Posted to dev@tomcat.apache.org by bu...@apache.org on 2004/10/08 06:42:46 UTC

DO NOT REPLY [Bug 31594] New: - Change server.xml default Connector address to localhost + AJP docs tweak

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=31594>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=31594

Change server.xml default Connector address to localhost + AJP docs tweak

           Summary: Change server.xml default Connector address to localhost
                    + AJP docs tweak
           Product: Tomcat 5
           Version: 5.0.29
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Connector:Coyote
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: arjaquith@mindspring.com


My company (an application security services firm) was recently asked by a very large institution to 
review Tomcat's code base and deployment defaults, in preparation for broader use by the client. One 
of our recommendations was to change the address of AJP connectors from * to 127.0.0.1. 

This got me thinking... I'd like to suggest that ALL of Tomcat's Connectors be set to listen on loopback 
by default. This would be perfect for development and testing purposes on a single machine, but if 
customers wanted to use it in production, all that would be needed is a one-line change.

I have submitted patches for server.xml, server-minimal.xml, and to the docs (http.xml and ajp.xml) 
explaining the defaults. I have also, for good measure, added a note about minProcessors/
maxProcessors in the AJP docs because they were missing and really ought to be there.

In my view default configurations are a safety issue; default-deny seems prudent. If folks feel this is too 
aggressive for the HTTP Connector, could we at least consider locking down AJP? In 90% of the cases I 
see, customers put Apache and Tomcat on the same box.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
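A reviewer-side check of the kind the report describes, added here as an example and not part of the bug report or its patch: it parses a constructed server.xml fragment, lists every Connector that would bind to all interfaces (no `address` attribute, or a wildcard value), and applies the one-attribute change to 127.0.0.1 the report recommends.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Tomcat 5 server.xml. The HTTP connector
# is already pinned to loopback; the AJP connector has no address attribute,
# so it listens on every interface (the default the report wants changed).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" address="127.0.0.1" maxThreads="150" />
    <Connector port="8009" enableLookups="false" redirectPort="8443"
               protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

# Values that mean "all interfaces" rather than a specific address.
WILDCARD_ADDRESSES = {"*", "0.0.0.0", "::"}
LOOPBACK = "127.0.0.1"


def find_exposed_connectors(xml_text):
    """Return one dict per Connector that is not bound to a specific address."""
    root = ET.fromstring(xml_text)
    exposed = []
    for conn in root.iter("Connector"):
        addr = conn.get("address")
        if addr is None or addr in WILDCARD_ADDRESSES:
            exposed.append({
                "port": conn.get("port"),
                # Coyote's Connector defaults to HTTP/1.1 when protocol is absent.
                "protocol": conn.get("protocol", "HTTP/1.1"),
                "address": addr,
            })
    return exposed


def bind_to_loopback(xml_text):
    """Set address="127.0.0.1" on every exposed Connector and return new XML.

    ElementTree drops XML comments on re-serialisation, so treat the output as
    a demonstration of the change, not as an in-place rewrite of a real file.
    """
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        addr = conn.get("address")
        if addr is None or addr in WILDCARD_ADDRESSES:
            conn.set("address", LOOPBACK)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for c in find_exposed_connectors(SAMPLE_SERVER_XML):
        print("exposed: port %(port)s %(protocol)s address=%(address)s" % c)
    print(bind_to_loopback(SAMPLE_SERVER_XML))
```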