tomcat-users mailing list archives

From "FH" <>
Subject Some initial config help needed (limiting manager/admin pages to specific IPs)
Date Mon, 07 Aug 2006 15:41:32 GMT
This past week is my first experience/time working w/ tomcat so please bear w/
me.  I think I have most of it figured out, the server seems to be running ok
and I've successfully limited the connections to it to ssl only by a couple of
hacks to the server.xml config file[1].  The one final thing I can't quite
figure out is how to limit access to the admin and manager pages to either the
local host or a specific set of IPs.  From looking around various help
sites/FAQs it seems to have something to do w/ a setting like this:

<Context path="/manager" debug="0" privileged="true">
         <Valve className="org.apache.catalina.valves.RemoteAddrValve"
                allow="127\.0\.0\.1" /> <!-- placeholder: comma-separated regular expressions matching permitted client IPs -->
</Context>

What I don't know though, and can't find an example of off hand, is where does
this line go?  In the $TOMCAT/conf/server.xml file right?  Just in there in
general or do I have to associate it specifically w/ the connector on 8080
(which btw is the only one allowed in by the firewall)?  Also if I want to
limit access to both the manager and admin webapps to specific IPs do I have
to do two different <Context> settings or can I do just one?  In general
tomcat is being used for the Meeting Maker webapp client so if I want
everything but that client locked down to a specific set of IPs is there an
easier way of doing that?  The desired effect would be anyone can access the
MM webapp from anywhere w/o any sort of tomcat based authentication but
everything else served by tomcat (including the index page) would require
authentication (based on the tomcat-users.xml file) and limited to specific

Any hints/clues/suggestions are appreciated

[1]  I'm not sure if this is the "correct" way but this is what I figured out
and it seems to be working.  At least whenever I try to connect w/o the https
it prompts me to d/l a .bin file.  BTW is there any sort of security risk w/
that?  I mean if someone d/ls the bin file are they going to be able to get
any info about my config (and specifically the user accounts/passwords)?

     <Connector port="8080" maxHttpHeaderSize="8192"
               keystoreFile="[removed]" keystorePass="[removed]"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
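Added configuration example (not from the original message or the Tomcat project) showing where the RemoteAddrValve is typically placed: inside the <Host> element of $TOMCAT/conf/server.xml, one <Context> per restricted webapp. The 192\.168\.1\.\d+ subnet and the docBase paths are placeholders/assumptions for a Tomcat 5.5 layout; adjust them to the real install.

```xml
<!-- Added example, not part of the original post. Goes inside <Host> in
     $TOMCAT/conf/server.xml. The valve is attached to a Context (or Host),
     not to a Connector, so it applies whichever port the request came in on.
     allow/deny take comma-separated regular expressions matched against the
     client IP, hence the escaped dots. When only allow is set, every client
     that does not match is refused with 403. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <!-- manager webapp: localhost plus the placeholder admin subnet only.
       docBase assumed for the Tomcat 5.5 layout (manager lives outside appBase). -->
  <Context path="/manager" docBase="${catalina.home}/server/webapps/manager"
           privileged="true">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="127\.0\.0\.1,192\.168\.1\.\d+" />
  </Context>

  <!-- admin webapp: a second Context is needed; the valve is scoped per Context -->
  <Context path="/admin" docBase="${catalina.home}/server/webapps/admin"
           privileged="true">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="127\.0\.0\.1,192\.168\.1\.\d+" />
  </Context>

  <!-- The Meeting Maker webapp gets no Context entry here and no valve, so it
       stays reachable from anywhere. A RemoteAddrValve placed directly under
       <Host> would restrict every webapp on this host, including Meeting Maker,
       which is why the per-Context form is used above. -->
</Host>
```

The restriction is an IP filter only; the manager and admin apps still require the tomcat-users.xml roles (manager, admin) on top of it.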
