Restrict Tomcat Webapp external access by IP
Solution 1
Envite is right, the firewall approach is way simpler:

```shell
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# --dport only works together with a protocol match, so -p tcp is required
iptables -A INPUT -p tcp -s $SOME_IP1 --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -s $SOME_IP2 --dport 8080 -j ACCEPT
# -A appends, so this catch-all DROP must come after the ACCEPT rules
iptables -A INPUT -p tcp --dport 8080 -j DROP
```

It is highly likely that you didn't configure your firewall properly, or there is another rule before the ones you inserted that allows traffic to that port/host.
Solution 2
I would use a different approach. Either use a firewall (this is the best method unless you need the web server to be accessible but the appserver to be not), or use Apache's own controls Allow and Deny.
Solution 3
Have you examined the Tomcat logs? That should be the first place you look when troubleshooting such issues. That file is typically called catalina.out. Reproduce the issue and update your question with the corresponding log entries.
However, a couple of things stand out:
Try replacing the double \\ with a single \. For example, this in the Engine, Host or Context containers will allow access from 127.0.0.1 and 11.22.33.44 (from Remote Address Filter):

```xml
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="127\.\d+\.\d+\.\d+|11\.22\.33\.44"/>
```

You could also try dropping the deny="".
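To see why the doubled backslashes lock everybody out, here is an added example (not code from the answer or from Tomcat) that parses a RemoteAddrValve element the way Tomcat receives it and evaluates client addresses against it. XML has no backslash escaping, so `\\.` reaches the regex compiler as "a literal backslash followed by any character", which no IP address contains. The decision order in `is_allowed` is my model of the Remote Address Filter as documented (deny checked first, then allow, default reject once an allow list exists, empty attribute treated as unset), and the address 203.0.113.7 is a documentation-range placeholder standing in for "my external machine ip". The fixed pattern uses `\d+` in place of the question's `\\.*` alternatives and drops the `0\\.*` one.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Valve fragments for this example. The first carries the doubled
# backslashes from the question (placeholder 203.0.113.7 for the external
# machine); the second is the single-backslash form the answer recommends.
BROKEN_VALVE = (
    '<Valve className="org.apache.catalina.valves.RemoteAddrValve" '
    r'allow="127\\.0\\.0\\.1|192\\.*\\.*\\.*|0\\.*\\.*\\.*|203\\.0\\.113\\.7" '
    'deny=""/>'
)
FIXED_VALVE = (
    '<Valve className="org.apache.catalina.valves.RemoteAddrValve" '
    r'allow="127\.\d+\.\d+\.\d+|192\.\d+\.\d+\.\d+|203\.0\.113\.7"/>'
)


def valve_patterns(valve_xml):
    """Parse the <Valve> element and return (allow, deny) exactly as Tomcat
    would receive them: XML does not unescape backslashes, so the attribute
    text reaches the regex compiler unchanged."""
    el = ET.fromstring(valve_xml)
    return el.get("allow"), el.get("deny")


def is_allowed(remote_addr, allow=None, deny=None):
    """Model (assumption) of the Remote Address Filter decision: an empty
    attribute counts as unset, both patterns must match the whole address
    (Java matches()), deny is evaluated before allow, and once an allow list
    exists every address it does not match is rejected."""
    allow_re = re.compile(allow) if allow else None
    deny_re = re.compile(deny) if deny else None
    if deny_re is not None and deny_re.fullmatch(remote_addr):
        return False
    if allow_re is not None and allow_re.fullmatch(remote_addr):
        return True
    if deny_re is not None and allow_re is None:
        return True
    return False


def check_clients(valve_xml, clients):
    """Evaluate each client address against the valve; returns {addr: bool}."""
    allow, deny = valve_patterns(valve_xml)
    return {addr: is_allowed(addr, allow, deny) for addr in clients}


# Constructed client addresses: loopback, LAN, the "external machine", a stranger.
CLIENTS = ["127.0.0.1", "192.168.1.20", "203.0.113.7", "198.51.100.9"]

if __name__ == "__main__":
    for label, valve in (("broken", BROKEN_VALVE), ("fixed", FIXED_VALVE)):
        print(label, check_clients(valve, CLIENTS))
    # The doubled-backslash regex only matches an "address" that literally
    # contains backslashes, which no real client ever presents:
    print(is_allowed("127\\.0\\.0\\.1", valve_patterns(BROKEN_VALVE)[0]))
```

With the question's pattern every client, the external machine included, is rejected, which is exactly the symptom reported; removing the valve "fixes" it only because nothing filters any more. The corrected pattern admits loopback, the 192.x.x.x range and the one external address, and rejects the rest.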
Santiago, updated on September 18, 2022
Comments
- Santiago, over 1 year ago:
I am successfully able to access my webapp using the external IP for my server. However, I would now like to restrict access to the server by IP.
I have added the following in conf/server.xml:

```xml
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <!-- SingleSignOn valve, share authentication between web applications
       Documentation at: /docs/config/valve.html -->
  <!--
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
  -->
  <!-- Access log processes all example.
       Documentation at: /docs/config/valve.html
       Note: The pattern used is equivalent to using pattern="common" -->
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         prefix="localhost_access_log." suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" resolveHosts="true"/>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\\.0\\.0\\.1|192\\.*\\.*\\.*|0\\.*\\.*\\.*|<my external machine ip>"
         deny=""/>
```

However, I still can't access the webapp from my . If I remove the RemoteAddrValve block then I can access the webapp from the external machine.
I am using apache-tomcat-7.0.47.
How can I restrict external access via IP? Is this the correct approach?
- Santiago, over 10 years ago: I did try the firewall approach but I need port 8080 to be open, therefore this didn't work. Which controls are you referring to in Apache?
- Envite, over 10 years ago: In Apache config you can (in the Location section or in the Directory section) put Allow and Deny directives: httpd.apache.org/docs/current/mod/mod_access_compat.html#allow
- Santiago, over 10 years ago: I have tried this but it's still open to all.
- Santiago, over 10 years ago: I'm using Mac OS X; ipfw show has allow ip from any to any. I've not used ipfw before, do you know how to restrict just to an external IP address?
- Santiago, over 10 years ago: Yes, I have tried all variations. Changing the firewall rules has an effect. However, I cannot figure out the correct command. I assumed the following would work but unfortunately not: sudo ipfw add reject src-ip any dst-ip me dst-port 22