Skip to main content
jims63894568
jims63894568
Participating Frequently
March 20, 2020
Answered

Coldfusion 2016 Issue with .htaccess after upgrade to level 14

  • March 20, 2020
  • 3 replies
  • 4065 views

I am running on linux using Apache httpd-2.4.41, with the latest JDK and Coldfusion 2016.  Everything worked great through update 13.  However, after applying update 14 and after doing the wsconfig -upgrade, I now have an issue where when a user attempts to connect to a page or directory that does not exist, it displays a 403 error.  In addition, I noticed that my .htaccess rules seem to now be completely ignored.

When I roll back to version 13, everything works normal again.

 

Has anyone else experienced or am I the only lucky one that is dealing with this.  

    This topic has been closed for replies.
    Correct answer Charlie Arehart

    I can share an update on this: the problem Jim was experienging (as are others) is indeed down to the use of htaccess (and maybe also true for rewrites via mod_rewrite). The rewrite is adding a new header, in the request sent from Apache to CF--and thus the updated connector (in CF) fails the request for it not having one of the allowed (dozen) headers that are listed in the Tomcat docs (http://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html).

     

    And THAT is why Jim (and others) would conclude they have to use that regex value of ".*"  (for "anything"). I am working on determining if there's a way to add ONLY the extra header that is needed, rather than allowing "any" (which was indeed what the Tomcat fix was trying to prevent).

     

    BTW, for anyone who wants to see WHAT header IS being sent in on requests that ARE sent to CF via a rewrite, you can see it, either of two ways. (Let me note that you can of course only see it when the request IS working, such as when you use that .* pattern, or if you roll back the update.)

     

    One way is with the CFML function gethttprequestdata (or more specifically, coldfusion gethttprequestdata().headers). Another way is with FusionReactor, and its ability to see the "details" of a request, one of which is a "headers" tab. As I was working with one client, we found the header to be XSite-name.

     

    And yes, we tried adding that as THE pattern. We did have to escape the "-" within the name, so "Xsite\-name". And that "worked" (in that now the "rewritten" site would run). And BTW, sites that were NOT being "rewritten" were working regardless. 

     

    What's not clear from the Tomcat docs is whether in doing that, we are ADDING to or OVER-RIDING/overwriting the default values listed on the Tomcat doc page. Again, I plan to do some more research and testing on things. (I find virtually none by anyone else on the web.)

    3 replies

    M
    Mike Collins_CF
    Inspiring
    June 10, 2020

    I have worked other Apache related 403 error issues and I found using the servers IP and not localhost can also be the answer. 

    1. Edit ../#/workers.properties and change worker.cfusion.host from localhost to the server’s IP address
    2. Edit .../<instancename>/runtime/conf/server.xml and add address=”<ip address>” to the AJP connector line

    Doing the above allowed the the connector and Tomcat\CF to communicate again.

    Charlie Arehart
    Community Expert
    Charlie ArehartCommunity Expert
    Community Expert
    June 10, 2020

    Yep, mcollins (Mike?). And I will note that I discuss that and still other possibilities (for errors after applying the March 2020 CF updates) in the blog post I linked to in my first reply above. Just adding that for still more consideration for amyone interested. There was a lot that happened in those updates, affecting settings in both those files. And that's what my blog post tries to relate, for those interested to know more.

    /Charlie (troubleshooter, carehart. org)
    Charlie Arehart
    Community Expert
    Charlie ArehartCommunity ExpertCorrect answer
    Community Expert
    March 27, 2020

    I can share an update on this: the problem Jim was experienging (as are others) is indeed down to the use of htaccess (and maybe also true for rewrites via mod_rewrite). The rewrite is adding a new header, in the request sent from Apache to CF--and thus the updated connector (in CF) fails the request for it not having one of the allowed (dozen) headers that are listed in the Tomcat docs (http://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html).

     

    And THAT is why Jim (and others) would conclude they have to use that regex value of ".*"  (for "anything"). I am working on determining if there's a way to add ONLY the extra header that is needed, rather than allowing "any" (which was indeed what the Tomcat fix was trying to prevent).

     

    BTW, for anyone who wants to see WHAT header IS being sent in on requests that ARE sent to CF via a rewrite, you can see it, either of two ways. (Let me note that you can of course only see it when the request IS working, such as when you use that .* pattern, or if you roll back the update.)

     

    One way is with the CFML function gethttprequestdata (or more specifically, coldfusion gethttprequestdata().headers). Another way is with FusionReactor, and its ability to see the "details" of a request, one of which is a "headers" tab. As I was working with one client, we found the header to be XSite-name.

     

    And yes, we tried adding that as THE pattern. We did have to escape the "-" within the name, so "Xsite\-name". And that "worked" (in that now the "rewritten" site would run). And BTW, sites that were NOT being "rewritten" were working regardless. 

