Re: Restrict access to manager app by IP
Thanks a lot for your replies.

For now, I removed the "path" attribute from the Context elements but left the xml file in Catalina/[hostname]. When I have some more time, I will move to within my application (META-INF/context.xml) since that seems to be the consensus here.

Thank you.

On Wed, Sep 7, 2016 at 8:45 PM, Mark Thomas <ma...@apache.org> wrote:

> On 07/09/2016 18:43, Jeffrey Janner wrote:
> >
> >> -----Original Message-----
> >> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> >> Sent: Tuesday, September 06, 2016 12:30 PM
> >> To: Tomcat Users List <users@tomcat.apache.org>
> >> Subject: Re: Restrict access to manager app by IP
> >>
> > Yuval,
> >
> > On 9/2/16 9:29 AM, Yuval Schwartz wrote:
> >>>> Thanks. I'll give it a shot and let you guys know how it goes. Any
> >>>> input on whether I should put this in my applications context.xml
> >>>> or in my [host] directory?
> >
> > I would do it in the application. Unless you have a particular reason
> > to manually-place the application's context.xml file into
> > conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.
> >
> > -chris
> >
> >> Chris -
> >
> >> Isn't the Tomcat "/manager" an app separate from the user's webapp? Thus
> >> the need for the manager.xml in conf/[engine]/[host] directory?
>
> It is an application like any other so you can use:
>
> $CATALINA_BASE/webapps/manager/META-INF/context.xml
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Restrict access to manager app by IP
On 07/09/2016 18:43, Jeffrey Janner wrote:
>
>> -----Original Message-----
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Sent: Tuesday, September 06, 2016 12:30 PM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: Restrict access to manager app by IP
>>
> Yuval,
>
> On 9/2/16 9:29 AM, Yuval Schwartz wrote:
>>>> Thanks. I'll give it a shot and let you guys know how it goes. Any
>>>> input on whether I should put this in my applications context.xml
>>>> or in my [host] directory?
>
> I would do it in the application. Unless you have a particular reason
> to manually-place the application's context.xml file into
> conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.
>
> -chris
>
>> Chris -
>
>> Isn't the Tomcat "/manager" an app separate from the user's webapp? Thus
>> the need for the manager.xml in conf/[engine]/[host] directory?

It is an application like any other so you can use:

$CATALINA_BASE/webapps/manager/META-INF/context.xml

Mark
RE: Restrict access to manager app by IP
> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, September 06, 2016 12:30 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Restrict access to manager app by IP
>
> Yuval,
>
> On 9/2/16 9:29 AM, Yuval Schwartz wrote:
> > Thanks. I'll give it a shot and let you guys know how it goes. Any
> > input on whether I should put this in my applications context.xml
> > or in my [host] directory?
>
> I would do it in the application. Unless you have a particular reason
> to manually-place the application's context.xml file into
> conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.
>
> -chris

Chris -

Isn't the Tomcat "/manager" an app separate from the user's webapp? Thus the need for the manager.xml in conf/[engine]/[host] directory?

Yuval: what you were proposing is the way I have done it. Just make sure you specify the regular expression correctly.

Jeff

> > On Fri, Sep 2, 2016 at 4:24 PM, Kreuser, Peter
> > <pkreu...@airplus.com> wrote:
> >
> >> Hi Yuval,
> >>
> >>> -----Original Message-----
> >>> From: Yuval Schwartz [mailto:yuval.schwa...@gmail.com]
> >>> Sent: Friday, 2 September 2016 13:28
> >>> To: Tomcat Users List
> >>> Subject: Restrict access to manager app by IP
> >>>
> >>> Tomcat: 8.0.22
> >>> JDK: 1.8.0_05
> >>>
> >>> Hello,
> >>>
> >>> I am currently running a web application.
> >>>
> >>> I would like to restrict access to the manager app (it is currently
> >>> being hit by spammers every so often who are unable to connect
> >>> (get a message "...an attempt was made to authenticate the locked
> >>> user")).
> >>>
> >>> I was thinking of adding a "manager.xml" file to
> >>> $CATALINA_BASE/conf/[enginename]/[hostname]/
> >>> that will contain the following context container:
> >>>
> >>> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> >>> allow="[my_ip]"/>
> >>>
> >>> Is this the correct way to achieve my goal of limiting access to the
> >>> manager app to only my IP.
> >>>
> >>> Of course, I do not want the rest of my webapp's access limited (which
> >>> is on the ROOT path). I only want access to the manager app limited.
> >>>
> >>> (I know I can also place the context container in my webapp's
> >>> META-INF/context.xml file, is there any preference to doing this
> >>> over what I suggested above?)
> >>>
> >>> Thank you
> >>>
> >>
> >> That's the proposed solution for it. I don't think that you need
> >> the docbase - unless you don't use the default location.
> >>
> >> I think you will have to quote the . in the ip with backslash, like
> >> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> >> allow="10\.100\.17\.33|10\.100\.88\.92" />
> >>
> >> Best regards
> >>
> >> Peter
Re: Restrict access to manager app by IP
Mark,

