You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by Travis Morris <tr...@webmedtechnology.com> on 2005/12/27 03:48:31 UTC

Tomcat uses locally only.

This may be a newbie question forgive me for that.   I'm currently 
using Tomcat as a client-side server which is intended to only be 
accessed by the local user.   Therefore it does not need to be accessed 
via a remote IP.  Is there a setting in the connector to specify that 
the server is only to be accessed via localhost?   I know I can just 
setup the firewall to not allow incoming on that port but I'd like to 
do it at the server level as well.

The reason for the client-side server is we needed an 'offline' version 
of our application and rather then support two codelines I went to the 
easier solution of creating an offline web application on the local 
client.

Anyways, one of our customers is voicing concerns about hackers gaining 
access to the laptop via the webserver, and I'd rather go back with 
them for with not only the local firewall solution but also a way to 
lock down the application server itself.  Or is there an application 
server which would be better suited for this?  We use tomcat in 
production which is why I went with it for the client-side suite.

Thanks for your assistance :)


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Tomcat uses locally only.

Posted by Pulkit Singhal <pu...@gmail.com>.

Hello,

I am a n00b myself so I don't know how much this will help you but here's an
interesting bit of fact for you:

1) My config: Apache Web Server + mod_jk (tomcat connector) + Tomcat 5.x

2) When I was sending GET or POST requests to my webserver for content that
was actually being housed in Tomcat, it only worked for localhost by
default. Heck it wouldn't even work for my own computer's external-facing-ip
address.

3) Try the following out, you SHOULD notice that only the localhost requests
are served and that the rest give you a 404...ofcourse I'll make an
assumption that you are actually serving jsp-examples successfully...u can
check this: "http://127.0.0.1/:<tomcat_port>/jsp-examples/" (port 8080 is
the default tomcat port unless u have changed this)
In your browser enter:
a) http://<ur.ip.add.ress>:<web_server_port>/jsp-examples/
    This should fail...
b) http://127.0.0.1:<web_server_port>/jsp-examples/
    This should succeed...

4) IF THIS IS NOT THE CASE...then that means your
"tomcat_home\conf\server.xml" has been altered with additional Virtual
Hosts. In that case, (1)BACK_UP your server.xml file and then (2)remove all
hosts from it other than localhost and (3)make sure that localhost is your
default host...(4)stop tomcat and your webserver....(5)start tomcat and then
your webserver...after that give the above experiment another shot :)

If your server.xml used to look something like:

<!-- Pay attention to the default host -->
<Engine name="Catalina" defaultHost="localhost">

<!-- HOST A -->
<Host name="localhost" ...>
  <Listener className="org.apache.jk.config.ApacheConfig"
                 modJk="/apache/modules/mod_jk-apache-2.0.55.so" />
</Host>

<!-- HOST B-->
<Host name="your.domain.com" ...>
  <Listener className="org.apache.jk.config.ApacheConfig"
                 modJk="/apache/modules/mod_jk-apache-2.0.55.so" />
</Host>

After your changes it should look something like:

<!-- Pay attention to the default host -->
<Engine name="Catalina" defaultHost="localhost">

<!-- ONLY LOCALHOST IS LEFT ALONE--->
<Host name="localhost" ...>
  <Listener className="org.apache.jk.config.ApacheConfig"
                 modJk="/apache/modules/mod_jk-apache-2.0.55.so" />
</Host>

5) If this doesn't work or anybody else reading this post has objections to
what I said...please post and help Travis out :)

Cheers,
- Pulkit

On 12/26/05, Travis Morris <tr...@webmedtechnology.com> wrote:
>
> This may be a newbie question forgive me for that.   I'm currently
> using Tomcat as a client-side server which is intended to only be
> accessed by the local user.   Therefore it does not need to be accessed
> via a remote IP.  Is there a setting in the connector to specify that
> the server is only to be accessed via localhost?   I know I can just
> setup the firewall to not allow incoming on that port but I'd like to
> do it at the server level as well.
>
> The reason for the client-side server is we needed an 'offline' version
> of our application and rather then support two codelines I went to the
> easier solution of creating an offline web application on the local
> client.
>
> Anyways, one of our customers is voicing concerns about hackers gaining
> access to the laptop via the webserver, and I'd rather go back with
> them for with not only the local firewall solution but also a way to
> lock down the application server itself.  Or is there an application
> server which would be better suited for this?  We use tomcat in
> production which is why I went with it for the client-side suite.
>
> Thanks for your assistance :)
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>