Introduce IPv4 and IPv6-specific AJP adapters

In order to facilitate IPv4-only and IPv6-onyly stacks, begin binding separately to IPv4 and IPv6. If a Connector fails to bind, Tomcat will continue running, but won't listen on that address. This allows both 127.0.0.1 and ::1 to function on new Dogtag installs. Note that the limitation here comes not from Tomcat but from JDK: it only allows binding to a single (IPv4 or IPv6) stack with a given address. Resolves: rh-bz#1780082 Signed-off-by: Alexander Scheel <ascheel@redhat.com>
dogtagpki · Nov 17, 2020 · 1906afb · 1906afb
1 parent 4c705de
commit 1906afb
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 5 deletions.
diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg
@@ -4,7 +4,8 @@ INSTALL_TIME_SLOT=[INSTALL_TIME]
 MASTER_CRL_ENABLE_SLOT=[MASTER_CRL_ENABLE]
 PKI_ADMIN_SECURE_PORT_SLOT=[PKI_ADMIN_SECURE_PORT]
 PKI_AGENT_SECURE_PORT_SLOT=[PKI_AGENT_SECURE_PORT]
-PKI_AJP_HOST_SLOT=[PKI_AJP_HOST]
+PKI_AJP_HOST_IPv4_SLOT=[PKI_AJP_HOST_IPv4]
+PKI_AJP_HOST_IPv6_SLOT=[PKI_AJP_HOST_IPv6]
 PKI_AJP_PORT_SLOT=[PKI_AJP_PORT]
 PKI_AJP_SECRET_SLOT=[PKI_AJP_SECRET]
 PKI_AJP_REDIRECT_PORT_SLOT=[PKI_AJP_REDIRECT_PORT]

diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
@@ -256,7 +256,12 @@ pki_subsystem_registry_link=%(pki_subsystem_path)s/registry
 # another host, manually edit server.xml to specify a shared secret or
 # tunnel it over a secure network. Refer to the Tomcat documentation for more
 # information about secure Tomcat configuration.
-pki_ajp_host=localhost
+pki_ajp_host_ipv4=localhost4
+pki_ajp_host_ipv6=localhost6
+
+# Note: pki_ajp_host is deprecated in favor of pki_ajp_host_ipv4.
+pki_ajp_host=%(pki_ajp_host_ipv4)s
+
 pki_ajp_port=8009
 pki_ajp_secret=%(pki_random_ajp_secret)s
 pki_server_pkcs12_path=

diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
@@ -715,8 +715,14 @@ def compose_pki_master_dictionary(self):
                 self.mdict['pki_https_port']
             self.mdict['PKI_AJP_PORT_SLOT'] = \
                 self.mdict['pki_ajp_port']
-            self.mdict['PKI_AJP_HOST_SLOT'] = \
+            self.mdict['PKI_AJP_HOST_IPv4_SLOT'] = \
                 self.mdict['pki_ajp_host']
+            if (self.mdict['pki_ajp_host'] == 'localhost4' and
+                    self.mdict['pki_ajp_host_ipv4'] != 'localhost4'):
+                self.mdict['PKI_AJP_HOST_IPv4_SLOT'] = \
+                    self.mdict['pki_ajp_host_ipv4']
+            self.mdict['PKI_AJP_HOST_IPv6_SLOT'] = \
+                self.mdict['pki_ajp_host_ipv6']
             self.mdict['PKI_AJP_SECRET_SLOT'] = \
                 self.mdict['pki_ajp_secret']
             self.mdict['PKI_AJP_REDIRECT_PORT_SLOT'] = \

diff --git a/base/server/tomcat-8.5/conf/server.xml b/base/server/tomcat-8.5/conf/server.xml
@@ -189,7 +189,12 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
     <Connector port="[PKI_AJP_PORT]"
                protocol="AJP/1.3"
                redirectPort="[PKI_AJP_REDIRECT_PORT]"
-               address="[PKI_AJP_HOST]"
+               address="[PKI_AJP_HOST_IPv4]"
+               requiredSecret="[PKI_AJP_SECRET]" />
+    <Connector port="[PKI_AJP_PORT]"
+               protocol="AJP/1.3"
+               redirectPort="[PKI_AJP_REDIRECT_PORT]"
+               address="[PKI_AJP_HOST_IPv6]"
                requiredSecret="[PKI_AJP_SECRET]" />
 [PKI_CLOSE_AJP_PORT_COMMENT]
 

diff --git a/docs/manuals/man5/pki_default.cfg.5.md b/docs/manuals/man5/pki_default.cfg.5.md
@@ -81,7 +81,13 @@ Secure and unsecure ports.  Defaults to standard Tomcat ports 8443 and 8080, res
 Ports for Tomcat subsystems.  Defaults to standard Tomcat ports of 8009 and 8005, respectively.
 
 **pki_ajp_host**  
-Host on which to listen for AJP requests.  Defaults to localhost to listen to local traffic only.
+Host on which to listen for AJP requests.  Defaults to localhost4 to listen to local traffic only on IPv4 stack. **NOTE** Deprecated in favor of **pki_ajp_host_ipv4**.
+
+**pki_ajp_host_ipv4**
+Host on which to listen for AJP requests.  Defaults to localhost4 to listen to local traffic only on IPv4 stack.
+
+**pki_ajp_host_ipv6**
+Host on which to listen for AJP requests.  Defaults to localhost6 to listen to local traffic only on IPv6 stack.
 
 **pki_proxy_http_port**, **pki_proxy_https_port**, **pki_enable_proxy**  
 Ports for an Apache proxy server.