Summary and analysis of AJP agreement

The tomcat server connects to the client through the Connector Connector component, the connector component is responsible for receiving the customer's request, and the results of the Tomcat server's response are sent to the customer. By default, Tomcat configures two types of connectors in Server.xml:
　　
<!--Define a non-ssl Coyote http/1.1
Connector on port 8080--
<connector port= "8080"
Maxthreads= "150"
Minsparethreads= "25"
maxsparethreads= "75"
Enablelookups= "false"
Redirectport= "8443"
acceptcount= "100"
debug= "0"
connectiontimeout= "20000"
Disableuploadtimeout= "true"/>
　　
<!--Define a COYOTE/JK2 AJP 1.3
Connector on port 8009--
<connector port= "8009"
Enablelookups= "false"
Redirectport= "8443" debug= "0"
Protocol= "ajp/1.3"/>
　　
The first connector listens on port 8080 and is responsible for establishing an HTTP connection. This is what you use when you access a web app for a tomcat server through a browser.

Http://blog.sina.com.cn/s/blog_6870d1e00100mv64.html

The general Tomcat default SSL port number is 8443, but for the SSL standard port number is 443, so when access to the Web page, the direct use of HTTPS without the need to enter the port number can be accessed, such as https://ip/
To modify the port number, you need to modify the Tomcat Server.xml file:
1.NON-SSL http/1.1 Connector Definition of the place, generally as follows:
<connector port= "maxhttpheadersize=" 8192 "
maxthreads= "minsparethreads=" maxsparethreads= "75"
Enablelookups= "false" redirectport= "443" acceptcount= "100"
connectiontimeout= "20000" disableuploadtimeout= "true"/>
Change the Redirectport port number to: 443
2.SSL http/1.1 Connector defined place, the modified port number is: 443, as follows:
<connector
port= "443" maxhttpheadersize= "8192"
Maxthreads= "minsparethreads=" 25 "
maxsparethreads= "75"
Enablelookups= "false"
Disableuploadtimeout= "true"
Acceptcount= "Scheme=" "https"
Secure= "true"
Clientauth= "false" sslprotocol= "TLS"
Keystorefile= "Conf/tomcat.keystore"
keystorepass= "123456"/>
3.AJP 1.3 Connector defined place, modify Redirectport to 443, as follows:
<connector port= "8009"
Enablelookups= "false" redirectport= "443" protocol= "ajp/1.3"/>

You can restart Tomcat. To this step can form the access mode https://ip/

4. Mandatory HTTPS access

Add the following paragraph to the </welcome-file-list> in Tomcat\conf\web.xml:

<login-config>
<!--Authorization setting for SSL--and
<auth-method>CLIENT-CERT</auth-method>
<realm-name>client Cert users-only area</realm-name>
</login-config>
<security-constraint>
<!--Authorization setting for SSL--and
<web-resource-collection >
<web-resource-name >SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Note: (If the machine port used by the other party is occupied)

Need to switch ports to convert data: iptables-t nat-a prerouting-p tcp--dport 80-j REDIRECT--to-port 8080

AJP (Apache Jserv Protocol) is a directional packet protocol. For performance reasons, use binary format to transfer readability text. The Web server is connected through a TCP connection and a servlet container.

(The format is not good, this article has been placed in the annex)

The AJP protocol is a directional packet (packet-oriented) protocol that uses binary forms instead of textual form to improve performance. Web server generally maintains multiple TCP connecions for Web container, that is, TCP connection pooling, and multiple request/respons loops reuse the same connection. However, when connection is assigned (Assigned) to a request, other requests must not use the connection until the request is complete.

The TCP Connection has two states:

(1). Idle No request is being used for this connection. (2). Assigned the current connection is processing a request. Data type: The AJP protocol includes four data types: Byte, Boolean, Integer, and String. BYTE: one byte

Boolean: one byte, 1 = true, 0 = False.

Integer: Two bytes, unsigned integer, high byte in front. String: variable string with a maximum length of 2^16. The length of the string is two bytes (integer) before the string, and 1 indicates null. The string is followed by Terminator "\", and the string length does not include this terminator. AJP package structure, Diagram 1:

package direction	1	2		4 ... (n+3)
server->container	0x12		data length (n)		data (payload)
container->server	a		data length (n)		data (payload) /td>

As you can see in Figure 1, the Tomcat packet from Apache has a 0x1234 header, and the package from Tomcat to Apache has an AB (ASCII) header, followed by two bytes representing the length of the data (excluding the first four bytes). The maximum length of the recognized AJP package can be close to 2^ 16, but the current version supports a maximum packet length of 2^13, which is 8 K. Look at the data section (payload), in addition to the Server->container request body package, the other packet's data part of the first byte of its message type (code), such as the following table (description is the original text, translated into Chinese I think it is more difficult to understand, English is better than Chinese):

Direction	Code	Package Type	Describe
Server->container	2	Forward Request	Begin the request-processing cycle with the following data.
	7	Shutdown	The Web server asks the container to shut itself down
	8	Ping	The Web server asks the container to take control (secure login phase).
	10	Cping	The Web server asks the container to respond quickly with a cpong
	None	Data	Size (2 bytes) and corresponding body data.
Container->server	3	Send Body Chunk	Send a chunk of the body from the servlet container to the Web server
	4	Send Headers	Send The response headers from the servlet container to the Web server
	5	End Response	Marks the end of the response
	6	Get Body Chunk	Get further data from the request if it hasn ' t all been transferred yet
	9	Cpong Reply	The reply to a cping request

Forward Request packet Data section (payload) Structure:

Ajp13_forward_request: = Prefix_code (byte) 0x02 = Jk_ajp13_forward_request Method (Byte) protocol      (string) Req_uri (String) remote_addr (String) remote_host (string) server_name (string) server_port (integer) Is_ssl (Boolean) num_headers (integer) Request_headers * (Req_header_name req_header_value) Attributes * (Attribut_name attribute_value) Request_terminator (Byte) oxff

--------------------------------------------------------------------------------------------------------------- ------------------

Req_header_name: = Sc_req_header_name | (string) [See below for what this is parsed]

--------------------------------------------------------------------------------------------------------------- ------------------

Sc_req_header_name: = 0xa0xx (integer) Req_header_value: = (String)

--------------------------------------------------------------------------------------------------------------- ------------------

Attribute_name: = Sc_a_name | (Sc_a_req_attribute string) Attribute_value: = (String)

(1) Prefix_code All forward request packages are 0x02.

