Posted to users@tomcat.apache.org by Edward Quick <ed...@hotmail.com> on 2006/04/28 10:09:23 UTC

Restricting access to Tomcat

Hi,

I have an Apache mod_jk Tomcat server set up on the same host, and want to 
restrict access to the Tomcat so that only the Apache on the localhost can 
connect to port 8009.

I tried using org.apache.catalina.valves.RemoteAddrValve, with 
allow="127.0.0.1", but the issue is that Tomcat picks up the IP address of 
the client, and not the Apache which is passing traffic onto it.

Is there a way round this?

Thanks,

Ed.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Restricting access to Tomcat

Posted by Tim Lucia <ti...@yahoo.com>.
This is a networking exercise. 

-----Original Message-----
From: Chris Lear [mailto:chris.lear@laculine.com] 
Sent: Friday, April 28, 2006 8:20 AM
To: Tomcat Users List
Subject: Re: Restricting access to Tomcat

* Edward Quick wrote (28/04/06 13:07):
>>* Edward Quick wrote (28/04/06 10:53):
>> >
>> >> >
>> >> > I have an Apache mod_jk Tomcat server set up on the same host, 
>> >> > and
[...]
> 
> Thanks, I know what you mean but my problem is the Apache is not on 
> the same box as the Tomcat.

Sorry. I misunderstood your original post. I thought you meant they were on
the same machine.

Chris



Re: Restricting access to Tomcat

Posted by Chris Lear <ch...@laculine.com>.
* Edward Quick wrote (28/04/06 13:07):
>>* Edward Quick wrote (28/04/06 10:53):
>> >
>> >> >
>> >> > I have an Apache mod_jk Tomcat server set up on the same host, and 
[...]
> 
> Thanks, I know what you mean but my problem is the Apache is not on the same 
> box as the Tomcat.

Sorry. I misunderstood your original post. I thought you meant they were
on the same machine.

Chris



Re: Restricting access to Tomcat

Posted by Edward Quick <ed...@hotmail.com>.
>* Edward Quick wrote (28/04/06 10:53):
> >
> >> > Hi,
> >> >
> >> > I have an Apache mod_jk Tomcat server set up on the same host, and want to
> >> > restrict access to the Tomcat so that only the Apache on the localhost can
> >> > connect to port 8009.
> >> >
> >> > I tried using org.apache.catalina.valves.RemoteAddrValve, with
> >> > allow="127.0.0.1", but the issue is that Tomcat picks up the IP address of
> >> > the client, and not the Apache which is passing traffic onto it.
> >> >
> >> > Is there a way round this?
> >>
> >>
> >><Connector port="8009" protocol="AJP/1.3"
> >>                address="127.0.0.1">
> >>
> >>Won't that do it?
> >>
> >>Chris
> >>
> >
> > I don't think so because that's saying, bind the ajp listener to the
> > localhost. It's not saying restrict access to the ajp listener to localhost.
>
>If it's bound to the loopback interface only, then only local
>applications will be able to connect to it. Nothing else can access
>127.0.0.1.
>Try it, and then try using
>telnet i.p.add.ress 8009 from a different machine
>You should get connection refused. I'm fairly confident that this solves
>your problem.
>
>Chris
>

Thanks, I know what you mean but my problem is the Apache is not on the same 
box as the Tomcat.

Ed.





Re: Restricting access to Tomcat

Posted by Chris Lear <ch...@laculine.com>.
* Edward Quick wrote (28/04/06 10:53):
> 
>> > Hi,
>> >
>> > I have an Apache mod_jk Tomcat server set up on the same host, and want to
>> > restrict access to the Tomcat so that only the Apache on the localhost can
>> > connect to port 8009.
>> >
>> > I tried using org.apache.catalina.valves.RemoteAddrValve, with
>> > allow="127.0.0.1", but the issue is that Tomcat picks up the IP address of
>> > the client, and not the Apache which is passing traffic onto it.
>> >
>> > Is there a way round this?
>>
>>
>><Connector port="8009" protocol="AJP/1.3"
>>                address="127.0.0.1">
>>
>>Won't that do it?
>>
>>Chris
>>
> 
> I don't think so because that's saying, bind the ajp listener to the 
> localhost. It's not saying restrict access to the ajp listener to localhost.

If it's bound to the loopback interface only, then only local
applications will be able to connect to it. Nothing else can access
127.0.0.1.
Try it, and then try using
telnet i.p.add.ress 8009 from a different machine
You should get connection refused. I'm fairly confident that this solves
your problem.

Chris
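
Added example, not part of the original thread and not Tomcat's own code: a small Python audit of the Connector address setting discussed above. It reports, for each AJP connector in a server.xml, whether it is bound to loopback only, to one specific interface (the case when Apache is on another box, where network filtering has to do the restricting), or left to the default. The sample server.xml, the 192.0.2.10 address and the function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not from the thread) with three AJP connectors.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
    <Connector port="8010" protocol="AJP/1.3" address="192.0.2.10"/>
    <Connector port="8011" protocol="AJP/1.3"/>
  </Service>
</Server>
"""

def classify_bind(address):
    """Return LOOPBACK, ALL_INTERFACES, SPECIFIC, DEFAULT or UNRESOLVED."""
    if address is None:
        return "DEFAULT"         # bind address is left to the Tomcat version's default
    if address == "localhost":
        return "LOOPBACK"
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "UNRESOLVED"      # a hostname: resolve it on the host to decide
    if ip.is_loopback:
        return "LOOPBACK"        # only processes on the same machine can connect
    if ip.is_unspecified:
        return "ALL_INTERFACES"  # 0.0.0.0 or :: listens on every interface
    return "SPECIFIC"            # reachable via that interface; filter at the network

def audit_ajp(server_xml):
    """Return a list of (port, address, verdict) for every AJP connector."""
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        # Matches protocol="AJP/1.3" as well as an AJP protocol class name.
        if "ajp" in conn.get("protocol", "").lower():
            addr = conn.get("address")
            results.append((conn.get("port"), addr, classify_bind(addr)))
    return results

if __name__ == "__main__":
    for port, addr, verdict in audit_ajp(SAMPLE_SERVER_XML):
        print(f"AJP port {port} address={addr!r}: {verdict}")
```
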



Re: Restricting access to Tomcat

Posted by Edward Quick <ed...@hotmail.com>.

> > Hi,
> >
> > I have an Apache mod_jk Tomcat server set up on the same host, and want to
> > restrict access to the Tomcat so that only the Apache on the localhost can
> > connect to port 8009.
> >
> > I tried using org.apache.catalina.valves.RemoteAddrValve, with
> > allow="127.0.0.1", but the issue is that Tomcat picks up the IP address of
> > the client, and not the Apache which is passing traffic onto it.
> >
> > Is there a way round this?
>
>
><Connector port="8009" protocol="AJP/1.3"
>                address="127.0.0.1">
>
>Won't that do it?
>
>Chris
>

I don't think so because that's saying, bind the ajp listener to the 
localhost. It's not saying restrict access to the ajp listener to localhost.





Re: Restricting access to Tomcat

Posted by Chris Lear <ch...@laculine.com>.
* Edward Quick wrote (28/04/06 09:09):
> Hi,
> 
> I have an Apache mod_jk Tomcat server set up on the same host, and want to 
> restrict access to the Tomcat so that only the Apache on the localhost can 
> connect to port 8009.
> 
> I tried using org.apache.catalina.valves.RemoteAddrValve, with 
> allow="127.0.0.1", but the issue is that Tomcat picks up the IP address of 
> the client, and not the Apache which is passing traffic onto it.
> 
> Is there a way round this?


<Connector port="8009" protocol="AJP/1.3"
               address="127.0.0.1" />

Won't that do it?

Chris
