Posted to users@tomcat.apache.org by "Richard S. Huntrods" <hu...@nucleus.com> on 2001/12/20 17:23:11 UTC

Tomcat - Manager Functions without the Manager?

Greetings!

For security purposes, my tomcat server is behind a firewall, with the
firewall forwarding port 8080 requests to the server (as port 8080).
All works very well. FTP and Telnet are blocked by the firewall as
well.  Only port 80 (another machine running Apache to serve a web site)
and port 8080 are open on this firewall.

Also for security, I have removed the original "webapps" directory and
replaced it with my own "webapps" directory with just my servlets and
such in it.  Again, all works very, very well.

NOW - I would like to track who is currently using the system.  Apache
is not running - only Tomcat.  Rather than try to track users internally
with my servlets, I would like to be able to use the Tomcat manager
functions to do this. Is there a way to use manager functions without
the original webapps/manager directory - i.e. ONLY from behind the
firewall, perhaps even only when logged on to the server as root?  My
understanding is that if I put the manager directory back, then it is
open to the world (password protection is rarely enough, I've found).

Thanks in advance,

-Richard



--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>


Re: Tomcat - Manager Functions without the Manager?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Thu, 20 Dec 2001, Richard S. Huntrods wrote:

> Date: Thu, 20 Dec 2001 09:23:11 -0700
> From: Richard S. Huntrods <hu...@nucleus.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: "tomcat-user@jakarta.apache.org" <to...@jakarta.apache.org>
> Subject: Tomcat - Manager Functions without the Manager?
>
> Greetings!
>
> For security purposes, my tomcat server is behind a firewall, with the
> firewall forwarding port 8080 requests to the server (as port 8080).
> All works very well. FTP and Telnet are blocked by the firewall as
> well.  Only port 80 (another machine running Apache to serve a web site)
> and port 8080 are open on this firewall.
>
> Also for security, I have removed the original "webapps" directory and
> replaced it with my own "webapps" directory with just my servlets and
> such in it.  Again, all works very, very well.
>
> NOW - I would like to track who is currently using the system.  Apache
> is not running - only Tomcat.  Rather than try to track users internally
> with my servlets, I would like to be able to use the Tomcat manager
> functions to do this. Is there a way to use manager functions without
> the original webapps/manager directory - i.e. ONLY from behind the
> firewall, perhaps even only when logged on to the server as root?  My
> understanding is that if I put the manager directory back, then it is
> open to the world (password protection is rarely enough, I've found).
>

The manager app doesn't really track users -- it only tells you how many
active sessions there are.  However, it's possible to set up this app (or
any other) in a manner that makes it available only inside the firewall.
It works like this:

* Add the "manager" webapp's subdirectory back in to your "webapps"
  directory.

* Add a <Context> element in server.xml that includes a request filter
  preventing access to the manager webapp from anywhere *other* than
  inside the firewall:

    <Context path="/manager" docBase="manager">
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
                accept="xxx.xxx.xxx.xxx"/>
    </Context>

  where "xxx.xxx.xxx.xxx" is the IP address (or a regular expression
  pattern) that must match in order for this request to succeed.

* This filter will accept *only* requests that match the "accept"
  pattern, so any outside-the-firewall attempt will fail (even if
  they know the right username and password).

More information is in the Server Configuration Reference documentation
that ships with Tomcat.


> Thanks in advance,
>
> -Richard
>

Craig
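
An added example, not part of the original reply or of Tomcat's own code: a small Python check that runs candidate RemoteAddrValve patterns against addresses that must and must not get through, under both whole-string and match-anywhere regex behaviour. The sample addresses, the 10.1.0.0/16 "inside" range and the names audit, LOOSE, STRICT and ANCHORED are assumptions made for the illustration.

```python
import re

# Constructed sample addresses (not from the thread): the 10.1.0.0/16 range
# stands in for "inside the firewall".
INSIDE = ["10.1.0.7", "10.1.20.3"]
OUTSIDE = ["10.100.2.3", "10.11.0.7", "210.1.0.7", "198.51.100.9"]


def audit(pattern, whole_string=True):
    """Return (wrongly_denied, wrongly_allowed) for one address pattern.

    whole_string=True  -> the pattern must match the entire address
    whole_string=False -> a match anywhere in the address is enough
    Which rule a given Tomcat release applies is not stated in the thread,
    so both are checked (assumption: simple patterns like these behave the
    same in Python's re module as in the Java regex engines).
    """
    rx = re.compile(pattern)
    hit = rx.fullmatch if whole_string else rx.search
    wrongly_denied = [a for a in INSIDE if not hit(a)]
    wrongly_allowed = [a for a in OUTSIDE if hit(a)]
    return wrongly_denied, wrongly_allowed


LOOSE = "10.1.*"                      # unescaped dots, open-ended tail
STRICT = r"10\.1\.\d{1,3}\.\d{1,3}"   # literal dots, fixed shape
ANCHORED = "^" + STRICT + "$"         # holds under either matching rule

if __name__ == "__main__":
    for name, pat in [("loose", LOOSE), ("strict", STRICT),
                      ("anchored", ANCHORED)]:
        for whole in (True, False):
            denied, allowed = audit(pat, whole)
            print(f"{name:8} whole_string={whole!s:5} "
                  f"wrongly_denied={denied} wrongly_allowed={allowed}")
```

The valve compares against the source address Tomcat sees on the connection, so if the port-forwarding firewall rewrites source addresses, outside clients arrive with the firewall's own address; confirm what Tomcat's access log records before relying on the pattern. Tomcat's valve documentation names the filter attributes `allow` and `deny`, so check the attribute name against the Server Configuration Reference for the release in use.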