(2) Method: A byte, the encoding of the method, which corresponds to the following (only part of the list): TD valign= "Top" width= "142" >TRACE&NBSP;&NBSP;&NBSP;&NBSP;

Command Name td>	code	post	4
OPTIONS 	1	put	5
GET     	2	DELETE   	6
HEAD    	3	7

(Reference: http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html)

(3) protocol, Req_uri, REMOTE_ADDR, Remote_host, server_name, Server_port, IS_SSL: Each request package has these fields, the format is the length + string value +\0 terminator.

(4) Num_headers: Number of request headers, two bytes. (5) Request_headers: The request header name is differentiated into two categories, a class of request headers are converted to the 0XA0XX format (shown in the following table), and the other request headers are still encoded with the original string.

Request Header	Code value	Code Name
Accept	0xa001	Sc_req_accept
Accept-charset	0xa002	Sc_req_accept_charset
Accept-encoding	0xa003	Sc_req_accept_encoding
Accept-language	0xa004	Sc_req_accept_language
Authorization	0xa005	Sc_req_authorization
Connection	0xa006	Sc_req_connection
Content-type	0xa007	Sc_req_content_type
Content-length	0xa008	Sc_req_content_length
Cookies	0xa009	Sc_req_cookie
Cookie2	0xa00a	Sc_req_cookie2
Host	0xa00b	Sc_req_host 0xa00c
pragma	0xa00c	Sc_req_pragma
Referer	0xa00d	Sc_req_referer
User-agent	0xa00e	Sc_req_user_agent

(6) Java code reads the first two bytes of integer type, if the high byte is "0xA0", then the second byte is the index on the list. If the high-order byte is not "0xA0", then the two bytes are the length of the subsequent request header name.     (7) Attributes: Rarely, look directly at the Tomcat documentation. (8) Request_terminator: One byte 0xFF, request terminator. Response Package Data section (payload) Structure:

Ajp13_send_headers: = Prefix_code 4 Http_status_code (integer) http_status_msg (String) num_headers (integer ) Response_headers * (Res_header_name header_value) Res_header_name: = Sc_res_header_name |   (string) [See below for what this is parsed] Sc_res_header_name: = 0xA0 (Byte) Header_value: = (string) Ajp13_send_body_chunk: = Prefix_code 3 chunk_length (integer) Chunk * (Byte) Ajp13_end_response: = Prefix_code 5 Reuse (Boolean) Ajp13_get_body_chunk: = Prefix_code 6 Requeste D_length (integer)

1. Response_headers: Like the request header, a class of response headers are converted to the 0XA0XX format (shown in the following table), and the other response header names are encoded with the original string.

Request Header	Code value	Code Name
Content-type	0xa001	Sc_resp_content_type
Content-language	0xa002	Sc_resp_content_language
Content-length	0xa003	Sc_resp_content_length
Date	0xa004	Sc_resp_date
Last-modified	0xa005	Sc_resp_last_modified
Location	0xa006	Sc_resp_location
Set-cookie	0xa007	Sc_resp_set_cookie
Set-cookie2	0xa008	Sc_resp_set_cookie2
Servlet-engine	0xa009	Sc_resp_servlet_engine
Status	0xa00a	Sc_resp_status
Www-authenticate	0xa00b	Sc_resp_www_authenticate

2. Reuse: If 1, the connection can be reused by the quilt, otherwise the connection should be closed. Let's take a look at a simple AJP request in the process of catching a request package: Http://localhost/test/testCluster.jsp Request:

1, 2 bytes is mentioned above Server->container header, 3, 4 bytes represents the packet length (0x01b0=432), that is, the length from the 5th byte to the last byte (FF). The 5th Byte (02) represents the "Forward Request" package. A 6th byte (02) represents a GET request. 7th, 8 bytes (0x0008) represents the length of the protocol string, the second 8 bytes is the protocol string (http/1.1), and the 9th byte is the protocol "\" of the Terminator string. 18-41 bytes represents the Req_uri string (0x15+2+1=24). 42-53 bytes represent the REMOTE_ADDR string (0x09+2+1=12) 54-55 two bytes (0xffff=-1) represent a null string, that is, Remote_host does not exist. 56-67 two bytes for server_name string (0x09+2+1=12) 68-69 two bytes (0x0050=80) for server_port70 bytes (0x00) for Is_ssl to false71-72 two bytes (0x0009) Represents the first 9 red ellipses in the request with 9 request headers. The 10th Red Ellipse (0x06) represents the route of the attributes. After the 11th red ellipse, it represents Ajp_remote_port and Jk_lb_ Activation two request properties. The last byte, 0xFF, indicates the end of the request.

Response Header packet:

Similar to the head, no longer described in detail. Where the 5th byte of 0x04 represents the "Send Headers" response. And there is no Terminator byte 0xFF.

Response Body Packet:

Response End Response: The last Byte (01) that represents the current connection is still available. Finish

http://guojuanjun.blog.51cto.com/277646/688559/

Summary and analysis of AJP agreement