Posted to users@tomcat.apache.org by dk...@ccilindia.co.in on 2014/05/12 16:42:09 UTC

denying the request if it comes through IP address instead of DNS

Hello All,

We are using -
Tomcat Version - 7.0.22
Operating System Version : Windows 2003 server


To close a vulnerability, "Deny the request if it comes through an IP 
address instead of DNS", we have made the configuration changes below in 
server.xml:


 <Engine name="Catalina" defaultHost="server DNS name">
 (defaultHost was set to localhost prior to the change)

 <Host name="server DNS name" appBase="webapps" unpackWARs="true" autoDeploy="true">
 (name was set to localhost prior to the change)



But due to this change we are losing logging in localhost.log in the logs folder 
of Tomcat. Please suggest how to redirect console logging to a given file, 
or how to retain the localhost.log file of Tomcat.

Kindly also let us know whether, instead of the above settings, any other 
configuration setting will deny any request that comes through an IP address 
instead of DNS.

Thanks & Regards
Deepak Kumar

Re: denying the request if it comes through IP address instead of DNS

Posted by André Warnier <aw...@ice-sa.com>.
dkumar@ccilindia.co.in wrote:
> Hello All,
> 
> We are using -
> Tomcat Version - 7.0.22
> Operating System Version : Windows 2003 server
> 
> 
> To close a vulnerability, "Deny the request if it comes through an IP 
> address instead of DNS", we have made the configuration changes below in 
> server.xml:
> 
> 
>  <Engine name="Catalina" defaultHost="server DNS name">
>  (defaultHost was set to localhost prior to the change)
>  
> 
>  <Host name="server DNS name" appBase="webapps" unpackWARs="true" autoDeploy="true">
>  (name was set to localhost prior to the change)
> 
> 
> 
> But due to this change we are losing logging in localhost.log in the logs folder 
> of Tomcat. Please suggest how to redirect console logging to a given file, 
> or how to retain the localhost.log file of Tomcat.
> 
> Kindly also let us know whether, instead of the above settings, any other 
> configuration setting will deny any request that comes through an IP address 
> instead of DNS.
> 
> 

Hi.
What you really need first is to understand how "virtual hosting" works in HTTP 
webservers in general.
HTTP requests do not "come through DNS" or "come through IP address".  They all come in 
the same way, through a TCP/IP connection established by the browser to the IP address of 
your server.

In short, what you did above was not the right way to get what you seem to want.
What you should have done is this:

1) start from a standard configuration again
2) leave the <Host name="localhost"> as it is (also in the <Engine> tag)
3) *add another* <Host name="the DNS name" appBase="(another path to the real webapps)"
That is where your real applications should be.

(and a few more details not entered into here)


Then what will happen is :
- any request addressed to the "DNS name" will be processed by the second Host (the one 
that you added).  That is where your real webapps should be.
- any request with another hostname (or IP address) will be processed by the "default 
host" (the one named "localhost").  That one should then just have a default webapp, which 
answers "forbidden" or something like that.

For more details, search Google for "tomcat virtual hosts".
I found a reasonable basic explanation here : 
http://www.ramkitech.com/2012/02/understanding-virtual-host-concept-in.html


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
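The layout André describes, as an added example that is not from the thread: a server.xml fragment in which the default "localhost" Host keeps only a deny-all ROOT application, and a second Host serves the real site. "www.example.com", "example.com" and "webapps-default" are placeholders to replace with the real names and path.

```xml
<!-- conf/server.xml (fragment): defaultHost stays "localhost" -->
<Engine name="Catalina" defaultHost="localhost">

  <!-- Default Host: receives requests sent to the IP address, to "localhost",
       or with no Host header at all. Its appBase holds only the deny-all
       ROOT application defined below, so nothing real is exposed here. -->
  <Host name="localhost" appBase="webapps-default"
        unpackWARs="true" autoDeploy="false">
  </Host>

  <!-- Real site: only requests whose Host header is www.example.com (or the
       alias) are routed to the applications in this appBase. -->
  <Host name="www.example.com" appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    <Alias>example.com</Alias>
    <!-- Separate access log per virtual host, so denied-vs-served traffic
         can be told apart in the logs directory. -->
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs" prefix="www.example.com_access_log."
           suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" />
  </Host>
</Engine>

<!-- webapps-default/ROOT/WEB-INF/web.xml: an empty <auth-constraint/> grants
     access to no role at all, so Tomcat answers 403 Forbidden for every URL
     of the default host without needing any servlet code. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>deny-everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
```

The added Host gets no entry in localhost.log by itself; its container messages go to a logger named org.apache.catalina.core.ContainerBase.[Catalina].[www.example.com], which needs its own handler and level lines in conf/logging.properties alongside the existing [localhost] ones.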


Re: denying the request if it comes through IP address instead of DNS

Posted by David Kerber <dc...@verizon.net>.
On 5/12/2014 3:32 PM, Christopher Schultz wrote:
>
> Deepak,
>
> On 5/12/14, 10:42 AM, dkumar@ccilindia.co.in wrote:
>> We are using - Tomcat Version - 7.0.22
>
> You should upgrade. Really. We are currently on Tomcat 7.0.53 which
> includes improvements and security fixes relative to 7.0.22.
>
>> Operating System Version : Windows 2003 server
>
> Isn't support for that dead, now? Maybe it's distinct from Windows XP.

It's only desktop/consumer XP that has timed out.  Server 2003 support 
runs about another year.  XP Embedded has about two more years.



>
>> To close a vulnerability, "Deny the request if it comes
>> through an IP address instead of DNS", we have made the
>> configuration changes below in server.xml:
>>
>>
>> <Engine name="Catalina" defaultHost="server DNS name">
>> (defaultHost was set to localhost prior to the change)
>
> You didn't need to do this. Instead, you could make a smaller change
> that introduces a new <Host> within your existing engine. The name of
> the host would be the IP-address of the server instead of its DNS name.
>
> I'm curious as to why you think that responding to a request that uses
> the server's IP address is a vulnerability.
>
>> But due to this change we are losing logging in localhost.log in the logs
>> folder of Tomcat. Please suggest how to redirect console logging to
>> a given file, or how to retain the localhost.log file of Tomcat.
>
> The console log goes to catalina.out regardless of the Engine, Host,
> etc. If you didn't configure a logger for your host, I think you'll
> get nothing.
>
> You will need to modify conf/logging.properties to route messages for
> your new <Host> to the existing "localhost" log file.
>
>> Kindly also let us know whether, instead of the above settings, any other
>> configuration setting will deny any request that comes
>> through an IP address instead of DNS.
>
> You could also install a Filter into your web application that simply
> rejects all requests whose Host header does not match your DNS
> hostname. No configuration in Tomcat would be necessary: just a new
> class in your web application and (possibly) a bit of configuration in
> your WEB-INF/web.xml file.
>
> Hope that helps,
> - -chris


Re: denying the request if it comes through IP address instead of DNS

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Deepak,

On 5/12/14, 10:42 AM, dkumar@ccilindia.co.in wrote:
> We are using - Tomcat Version - 7.0.22

You should upgrade. Really. We are currently on Tomcat 7.0.53 which
includes improvements and security fixes relative to 7.0.22.

> Operating System Version : Windows 2003 server

Isn't support for that dead, now? Maybe it's distinct from Windows XP.

> To close a vulnerability, "Deny the request if it comes
> through an IP address instead of DNS", we have made the
> configuration changes below in server.xml:
> 
> 
> <Engine name="Catalina" defaultHost="server DNS name">
> (defaultHost was set to localhost prior to the change)

You didn't need to do this. Instead, you could make a smaller change
that introduces a new <Host> within your existing engine. The name of
the host would be the IP-address of the server instead of its DNS name.

I'm curious as to why you think that responding to a request that uses
the server's IP address is a vulnerability.

> But due to this change we are losing logging in localhost.log in the logs
> folder of Tomcat. Please suggest how to redirect console logging to
> a given file, or how to retain the localhost.log file of Tomcat.

The console log goes to catalina.out regardless of the Engine, Host,
etc. If you didn't configure a logger for your host, I think you'll
get nothing.

You will need to modify conf/logging.properties to route messages for
your new <Host> to the existing "localhost" log file.

> Kindly also let us know whether, instead of the above settings, any other
> configuration setting will deny any request that comes
> through an IP address instead of DNS.

You could also install a Filter into your web application that simply
rejects all requests whose Host header does not match your DNS
hostname. No configuration in Tomcat would be necessary: just a new
class in your web application and (possibly) a bit of configuration in
your WEB-INF/web.xml file.

Hope that helps,
- -chris
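The Filter Chris suggests, as an added example that is not from the thread (written against the Servlet 3.0 API that Tomcat 7 provides, so the @WebFilter annotation replaces any web.xml mapping). The class name, the allowedHost init-param and "www.example.com" are placeholders.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects every request whose Host header does not name the expected DNS
 * host. "www.example.com" is a placeholder for the real server name.
 */
@WebFilter(urlPatterns = "/*",
        initParams = @WebInitParam(name = "allowedHost", value = "www.example.com"))
public class HostHeaderFilter implements Filter {

    private String allowedHost;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("allowedHost");
        if (configured == null || configured.trim().isEmpty()) {
            throw new ServletException("allowedHost init-param is required");
        }
        // Host names are case-insensitive, so normalise once here.
        allowedHost = configured.trim().toLowerCase(Locale.ROOT);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getServerName() is the host part of the Host header (port removed).
        // A numeric IP, "localhost", or a missing header (HTTP/1.0 clients)
        // all fail the comparison and receive 403 Forbidden.
        String requested = ((HttpServletRequest) req).getServerName();
        if (requested == null || !requested.toLowerCase(Locale.ROOT).equals(allowedHost)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Because the check lives inside one web application, it protects only that application; the virtual-host approach in the earlier reply covers every context on the server.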