Known Participant
June 18, 2025
Question

Apache Tomcat (on Linux) mod_jk Connector 403 Forbidden Error

  • June 18, 2025
  • 4 replies
  • 3797 views

Hi All,

Hoping someone can provide some pointers to solve this.

I was successfully running on CF2023 update 11, but when I went to update 14 the Apache Tomcat mod_jk connector stopped working - I've reverted back to update 11 and it still doesn't work - the browser returns 403 Forbidden.

I've checked my server.xml, worker.properties, mod_jk_vhost.conf a million times and they seem to be correct.  I changed the Port being used by the connector in case that was a problem.

 

I'm seeing in mod_jk.log:

[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1368): 0130 63 68 65 2F 32 2E 34 2E 36 32 20 28 55 6E 69 78 - che/2.4.62.(Unix
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1368): 0140 29 20 4F 70 65 6E 53 53 4C 2F 33 2E 33 2E 32 20 - ).OpenSSL/3.3.2.
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1368): 0150 6D 6F 64 5F 6A 6B 2F 31 2E 32 2E 34 36 00 0A 00 - mod_jk/1.2.46...
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1368): 0160 0F 41 4A 50 5F 52 45 4D 4F 54 45 5F 50 4F 52 54 - .AJP_REMOTE_PORT
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1368): 0170 00 00 01 30 00 0A 00 0E 41 4A 50 5F 4C 4F 43 41 - ...0....AJP_LOCA
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1368): 0180 4C 5F 41 44 44 52 00 00 00 00 0A 00 10 4A 4B 5F - L_ADDR.......JK_
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1368): 0190 4C 42 5F 41 43 54 49 56 41 54 49 4F 4E 00 00 03 - LB_ACTIVATION...
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1368): 01a0 41 43 54 00 FF 00 00 00 00 00 00 00 00 00 00 00 - ACT.............
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_send_request::jk_ajp_common.c (1883): (cfusion) request body to send 0 - request body to resend 0
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1563): received from ajp13 pos=0 len=29 max=65536
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1563): 0000 04 01 F4 00 15 49 6E 74 65 72 6E 61 6C 20 53 65 - .....Internal.Se
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1563): 0010 72 76 65 72 20 45 72 72 6F 72 00 00 00 00 00 00 - rver.Error......
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_unmarshal_response::jk_ajp_common.c (818): (cfusion) status = 500
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_unmarshal_response::jk_ajp_common.c (825): Number of headers is = 0
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1563): received from ajp13 pos=0 len=2 max=65536
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1563): 0000 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [warn] ajp_process_callback::jk_ajp_common.c (2263): (cfusion) AJP13 protocol: Reuse is set to false
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_reset_endpoint::jk_ajp_common.c (930): (cfusion) resetting endpoint with socket 19 (socket shutdown)
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_abort_endpoint::jk_ajp_common.c (900): (cfusion) aborting endpoint with socket 19
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] jk_shutdown_socket::jk_connect.c (931): About to shutdown socket 19 [127.0.0.1:20726 -> 127.0.0.1:8009]
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] jk_is_input_event::jk_connect.c (1410): error event during poll on socket 19 [errno=107] (event=16)
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] jk_shutdown_socket::jk_connect.c (1015): Shutdown socket 19 [127.0.0.1:20726 -> 127.0.0.1:8009] and read 0 lingering bytes in 0 sec.
[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_done::jk_ajp_common.c (3710): recycling connection pool for worker cfusion and socket

 

server.xml contains:

<Connector packetSize="65535" protocol="AJP/1.3" port="8009" redirectPort="8455" secret="27837689-fc18-446c-848a-ae113acf00c8" maxThreads="500" connectionTimeout="60000" tomcatAuthentication="false" address="127.0.0.1" allowedRequestAttributesPattern=".*" />

 

workers.properties contains:

heartbeat_interval=30
heartbeat_limit=90

#Start of workers.properties associated with 'cfusion'
worker.list=cfusion

worker.cfusion.type=ajp13
worker.cfusion.host=localhost
worker.cfusion.port=8009
worker.cfusion.heartbeat_servlet_path=/__cf_connector_heartbeat__
worker.cfusion.connection_pool_timeout=60
worker.cfusion.monitoringsecret=f68691fb-903c-4c39-9166-ddd7fa726cae
worker.cfusion.secret=27837689-fc18-446c-848a-ae113acf00c8
#End of workers.properties associated with 'cfusion'

 

I'm going crazy trying to solve this - dug through all suggestions I can find online.  I hope someone can help.  Thanks!
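The hex rows in the mod_jk.log excerpt above can be decoded by hand; the following is an added example (not part of the original post or of mod_jk) that rebuilds the two messages received from Tomcat and decodes them as AJP13 `SEND_HEADERS` and `END_RESPONSE` packets. The function names `extract_messages` and `decode` are hypothetical, and the sample rows are copied from the excerpt with the timestamp and PID prefix dropped.

```python
import re
import struct

# Rows copied from the mod_jk.log excerpt in the question (timestamp/PID prefix dropped).
SAMPLE_LOG = """\
[debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1563): received from ajp13 pos=0 len=29 max=65536
[debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1563): 0000 04 01 F4 00 15 49 6E 74 65 72 6E 61 6C 20 53 65 - .....Internal.Se
[debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1563): 0010 72 76 65 72 20 45 72 72 6F 72 00 00 00 00 00 00 - rver.Error......
[debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1563): received from ajp13 pos=0 len=2 max=65536
[debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1563): 0000 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
"""

START = re.compile(r"received from ajp13 pos=0 len=(\d+)")
ROW = re.compile(r"tcp_get_message::.*\): [0-9a-f]{4} ((?:[0-9A-F]{2} ){16})- ")

def extract_messages(log_text):
    """Rebuild each AJP message received from Tomcat from its hex-dump rows."""
    messages, want, buf = [], None, bytearray()
    for line in log_text.splitlines():
        start = START.search(line)
        if start:
            if want is not None:
                messages.append(bytes(buf[:want]))
            want, buf = int(start.group(1)), bytearray()
        elif want is not None:
            row = ROW.search(line)
            if row:
                buf += bytes.fromhex(row.group(1))
    if want is not None:
        messages.append(bytes(buf[:want]))  # rows are padded to 16 bytes; trim to len=
    return messages

def decode(msg):
    """Decode the two AJP13 response types that appear in the excerpt."""
    code = msg[0]
    if code == 4:  # SEND_HEADERS: status, length-prefixed status text, header count
        status, mlen = struct.unpack_from(">HH", msg, 1)
        text = msg[5:5 + mlen].decode("latin-1")
        (nhdr,) = struct.unpack_from(">H", msg, 5 + mlen + 1)  # +1 skips the NUL terminator
        return {"type": "SEND_HEADERS", "status": status, "text": text, "headers": nhdr}
    if code == 5:  # END_RESPONSE: one-byte reuse flag
        return {"type": "END_RESPONSE", "reuse": bool(msg[1])}
    return {"type": f"code {code}", "length": len(msg)}
```

Run over the excerpt, this gives the same reading as the `status = 500`, `Number of headers is = 0` and `Reuse is set to false` lines that mod_jk logs itself.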

    4 replies

    pete_freitag
    Participating Frequently
    June 23, 2025

    Did you check the apache error log file?

    The error you posted doesn't necessarily point me here, but one thing that can sometimes be an issue is file system permissions. Take a look at things like the JkShmFile. If you are on RedHat or a variant with SELinux then you need to make sure files / ports have the appropriate SELinux context (e.g. chcon).

    lynn___Author
    Known Participant
    June 23, 2025

    Hi, Pete.  Thanks so much for your suggestions.  I too had the thought that maybe it's a permission issue.  The JkShmFile wasn't set.  I updated it to JkShmFile "/appl/ColdFusion2023/config/wsconfig/1/jk_shm" in the mod_jk.conf file (and restarted apache) but that didn't fix the 403 - it did write the file. 

    I've checked SELinux status - which shouldn't be blocking
    [root@www-cfl-01 conf]# sestatus
    SELinux status: enabled
    SELinuxfs mount: /sys/fs/selinux
    SELinux root directory: /etc/selinux
    Loaded policy name: targeted
    Current mode: permissive
    Mode from config file: permissive
    Policy MLS status: enabled
    Policy deny_unknown status: allowed
    Memory protection checking: actual (secure)
    Max kernel policy version: 33


    I've also made sure iptables is off
    [root@www-cfl-01 conf]# service iptables status
    Redirecting to /bin/systemctl status iptables.service
    ○ iptables.service - IPv4 firewall with iptables
    Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; preset: disabled)
    Active: inactive (dead)

    as well as firewalld
    [root@www-cfl-01 conf]# systemctl status firewalld
    ○ firewalld.service - firewalld - dynamic firewall daemon
    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; preset: enabled)
    Active: inactive (dead)
    Docs: man:firewalld(1)

    I also checked the port
    [root@www-cfl-01 conf]# netstat -anp | grep 8009
    tcp 0 0 127.0.0.1:8009 0.0.0.0:* LISTEN 2128355/java
    tcp 0 0 127.0.0.1:58270 127.0.0.1:8009 TIME_WAIT -
    tcp 0 0 127.0.0.1:10028 127.0.0.1:8009 TIME_WAIT -
    tcp 0 0 127.0.0.1:58246 127.0.0.1:8009 TIME_WAIT -
    tcp 0 0 127.0.0.1:31088 127.0.0.1:8009 TIME_WAIT -
    tcp 0 0 127.0.0.1:31100 127.0.0.1:8009 TIME_WAIT -
    tcp 0 0 127.0.0.1:31074 127.0.0.1:8009 TIME_WAIT -
    tcp 0 0 127.0.0.1:58260 127.0.0.1:8009 TIME_WAIT -
    tcp 0 0 127.0.0.1:18892 127.0.0.1:8009 TIME_WAIT -

    I'm learning as I go - I'm sure there's something I'm missing...

    Charlie Arehart
    Adobe Expert
    June 22, 2025

    Lynn, can you try this to see if it fixes your problem: add this line as another attribute on that AJP connector line in server.xml:

    allowedRequestAttributesPattern=".*"

    Make a copy of that file, then edit it and save the file and restart cf (not apache).  Test your failing page. Does it help? 

     

    If so, I can't explain why the update itself would upset this: neither newly requiring it nor removing it if it had been there before. But let us know if it helps either way. 

     

    /Charlie (troubleshooter, carehart. org)

    lynn___Author
    Known Participant
    June 23, 2025

    Thanks, Charlie.  Yes, I've already tried that (I feel like I've tried everything!!!).  This is what I have currently:

     

    <Connector packetSize="65535" protocol="AJP/1.3" port="8009" redirectPort="8455" secret="27837689-fc18-446c-848a-ae113acf00c8" maxThreads="500" connectionTimeout="60000" tomcatAuthentication="false" address="127.0.0.1" allowedRequestAttributesPattern=".*" />

    Charlie Arehart
    Adobe Expert
    June 23, 2025

    Agh, I see now you DID indicate that in your original server.xml. So sorry. It's just one of the many unexpected causes of 403 errors for some folks, especially with some Apache configs, that is easily missed. Glad you'd tried it. 

    /Charlie (troubleshooter, carehart. org)

    BKBK
    Adobe Expert
    June 22, 2025

    Have you solved the problem? If so, what is the solution?

     

    If not, here is a suggestion: change the workers.properties as follows, and restart ColdFusion after you do:

    • Replace worker.cfusion.host=localhost with worker.cfusion.host=127.0.0.1.
    • Add these 2 properties:
      worker.cfusion.connection_pool_size=500
      worker.cfusion.max_reuse_connections=500
    lynn___Author
    Known Participant
    June 23, 2025

    Thanks, BKBK.

     

    I updated my workers.properties file as follows but still getting the 403 with similar mod_jk.log output

     

    heartbeat_interval=30
    heartbeat_limit=90

    #Start of workers.properties associated with 'cfusion'
    worker.list=cfusion

    worker.cfusion.type=ajp13
    worker.cfusion.host=127.0.0.1
    worker.cfusion.port=8009
    worker.cfusion.heartbeat_servlet_path=/__cf_connector_heartbeat__
    worker.cfusion.connection_pool_timeout=60
    worker.cfusion.monitoringsecret=f68691fb-903c-4c39-9166-ddd7fa726cae
    worker.cfusion.secret=27837689-fc18-446c-848a-ae113acf00c8
    worker.cfusion.connection_pool_size=500
    worker.cfusion.max_reuse_connections=500
    #End of workers.properties associated with 'cfusion'
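Tomcat's AJP connector answers 403 when the worker's `secret` does not match its own or when a request carries an attribute outside `allowedRequestAttributesPattern`, so the two files discussed in this thread are worth comparing mechanically. The following added example (not code from any poster, Adobe or the Tomcat project) does that; `parse_workers` and `check_ajp` are hypothetical names and the sample inputs are constructed with placeholder secrets.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the thread; secrets are placeholders.
SERVER_XML = '''<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" port="8009" address="127.0.0.1"
             secret="EXAMPLE-SECRET-A" allowedRequestAttributesPattern=".*" />
</Service></Server>'''

WORKERS = '''worker.list=cfusion
worker.cfusion.type=ajp13
worker.cfusion.host=localhost
worker.cfusion.port=8009
worker.cfusion.secret=EXAMPLE-SECRET-B
'''

def parse_workers(text):
    """Return {worker_name: {property: value}} from workers.properties text."""
    workers = {}
    for line in text.splitlines():
        m = re.match(r"\s*worker\.([^.=\s]+)\.([^=\s]+)\s*=\s*(.*?)\s*$", line)
        if m:
            workers.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return workers

def check_ajp(server_xml, workers_text):
    """Compare each ajp13 worker with the AJP connector listening on its port."""
    conns = {c.get("port"): c for c in ET.fromstring(server_xml).iter("Connector")
             if c.get("protocol", "").startswith("AJP")}
    findings = []
    for name, w in parse_workers(workers_text).items():
        if w.get("type") != "ajp13":
            continue
        c = conns.get(w.get("port"))
        if c is None:
            findings.append(f"{name}: no AJP connector on port {w.get('port')}")
            continue
        if w.get("secret") != c.get("secret"):
            findings.append(f"{name}: secret differs from connector secret")
        if c.get("address") and w.get("host") != c.get("address"):
            findings.append(f"{name}: host {w.get('host')!r} is not the "
                            f"connector address {c.get('address')!r}")
        if c.get("allowedRequestAttributesPattern") == ".*":
            findings.append(f"{name}: connector accepts any AJP request attribute")
    return findings
```

The last finding is informational: `.*` removes the attribute filter entirely, so once the connector works it is worth narrowing the pattern to the attributes the front end actually sends.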

    Priyank Shrivastava.
    Community Manager
    June 18, 2025

    @lynn___  Please let me know if we can connect and join the call. If you are ok with that, please respond. I will share the details with you.

    Thanks, Priyank Shrivastava

    lynn___Author
    Known Participant
    June 18, 2025

    @Priyank Shrivastava. Yes, I would appreciate that!