tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Some initial config help needed (limiting manager/admin pages to specific IPs)
Date Mon, 07 Aug 2006 23:22:30 GMT
FH wrote:
> This past week is my first experience/time working w/ tomcat so please bear w/
> me.  I think I have most of it figured out, the server seems to be running ok
> and I've successfully limited the connections to it to ssl only by a couple of
> hacks to the server.xml config file[1]. The one final thing I can't quite
> figure out is how to limit access to the admin and manager pages to either the
> local host or a specific set of IPs.  From looking around various help
> sites/FAQs it seems to have something to do w/ a setting like this:
> 
> <Context path="/manager" debug="0" privileged="true"
>          docBase="/usr/local/kinetic/tomcat4/server/webapps/manager">
>          <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>                 allow="127.0.0.1"/>
> </Context>
> 
> What I don't know though, and can't find an example of off hand, is where does
> this line go?  In the $TOMCAT/conf/server.xml file right?

It can do. Not the best place for it but it will work. See
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html for other
placement options.

>  Just in there in
> general or do I have to associate it specifically w/ the connector on 8080
> (which btw is the only one allowed in by the firewall)?

Again, http://tomcat.apache.org/tomcat-5.5-doc/config/context.html


> Also if I want to
> limit access to both the manager and admin webapps to specific IPs do I have
> to do two different <Context> settings or can I do just one.

You would have to do it for each.

> Any hints/clues/suggestions are appreciated
> Thanks

Have another read of
http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html
In particular the text that states:
<quote>
A comma-separated list of regular expression patterns that the remote
client's IP address is compared to. If this attribute is specified,
the remote address MUST match for this request to be accepted. If this
attribute is not specified, all requests will be accepted UNLESS the
remote address matches a deny pattern.
</quote>

The period is a reserved character in a regular expression so you will
need to use something like allow="127\.0\.0\.1"

Mark
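As an added example (not code from Mark's reply or from Tomcat itself), the following Python model of the documented RemoteAddrValve allow/deny rules shows why the unescaped period in allow="127.0.0.1" over-matches, and how an escaped comma-separated list covers localhost plus a subnet. It assumes each pattern must match the whole address (Java's matches(), hence re.fullmatch); the sample addresses are constructed.

```python
import re


def parse_patterns(attr):
    """Split an allow/deny attribute into compiled regexes (comma-separated, as documented)."""
    if not attr:
        return []
    return [re.compile(p.strip()) for p in attr.split(",") if p.strip()]


def remote_addr_allowed(remote_addr, allow=None, deny=None):
    """Model of the documented RemoteAddrValve rules (not Tomcat's own code).

    Assumption: a pattern must match the whole address (Java matches()),
    so re.fullmatch is used rather than re.search.
    - a deny match always rejects the request
    - if allow is specified, the address MUST match one allow pattern
    - if allow is not specified, the request is accepted unless denied
    """
    for pattern in parse_patterns(deny):
        if pattern.fullmatch(remote_addr):
            return False
    allow_patterns = parse_patterns(allow)
    if not allow_patterns:
        return True
    return any(p.fullmatch(remote_addr) for p in allow_patterns)


def accepted_addresses(allow, candidates):
    """Return the candidate addresses a given allow attribute would accept."""
    return [a for a in candidates if remote_addr_allowed(a, allow=allow)]


# Constructed sample addresses: real localhost, a lookalike that an unescaped
# '.' (any single character) accepts, and a few addresses outside the list.
SAMPLE_ADDRS = ["127.0.0.1", "127a0b0c1", "127.0.0.10", "10.0.0.5", "203.0.113.9"]

if __name__ == "__main__":
    print("unescaped allow:  ", accepted_addresses("127.0.0.1", SAMPLE_ADDRS))
    print("escaped allow:    ", accepted_addresses(r"127\.0\.0\.1", SAMPLE_ADDRS))
    print("localhost + subnet:", accepted_addresses(r"127\.0\.0\.1,10\.0\.0\.\d+", SAMPLE_ADDRS))
```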

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