On 9/6/16 2:23 PM, Mark Thomas wrote:
> On 06/09/2016 18:29, Christopher Schultz wrote:
>> Yuval,
>>
>> On 9/2/16 9:29 AM, Yuval Schwartz wrote:
>>> Thanks. I'll give it a shot and let you guys know how it goes.
>>> Any input on whether I should put this in my applications
>>> context.xml or in my [host] directory?
>>
>> I would do it in the application. Unless you have a particular
>> reason to manually-place the application's context.xml file into
>> conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.
>
> Tomcat no longer copies context.xml by default.

Even better: there's no confusion over which file will take effect, then.

-chris

>>> On Fri, Sep 2, 2016 at 4:24 PM, Kreuser, Peter wrote:
>>>
>>>> Hi Yuval,
>>>>
>>>>> -----Original Message-----
>>>>> From: Yuval Schwartz [mailto:yuval.schwa...@gmail.com]
>>>>> Sent: Friday, 2 September 2016 13:28
>>>>> To: Tomcat Users List
>>>>> Subject: Restrict access to manager app by IP
>>>>>
>>>>> Tomcat: 8.0.22
>>>>> JDK: 1.8.0_05
>>>>>
>>>>> Hello,
>>>>>
>>>>> I am currently running a web application.
>>>>>
>>>>> I would like to restrict access to the manager app (it is
>>>>> currently being hit by spammers every so often who are unable to
>>>>> connect (get a message "...an attempt was made to authenticate
>>>>> the locked user")).
>>>>>
>>>>> I was thinking of adding a "manager.xml" file to
>>>>> $CATALINA_BASE/conf/[enginename]/[hostname]/ that will contain
>>>>> the following context container:
>>>>>
>>>>> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>>>> allow="[my_ip]"/>
>>>>>
>>>>> Is this the correct way to achieve my goal of limiting
>>>>> access to the manager app to only my IP.
>>>>>
>>>>> Of course, I do not want the rest of my webapp's access
>>>>> limited (which is on the ROOT path). I only want access to the
>>>>> manager app limited.
>>>>>
>>>>> (I know I can also place the context container in my
>>>>> webapp's META-INF/context.xml file, is there any preference to
>>>>> doing this over what I suggested above?)
>>>>>
>>>>> Thank you
>>>>>
>>>> That's the proposed solution for it. I don't think that you need
>>>> the docbase - unless you don't use the default location.
>>>>
>>>> I think you will have to quote the . in the ip with backslash, like
>>>> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>>> allow="10\.100\.17\.33|10\.100\.88\.92" />
>>>>
>>>> Best regards
>>>>
>>>> Peter
Re: Restrict access to manager app by IP
On 06/09/2016 18:29, Christopher Schultz wrote:
> Yuval,
>
> On 9/2/16 9:29 AM, Yuval Schwartz wrote:
>> Thanks. I'll give it a shot and let you guys know how it goes. Any
>> input on whether I should put this in my applications context.xml
>> or in my [host] directory?
>
> I would do it in the application. Unless you have a particular reason
> to manually-place the application's context.xml file into
> conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.

Tomcat no longer copies context.xml by default.

