I know it's possible to limit access to one of our oldest Tomcat servers (legacy server, our client doesn't want to pay to upgrade :\ ) by adding the address="". But how could I limit access for a given network?

If I'm not wrong, the file would be server.xml:

<Connector port="2222"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="2443" acceptCount="100"
               debug="0" connectionTimeout="20000"
               disableUploadTimeout="true" />

Thanks in advance.

thclpr

2 Answers

1

The address directive applies to which IP the server will be listening on, not which IPs can connect to it.

If you want to limit the access to your tomcat server, you can put an iptables rule in place that checks the source IP.

dawud
  • Hi, would iptables be the only option? I found this link: http://www.adriancourreges.com/articles/ip-range-filter-with-apache-or-tomcat/ where it shows that I could use those settings to limit to our local network. But would it be adequate? – thclpr May 15 '14 at 16:56
  • Yes, that would work too. – dawud May 15 '14 at 16:57
  • Set that as your answer so I can give you the green flag. – thclpr May 15 '14 at 16:58
  • I'd prefer if you documented your findings yourself in an answer. – dawud May 15 '14 at 17:00
  • @Thales if you are worried that someone exploits the old tomcat installation then iptables is better. If you limit it via configuration in tomcat, the request still reaches it. With iptables it's already blocked before that. – faker May 15 '14 at 17:15
  • @faker We don't have iptables available; our client uses a hardware firewall behind a BIG-IP solution. – thclpr May 15 '14 at 17:20
0

I was able to solve the problem by using the following reference:

Professional Apache Tomcat 5, Volume 5 Page 171

The change consists of adding the following line between the tag in your conf/server.xml file:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="xx.xx.xx.*"/>
thclpr