Copy link to clipboard
Copied
I just got a new macbook, and was able to install apache via homebrew and serve webpages.
I installed ColdFusion 2023 in Developer mode, connected CF to apache using the wsconnector.
It is not serving ColdFusion pages. I get the following error:
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
I confirmed that both apache and CF are running and I can access CF via the Admistrator without issue.
I've looked in to the log files, and don't see any errors.
Thank you
We may be able to sort this out.
First, did you look only in the cfusion/logs? That would've understandable. But check out instead the mod_jk.log,.which is created by that connector. It may be in the numbered folder under ColdFusion's config/wsconfig folder, or it maycbe in an apache folder. (Or use the Unix find or the Mac Finder to locate it.) In either case, it may show a 503 error being tracked, when apache tries to connect to cf.
And that may also show the ip address being used, and it
...Copy link to clipboard
Copied
We may be able to sort this out.
First, did you look only in the cfusion/logs? That would've understandable. But check out instead the mod_jk.log,.which is created by that connector. It may be in the numbered folder under ColdFusion's config/wsconfig folder, or it maycbe in an apache folder. (Or use the Unix find or the Mac Finder to locate it.) In either case, it may show a 503 error being tracked, when apache tries to connect to cf.
And that may also show the ip address being used, and it may be ::1 or 127.0.0.1, or still something else. Whatever it is, look then in the cf cfusion/runtime/conf folder and make a copy of the server.xml file, and edit the original one. Find the "connector" line for "AJP" (there will be another for "http", and still others that are commented out). On the AJP connector line, does it have an address attribute? Does it match what the log showed apache was using? If not, change it (or add it, lowercased). Then save the file, restart cf, and test your request again.
The problem may well be something else, but let's start there (and you may want to revert to the copied server.xml if that change did not help).
Let us know how it goes.
Copy link to clipboard
Copied
Wow! Charlie Arehart! Thank you so much for your reply.
I looked in there, and found a ton of these errors....
[Thu Jul 25 23:50:15 2024] [570:6138998784] [info] jk_open_socket::jk_connect.c (816): connect to 127.0.0.1:8022 failed (errno=61)
[Thu Jul 25 23:50:15 2024] [570:6138998784] [info] ajp_connect_to_endpoint::jk_ajp_common.c (1158): (cfusion) Failed opening socket to (127.0.0.1:8022) (errno=61)
[Thu Jul 25 23:50:15 2024] [570:6138998784] [error] ajp_send_request::jk_ajp_common.c (1829): (cfusion) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=61)
[Thu Jul 25 23:50:15 2024] [570:6138998784] [info] ajp_service::jk_ajp_common.c (3000): (cfusion) sending request to tomcat failed (recoverable), because of error during request sending (attempt=2)
[Thu Jul 25 23:50:15 2024] [570:6138998784] [error] ajp_service::jk_ajp_common.c (3021): (cfusion) connecting to tomcat failed (rc=-3, errors=202, client_errors=0).
Copy link to clipboard
Copied
Hi Charlie-
This fixed it:
@Charlie Arehart wrote:
..look then in the cf cfusion/runtime/conf folder and make a copy of the server.xml file, and edit the original one. Find the "connector" line for "AJP" (there will be another for "http", and still others that are commented out). On the AJP connector line, does it have an address attribute? Does it match what the log showed apache was using? If not, change it (or add it, lowercased). Then save the file, restart cf, and test your request again.
It was set to ::1 and I changed it to 127.0.0.1 and its working.
Thank you so so much!!
Copy link to clipboard
Copied
Wonderful to hear, Phillip. Thanks for the confirmation and for marking the answer. I have a few more related thoughts given your confirmation of things.
1) There's one more little thing you could do to help future readers who may find this: can you indicate where the folder was that held that mod_jk.log? As I'd noted, it can vary, and that depends on the OS and Apache implementation. Your clarification of this will help especially those on MacOS.
In that same spirit, I see I had a couple of typos in my note, some of which were in the text of mine you copied. I've corrected both (I have moderator privilege here), and you'll see I also used the quote feature to better make your pull quote of mine stand out. (While that feature pulls in the entire reply, one can then edit it to leave only the portion meant to be quoted. Sharing that if it may help you or others going forward).
As always, just trying to help.
2) And FWIW, this challenge you hit actually arose as an issue starting in March 2020. It was Tomcat whose behavior changed, with respect to a vulnerability labeled "ghostcat", and since cf is built atop it by default, Adobe documented it in the technotes for updates to CF at the time, and I elaborated on and pointed to them then with a blog post of my own at the time. I share that now that we've confirmed that was the issue for you. It was a rather complicated mess, thus a long post (and update technote). And all subsequent updates to and versions of cf will continue to be affected, which is why you're hitting it even on a new install. Not everyone does. There are different variables affecting the ip address used to get the request from the web server to the Tomcat AJP connector.
3) Indeed, since your using apache I'll give you an heads up of one more related matter you may hit: if you suddenly get 403 (authorization) failures for reasons that again seem to "make no sense", there's one more change to that server.xml you may need to make, and it's also about that same ghostcat issue. And it's documented in both the technotes and my post. You'd add to that same AJP connector line:
allowedRequestAttributesPattern=".*"
(And note that these attributes in server.xml are case-sensitive/camel-cased, with the first letter lowercase as in the "address" none above.)
Should you just go ahead and add it? That's debatable. Tomcat was trying to protect us in blocking all but certain allowed "headers" coming into it from the web server. It's just that apache sends some they didn't expect. I've never heard that they corrected for that, so I'd wait and see if you need this. But again I wanted you to have heads-up.
4) So, phew: yes, it's all a LOT to take and take in. I've elaborated here because others will surely experience what you did, and they may find this post. Sadly, the "answer" is not always a simple one. An occasional summary like this can be helpful.
Good luck, otherwise, with the new MacBook. Oh, and please don't forget my request in point 1.🙂
Copy link to clipboard
Copied
Hey Charlie-
Thank you for cleaning up my "mess"
The mod_jk.log was in the numberd ws folder: /Applications/ColdFusion2023/config/wsconfig/1/mod_jk.log
I did have issues with authorization errors, specifically with my .htaccess file. I followed your suggestion (since this is just dev machine) and it is now working. The file was: /Applications/ColdFusion2023/cfusion/runtime/conf/server.xml
The AJP connector string now looks like this on my machine:
<Connector protocol="AJP/1.3" port="8022" redirectPort="8455" secret="[REDACTED]" maxThreads="500" connectionTimeout="60000" tomcatAuthentication="false" address="127.0.0.1" allowedRequestAttributesPattern=".*"/>
Let me know if there is anything else.
Thank you again!
Copy link to clipboard
Copied
Sweet, and glad to help. Just a couple clarifications:
Until again.
Copy link to clipboard
Copied
Thank you again Charlie!
I apologize that the tone of the "mess" wasn't as intended. Fortunatly I haven't had to post much in here over the years so I'm still learning. Thank you again for everything.
Copy link to clipboard
Copied
No worries. 🙂