https://bugs.gentoo.org/710656 brought a new Tomcat versions which either requires secretRequired="false" in server.xml to be defined or properly setup. However when properly setting a secret you run into a problem when using Apache as AJP proxy, the current available apache versions is lacking secret support as it is only available in trunk. Please consider backporting https://github.com/apache/httpd/commit/d8b6d798c177dfdb90cef1a29395afcc043f3c86 like other distributions do, like e.g. Fedora with https://src.fedoraproject.org/rpms/httpd/blob/master/f/httpd-2.4.34-r1738878.patch. Ubuntu has the same problem, tracked in https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1865340. Reproducible: Always Steps to Reproduce: 1. Upgrade to a Tomcat version which fixed the ghostcat security issue 2. Try to configure Tomcat and Apache Proxy in a secure manner 3. Watch apache complain about the non existing parameter ProxyPass / ajp://localhost:8009/ secret=123 upon start with: AH00526: Syntax error on line xx of /etc/apache2/vhosts.d/virtualhost.domain.conf: ProxyPass unknown Worker parameter See e.g. https://access.redhat.com/solutions/4851251 for a more detailed example.
Feature is present in 2.4.43 which was added to Gentoo in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ed28ac0f8c8f74bdbd0ba1fb2b541f99b42b67f