Tomcat 10 (10.1.16) how to add access to host manager app to localhost and local network but not for internet?


I'm using Tomcat 10 (10.1.16) and I have 2 instances of the webserver running on Fedora 39 that I installed on my Raspberry Pi 4 Model B.

Tomcat instances:

  1. For home, personal projects and some Java development.
  2. For internet, to expose my finished web sites and web services/APIs.

For the first instance, I want to enable access to the host manager only for localhost and local network IPs.

For the second instance, I want to enable access to the host manager only for localhost and local network IPs, but I want other apps deployed there to be accessible through the internet for the general public. What is the most secure way to achieve this without compromising performance?

What I know and did so far:

On both instances I just commented out the "Valve" tag in the file $TOMCAT_INSTANCE/webapps/host-manager/META-INF/context.xml

<!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /> -->

But this leaves both instances completely exposed and accessible to local traffic and internet traffic.

I understand that I need to change the allow attribute in the Valve tag, but I'm not very good with regular expressions.

Also, am I following the best practices on how my system is structured? I would appreciate some guidelines or feedback.

How I structured the instances on Linux:

Users:

root: Holds the Tomcat bin and lib folders. As specified here: Tomcat - CATALINA_BASE and CATALINA_HOME variables

userhome: ENV variables that point to root $CATALINA_HOME. No sudo privileges. No port redirect on the router.

userprod: ENV variables that point to root $CATALINA_HOME. No sudo privileges. Router port redirect from external 80 to internal 9090.

On Fedora firewalld port 8080 is open for local TCP traffic (source: 192.168.1.0/24). Port 9090 is open for TCP traffic from any source.

Thanks for the help.

1 answer

Silverwolf (best answer)

I found a possible solution that works.

On the second instance, I changed the name of the index.jsp file in the folder $TOMCAT_INSTANCE/webapps/ROOT/index.jsp so it won't be accessible to anyone on the internet.

On the manager and host-manager apps I removed the comment around the tag and changed the Valve to allow local network traffic (|192\.168\.1\.\d+).

Files changed:

$TOMCAT_INSTANCE/webapps/manager/META-INF/context.xml

$TOMCAT_INSTANCE/webapps/host-manager/META-INF/context.xml

The Valve on both apps now looks like this:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
     allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.1\.\d+" />

Restarted the Tomcat server and now it works as expected.

I found this solution on a comment here: Access Tomcat Manager App from different host

Hope this helps someone with a similar configuration problem.
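The RemoteAddrValve compares the whole client address against the allow (and, if set, deny) regular expression, so an unescaped dot or a pattern that only matches a prefix changes who gets in. The script below is an added example, not code from the question, the answer or the Tomcat project: it emulates the valve's allow/deny decision with Python's re.fullmatch (the equivalent of Java's full-string Matcher.matches) and checks the pattern from the accepted answer against a constructed list of addresses that stand in for loopback, the 192.168.1.0/24 LAN, a neighbouring subnet and an internet client. The function names, the WEAK_PATTERN and the sample addresses are all assumptions made for the example.

```python
import re

# The allow pattern from the accepted answer, copied verbatim.
ALLOW_PATTERN = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.1\.\d+"

# Constructed example of a common mistake: unescaped dots match any character,
# so this pattern accepts strings that are not addresses in 192.168.1.0/24 at all.
WEAK_PATTERN = r"192.168.1.\d+"


def valve_allows(remote_addr, allow=ALLOW_PATTERN, deny=None):
    """Emulate RemoteAddrValve: a matching deny wins, otherwise the allow
    pattern must match the entire remote address (no partial matches)."""
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is None:
        # No allow list configured: everything that was not denied passes.
        return True
    return re.fullmatch(allow, remote_addr) is not None


def check_pattern(allow, expected, deny=None):
    """Return {address: actual_decision} for every address whose decision
    differs from what the operator expected; an empty dict means the
    pattern behaves as intended for the whole sample."""
    mismatches = {}
    for addr, want in expected.items():
        got = valve_allows(addr, allow, deny)
        if got != want:
            mismatches[addr] = got
    return mismatches


# Constructed sample: what the question wants allowed and blocked.
EXPECTED = {
    "127.0.0.1": True,            # loopback
    "::1": True,                  # IPv6 loopback, short form
    "0:0:0:0:0:0:0:1": True,      # IPv6 loopback, long form
    "192.168.1.42": True,         # LAN host
    "192.168.1.254": True,        # LAN router
    "192.168.2.10": False,        # neighbouring subnet, not in the list
    "10.0.0.5": False,            # another private range, not in the list
    "203.0.113.7": False,         # TEST-NET-3, stands in for an internet client
    "1192.168.1.5": False,        # would slip past a search-style match; fullmatch rejects it
}


if __name__ == "__main__":
    problems = check_pattern(ALLOW_PATTERN, EXPECTED)
    print("answer's pattern mismatches:", problems)
    # The weak pattern shows why the dots must be escaped.
    print("weak pattern accepts '192x168y1z9':",
          valve_allows("192x168y1z9", WEAK_PATTERN))
```

Two caveats when reading the result: the valve sees the TCP peer address, so if Tomcat ever sits behind a reverse proxy every client appears as the proxy's address and the allow list either admits everyone or no one (Tomcat's RemoteIpValve exists for that case); and the valve is a second layer behind the firewalld rule from the question, so the LAN pattern here should agree with the 192.168.1.0/24 source the firewall already restricts port 8080 to.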