     

    What's not clear from the Tomcat docs is whether in doing that, we are ADDING to or OVER-RIDING/overwriting the default values listed on the Tomcat doc page. Again, I plan to do some more research and testing on things. (I find virtually none by anyone else on the web.)

    /Charlie (troubleshooter, carehart. org)
    Charlie Arehart
    Community Expert
    Charlie ArehartCommunity Expert
    Community Expert
    March 21, 2020

    Jim, you say that this only about requests for page that DON'T exist? And directories that don't?

     

    So requests to pages or folders that DO exist work fine? That seems odd, but would suggest something happening with any 404 handler, set in either your web server or cf (in the admin or your code).

     

    If this was about ANY requests to the site, I'd have suspected the need to update the connector. And there may still be an issue.

     

    I know you said you did that, but perhaps it's that the wsconfig upgrade did not update the actual files that apache is using. Follow the config from httpd.conf, to any included conf that references cf config, and then ultimately its pointer to the workers.properties file. Make sure THAT file has a line (like the several others there) that now names a secret. That's what the new update implements.

     

    More in a post I did here:

     

    https://www.carehart.org/blog/client/index.cfm/2020/3/20/how_and_why_sites_may_break_after_Mar_2020_CF_updates

    /Charlie (troubleshooter, carehart. org)
    jims63894568
    jims63894568Author
    Participating Frequently
    March 21, 2020

    Thanks for the reply.

    So, this one really has got me stumped.  I have confirmed that the connector was rebuilt.  Here is the log:

     

    03/20 15:30:57 debug Using Apache binary /usr/local/apache2/bin/httpd
    03/20 15:30:57 info Server version: Apache/2.4.41 (Unix)
    03/20 15:30:57 debug Exec'ing chmod +x /opt/coldfusion2016/config/wsconfig/1/mod_jk.so
    03/20 15:30:57 debug Set permission to execute on /opt/coldfusion2016/config/wsconfig/1/mod_jk.so
    03/20 15:30:57 debug Created file /opt/coldfusion2016/config/wsconfig/1/mod_jk.so

     

    I have checked the workers.properties and worker.cfusion.secret has been set.

    My config file does show that it is pointing at the correct locations for the connector.

    To give more information, here is what I have:

     

    When I connect to the website and land on a page that exists, everything works like it should.  (Originally, when I first upgraded to 14, I got the 403 error for everything and that is when I first upgraded the connector)

     

    If I attempt to go to a webpage that does not exist BUT I have the extension .cfm, then I get the coldfusion error page with the File Not Found Message and the stack trace.  (If I enable the coldfusion configuration to redirect missing pages, then this will redirect to the redirect page) 

     

    However, if I attempt to connect to a webpage that does not exist and does not have the .cfm extension then I get this:

    HTTP Status 403 – Forbidden

    Type Status Report

    Description The server understood the request but refuses to authorize it.

    Apache Tomcat/8.5.42

     

    I also get that same message if I attemp to go to a directory that does not exist.

    What is strange is that if I put in a .htaccess file and attempt to put rules to redicrect for missing pages, it is as though the .htaccess file does not even exist and is completely ignored.  (We had been using .htaccess before the latest update without issue)

     

    From what I can surmise from all of this, it appears that when a user connects to the website, no matter what page is called for, everything seems to be passed to the connector and is either processed by coldfusion.  If the page is there, all is good.  If not, tomcat and not apache, seems to take the lead and just puke.

     

    One other thing that I noticed in the /opt/coldfusion2016/config/wsconfig/1/mod_jk.log log file is that when I attempt to connect to a webpage that does not exists, I get this in the log:

    [Sat Mar 21 08:04:03 2020] [30757:2942241648] [warn] ajp_process_callback::jk_ajp_common.c (2218): (cfusion) AJP13 protocol: Reuse is set to false

     

    I have no clue what that means or if it is relavant.  

     

    Any additional ideas that you might have would be greatly appreciated.

     

    Thanks!

     

     

     

     

     

     

     

     

    jims63894568
    jims63894568Author
    Participating Frequently
    March 21, 2020

    One additional note.  In my last response I mentioned that when I watched the log file /opt/coldfusion2016/config/wsconfig/1/mod_jk.log if I went to a page that did not exist I would see this message:

    [Sat Mar 21 08:04:03 2020] [30757:2942241648] [warn] ajp_process_callback::jk_ajp_common.c (2218): (cfusion) AJP13 protocol: Reuse is set to false

     

    However, when the update is not applied and I roll back to version 13, then when I go to a page that does not exist, there is no log message at all.   I still don't know exactly what this means but it seems like there is something relevant happening here.  I feel like the connector is somehow gettng involved when it shouldnt.  But again, this is not my area of expertise at all. 🙂

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices