tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Date Wed, 16 Dec 2009 21:02:45 GMT
Martin B. Smith wrote:
> Howdy!
> 
> I'm trying to ensure that only specific instances of Apache are allowed 
> to proxy requests into my Tomcat 5.5.28 instances. Unfortunately, it 
> looks like Tomcat is seeing the actual client IP making the original 
> request to Apache. Does anyone have a configuration that only allows 
> specific Apache (mod_)proxies to be serviced by Tomcat?
> 
> I will be using other ways to protect Tomcat, but I'd like something 
> inside Tomcat filtering these AJP requests too, and RemoteAddressValve 
> sounds like it should work :)
> 
Yes, but as you noticed, it does use the IP address of the original client.

> Here's what I'm using now --
> 
> Apache:
> 
>     ProxyPass / balancer://foo/ stickysession=JSESSIONID nofailover=On
> 
>     <Proxy balancer://foo>
>         BalancerMember ajp://host1:1234 route=foo
>         BalancerMember ajp://host2:1235 route=foo
>     </Proxy>
> 
> Tomcat:
> <Valve className="org.apache.catalina.valves.RemoteAddrValve" 
> allow="127.0.0.1,apache-front-end-ip"/>
> 

But since it is getting close to Christmas, and I am in the mood for 
some reindeer and chocolate, I did a bit of detective work for you.

First, there is the simple case where the Apache you want to allow is on 
the same host, and Apaches on other hosts are not allowed.
In that case, there is the following hack:
In your Tomcat AJP connector, set
address="127.0.0.1"

and have your Apache AJP connectors connect to that address only.

This means that this connector will only be listening on the loopback 
connector of the machine itself, since only another process on this same 
machine can connect to that IP address (;-) that's why it is a hack).

Other than that, I found this attribute of the Tomcat AJP Connector :
request.secret
Only requests from workers with this secret keyword will be accepted.
(That's in http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html)

That's pretty neat, because in the workers.properties of the Apache 
mod_jk connector, you can set

worker.someworker.secret:
    You can set a secret keyword on the Tomcat AJP Connector. Then only 
requests from workers with the same secret keyword will be accepted. 
Use request.secret="secret key word" in your Tomcat AJP Connector 
configuration.
If you set a secret on a load balancer, all its members will inherit 
this secret.
This feature has been added in jk 1.2.12.
(That's in http://tomcat.apache.org/connectors-doc/reference/workers.html)


Now comes the bummer, however: I don't know mod_proxy_ajp, and I don't 
know if you can set such a secret password at the mod_proxy_ajp level.
But you could always switch to mod_jk...





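The thread turns on one detail of AJP that is easy to miss: the browser's address is carried *inside* the AJP forward request (the `remote_addr` field the worker fills in), separately from the TCP connection the Apache box opens to Tomcat. RemoteAddrValve matches against that forwarded field, which is why an allow list of Apache IPs rejects everything, while the connector `address` setting and `request.secret` / `worker.X.secret` act on the connection itself. The following is an added example, not code from the thread, from Tomcat or from mod_jk: a toy AJP13 encoder/decoder written from the public AJP13 protocol description (magic 0x1234, length-prefixed NUL-terminated strings, secret carried as attribute code 0x0C), plus a simplified model of the connector's secret check and the valve's comma-separated allow list. Host names, addresses and the secret value are constructed for the example.

```python
"""Toy AJP13 forward request: what an AJP worker sends, what Tomcat gets to see.

Added example, not Tomcat's or mod_jk's code. Packet layout follows the public
AJP13 protocol description; the admission logic is a simplified model of the
connector's secret check and of RemoteAddrValve's allow list.
"""
import re
import struct

MAGIC = b"\x12\x34"          # server -> container packet prefix
FORWARD_REQUEST = 2          # prefix code of a forward request
METHODS = {"GET": 2, "POST": 4}
SC_A_REQ_ATTRIBUTE = 0x0A    # name + value pair
SC_A_SSL_KEY_SIZE = 0x0B     # integer, not a string
SC_A_SECRET = 0x0C           # the worker secret (worker.X.secret / request.secret)
SC_A_ARE_DONE = 0xFF         # attribute list terminator


def _str(s):
    """AJP string: 2-byte big-endian length, the bytes, then a NUL terminator."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b + b"\x00"


def build_forward_request(method, uri, client_ip, server_name, secret=None):
    """Encode a minimal forward request as an AJP worker would.

    client_ip is the *browser's* address: it travels inside the payload,
    whoever opened the TCP connection to Tomcat. remote_host is left empty
    and no HTTP headers are forwarded, to keep the example short.
    """
    body = bytes([FORWARD_REQUEST, METHODS[method]])
    body += _str("HTTP/1.1") + _str(uri) + _str(client_ip) + _str("")
    body += _str(server_name) + struct.pack(">H", 80) + b"\x00"  # server_port, is_ssl
    body += struct.pack(">H", 0)                                  # num_headers
    if secret is not None:
        body += bytes([SC_A_SECRET]) + _str(secret)
    body += bytes([SC_A_ARE_DONE])
    return MAGIC + struct.pack(">H", len(body)) + body


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def u16(self):
        (v,) = struct.unpack_from(">H", self.data, self.pos)
        self.pos += 2
        return v

    def string(self):
        n = self.u16()
        if n == 0xFFFF:          # AJP encodes a null string as 0xFFFF with no body
            return None
        s = self.data[self.pos:self.pos + n].decode()
        self.pos += n + 1        # skip the NUL terminator
        return s


def parse_forward_request(packet):
    """Decode the fields that matter for access control: uri, remote_addr, secret."""
    if packet[:2] != MAGIC:
        raise ValueError("bad AJP magic")
    r = _Reader(packet[4:4 + struct.unpack(">H", packet[2:4])[0]])
    if r.byte() != FORWARD_REQUEST:
        raise ValueError("not a forward request")
    r.byte(); r.string()                         # method code, protocol
    uri, remote_addr = r.string(), r.string()
    r.string(); r.string(); r.u16(); r.byte()    # remote_host, server_name, port, is_ssl
    for _ in range(r.u16()):                     # headers: coded (0xA0xx) or string name, then value
        r.u16() if r.data[r.pos] == 0xA0 else r.string()
        r.string()
    secret = None
    while (code := r.byte()) != SC_A_ARE_DONE:
        if code == SC_A_SECRET:
            secret = r.string()
        elif code == SC_A_REQ_ATTRIBUTE:
            r.string(); r.string()
        elif code == SC_A_SSL_KEY_SIZE:
            r.u16()
        else:
            r.string()
    return {"uri": uri, "remote_addr": remote_addr, "secret": secret}


def admit(packet, tcp_peer, required_secret=None, valve_allow=None):
    """Container-side model. Returns (status, reason).

    tcp_peer        address that opened the AJP connection (the Apache host)
    required_secret connector secret; the request must carry the same value
    valve_allow     RemoteAddrValve 'allow': comma-separated regexes matched
                    against the *forwarded* remote_addr, never against tcp_peer
    """
    req = parse_forward_request(packet)
    if required_secret is not None and req["secret"] != required_secret:
        return 403, "worker secret missing or wrong (connection from %s)" % tcp_peer
    if valve_allow is not None and not any(
            re.fullmatch(p, req["remote_addr"]) for p in valve_allow.split(",")):
        return 403, "RemoteAddrValve rejected forwarded client %s" % req["remote_addr"]
    return 200, "accepted"
```

Running `admit()` on a packet built for browser 203.0.113.7 arriving over a connection from the Apache host 10.0.0.5 shows the two mechanisms side by side: `valve_allow="127.0.0.1,10.0.0.5"` rejects the request because the valve only ever sees 203.0.113.7, whereas `required_secret` accepts or rejects based on what the worker put in the packet, regardless of either address. For completeness, mod_proxy_ajp later gained a `secret=` worker parameter (Apache httpd 2.4.42), so the mod_jk switch suggested above is no longer the only option; that did not exist when this message was written.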
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

