tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <>
Subject Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Date Thu, 17 Dec 2009 04:01:46 GMT

"André Warnier" <> wrote in message
> Martin B. Smith wrote:
>> Howdy!
>> I'm trying to ensure that only specific instances of Apache are allowed 
>> to proxy requests into my Tomcat 5.5.28 instances. Unfortunately, it 
>> looks like Tomcat is seeing the actual client IP making the original 
>> request to Apache. Does anyone have a configuration that only allows 
>> specific Apache (mod_)proxies to be serviced by Tomcat?
> Of course if your are under Linux, you could use iptables to block 
> requests to port 8009, from hosts you don't like.
> And if you are under Windows, you could use the Windows firewall or 
> filtering rules.
> Probably even more efficient than doing this at the Tomcat level.

Yes, but if the OP wants to block all access to Tomcat, it is even easier to 
just not have the worker configured on those Apaches that shouldn't contact 
it.  As a result, I'm guessing that the OP wants to restrict access to 
certain webapps.

The good news is that with the AJP connector, request.getLocalName() returns 
the name of the Apache server (as specified by the ServerName directive), 
not the Tomcat server.  And request.getLocalAddr() returns the IP address of 
request.getLocalName() as it resolves on the Tomcat machine.  With that 
information it isn't hard to write a Filter that does what you want.  For 
the truely lazy, it would also be trivial to copy RemoteAddrValve to 
LocalAddrValve and have it check localAddr instead of remoteAddr. 

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message