Posted to users@tomcat.apache.org by "Cox, Charlie" <cc...@cincom.com> on 2004/06/11 19:58:39 UTC

bypassing apache directives with jk2 and multiple hosts/ip addresses

I am running Apache 2.0.49 / jk2 2.0.4 / tomcat 4.1.29

I have several IP-based virtual hosts set up through Apache which use jk2 to
get to tomcat. My problem is that I can bypass Apache settings for the
domain by changing the IP address used for those domains with a client.

Example configuration:

<VirtualHost 10.1.1.1:80>
    ServerName www.aaa.com:80
    DocumentRoot /www/aaa/
    DirectoryIndex index.html
    <Location />
        Order Deny,Allow
        Allow from all
    </Location>
    <LocationMatch "\.jsp$">
        JkUriSet worker ajp13:localhost:8009
    </LocationMatch>
</VirtualHost>

<VirtualHost 10.2.2.2:80>
    ServerName www.bbb.com:80
    DocumentRoot /www/bbb/
    DirectoryIndex index.html
    <Location />
        Order Allow,Deny
        Deny from all
        Allow from 10.10.10
    </Location>
    <LocationMatch "/examples/*.jsp">
        JkUriSet worker ajp13:localhost:8009
    </LocationMatch>
</VirtualHost>

Server.xml:
<Host name="www.aaa.com">
	...
</Host>
<Host name="www.bbb.com">
	...
</Host>

What I want is that all users can access www.aaa.com, while only specific
users can access www.bbb.com. The problem is that I can modify my host file
with the following:

10.1.1.1	www.bbb.com

The request is received by the first <VirtualHost> because of the IP
address, regardless of the host name. This will allow all of the JSP files
for the host to be viewed (not just /examples, and by anyone). The
LocationMatch allows the request to get to tomcat, and once it receives the
request, tomcat only looks at the domain name.

Can jk2/tomcat prevent this behavior? I see a couple of ways that I can
change my configuration, but it wasn't obvious that I needed to do either
until I realized the problem.

1. Create a tomcat <service> in server.xml for each hostname (and its
IP address) that I want to be separate. Therefore each host/IP will have its
own jk2 worker.

2. Create an Apache default virtual host for each IP address with no
JkUriSet.

3. Add the RemoteAddressValve to my tomcat host. But this seems repetitive
and people unaware of this problem will probably not use this in addition to
the Apache directives.

Charlie
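As an added example (not part of the original post), this is what option 2 looks like in Apache 2.0 syntax: for each IP, a catch-all VirtualHost is listed first and carries no JkUriSet, so a request that arrives on 10.1.1.1 with a Host header of www.bbb.com lands on the catch-all instead of being handed to the ajp13 worker. The host names, paths and worker are the post's own; the `default.*.invalid` ServerName values are placeholders, and NameVirtualHost is required in Apache 2.0 for Host-header selection among vhosts that share an IP.

```apache
# Enable Host-header selection among the vhosts bound to each IP.
NameVirtualHost 10.1.1.1:80
NameVirtualHost 10.2.2.2:80

# Catch-all for 10.1.1.1: first in file, no worker, denies everything.
# Any Host name that is not www.aaa.com ends up here.
<VirtualHost 10.1.1.1:80>
    ServerName default.aaa.invalid
    DocumentRoot /www/default/
    <Location />
        Order Allow,Deny
        Deny from all
    </Location>
</VirtualHost>

<VirtualHost 10.1.1.1:80>
    ServerName www.aaa.com:80
    DocumentRoot /www/aaa/
    DirectoryIndex index.html
    <Location />
        Order Deny,Allow
        Allow from all
    </Location>
    <LocationMatch "\.jsp$">
        JkUriSet worker ajp13:localhost:8009
    </LocationMatch>
</VirtualHost>

# Catch-all for 10.2.2.2, same idea: nothing here is forwarded to tomcat.
<VirtualHost 10.2.2.2:80>
    ServerName default.bbb.invalid
    DocumentRoot /www/default/
    <Location />
        Order Allow,Deny
        Deny from all
    </Location>
</VirtualHost>

<VirtualHost 10.2.2.2:80>
    ServerName www.bbb.com:80
    DocumentRoot /www/bbb/
    DirectoryIndex index.html
    <Location />
        Order Allow,Deny
        Deny from all
        Allow from 10.10.10
    </Location>
    <LocationMatch "/examples/.*\.jsp$">
        JkUriSet worker ajp13:localhost:8009
    </LocationMatch>
</VirtualHost>
```

Since tomcat still routes purely on the Host header, option 3 from the post remains worthwhile as defence in depth: a `<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="10\.10\.10\..*"/>` inside the www.bbb.com `<Host>` re-applies the source restriction on the tomcat side regardless of which Apache vhost forwarded the request.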