
I have a server http://example.com with a load balancer in front of it, named https://example.net, that performs SSL offloading and redirects traffic arriving on port 443 to port 8080 on http://example.com.

The server example.com is isolated in a virtual network and not reachable from the internet. The load balancer example.net can reach example.com and is publicly exposed to the internet.

How can I set up the Apache Tomcat 8 manager web interface to be reachable only from http://example.com/manager but not from https://example.net/manager?


2 Answers


I don't know what load balancer you are using, so I cannot give a specific config for it. I myself have a publicly accessible Tomcat server behind Nginx as its proxy.

Nginx

# Backend pool: the Tomcat HTTP connector on the internal network
upstream websites {
    server 192.168.x.x:8080 fail_timeout=0;
}

server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com example.com;

    # Forward everything to Tomcat; proxy_params sets the usual
    # Host / X-Real-IP / X-Forwarded-For headers
    location / {
        proxy_pass http://websites/;
        include proxy_params;
    }

    #SSL configuration here
}

I also let Nginx do SSL termination and compression, because it is way easier to manage and set up, and if I later want to add load balancing I can also do that with Nginx, so there is no reason to do it in Tomcat. https://www.digitalocean.com/community/tutorials/how-to-add-the-gzip-module-to-nginx-on-ubuntu-14-04

https://letsencrypt.org/

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

Then, in Tomcat's server.xml, add a new virtual host for your site if one is not already present.

<Host name="www.example.com"  appBase="webapps" unpackWARs="true" autoDeploy="true">
    <Alias>example.com</Alias>

    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
        prefix="test_example_access_log" suffix=".txt"
        pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>

Then, in the manager.xml file for the manager project, you can set who can access the manager HTML page; either set it to your public IP address or to a jump host. As I recall, by default only localhost can connect to the HTML manager.

Personally, I have deleted the manager project from my own installation, to avoid the security issues related to it if it is not managed correctly, and because I didn't need it.

<!-- allow is a regular expression matched against the whole client address -->
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
        allow="192.168.1.*" />

Set a user and password for the manager in tomcat-users.xml and you're good to go.
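As an added illustration (not part of the answer above), the following Python models the decision order Tomcat's RemoteAddrValve applies: the deny pattern is checked first, then allow, both as full-match regular expressions against the client address. It shows why an unanchored pattern such as `192.168.1.*` is wider than the 192.168.1.0/24 it looks like, and why the balancer's own address, which is what Tomcat sees for every request forwarded from the public name, needs an explicit deny. All addresses are constructed sample values.

```python
import re


def remote_addr_valve_allows(remote_addr, allow=None, deny=None):
    """Model of RemoteAddrValve: deny wins if it matches, otherwise allow must
    match; once an allow pattern is configured, anything unmatched is rejected.
    Tomcat uses Matcher.matches(), i.e. whole-address matching, which
    re.fullmatch reproduces here."""
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None and re.fullmatch(allow, remote_addr):
        return True
    # Only a deny pattern configured: everything not denied passes.
    return allow is None and deny is not None


# Constructed sample addresses for the scenario on this page (assumptions):
# the Tomcat host itself, an admin host on the intended subnet, a host on an
# unrelated subnet, and the load balancer, assumed to share the admin subnet.
LOOPBACK = "127.0.0.1"
ADMIN_HOST = "192.168.1.20"
OTHER_SUBNET = "192.168.100.7"
BALANCER = "192.168.1.254"

LOOSE_ALLOW = "192.168.1.*"                         # '.' is a regex wildcard here
STRICT_ALLOW = r"127\.0\.0\.1|192\.168\.1\.\d{1,3}"  # dots escaped, anchored by fullmatch
DENY_BALANCER = r"192\.168\.1\.254"                 # requests via the balancer never reach manager


def evaluate(allow, deny=None):
    """Return which sample addresses the valve would admit to the manager app."""
    return {addr: remote_addr_valve_allows(addr, allow, deny)
            for addr in (LOOPBACK, ADMIN_HOST, OTHER_SUBNET, BALANCER)}


if __name__ == "__main__":
    for label, allow, deny in (("loose", LOOSE_ALLOW, None),
                               ("strict", STRICT_ALLOW, None),
                               ("strict + deny balancer", STRICT_ALLOW, DENY_BALANCER)):
        print(label, evaluate(allow, deny))
```

If a RemoteIpValve runs ahead of this filter in the pipeline, the address being tested is the forwarded client address rather than the balancer's, so the patterns have to be chosen for that value instead.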


Configure ProxyPass/ProxyAlias in the web server. You should make the configuration in HTTP (port 80) for doing this, but best practice is that you can load it over HTTPS with restricted access.