Posted to users@tomcat.apache.org by Gregor <rc...@googlemail.com> on 2009/03/01 01:25:24 UTC
Re: RemoteAddrValve and RemoteHostValve
marc,
do i understand you correctly that you only want to accept requests
from "localhost"?
next: wouldn't authorization solve your problem?
rgds
gregor
Am 28.02.2009 um 19:14 schrieb Zak Mc Kracken <za...@yahoo.it>:
> Thank you all for replies and detailed explanation. Now I understand
> what's happening. My specific problem is restrict a single web
> application to clients coming from localhost only. This was not
> working (everything blocked):
>
> <Context>
> <Valve className="org.apache.catalina.valves.RemoteHostValve"
> allow="localhost"/>
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> allow="127\.0\.0\.1" deny="" />
> </Context>
>
> I am using a Mac and, after your replies, I tried to see what
> request.getRemoteAddr() and request.getRemoteHost(). Well, it turns
> out that they both return "0:0:0:0:0:0:0:1%0", so now everything
> works with:
>
> <Context>
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> allow="127\.0\.0\.1,0:0:0:0:0:0:0:1\%0" deny="" />
> </Context>
>
>
> Moreover, André's reply is pretty convincing, although it seems to
> imply that RemoteHostValve should be avoided (isn't DNS reverse lookup
> cached?) and cannot be chained with RemoteAddrValve. Of course one
> can do what you suggest, although this is a bit impractical in large
> networks where one wouldn't like to care about IP changes of symbolic
> names. Worse, I don't see what I could do to grant access to single
> PCs in those LANs where users have fixed host names for their PCs,
> but DHCP-assigned IPs (OK, maybe it's a theoretical case, I would
> probably switch to user/password).
>
> Cheers.
>
> Marco.
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
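The behaviour Marco reports above (the chained RemoteHostValve/RemoteAddrValve pair blocking everything, then a single RemoteAddrValve listing both loopback spellings working) follows directly from how the Tomcat 5.5/6 request-filter valves match. The script below is an added illustration, not code from this thread or from Tomcat itself: it models the documented rules of those valves in Python (comma-separated list of regular expressions, each matched against the whole value, deny checked before allow, a deny-only list admitting everything it does not match) and evaluates Marco's two configurations against constructed requests. The `0:0:0:0:0:0:0:1%0` value is the one Marco saw on his Mac; the other addresses, the `Request`/`Valve` types and every function name are assumptions made for the example.

```python
import re
from typing import Callable, Dict, List, Optional

Request = Dict[str, str]           # keys: "remote_addr", "remote_host"
Valve = Callable[[Request], bool]  # True = request admitted


def _patterns(spec: Optional[str]) -> List["re.Pattern"]:
    """Comma-separated list of regular expressions, as the Tomcat 5.5/6
    allow/deny attributes are documented (assumption: modelled on the docs,
    not on Tomcat's source). Empty or missing attribute = no patterns."""
    if not spec:
        return []
    return [re.compile(p.strip()) for p in spec.split(",") if p.strip()]


def request_filter(value: str, allow: Optional[str] = None,
                   deny: Optional[str] = None) -> bool:
    """Decision rule of RemoteAddrValve / RemoteHostValve for one value.

    Every pattern must match the whole value (Java Matcher.matches(), hence
    re.fullmatch). Precedence: a matching deny rejects; a matching allow
    admits; with only a deny list configured, unmatched values are admitted;
    otherwise the request is rejected."""
    denies = _patterns(deny)
    allows = _patterns(allow)
    if any(p.fullmatch(value) for p in denies):
        return False
    if any(p.fullmatch(value) for p in allows):
        return True
    return bool(denies) and not allows


def remote_addr_valve(allow: Optional[str] = None,
                      deny: Optional[str] = None) -> Valve:
    """Filters on request.getRemoteAddr()."""
    return lambda req: request_filter(req["remote_addr"], allow, deny)


def remote_host_valve(allow: Optional[str] = None,
                      deny: Optional[str] = None) -> Valve:
    """Filters on request.getRemoteHost(). Without a reverse DNS lookup this
    is the same string as the address, which is why allow="localhost" matched
    nothing for Marco."""
    return lambda req: request_filter(req["remote_host"], allow, deny)


def chain(valves: List[Valve], req: Request) -> bool:
    """Valves declared in one <Context> run in order; every one must admit."""
    return all(v(req) for v in valves)


# Marco's first <Context>: RemoteHostValve allow="localhost" followed by
# RemoteAddrValve allow="127\.0\.0\.1" deny="".
ORIGINAL_CONFIG: List[Valve] = [
    remote_host_valve(allow="localhost"),
    remote_addr_valve(allow=r"127\.0\.0\.1", deny=""),
]

# Marco's working <Context>: both loopback spellings in one RemoteAddrValve.
FIXED_CONFIG: List[Valve] = [
    remote_addr_valve(allow=r"127\.0\.0\.1,0:0:0:0:0:0:0:1\%0", deny=""),
]

# Constructed requests. The IPv6 value is the one reported in the thread; the
# host field equals the address because no reverse lookup was performed.
MAC_LOOPBACK: Request = {"remote_addr": "0:0:0:0:0:0:0:1%0",
                         "remote_host": "0:0:0:0:0:0:0:1%0"}
IPV4_LOOPBACK: Request = {"remote_addr": "127.0.0.1", "remote_host": "127.0.0.1"}
LAN_CLIENT: Request = {"remote_addr": "192.0.2.10", "remote_host": "192.0.2.10"}


def evaluate(config: List[Valve]) -> Dict[str, bool]:
    """Admission result of each constructed request under one valve chain."""
    return {name: chain(config, req) for name, req in
            [("mac_loopback", MAC_LOOPBACK), ("ipv4_loopback", IPV4_LOOPBACK),
             ("lan_client", LAN_CLIENT)]}


if __name__ == "__main__":
    print("original:", evaluate(ORIGINAL_CONFIG))  # everything blocked
    print("fixed:   ", evaluate(FIXED_CONFIG))     # loopback admitted, LAN denied
```

Two things the model makes visible for a defender: an allow-list that names only one spelling of loopback fails closed (everything blocked, as Marco saw), whereas a deny-only valve with no allow list admits any address it does not match, so for a "localhost only" rule the allow-list form is the safer shape; and a RemoteHostValve compares against whatever getRemoteHost() returns, which without reverse DNS is just the address string, so an allow on a host name will not admit anything.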
Re: RemoteAddrValve and RemoteHostValve
Posted by Zak Mc Kracken <za...@yahoo.it>.
Thanks Gregor, that's very interesting for production environments. I'll
try it.
Cheers.
M.
Gregor Schneider wrote:
> On Mon, Mar 2, 2009 at 11:25 AM, Zak Mc Kracken <za...@yahoo.it> wrote:
>> Gregor Schneider wrote:
>>> you've been asking the valve-stuff because you want to limit the
>>> access to requests coming from localhost only?
>> Yep!
>>
>>> why then not make tomcat listen on localhost only? configuration for
>>> that's a walk in the park...
>>>
>> My Tomcat is serving a number of webapps, I want to restrict access to one
>> only (the others are proper end-user-dedicated applications). Furthermore,
>> it's more modular if I can set up such restriction rules into the app's WAR,
>> rather than at Tomcat configuration level. So, it should be as previously
>> explained, or am I missing something?
>>
>
> That wasn't clear to me.
>
> Have you ever thought about fronting Tomcat with Apache HTTPD, then
> connecting it via mod_jk?
>
> Thus, Tomcat would listen on localhost only, and Apache HTTPD takes
> care about forwarding appropriate requests to Tomcat on localhost.
>
> Besides, you could use Apache's mod_authz
> (http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html) to specify
> the authorized ips / hosts.
>
> Might be a little bit more work beforehand, but that would be my
> preferred solution.
>
> Rgds
>
> Gregor
RE: RemoteAddrValve and RemoteHostValve
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Gregor Schneider [mailto:rc46fi@googlemail.com]
> Subject: Re: RemoteAddrValve and RemoteHostValve
>
> I understood that there was one open issue that Zac
> needed to combine a hostname and IP address
Early in the thread, someone pointed out that there's never any need to specify a host name, and, in fact, doing so increases overhead considerably. All that's needed is the set of IP addresses that are allowed to run this webapp, and configure the <Valve> inside the <Context> of interest.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: RemoteAddrValve and RemoteHostValve
Posted by Gregor Schneider <rc...@googlemail.com>.
Hi Chuck,
On Mon, Mar 2, 2009 at 3:07 PM, Caldarale, Charles R
<Ch...@unisys.com> wrote:
> Since a working <Valve> setup was already provided, why not just use that?
>
Ehem - was it? I understood that there was one open issue that Zac
needed to combine a hostname and IP address - which was not possible
since both RemoteAddrValve & RemoteHostValve cannot be combined -
something with IPs via DHCP - or did I get that wrong?
Besides, setting up mod_jk is all that complicated - as long as you
know your Apache.
My preferred solution still would be AAA - however, according to the OP
that was not an option due to his requirements.
If the valve does everything the OP asked for - hey, go for it!
Sorry if I confused anyone here - will stop just "scanning" the
threads but read them properly - word of a boyscout!
Gregor
--
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
RE: RemoteAddrValve and RemoteHostValve
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Gregor Schneider [mailto:rc46fi@googlemail.com]
> Subject: Re: RemoteAddrValve and RemoteHostValve
>
> Have you ever thought about fronting Tomcat with Apache HTTPD, then
> connecting it via mod_jk?
Are you serious? You want to add complexity and overhead just to control access to one webapp? Since a working <Valve> setup was already provided, why not just use that?
- Chuck
Re: RemoteAddrValve and RemoteHostValve
Posted by Gregor Schneider <rc...@googlemail.com>.
On Mon, Mar 2, 2009 at 11:25 AM, Zak Mc Kracken <za...@yahoo.it> wrote:
> Gregor Schneider wrote:
>>
>> you've been asking the valve-stuff because you want to limit the
>> access to requests coming from localhost only?
>
> Yep!
>
>> why then not make tomcat listen on localhost only? configuration for
>> that's a walk in the park...
>>
>
> My Tomcat is serving a number of webapps, I want to restrict access to one
> only (the others are proper end-user-dedicated applications). Furthermore,
> it's more modular if I can set up such restriction rules into the app's WAR,
> rather than at Tomcat configuration level. So, it should be as previously
> explained, or am I missing something?
>
That wasn't clear to me.
Have you ever thought about fronting Tomcat with Apache HTTPD, then
connecting it via mod_jk?
Thus, Tomcat would listen on localhost only, and Apache HTTPD takes
care about forwarding appropriate requests to Tomcat on localhost.
Besides, you could use Apache's mod_authz
(http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html) to specify
the authorized ips / hosts.
Might be a little bit more work beforehand, but that would be my
preferred solution.
Rgds
Gregor
--
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
Re: RemoteAddrValve and RemoteHostValve
Posted by Zak Mc Kracken <za...@yahoo.it>.
Gregor Schneider wrote:
>
> you've been asking the valve-stuff because you want to limit the
> access to requests coming from localhost only?
Yep!
> why then not make tomcat listen on localhost only? configuration for
> that's a walk in the park...
>
My Tomcat is serving a number of webapps, I want to restrict access to
one only (the others are proper end-user-dedicated applications).
Furthermore, it's more modular if I can set up such restriction rules
into the app's WAR, rather than at Tomcat configuration level. So, it
should be as previously explained, or am I missing something?
Cheers.
M.
Re: RemoteAddrValve and RemoteHostValve
Posted by Gregor Schneider <rc...@googlemail.com>.
On Sun, Mar 1, 2009 at 6:05 PM, Zak Mc Kracken <za...@yahoo.it> wrote:
>
> Yes, but localhost-only is simpler in my case.
>
ehem, still not sure if i got you right:
you've been asking the valve-stuff because you want to limit the
access to requests coming from localhost only?
why then not make tomcat listen on localhost only? configuration for
that's a walk in the park...
rgds
gregor
--
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
Re: RemoteAddrValve and RemoteHostValve
Posted by Zak Mc Kracken <za...@yahoo.it>.
Gregor wrote:
> marc,
> do i understand you correctly that you only want to accept requests from
> "localhost"?
I have a Java web application that computes some data from an existing
Java-based infrastructure and outputs it as simple plain text. The output
is intended to be consumed by other PHP applications on the same server,
not by end-users.
> next: wouldn't authorization solve your problem?
>
Yes, but localhost-only is simpler in my case.
Marco.