Posted to users@tomcat.apache.org by je...@bull.net on 2008/01/18 17:20:52 UTC

Filtering the apache clients

Jean-Louis Mateo
To: users@tomcat.apache.org
18/01/2008 17:09
Subject: Filtering the apache clients

Hello,

Is there any way of configuring the Tomcat <Connector> to only accept AJP
connections from a specific apache server? It seems that the <Connector>
can accept any requests from any machine.
I don't want to do "IP filtering" by Unix means (no firewall).

Thank you for your response.

Regards,

Jean-Louis Matéo
Bull, Architect of an Open World TM
Bull SA - 53 r de l'Etang BP39 - 69578 LIMONEST
tel - 08 20 08 20 00
fax - 04 72 52 51 24
______________________________________________________________________
BULL TELESERVICE : Support and consulting for multi-vendor software and packaged software
GCOS - AIX - Open Source - Microsoft
______________________________________________________________________
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Filtering the apache clients

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: news [mailto:news@ger.gmane.org] On Behalf Of Bill Barker
> Subject: Re: Filtering the apache clients
> 
> This won't work, since under AJP/1.3 the "Remote Address" is 
> the address of the client that connects to Apache, not the 
> address of the Apache machine. 

Ahah - thanks for the correction.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.
Re: Filtering the apache clients

Posted by Bill Barker <wb...@wilshire.com>.
"Bill Barker" <wb...@wilshire.com> wrote in message 
news:fmrnle$9af$1@ger.gmane.org...
>
> "Caldarale, Charles R" <Ch...@unisys.com> wrote in message 
> news:2828B04F0113CD468E6D1D51DF4362A4048F5117@USEA-EXCH2.na.uis.unisys.com...
>>> From: jean-louis.mateo@bull.net [mailto:jean-louis.mateo@bull.net]
>>> Subject: Filtering the apache clients
>>>
>>> Is there any way of configuring the Tomcat <Connector> to
>>> only accept AJP connections from a specific apache server?
>>
>>1) Comment out the other <Connector> elements.
>>
>>2) Configure the RemoteAddrValve for the desired IP address:
>>http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote%20Address%20Filter
>>
>
> This won't work, since under AJP/1.3 the "Remote Address" is the address 
> of the client that connects to Apache, not the address of the Apache 
> machine. From a quick code check, it looks like the "secure" option isn't 
> supported any longer in mod_jk (it was never that secure to begin with). 
> You can duplicate it by setting:
>  JkEnvVar MyAuthCode password
> in trusted Apache's, and write a filter that rejects requests that don't 
> have a Request attribute of MyAuthCode with value "password".  Of course, 
> it is only as secure as your way to secure the name and value.
>

You can also use a filter that checks request.getLocalName() (which is the 
name of the Apache server) against the allowed servers.  But again, this is 
easy enough to spoof, since TC trusts the name it was sent.  As a variant, 
you can also use IP-based VHosts in Tomcat (which directs off of LocalName), 
but this suffers from the same weakness.

> If you want to restrict access to only the copy of Apache running on the 
> same machine as Tomcat, then you can do:
>  <Connector protocol="AJP/1.3" address="localhost" ...... />
> For any other configuration, you should really have a firewall between the 
> internet and Tomcat.
>>- Chuck
Re: Filtering the apache clients

Posted by Bill Barker <wb...@wilshire.com>.
"Caldarale, Charles R" <Ch...@unisys.com> wrote in message 
news:2828B04F0113CD468E6D1D51DF4362A4048F5117@USEA-EXCH2.na.uis.unisys.com...
>> From: jean-louis.mateo@bull.net [mailto:jean-louis.mateo@bull.net]
>> Subject: Filtering the apache clients
>>
>> Is there any way of configuring the Tomcat <Connector> to
>> only accept AJP connections from a specific apache server?
>
>1) Comment out the other <Connector> elements.
>
>2) Configure the RemoteAddrValve for the desired IP address:
>http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote%20Address%20Filter
>

This won't work, since under AJP/1.3 the "Remote Address" is the address of 
the client that connects to Apache, not the address of the Apache machine. 
From a quick code check, it looks like the "secure" option isn't supported 
any longer in mod_jk (it was never that secure to begin with).  You can 
duplicate it by setting:
  JkEnvVar MyAuthCode password
in trusted Apache's, and write a filter that rejects requests that don't 
have a Request attribute of MyAuthCode with value "password".  Of course, it 
is only as secure as your way to secure the name and value.

If you want to restrict access to only the copy of Apache running on the 
same machine as Tomcat, then you can do:
  <Connector protocol="AJP/1.3" address="localhost" ...... />
For any other configuration, you should really have a firewall between the 
internet and Tomcat.
>- Chuck
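As an added example (not code from this thread or from the Tomcat project), here is a servlet Filter that implements the check Bill describes: Apache exports `JkEnvVar MyAuthCode password` as an AJP request attribute, and the filter rejects any request whose attribute is missing or wrong. The attribute name and expected value are read from init-params (param names are assumed), the comparison is constant-time, and the filter class name is made up; as the thread notes, the check is only as strong as the secrecy of the value.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;   // assumes Java 7+
import java.security.MessageDigest;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects requests that do not carry the request attribute exported by
 * a trusted Apache via "JkEnvVar <name> <value>" (hypothetical class name).
 */
public class AjpAuthCodeFilter implements Filter {
    private String attributeName;   // e.g. "MyAuthCode"
    private byte[] expected;        // the shared value, as bytes

    public void init(FilterConfig cfg) throws ServletException {
        attributeName = cfg.getInitParameter("attributeName");
        String value = cfg.getInitParameter("expectedValue");
        if (attributeName == null || value == null) {
            throw new ServletException("attributeName and expectedValue init-params are required");
        }
        expected = value.getBytes(StandardCharsets.UTF_8);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Object attr = req.getAttribute(attributeName);
        // MessageDigest.isEqual compares in constant time, so a wrong value
        // leaks no timing information about how many bytes matched.
        if (attr instanceof String
                && MessageDigest.isEqual(((String) attr).getBytes(StandardCharsets.UTF_8), expected)) {
            chain.doFilter(req, res);
            return;
        }
        // Missing or wrong code: the request did not arrive via a trusted Apache.
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    public void destroy() { }
}

/* web.xml registration for the filter above (filter-name is assumed):
 * <filter>
 *   <filter-name>ajpAuthCode</filter-name>
 *   <filter-class>AjpAuthCodeFilter</filter-class>
 *   <init-param><param-name>attributeName</param-name><param-value>MyAuthCode</param-value></init-param>
 *   <init-param><param-name>expectedValue</param-name><param-value>password</param-value></init-param>
 * </filter>
 * <filter-mapping><filter-name>ajpAuthCode</filter-name><url-pattern>/*</url-pattern></filter-mapping>
 */
```

A Filter must be registered in every webapp's web.xml; the same check written as a Tomcat Valve on the Engine would cover all webapps at once.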


RE: Filtering the apache clients

Posted by Ben Stringer <be...@burbong.com>.
On Fri, 2008-01-18 at 10:53 -0600, Caldarale, Charles R wrote:
> > From: jean-louis.mateo@bull.net [mailto:jean-louis.mateo@bull.net] 
> > Subject: Filtering the apache clients 
> > 
> > Is there any way of configuring the Tomcat <Connector> to 
> > only accept AJP connections from a specific apache server?
> 
> 1) Comment out the other <Connector> elements.
> 
> 2) Configure the RemoteAddrValve for the desired IP address:
> http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote%20Address%20Filter
> 
>  - Chuck

In addition to Chuck's suggestions, you may also be interested in the
"secret" setting that can be set in workers.properties on Apache HTTPD
and in the tomcat connector conf. This allows you to specify a shared
secret between Apache HTTPD and Tomcat, so connections will only be
accepted if the secret is provided in the connection attempt. 

Search for "secret" in this page:

http://tomcat.apache.org/connectors-doc/reference/workers.html

Cheers, Ben



RE: Filtering the apache clients

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: jean-louis.mateo@bull.net [mailto:jean-louis.mateo@bull.net] 
> Subject: Filtering the apache clients 
> 
> Is there any way of configuring the Tomcat <Connector> to 
> only accept AJP connections from a specific apache server?

1) Comment out the other <Connector> elements.

2) Configure the RemoteAddrValve for the desired IP address:
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote%20Address%20Filter

 - Chuck
