Re: Restrict access to manager app by IP

2016-09-08 Thread Yuval Schwartz
Thanks a lot for your replies.
For now, I removed the "path" attribute from the Context elements but left
the xml file in Catalina/[hostname].

When I have some more time, I will move to within my application
(META-INF/context.xml) since that seems to be the consensus here.

Thank you.

On Wed, Sep 7, 2016 at 8:45 PM, Mark Thomas <ma...@apache.org> wrote:

> On 07/09/2016 18:43, Jeffrey Janner wrote:
> >
> >
> >> -Original Message-
> >> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> >> Sent: Tuesday, September 06, 2016 12:30 PM
> >> To: Tomcat Users List <users@tomcat.apache.org>
> >> Subject: Re: Restrict access to manager app by IP
> >>
> > Yuval,
> >
> > On 9/2/16 9:29 AM, Yuval Schwartz wrote:
> >>>> Thanks. I'll give it a shot and let you guys know how it goes. Any
> >>>> input on whether I should put this in my applications context.xml
> >>>> or in my [host] directory?
> >
> > I would do it in the application. Unless you have a particular reason
> > to manually-place the application's context.xml file into
> > conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.
> >
> > -chris
> >
> >> Chris -
> >
> >> Isn't the Tomcat "/manager" an app separate from the user's webapp?
> Thus the need for the manager.xml in conf/[engine]/[host] directory?
>
> It is an application like any other so you can use:
>
> $CATALINA_BASE/webapps/manager/META-INF/context.xml
>
> Mark
>


Re: Restrict access to manager app by IP

2016-09-07 Thread Mark Thomas
On 07/09/2016 18:43, Jeffrey Janner wrote:
> 
> 
>> -Original Message-
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Sent: Tuesday, September 06, 2016 12:30 PM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: Restrict access to manager app by IP
>>
> Yuval,
> 
> On 9/2/16 9:29 AM, Yuval Schwartz wrote:
>>>> Thanks. I'll give it a shot and let you guys know how it goes. Any
>>>> input on whether I should put this in my applications context.xml
>>>> or in my [host] directory?
> 
> I would do it in the application. Unless you have a particular reason
> to manually-place the application's context.xml file into
> conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.
> 
> -chris
> 
>> Chris -
> 
>> Isn't the Tomcat "/manager" an app separate from the user's webapp?  Thus 
>> the need for the manager.xml in conf/[engine]/[host] directory?

It is an application like any other so you can use:

$CATALINA_BASE/webapps/manager/META-INF/context.xml

Mark




RE: Restrict access to manager app by IP

2016-09-07 Thread Jeffrey Janner


> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, September 06, 2016 12:30 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Restrict access to manager app by IP
> 
> Yuval,
> 
> On 9/2/16 9:29 AM, Yuval Schwartz wrote:
> > Thanks. I'll give it a shot and let you guys know how it goes. Any
> > input on whether I should put this in my applications context.xml
> > or in my [host] directory?
> 
> I would do it in the application. Unless you have a particular reason
> to manually-place the application's context.xml file into
> conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.
> 
> -chris
 
Chris -

Isn't the Tomcat "/manager" an app separate from the user's webapp?  Thus the 
need for the manager.xml in conf/[engine]/[host] directory?

Yuval: what you were proposing is the way I have done it.  Just make sure you 
specify the regular expression correctly.

Jeff


> 
> > On Fri, Sep 2, 2016 at 4:24 PM, Kreuser, Peter
> > <pkreu...@airplus.com> wrote:
> >
> >> Hi Yuval,
> >>
> >>
> >>> -Original Message- From: Yuval Schwartz
> >>> [mailto:yuval.schwa...@gmail.com] Sent: Friday, 2
> >>> September 2016 13:28 To: Tomcat Users List Subject: Restrict
> >>> access to manager app by IP
> >>>
> >>> Tomcat: 8.0.22 JDK: 1.8.0_05
> >>>
> >>> Hello,
> >>>
> >>> I am currently running a web application.
> >>>
> >>> I would like to restrict access to the manager app (it is
> >>> currently
> >> being hit by spammers every so often who are unable to connect
> >> (get a message "...an attempt was made to authenticate the locked
> >> user")).
> >>>
> >>> I was thinking of adding a "manager.xml" file to
> >>> $CATALINA_BASE/conf/[enginename]/[hostname]/
> >> that will contain the following context container:
> >>>
> >>>   >> className="org.apache.catalina.valves.RemoteAddrValve"
> >>> allow="[my_ip]"/> 
> >>>
> >>> Is this the correct way to achieve my goal of limiting access
> >>> to the
> >> manager app to only my IP.
> >>>
> >>> Of course, I do not want the rest of my webapp's access limited
> >>> (which
> >> is on the ROOT path). I only want access to the manager app
> >> limited.
> >>>
> >>> (I know I can also place the context container in my webapp's
> >> META-INF/context.xml file, is there any preference to doing this
> >> over what I suggested above?)
> >>>
> >>> Thank you _
> >>>
> >>
> >> That's the proposed solution for it. I don't think that you need
> >> the docbase - unless you don't use the default location.
> >>
> >> I think you will have to quote the . in the ip with backslash,
> >> like <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> >> allow="10\.100\.17\.33|10\.100\.88\.92" />
> >>
> >> Best regards
> >>
> >> Peter
> >>
> >



Re: Restrict access to manager app by IP

2016-09-06 Thread Christopher Schultz
Mark,

On 9/6/16 2:23 PM, Mark Thomas wrote:
> On 06/09/2016 18:29, Christopher Schultz wrote:
>> Yuval,
>> 
>> On 9/2/16 9:29 AM, Yuval Schwartz wrote:
>>> Thanks. I'll give it a shot and let you guys know how it goes.
>>> Any input on whether I should put this in my applications
>>> context.xml or in my [host] directory?
>> 
>> I would do it in the application. Unless you have a particular
>> reason to manually-place the application's context.xml file into 
>> conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.
> 
> Tomcat no longer copies context.xml by default.

Even better: there's no confusion over which file will take effect, then.

-chris

>>> On Fri, Sep 2, 2016 at 4:24 PM, Kreuser, Peter 
>>>  wrote:
>> 
>>>> Hi Yuval,
>>>>
>>>>
>>>>> -Original Message- From: Yuval Schwartz
>>>>> [mailto:yuval.schwa...@gmail.com] Sent: Friday, 2
>>>>> September 2016 13:28 To: Tomcat Users List Subject:
>>>>> Restrict access to manager app by IP
>>>>>
>>>>> Tomcat: 8.0.22 JDK: 1.8.0_05
>>>>>
>>>>> Hello,
>>>>>
>>>>> I am currently running a web application.
>>>>>
>>>>> I would like to restrict access to the manager app (it is
>>>>> currently
>>>> being hit by spammers every so often who are unable to
>>>> connect (get a message "...an attempt was made to
>>>> authenticate the locked user")).
>>>>>
>>>>> I was thinking of adding a "manager.xml" file to
>>>>> $CATALINA_BASE/conf/[enginename]/[hostname]/
>>>> that will contain the following context container:
>>>>>
>>>>>
>>>>> className="org.apache.catalina.valves.RemoteAddrValve"
>>>>> allow="[my_ip]"/>
>>>>>
>>>>> Is this the correct way to achieve my goal of limiting
>>>>> access to the
>>>> manager app to only my IP.
>>>>>
>>>>> Of course, I do not want the rest of my webapp's access
>>>>> limited (which
>>>> is on the ROOT path). I only want access to the manager app
>>>> limited.
>>>>>
>>>>> (I know I can also place the context container in my
>>>>> webapp's
>>>> META-INF/context.xml file, is there any preference to doing
>>>> this over what I suggested above?)
>>>>>
>>>>> Thank you _
>>>>>
>>>>
>>>> That's the proposed solution for it. I don't think that you
>>>> need the docbase - unless you don't use the default
>>>> location.
>>>>
>>>> I think you will have to quote the . in the ip with
>>>> backslash, like <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>>> allow="10\.100\.17\.33|10\.100\.88\.92" />
>>>>
>>>> Best regards
>>>>
>>>> Peter
>>>>



Re: Restrict access to manager app by IP

2016-09-06 Thread Mark Thomas
On 06/09/2016 18:29, Christopher Schultz wrote:
> Yuval,
> 
> On 9/2/16 9:29 AM, Yuval Schwartz wrote:
>> Thanks. I'll give it a shot and let you guys know how it goes. Any 
>> input on whether I should put this in my applications context.xml
>> or in my [host] directory?
> 
> I would do it in the application. Unless you have a particular reason
> to manually-place the application's context.xml file into
> conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.

Tomcat no longer copies context.xml by default.

Mark


> 
> -chris
> 
>> On Fri, Sep 2, 2016 at 4:24 PM, Kreuser, Peter
>>  wrote:
> 
>>> Hi Yuval,
>>>
>>>
>>>> -Original Message- From: Yuval Schwartz
>>>> [mailto:yuval.schwa...@gmail.com] Sent: Friday, 2
>>>> September 2016 13:28 To: Tomcat Users List Subject: Restrict
>>>> access to manager app by IP
>>>>
>>>> Tomcat: 8.0.22 JDK: 1.8.0_05
>>>>
>>>> Hello,
>>>>
>>>> I am currently running a web application.
>>>>
>>>> I would like to restrict access to the manager app (it is
>>>> currently
>>> being hit by spammers every so often who are unable to connect
>>> (get a message "...an attempt was made to authenticate the locked
>>> user")).
>>>>
>>>> I was thinking of adding a "manager.xml" file to
>>>> $CATALINA_BASE/conf/[enginename]/[hostname]/
>>> that will contain the following context container:
>>>>
>>>> className="org.apache.catalina.valves.RemoteAddrValve"
>>>> allow="[my_ip]"/>
>>>>
>>>> Is this the correct way to achieve my goal of limiting access
>>>> to the
>>> manager app to only my IP.
>>>>
>>>> Of course, I do not want the rest of my webapp's access limited
>>>> (which
>>> is on the ROOT path). I only want access to the manager app
>>> limited.
>>>>
>>>> (I know I can also place the context container in my webapp's
>>> META-INF/context.xml file, is there any preference to doing this
>>> over what I suggested above?)
>>>>
>>>> Thank you _
>>>>
>>>
>>> That's the proposed solution for it. I don't think that you need
>>> the docbase - unless you don't use the default location.
>>>
>>> I think you will have to quote the . in the ip with backslash,
>>> like <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>> allow="10\.100\.17\.33|10\.100\.88\.92" />
>>>
>>> Best regards
>>>
>>> Peter
>>>
> 
> 



Re: Restrict access to manager app by IP

2016-09-06 Thread Christopher Schultz
Yuval,

On 9/2/16 9:29 AM, Yuval Schwartz wrote:
> Thanks. I'll give it a shot and let you guys know how it goes. Any 
> input on whether I should put this in my applications context.xml
> or in my [host] directory?

I would do it in the application. Unless you have a particular reason
to manually-place the application's context.xml file into
conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.

-chris

> On Fri, Sep 2, 2016 at 4:24 PM, Kreuser, Peter
>  wrote:
> 
>> Hi Yuval,
>> 
>> 
>>> -Original Message- From: Yuval Schwartz
>>> [mailto:yuval.schwa...@gmail.com] Sent: Friday, 2
>>> September 2016 13:28 To: Tomcat Users List Subject: Restrict
>>> access to manager app by IP
>>> 
>>> Tomcat: 8.0.22 JDK: 1.8.0_05
>>> 
>>> Hello,
>>> 
>>> I am currently running a web application.
>>> 
>>> I would like to restrict access to the manager app (it is
>>> currently
>> being hit by spammers every so often who are unable to connect
>> (get a message "...an attempt was made to authenticate the locked
>> user")).
>>> 
>>> I was thinking of adding a "manager.xml" file to
>>> $CATALINA_BASE/conf/[enginename]/[hostname]/
>> that will contain the following context container:
>>> 
>>>  > className="org.apache.catalina.valves.RemoteAddrValve"
>>> allow="[my_ip]"/> 
>>> 
>>> Is this the correct way to achieve my goal of limiting access
>>> to the
>> manager app to only my IP.
>>> 
>>> Of course, I do not want the rest of my webapp's access limited
>>> (which
>> is on the ROOT path). I only want access to the manager app
>> limited.
>>> 
>>> (I know I can also place the context container in my webapp's
>> META-INF/context.xml file, is there any preference to doing this
>> over what I suggested above?)
>>> 
>>> Thank you _
>>> 
>> 
>> That's the proposed solution for it. I don't think that you need
>> the docbase - unless you don't use the default location.
>> 
>> I think you will have to quote the . in the ip with backslash,
>> like <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>> allow="10\.100\.17\.33|10\.100\.88\.92" />
>> 
>> Best regards
>> 
>> Peter
>> 
> 



Re: Restrict access to manager app by IP

2016-09-02 Thread Mark Olsson
On Fri, Sep 2, 2016 at 4:28 AM, Yuval Schwartz 
wrote:

> Tomcat: 8.0.22
> JDK: 1.8.0_05
>
> Hello,
>
> I am currently running a web application.
>
> I would like to restrict access to the manager app (it is currently being
> hit by spammers every so often who are unable to connect (get a message
> "...an attempt was made to authenticate the locked user")).
>
> I was thinking of adding a "manager.xml" file to
> $CATALINA_BASE/conf/[enginename]/[hostname]/ that will contain the
> following context container:
>
> 
>   allow="[my_ip]"/>
> 
>
> Is this the correct way to achieve my goal of limiting access to the
> manager app to only my IP.
>
> Of course, I do not want the rest of my webapp's access limited (which
> is on the ROOT path). I only want access to the manager app limited.
>
> (I know I can also place the context container in my webapp's
> META-INF/context.xml file, is there any preference to doing this over
> what I suggested above?)
>
> Thank you
> _
>

Another way to keep them from hammering away with login attempts is to
simply rename the manager webapp.  Redeploy it to something like
/manager123 instead of just /manager and the bots will never find it.  It's
obviously security theater, but it works great against scanners.


Re: Restrict access to manager app by IP

2016-09-02 Thread Yuval Schwartz
Hello Peter,

Thanks. I'll give it a shot and let you guys know how it goes.
Any input on whether I should put this in my applications context.xml or in
my [host] directory?

Thank you.

On Fri, Sep 2, 2016 at 4:24 PM, Kreuser, Peter  wrote:

> Hi Yuval,
>
>
> > -Original Message-
> > From: Yuval Schwartz [mailto:yuval.schwa...@gmail.com]
> > Sent: Friday, 2 September 2016 13:28
> > To: Tomcat Users List
> > Subject: Restrict access to manager app by IP
> >
> > Tomcat: 8.0.22
> > JDK: 1.8.0_05
> >
> > Hello,
> >
> > I am currently running a web application.
> >
> > I would like to restrict access to the manager app (it is currently
> being hit by spammers every so often who are unable to connect (get a
> message "...an attempt was made to authenticate the locked user")).
> >
> > I was thinking of adding a "manager.xml" file to 
> > $CATALINA_BASE/conf/[enginename]/[hostname]/
> that will contain the following context container:
> >
> >   className="org.apache.catalina.valves.RemoteAddrValve"
> >  allow="[my_ip]"/>
> > 
> >
> > Is this the correct way to achieve my goal of limiting access to the
> manager app to only my IP.
> >
> > Of course, I do not want the rest of my webapp's access limited (which
> is on the ROOT path). I only want access to the manager app limited.
> >
> > (I know I can also place the context container in my webapp's
> META-INF/context.xml file, is there any preference to doing this over what
> I suggested above?)
> >
> > Thank you
> > _
> >
>
> That's the proposed solution for it. I don't think that you need the
> docbase - unless you don't use the default location.
>
> I think you will have to quote the . in the ip with backslash, like
> <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="10\.100\.17\.33|10\.100\.88\.92" />
>
> Best regards
>
> Peter
>
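
Added example, not part of any post in this thread: a Java dry run for the `allow` expression discussed above, using java.util.regex (the engine the valve uses) to show which client addresses an expression admits before it goes into context.xml. The class name, helper names and sample addresses are constructed for illustration.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class AllowPatternCheck {

    // RemoteAddrValve compiles allow with java.util.regex and admits a client only
    // when the WHOLE remote address matches, so matches() is used rather than find().
    static boolean admitted(String allow, String remoteAddr) {
        return Pattern.compile(allow).matcher(remoteAddr).matches();
    }

    // Heuristic lint: does the expression contain a '.' not preceded by a backslash?
    static boolean hasUnescapedDot(String allow) {
        return Pattern.compile("(?<!\\\\)\\.").matcher(allow).find();
    }

    // Evaluate one allow expression against a list of candidate client addresses.
    static Map<String, Boolean> dryRun(String allow, List<String> addrs) {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String addr : addrs) {
            result.put(addr, admitted(allow, addr));
        }
        return result;
    }

    public static void main(String[] args) {
        // Expression quoted in the thread; backslashes are doubled only because
        // this is a Java string literal. In context.xml they are written once.
        String escaped = "10\\.100\\.17\\.33|10\\.100\\.88\\.92";
        String unescaped = "10.100.17.33|10.100.88.92";

        // Constructed sample values: the two listed hosts, near misses, both
        // loopback forms, and a non-address string that only '.'-as-wildcard accepts.
        List<String> samples = Arrays.asList(
                "10.100.17.33", "10.100.88.92", "10.100.17.3", "10.100.17.331",
                "127.0.0.1", "0:0:0:0:0:0:0:1", "10x100y17z33");

        for (String allow : Arrays.asList(escaped, unescaped)) {
            System.out.println("allow=\"" + allow + "\" unescaped dot: " + hasUnescapedDot(allow));
            dryRun(allow, samples).forEach((addr, ok) ->
                    System.out.println("  " + (ok ? "ALLOW " : "DENY  ") + addr));
        }
    }
}
```

With the thread's expression both loopback forms are denied, so requests to the manager made from the server itself are refused unless a loopback alternative is added to `allow`.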