Posted to users@tomcat.apache.org by Tim Booth <tb...@ceh.ac.uk> on 2007/04/17 20:10:34 UTC

Host-based access to web applications

Dear All, 

I'm hoping someone on this list can help me out.

I'm running Tomcat 5.5.20 on a staging server (192.171.160.186), which
means that I want to be able to open some features to the world at large
but restrict others to my own trusted machines for internal use.
Specifically, my desired configuration is:

1) ROOT web application open to the world, so people can see my custom
front page

2) "/mibbi" webapp open to the world, as this is the actual thing I'm
developing and showing to beta testers

3) Everything else, including the /manager area and /exist (the XML
database RPC interface) should be off limits to all but a set of
explicitly listed IP addresses - i.e. localhost and my own box,
(192.171.160.155).

Starting with a pretty-much default Tomcat installation, and based on
the info in the Tomcat manual, I've added the following to the <Host>
section in server.xml

SNIP>>>

      <!-- Default rule - Restrict most services to trusted hosts: localhost and texugo -->
      <Context path="">
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               allow="127.0.0.1,192.171.160.155,192.171.160.186" deny=""/>
      </Context>

    <!-- I want to allow public access to the front page on the site -->
    <Context path="/ROOT" >
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               allow=".*" deny="" />
       </Context>

    <!-- Allow MIBBI area access from anyone -->
    <Context path="/mibbi" >
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               allow=".*" deny="" />
    </Context>

<<<SNIP

With the above settings in place I try to access the server from another
'untrusted' machine (192.171.174.146) but I get the following results:

http://192.171.160.186:8080/ - access denied (!)
http://192.171.160.186:8080/manager/html - access granted (!)
http://192.171.160.186:8080/exist - access granted (!)
http://192.171.160.186:8080/mibbi - access granted

So I have only succeeded in blocking access to the front page, which is
one of the two areas I wanted to leave unblocked.  I've tried several
permutations on the above, but with no more joy.  Can anyone suggest a
correct configuration, or an alternative way of getting what I want?

Many thanks in advance,

TIM

-- 
Tim Booth <tb...@ceh.ac.uk>
NEBC at CEH Oxford


-- 
This message (and any attachments) is for the recipient only. NERC
is subject to the Freedom of Information Act 2000 and the contents
of this email and any reply you make may be disclosed by NERC unless
it is exempt from release under the Act. Any material supplied to
NERC may be stored in an electronic records management system.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Host-based access to web applications

Posted by Mark Thomas <ma...@apache.org>.
Tim Booth wrote:
>                allow="127.0.0.1,192.171.160.155,192.171.160.186" deny=""/>

The allow and deny fields take regular expressions. '.' is reserved
and needs to be escaped. Take a look at the java.util.regex javadoc.

Mark



Re: Host-based access to web applications

Posted by Mark Thomas <ma...@apache.org>.
Tim Booth wrote:
> Hi Mark and Guru,
> 
> Many thanks for both your replies.
> 
> Mark Thomas <ma...@apache.org> wrote:
>> The allow and deny fields take regular expressions. '.' is reserved
>> and needs to be escaped. Take a look at the java.util.regex javadoc.
> 
> OK, I was going by the info found here:
> http://tomcat.apache.org/tomcat-5.5-doc/config/host.html#Request%20Filters
That needs to be updated.

<snip />

>>       <!-- Default rule - Restrict most services to trusted hosts:
>> localhost and texugo -->
>>       <Context path="">
>>         <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>                allow="127.0.0.1,192.171.160.155,192.171.160.186"
>> deny=""/>
>>       </Context>
>>
>>     <!-- I want to allow public access to the front page on the site -->
>>     <Context path="/ROOT" >
>>         <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>                allow=".*" deny="" />
>>        </Context>

This won't work. There is no context path /ROOT. The root webapp is
referenced using a context path of "".

I have recently used the RemoteAddrValve to lock down a context to a
couple of specific IPs and subnets and it works as expected.

You don't need to configure an allow all rule since that happens by
default.

For the contexts you want to limit, add the appropriate
RemoteAddrValve settings.

HTH,

Mark

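To make Mark's two points concrete (the root webapp is context path "", and a context with no valve is open to everyone by default), here is an added Python model of how RemoteAddrValve evaluates its comma-separated allow/deny regexes; it is not Tomcat's code. It assumes the valve's documented order (deny list first, then allow list, whole-string match, mirrored with `fullmatch`) and uses the addresses from this thread; it also shows why an unescaped glob-style pattern such as `192.168.1.*` matches more addresses than intended, while exact-IP patterns behave the same escaped or not, as Tim observed.

```python
import re

def parse_patterns(attr):
    """Split an allow/deny attribute (comma-separated regexes) into patterns."""
    return [re.compile(p.strip()) for p in attr.split(",") if p.strip()]

def valve_decision(remote_addr, allow="", deny=""):
    """Model of RemoteAddrValve: a deny match rejects, an allow match accepts,
    'denies given but no allows' accepts, anything else is rejected (403).
    fullmatch mirrors Java's Matcher.matches(): the whole address must match."""
    denies = parse_patterns(deny)
    allows = parse_patterns(allow)
    if any(p.fullmatch(remote_addr) for p in denies):
        return False
    if any(p.fullmatch(remote_addr) for p in allows):
        return True
    return bool(denies) and not allows

# Constructed server.xml equivalent: no valve on "" (ROOT) or /mibbi, so they
# stay open; only the contexts to be restricted carry a valve (escaped dots).
TRUSTED = r"127\.0\.0\.1,192\.171\.160\.155,192\.171\.160\.186"
CONTEXTS = {
    "": {},
    "/mibbi": {},
    "/manager": {"allow": TRUSTED},
    "/exist": {"allow": TRUSTED},
}

def is_allowed(uri, remote_addr, contexts=CONTEXTS):
    """Pick the longest context path that prefixes the URI (as the mapper does),
    then apply that context's valve, if it has one."""
    best = ""
    for path in contexts:
        if path and (uri == path or uri.startswith(path + "/")) and len(path) > len(best):
            best = path
    cfg = contexts[best]
    if not cfg:
        return True  # no valve configured: allow-all is the default
    return valve_decision(remote_addr, cfg.get("allow", ""), cfg.get("deny", ""))

def overmatch_demo(probe="192.168.100.7"):
    """Glob-style pattern as a regex: '.*' after '1' swallows '00.7', so a host
    outside 192.168.1.0/24 is admitted; the escaped form rejects it."""
    glob_style = "192.168.1.*"
    escaped = r"192\.168\.1\.\d+"
    return (valve_decision(probe, allow=glob_style),
            valve_decision(probe, allow=escaped))

if __name__ == "__main__":
    for uri in ("/", "/mibbi", "/manager/html", "/exist"):
        print(uri, "untrusted:", is_allowed(uri, "192.171.174.146"))
    print("glob vs escaped:", overmatch_demo())
```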


RE: Host-based access to web applications

Posted by Tim Booth <tb...@ceh.ac.uk>.
Hi Mark and Guru,

Many thanks for both your replies.

Mark Thomas <ma...@apache.org> wrote:
> The allow and deny fields take regular expressions. '.' is reserved
> and needs to be escaped. Take a look at the java.util.regex javadoc.

OK, I was going by the info found here:
http://tomcat.apache.org/tomcat-5.5-doc/config/host.html#Request%20Filters

The documentation states that the filters are specified by regexes, but
then goes on to give an example where a glob pattern is used.  I'm
familiar with regexes, and for these particular patterns I would expect
the same result whether the periods were escaped or not.  I just tried
it and this is indeed the case, so I'm none the wiser.

On Wed, 2007-04-18 at 09:56 +0100, Raghupathy, Gurumoorthy wrote:
> Best thing to do is front apache http server listening on port 80 to
> forward request to tomcat using mod_jk.

A colleague suggested this solution already.  He then proceeded to give
two whole pages of instructions on how to set it up.  I can see that it
will work but it seems an incredibly complicated way to get a feature
that I should be able to achieve with just a few lines in the Tomcat
configuration file.

> You can then use "allow and deny" in your web server (apache http
> server) to control the access for specific URLs ..... this is far more easy
> to maintain :) 

Far more easy to maintain than what?  Either I can get the setup I need
with a combination of directives in the Tomcat configuration, in which
case I'm all done, or else I can't, in which case I have to maintain a
separate Apache installation on my server.  The latter certainly sounds
like the bigger headache to me (and yes, I am familiar with running
Apache).

> Have a look at http://httpd.apache.org/docs/2.0/mod/core.html (allow
> from and deny from) 
> And http://tomcat.apache.org/faq/connectors.html for mod_jk stuff ... 
> Please do not use mod_jk2.... 
> 
> If you want more info please let us know ...

I'd feel a lot more comfortable going the mod_jk route if somebody in
the know could vouch for one of the following statements:

a) "The access policy you propose cannot be achieved within the Tomcat
configuration, and a separate security manager is necessary - e.g. Apache
+mod_jk"

and/or

b) "Tomcat should not be used directly as a public web server, and it is
advisable to run it behind an Apache instance"
(the FAQ referenced above is non-committal on this point, which is
understandable but still leaves me none the wiser :-( )

If either of those is true then I can comfortably justify (to myself, my
boss, and my network admin) the setup you suggest.  If not, then I'm
back to asking how access can be controlled from within Tomcat, as this
still seems to me the simpler way.

Many thanks again,

TIM

-- 
Tim Booth <tb...@ceh.ac.uk>
NEBC at CEH Oxford




RE: Host-based access to web applications

Posted by "Raghupathy, Gurumoorthy" <Gu...@nielsen.com>.
Best thing to do is front apache http server listening on port 80 to
forward request to tomcat using mod_jk.

You can then use "allow and deny" in your web server (apache http
server) to control the access for specific URLs ..... this is far more easy
to maintain :) 

Have a look at http://httpd.apache.org/docs/2.0/mod/core.html (allow
from and deny from) 

And http://tomcat.apache.org/faq/connectors.html for mod_jk stuff ... 
Please do not use mod_jk2.... 


If you want more info please let us know ...




Regards
Guru
 
-----------------------------------------------------------------------------------
Gurumoorthy Raghupathy
Email  :  gurumoorthy.raghupathy@nielsen.com
