Posted to users@tomcat.apache.org by Yuval Schwartz <yu...@gmail.com> on 2016/09/02 11:28:22 UTC
Restrict access to manager app by IP
Tomcat: 8.0.22
JDK: 1.8.0_05
Hello,
I am currently running a web application.
I would like to restrict access to the manager app (it is currently being
hit by spammers every so often who are unable to connect (get a message
"...an attempt was made to authenticate the locked user")).
I was thinking of adding a "manager.xml" file to
$CATALINA_BASE/conf/[enginename]/[hostname]/ that will contain the
following context container:
<Context privileged="true" docBase="[path_to_manager]">
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="[my_ip]"/>
</Context>
Is this the correct way to achieve my goal of limiting access to the
manager app to only my IP?
Of course, I do not want the rest of my webapp's access limited (which
is on the ROOT path). I only want access to the manager app limited.
(I know I can also place the context container in my webapp's
META-INF/context.xml file, is there any preference to doing this over
what I suggested above?)
Thank you
Re: Restrict access to manager app by IP
Posted by Mark Olsson <sa...@gmail.com>.
On Fri, Sep 2, 2016 at 4:28 AM, Yuval Schwartz <yu...@gmail.com>
wrote:
> Tomcat: 8.0.22
> JDK: 1.8.0_05
>
> Hello,
>
> I am currently running a web application.
>
> I would like to restrict access to the manager app (it is currently being
> hit by spammers every so often who are unable to connect (get a message
> "...an attempt was made to authenticate the locked user")).
>
> I was thinking of adding a "manager.xml" file to
> $CATALINA_BASE/conf/[enginename]/[hostname]/ that will contain the
> following context container:
>
> <Context privileged="true" docBase="[path_to_manager]">
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> allow="[my_ip]"/>
> </Context>
>
> Is this the correct way to achieve my goal of limiting access to the
> manager app to only my IP.
>
> Of course, I do not want the rest of my webapp's access limited (which
> is on the ROOT path). I only want access to the manager app limited.
>
> (I know I can also place the context container in my webapp's
> META-INF/context.xml file, is there any preference to doing this over
> what I suggested above?)
>
> Thank you
> _
>
Another way to keep them from hammering away with login attempts is to
simply rename the manager webapp. Redeploy it to something like
/manager123 instead of just /manager and the bots will never find it. It's
obviously security theater, but it works great against scanners.
Re: Restrict access to manager app by IP
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,
On 9/6/16 2:23 PM, Mark Thomas wrote:
> On 06/09/2016 18:29, Christopher Schultz wrote:
>> Yuval,
>>
>> On 9/2/16 9:29 AM, Yuval Schwartz wrote:
>>> Thanks. I'll give it a shot and let you guys know how it goes.
>>> Any input on whether I should put this in my applications
>>> context.xml or in my [host] directory?
>>
>> I would do it in the application. Unless you have a particular
>> reason to manually-place the application's context.xml file into
>> conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.
>
> Tomcat no longer copies context.xml by default.
Even better: there's no confusion over which file will take effect, then.
-chris
>>> On Fri, Sep 2, 2016 at 4:24 PM, Kreuser, Peter
>>> <pk...@airplus.com> wrote:
>>
>>>> Hi Yuval,
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Yuval Schwartz [mailto:yuval.schwartz@gmail.com]
>>>>> Sent: Friday, 2 September 2016 13:28
>>>>> To: Tomcat Users List
>>>>> Subject: Restrict access to manager app by IP
>>>>>
>>>>> Tomcat: 8.0.22 JDK: 1.8.0_05
>>>>>
>>>>> Hello,
>>>>>
>>>>> I am currently running a web application.
>>>>>
>>>>> I would like to restrict access to the manager app (it is
>>>>> currently
>>>> being hit by spammers every so often who are unable to
>>>> connect (get a message "...an attempt was made to
>>>> authenticate the locked user")).
>>>>>
>>>>> I was thinking of adding a "manager.xml" file to
>>>>> $CATALINA_BASE/conf/[enginename]/[hostname]/
>>>> that will contain the following context container:
>>>>>
>>>>> <Context privileged="true" docBase="[path_to_manager]">
>>>>> <Valve
>>>> className="org.apache.catalina.valves.RemoteAddrValve"
>>>>> allow="[my_ip]"/> </Context>
>>>>>
>>>>> Is this the correct way to achieve my goal of limiting
>>>>> access to the
>>>> manager app to only my IP.
>>>>>
>>>>> Of course, I do not want the rest of my webapp's access
>>>>> limited (which
>>>> is on the ROOT path). I only want access to the manager app
>>>> limited.
>>>>>
>>>>> (I know I can also place the context container in my
>>>>> webapp's
>>>> META-INF/context.xml file, is there any preference to doing
>>>> this over what I suggested above?)
>>>>>
>>>>> Thank you _
>>>>>
>>>>
>>>> That's the proposed solution for it. I don't think that you
>>>> need the docbase - unless you don't use the default
>>>> location.
>>>>
>>>> I think you will have to quote the . in the ip with
>>>> backslash, like <Valve
>>>> className="org.apache.catalina.valves.RemoteAddrValve"
>>>> allow="10\.100\.17\.33|10\.100\.88\.92" />
>>>>
>>>> Best regards
>>>>
>>>> Peter
>>>>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Restrict access to manager app by IP
Posted by Mark Thomas <ma...@apache.org>.
On 06/09/2016 18:29, Christopher Schultz wrote:
> Yuval,
>
> On 9/2/16 9:29 AM, Yuval Schwartz wrote:
>> Thanks. I'll give it a shot and let you guys know how it goes. Any
>> input on whether I should put this in my applications context.xml
>> or in my [host] directory?
>
> I would do it in the application. Unless you have a particular reason
> to manually-place the application's context.xml file into
> conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.
Tomcat no longer copies context.xml by default.
Mark
>
> -chris
>
>> On Fri, Sep 2, 2016 at 4:24 PM, Kreuser, Peter
>> <pk...@airplus.com> wrote:
>
>>> Hi Yuval,
>>>
>>>
>>>> -----Original Message-----
>>>> From: Yuval Schwartz [mailto:yuval.schwartz@gmail.com]
>>>> Sent: Friday, 2 September 2016 13:28
>>>> To: Tomcat Users List
>>>> Subject: Restrict access to manager app by IP
>>>>
>>>> Tomcat: 8.0.22 JDK: 1.8.0_05
>>>>
>>>> Hello,
>>>>
>>>> I am currently running a web application.
>>>>
>>>> I would like to restrict access to the manager app (it is
>>>> currently
>>> being hit by spammers every so often who are unable to connect
>>> (get a message "...an attempt was made to authenticate the locked
>>> user")).
>>>>
>>>> I was thinking of adding a "manager.xml" file to
>>>> $CATALINA_BASE/conf/[enginename]/[hostname]/
>>> that will contain the following context container:
>>>>
>>>> <Context privileged="true" docBase="[path_to_manager]"> <Valve
>>> className="org.apache.catalina.valves.RemoteAddrValve"
>>>> allow="[my_ip]"/> </Context>
>>>>
>>>> Is this the correct way to achieve my goal of limiting access
>>>> to the
>>> manager app to only my IP.
>>>>
>>>> Of course, I do not want the rest of my webapp's access limited
>>>> (which
>>> is on the ROOT path). I only want access to the manager app
>>> limited.
>>>>
>>>> (I know I can also place the context container in my webapp's
>>> META-INF/context.xml file, is there any preference to doing this
>>> over what I suggested above?)
>>>>
>>>> Thank you _
>>>>
>>>
>>> That's the proposed solution for it. I don't think that you need
>>> the docbase - unless you don't use the default location.
>>>
>>> I think you will have to quote the . in the ip with backslash,
>>> like <Valve
>>> className="org.apache.catalina.valves.RemoteAddrValve"
>>> allow="10\.100\.17\.33|10\.100\.88\.92" />
>>>
>>> Best regards
>>>
>>> Peter
>>>
>
>
Re: Restrict access to manager app by IP
Posted by Yuval Schwartz <yu...@gmail.com>.
Thanks a lot for your replies.
For now, I removed the "path" attribute from the Context elements but left
the xml file in Catalina/[hostname].
When I have some more time, I will move to within my application
(META-INF/context.xml) since that seems to be the consensus here.
Thank you.
On Wed, Sep 7, 2016 at 8:45 PM, Mark Thomas <ma...@apache.org> wrote:
> On 07/09/2016 18:43, Jeffrey Janner wrote:
> >
> >
> >> -----Original Message-----
> >> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> >> Sent: Tuesday, September 06, 2016 12:30 PM
> >> To: Tomcat Users List <us...@tomcat.apache.org>
> >> Subject: Re: Restrict access to manager app by IP
> >>
> > Yuval,
> >
> > On 9/2/16 9:29 AM, Yuval Schwartz wrote:
> >>>> Thanks. I'll give it a shot and let you guys know how it goes. Any
> >>>> input on whether I should put this in my applications context.xml
> >>>> or in my [host] directory?
> >
> > I would do it in the application. Unless you have a particular reason
> > to manually-place the application's context.xml file into
> > conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.
> >
> > -chris
> >
> >> Chris -
> >
> >> Isn't the Tomcat "/manager" an app separate from the user's webapp?
> Thus the need for the manager.xml in conf/[engine]/[host] directory?
>
> It is an application like any other so you can use:
>
> $CATALINA_BASE/webapps/manager/META-INF/context.xml
>
> Mark
>
Re: Restrict access to manager app by IP
Posted by Mark Thomas <ma...@apache.org>.
On 07/09/2016 18:43, Jeffrey Janner wrote:
>
>
>> -----Original Message-----
>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>> Sent: Tuesday, September 06, 2016 12:30 PM
>> To: Tomcat Users List <us...@tomcat.apache.org>
>> Subject: Re: Restrict access to manager app by IP
>>
> Yuval,
>
> On 9/2/16 9:29 AM, Yuval Schwartz wrote:
>>>> Thanks. I'll give it a shot and let you guys know how it goes. Any
>>>> input on whether I should put this in my applications context.xml
>>>> or in my [host] directory?
>
> I would do it in the application. Unless you have a particular reason
> to manually-place the application's context.xml file into
> conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.
>
> -chris
>
>> Chris -
>
>> Isn't the Tomcat "/manager" an app separate from the user's webapp? Thus the need for the manager.xml in conf/[engine]/[host] directory?
It is an application like any other so you can use:
$CATALINA_BASE/webapps/manager/META-INF/context.xml
Mark
RE: Restrict access to manager app by IP
Posted by Jeffrey Janner <Je...@PolyDyne.com>.
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: Tuesday, September 06, 2016 12:30 PM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: Restrict access to manager app by IP
>
> Yuval,
>
> On 9/2/16 9:29 AM, Yuval Schwartz wrote:
> > Thanks. I'll give it a shot and let you guys know how it goes. Any
> > input on whether I should put this in my applications context.xml
> > or in my [host] directory?
>
> I would do it in the application. Unless you have a particular reason
> to manually-place the application's context.xml file into
> conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.
>
> -chris
Chris -
Isn't the Tomcat "/manager" an app separate from the user's webapp? Thus the need for the manager.xml in conf/[engine]/[host] directory?
Yuval: what you were proposing is the way I have done it. Just make sure you specify the regular expression correctly.
Jeff
>
> > On Fri, Sep 2, 2016 at 4:24 PM, Kreuser, Peter
> > <pk...@airplus.com> wrote:
> >
> >> Hi Yuval,
> >>
> >>
> > >>> -----Original Message-----
> > >>> From: Yuval Schwartz [mailto:yuval.schwartz@gmail.com]
> > >>> Sent: Friday, 2 September 2016 13:28
> > >>> To: Tomcat Users List
> > >>> Subject: Restrict access to manager app by IP
> >>>
> >>> Tomcat: 8.0.22 JDK: 1.8.0_05
> >>>
> >>> Hello,
> >>>
> >>> I am currently running a web application.
> >>>
> >>> I would like to restrict access to the manager app (it is
> >>> currently
> >> being hit by spammers every so often who are unable to connect
> >> (get a message "...an attempt was made to authenticate the locked
> >> user")).
> >>>
> >>> I was thinking of adding a "manager.xml" file to
> >>> $CATALINA_BASE/conf/[enginename]/[hostname]/
> >> that will contain the following context container:
> >>>
> >>> <Context privileged="true" docBase="[path_to_manager]"> <Valve
> >> className="org.apache.catalina.valves.RemoteAddrValve"
> >>> allow="[my_ip]"/> </Context>
> >>>
> >>> Is this the correct way to achieve my goal of limiting access
> >>> to the
> >> manager app to only my IP.
> >>>
> >>> Of course, I do not want the rest of my webapp's access limited
> >>> (which
> >> is on the ROOT path). I only want access to the manager app
> >> limited.
> >>>
> >>> (I know I can also place the context container in my webapp's
> >> META-INF/context.xml file, is there any preference to doing this
> >> over what I suggested above?)
> >>>
> >>> Thank you _
> >>>
> >>
> >> That's the proposed solution for it. I don't think that you need
> >> the docbase - unless you don't use the default location.
> >>
> >> I think you will have to quote the . in the ip with backslash,
> >> like <Valve
> >> className="org.apache.catalina.valves.RemoteAddrValve"
> >> allow="10\.100\.17\.33|10\.100\.88\.92" />
> >>
> >> Best regards
> >>
> >> Peter
> >>
> >
Re: Restrict access to manager app by IP
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Yuval,
On 9/2/16 9:29 AM, Yuval Schwartz wrote:
> Thanks. I'll give it a shot and let you guys know how it goes. Any
> input on whether I should put this in my applications context.xml
> or in my [host] directory?
I would do it in the application. Unless you have a particular reason
to manually-place the application's context.xml file into
conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.
-chris
> On Fri, Sep 2, 2016 at 4:24 PM, Kreuser, Peter
> <pk...@airplus.com> wrote:
>
>> Hi Yuval,
>>
>>
>>> -----Original Message-----
>>> From: Yuval Schwartz [mailto:yuval.schwartz@gmail.com]
>>> Sent: Friday, 2 September 2016 13:28
>>> To: Tomcat Users List
>>> Subject: Restrict access to manager app by IP
>>>
>>> Tomcat: 8.0.22 JDK: 1.8.0_05
>>>
>>> Hello,
>>>
>>> I am currently running a web application.
>>>
>>> I would like to restrict access to the manager app (it is
>>> currently
>> being hit by spammers every so often who are unable to connect
>> (get a message "...an attempt was made to authenticate the locked
>> user")).
>>>
>>> I was thinking of adding a "manager.xml" file to
>>> $CATALINA_BASE/conf/[enginename]/[hostname]/
>> that will contain the following context container:
>>>
>>> <Context privileged="true" docBase="[path_to_manager]"> <Valve
>> className="org.apache.catalina.valves.RemoteAddrValve"
>>> allow="[my_ip]"/> </Context>
>>>
>>> Is this the correct way to achieve my goal of limiting access
>>> to the
>> manager app to only my IP.
>>>
>>> Of course, I do not want the rest of my webapp's access limited
>>> (which
>> is on the ROOT path). I only want access to the manager app
>> limited.
>>>
>>> (I know I can also place the context container in my webapp's
>> META-INF/context.xml file, is there any preference to doing this
>> over what I suggested above?)
>>>
>>> Thank you _
>>>
>>
>> That's the proposed solution for it. I don't think that you need
>> the docbase - unless you don't use the default location.
>>
>> I think you will have to quote the . in the ip with backslash,
>> like <Valve
>> className="org.apache.catalina.valves.RemoteAddrValve"
>> allow="10\.100\.17\.33|10\.100\.88\.92" />
>>
>> Best regards
>>
>> Peter
>>
>
Re: Restrict access to manager app by IP
Posted by Yuval Schwartz <yu...@gmail.com>.
Hello Peter,
Thanks. I'll give it a shot and let you guys know how it goes.
Any input on whether I should put this in my applications context.xml or in
my [host] directory?
Thank you.
On Fri, Sep 2, 2016 at 4:24 PM, Kreuser, Peter <pk...@airplus.com> wrote:
> Hi Yuval,
>
>
> > -----Original Message-----
> > From: Yuval Schwartz [mailto:yuval.schwartz@gmail.com]
> > Sent: Friday, 2 September 2016 13:28
> > To: Tomcat Users List
> > Subject: Restrict access to manager app by IP
> >
> > Tomcat: 8.0.22
> > JDK: 1.8.0_05
> >
> > Hello,
> >
> > I am currently running a web application.
> >
> > I would like to restrict access to the manager app (it is currently
> being hit by spammers every so often who are unable to connect (get a
> message "...an attempt was made to authenticate the locked user")).
> >
> > I was thinking of adding a "manager.xml" file to $CATALINA_BASE/conf/[enginename]/[hostname]/
> that will contain the following context container:
> >
> > <Context privileged="true" docBase="[path_to_manager]"> <Valve
> className="org.apache.catalina.valves.RemoteAddrValve"
> > allow="[my_ip]"/>
> > </Context>
> >
> > Is this the correct way to achieve my goal of limiting access to the
> manager app to only my IP.
> >
> > Of course, I do not want the rest of my webapp's access limited (which
> is on the ROOT path). I only want access to the manager app limited.
> >
> > (I know I can also place the context container in my webapp's
> META-INF/context.xml file, is there any preference to doing this over what
> I suggested above?)
> >
> > Thank you
> > _
> >
>
> That's the proposed solution for it. I don't think that you need the
> docbase - unless you don't use the default location.
>
> I think you will have to quote the . in the ip with backslash, like
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> allow="10\.100\.17\.33|10\.100\.88\.92" />
>
> Best regards
>
> Peter
>
RE: Restrict access to manager app by IP
Posted by "Kreuser, Peter" <pk...@airplus.com>.
Hi Yuval,
> -----Original Message-----
> From: Yuval Schwartz [mailto:yuval.schwartz@gmail.com]
> Sent: Friday, 2 September 2016 13:28
> To: Tomcat Users List
> Subject: Restrict access to manager app by IP
>
> Tomcat: 8.0.22
> JDK: 1.8.0_05
>
> Hello,
>
> I am currently running a web application.
>
> I would like to restrict access to the manager app (it is currently being hit by spammers every so often who are unable to connect (get a message "...an attempt was made to authenticate the locked user")).
>
> I was thinking of adding a "manager.xml" file to $CATALINA_BASE/conf/[enginename]/[hostname]/ that will contain the following context container:
>
> <Context privileged="true" docBase="[path_to_manager]"> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> allow="[my_ip]"/>
> </Context>
>
> Is this the correct way to achieve my goal of limiting access to the manager app to only my IP.
>
> Of course, I do not want the rest of my webapp's access limited (which is on the ROOT path). I only want access to the manager app limited.
>
> (I know I can also place the context container in my webapp's META-INF/context.xml file, is there any preference to doing this over what I suggested above?)
>
> Thank you
> _
>
That's the proposed solution for it. I don't think that you need the docbase - unless you don't use the default location.
I think you will have to quote the . in the ip with backslash, like
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="10\.100\.17\.33|10\.100\.88\.92" />
Best regards
Peter
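
Added example, not part of the original thread and not Tomcat code: a small checker for a RemoteAddrValve "allow" pattern before it is deployed, comparing the escaped pattern quoted above with the same pattern written without backslashes. It assumes the valve tests the whole remote address string against the pattern (as java.util.regex Matcher.matches() does, modelled here with re.fullmatch) and checks deny before allow; the function names and the candidate addresses are constructed for illustration.

```python
import re

def valve_allows(remote_addr, allow=None, deny=None):
    """Model of the allow/deny decision (assumed order: deny first, then allow).

    Patterns are matched against the WHOLE address string, so a pattern
    for 10.100.17.33 does not admit 10.100.17.331 or 110.100.17.33 even
    without ^ and $ anchors.
    """
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None and re.fullmatch(allow, remote_addr):
        return True
    # Only a deny pattern configured: everything not denied is admitted.
    return deny is not None and allow is None

def admitted(allow, candidates, deny=None):
    """Return the candidate addresses the pattern would let through."""
    return [addr for addr in candidates if valve_allows(addr, allow, deny)]

def unexpected(allow, intended, candidates, deny=None):
    """Candidates that get in although they are not on the intended list."""
    return [a for a in admitted(allow, candidates, deny) if a not in intended]

# Pattern from the thread, dots escaped so they match a literal "." only.
ESCAPED = r"10\.100\.17\.33|10\.100\.88\.92"
# Same addresses with the backslashes forgotten: each "." is a wildcard.
UNESCAPED = "10.100.17.33|10.100.88.92"

INTENDED = ["10.100.17.33", "10.100.88.92"]

# Constructed probe strings: the intended addresses, a neighbour,
# two strings that merely contain an intended address, and a malformed
# string with a non-dot character where a dot should be.
CANDIDATES = [
    "10.100.17.33",
    "10.100.88.92",
    "10.100.17.34",
    "10.100.17.331",
    "110.100.17.33",
    "10x100.17.33",
]

if __name__ == "__main__":
    for name, pattern in (("escaped", ESCAPED), ("unescaped", UNESCAPED)):
        print(name, "admits:", admitted(pattern, CANDIDATES))
        print(name, "unexpected:", unexpected(pattern, INTENDED, CANDIDATES))
```

Run the same check with your own address list before restarting Tomcat; an empty "unexpected" list together with every intended address in "admits" means the pattern does what the thread describes.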