers ".cfm .cfc .cfml"
    ModCFML_SharedKey "0060142b74ed40af02b5b82b5bf6079ee87d8e3b73c34c10dc1cb9ffad0a9955"
    LogHeaders false
    LogHandlers false
    LogAliases false
    VDirHeader false

I just tried setting “secretRequired” to “false” in server.xml, and restarted Apache and Lucee, and I still get the 403 error, and nothing useful in the logs. Is there an example on passing this secret between Apache and Lucee?

Thanks,

Harry

OK, I commented out ModCFML_SharedKey in /etc/httpd/conf/httpd.conf (so it’s commented out on both ends), restarted Apache and Lucee, and it appears to be working now. I think I’m good for now. I appreciate all of the help and suggestions.

Thanks,

Harry

If everything is running and it’s OK for you, then everything is fine.

Just to be clear and also for the ones who are going to read this post with similar issues: the modcfml_sharedKey has nothing to do with the AJP secretkey. The modcfml_secretkey is for the modcfml valve (see Mod_cfml Docs), not for the AJP connector (see Apache2 AJP docs). I’ve posted a link in a previous post above already, but it looks like it has been overlooked.

But if everything is running, then all is ok. If you have any further issues, we’ll be glad to help.

Harry, following on Andreas’ comment (and before we close this out), it could help you and all following along to have you confirm a) you have the mod_cfml valve defined in Tomcat/Lucee, and if so, b) does the above ModCFML_SharedKey value from the apache conf line match the sharedKey in the Tomcat conf file for the valve?

For more on that valve, see:

https://viviotech.github.io/mod_cfml/docs-valve.html

It can indeed be confusing to keep in mind all the different “secrets” which may come into play for different purposes. :slight_smile: Even the AJP config in tomcat has two different secret settings, one being requiredSecret from before and then secret being implemented after the ghostcat changes in early 2020 (not to mention that it then offered a new boolean secretRequired!)

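The thread turns on three settings that are easy to conflate: the AJP connector's `secret`/`secretRequired` attributes in server.xml, the `secret=` parameter Apache must attach to the AJP `ProxyPass` line (available from httpd 2.4.42, as Andreas notes), and `ModCFML_SharedKey`, which belongs to the mod_cfml valve and never reaches the AJP connector. The script below is an added example, not code from the thread or from Lucee, mod_cfml or Tomcat. It cross-checks constructed samples of both configuration files and reports which of the two failure modes described above a given pair produces: `secretRequired="true"` with no `secret` on the connector (the connector does not start, so Apache sees a 503), or a connector secret that Apache never sends (every request is answered 403). All configuration text, the version strings and the placeholder secret values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the AJP secret between
# Tomcat's server.xml connector and Apache's ProxyPass line, and flag the
# mistake discussed above: putting the value into ModCFML_SharedKey, which
# belongs to the mod_cfml valve and never reaches the AJP connector.
# All configuration text and version strings are constructed samples;
# the secret values are placeholders, not real keys.

# Constructed Tomcat side: an AJP connector that demands a secret.
TOMCAT_OK='<Connector protocol="AJP/1.3"
           port="8009"
           secret="AJP-SECRET-PLACEHOLDER"
           secretRequired="true"
           redirectPort="8443" />'

# Constructed Apache side, correct: the AJP secret travels as a ProxyPass
# parameter (httpd 2.4.42+) and ModCFML_SharedKey holds its own, separate key.
APACHE_OK='ModCFML_SharedKey "MODCFML-KEY-PLACEHOLDER"
ProxyPass /CSD ajp://localhost:8009/CSD secret=AJP-SECRET-PLACEHOLDER
ProxyPassReverse /CSD ajp://localhost:8009/CSD'

# Constructed Apache side in the shape from the thread: the AJP value was copied
# into ModCFML_SharedKey and the ProxyPass line carries no secret= parameter.
APACHE_BAD='ModCFML_SharedKey "AJP-SECRET-PLACEHOLDER"
ProxyPass /CSD ajp://localhost:8009/CSD
ProxyPassReverse /CSD ajp://localhost:8009/CSD'

# Print the value of attribute $2 (written name="value") from the connector text $1.
tomcat_attr() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Print the secret= parameter of the first AJP ProxyPass line in $1, if any.
apache_ajp_secret() {
    printf '%s\n' "$1" | sed -n 's/^ProxyPass[[:space:]].*ajp:\/\/.*[[:space:]]secret=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Print the ModCFML_SharedKey value in $1 (mod_cfml valve key, unrelated to AJP).
apache_modcfml_key() {
    printf '%s\n' "$1" | sed -n 's/^ModCFML_SharedKey[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed when an httpd version string ($1, e.g. 2.4.37) is at least 2.4.42,
# the first release whose ProxyPass accepts the secret= parameter.
apache_supports_ajp_secret() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -gt 4 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -eq 4 ] && [ "$pat" -ge 42 ] && return 0
    return 1
}

# Compare both sides; prints one verdict word on stdout and returns 0 only for OK.
check_ajp_secret() {
    t=$(tomcat_attr "$1" secret)
    req=$(tomcat_attr "$1" secretRequired)
    a=$(apache_ajp_secret "$2")
    k=$(apache_modcfml_key "$2")
    if [ -n "$k" ] && [ "$k" = "$t" ]; then
        echo "warning: ModCFML_SharedKey reuses the AJP secret; these are different keys" >&2
    fi
    # secretRequired defaults to true when the attribute is absent.
    if [ -z "$t" ] && [ "$req" != "false" ]; then
        # Tomcat 9.0.31+ refuses to start such a connector, so Apache gets a 503.
        echo NO_SECRET_ON_CONNECTOR; return 1
    fi
    if [ -n "$t" ] && [ -z "$a" ]; then
        # The connector starts but no request carries the secret: Tomcat answers 403.
        echo NO_SECRET_FROM_APACHE; return 1
    fi
    if [ "$t" != "$a" ]; then
        echo SECRET_MISMATCH; return 1
    fi
    echo OK
}

# Stand-alone run: the correct pair passes, the thread's shape does not.
if check_ajp_secret "$TOMCAT_OK" "$APACHE_OK" >/dev/null; then echo "good pair: OK"; fi
if ! check_ajp_secret "$TOMCAT_OK" "$APACHE_BAD" >/dev/null 2>&1; then echo "thread's shape: 403"; fi
```

To run it against real files, replace the constructed strings with `$(cat /opt/lucee/tomcat/conf/server.xml)` and `$(cat /etc/httpd/conf/httpd.conf)` and pass `$(httpd -v | sed -n 's/.*Apache\/\([0-9.]*\).*/\1/p')` to `apache_supports_ajp_secret`; an httpd older than 2.4.42 cannot send the secret at all, which is the case where Andreas suggests a rewrite rule or, on a single host, `secretRequired="false"`.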