Mark

>
> -chris
>
>> On Fri, Sep 2, 2016 at 4:24 PM, Kreuser, Peter wrote:
>>
>>> Hi Yuval,
>>>
>>>> -----Original Message-----
>>>> From: Yuval Schwartz [mailto:yuval.schwa...@gmail.com]
>>>> Sent: Friday, 2 September 2016 13:28
>>>> To: Tomcat Users List
>>>> Subject: Restrict access to manager app by IP
>>>>
>>>> Tomcat: 8.0.22
>>>> JDK: 1.8.0_05
>>>>
>>>> Hello,
>>>>
>>>> I am currently running a web application.
>>>>
>>>> I would like to restrict access to the manager app (it is currently
>>>> being hit by spammers every so often who are unable to connect
>>>> (get a message "...an attempt was made to authenticate the locked
>>>> user")).
>>>>
>>>> I was thinking of adding a "manager.xml" file to
>>>> $CATALINA_BASE/conf/[enginename]/[hostname]/
>>>> that will contain the following context container:
>>>>
>>>> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>>> allow="[my_ip]"/>
>>>>
>>>> Is this the correct way to achieve my goal of limiting access to the
>>>> manager app to only my IP.
>>>>
>>>> Of course, I do not want the rest of my webapp's access limited (which
>>>> is on the ROOT path). I only want access to the manager app
>>>> limited.
>>>>
>>>> (I know I can also place the context container in my webapp's
>>>> META-INF/context.xml file, is there any preference to doing this
>>>> over what I suggested above?)
>>>>
>>>> Thank you
>>>>
>>> That's the proposed solution for it. I don't think that you need
>>> the docbase - unless you don't use the default location.
>>>
>>> I think you will have to quote the . in the ip with backslash, like
>>> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>> allow="10\.100\.17\.33|10\.100\.88\.92" />
>>>
>>> Best regards
>>>
>>> Peter
Re: Restrict access to manager app by IP
Yuval,

On 9/2/16 9:29 AM, Yuval Schwartz wrote:
> Thanks. I'll give it a shot and let you guys know how it goes. Any
> input on whether I should put this in my applications context.xml
> or in my [host] directory?

I would do it in the application. Unless you have a particular reason to manually-place the application's context.xml file into conf/[engine]/[host]/[app].xml, allow Tomcat to do that for you.

-chris

> On Fri, Sep 2, 2016 at 4:24 PM, Kreuser, Peter wrote:
>
>> Hi Yuval,
>>
>>> -----Original Message-----
>>> From: Yuval Schwartz [mailto:yuval.schwa...@gmail.com]
>>> Sent: Friday, 2 September 2016 13:28
>>> To: Tomcat Users List
>>> Subject: Restrict access to manager app by IP
>>>
>>> Tomcat: 8.0.22
>>> JDK: 1.8.0_05
>>>
>>> Hello,
>>>
>>> I am currently running a web application.
>>>
>>> I would like to restrict access to the manager app (it is currently
>>> being hit by spammers every so often who are unable to connect
>>> (get a message "...an attempt was made to authenticate the locked
>>> user")).
>>>
>>> I was thinking of adding a "manager.xml" file to
>>> $CATALINA_BASE/conf/[enginename]/[hostname]/
>>> that will contain the following context container:
>>>
>>> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>> allow="[my_ip]"/>
>>>
>>> Is this the correct way to achieve my goal of limiting access to the
>>> manager app to only my IP.
>>>
>>> Of course, I do not want the rest of my webapp's access limited (which
>>> is on the ROOT path). I only want access to the manager app
>>> limited.
>>>
>>> (I know I can also place the context container in my webapp's
>>> META-INF/context.xml file, is there any preference to doing this
>>> over what I suggested above?)
>>>
>>> Thank you
>>>
>>
>> That's the proposed solution for it. I don't think that you need
>> the docbase - unless you don't use the default location.
>>
>> I think you will have to quote the . in the ip with backslash, like
>> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>> allow="10\.100\.17\.33|10\.100\.88\.92" />
>>
>> Best regards
>>
>> Peter
Re: Restrict access to manager app by IP
On Fri, Sep 2, 2016 at 4:28 AM, Yuval Schwartz wrote:

> Tomcat: 8.0.22
> JDK: 1.8.0_05
>
> Hello,
>
> I am currently running a web application.
>
> I would like to restrict access to the manager app (it is currently being
> hit by spammers every so often who are unable to connect (get a message
> "...an attempt was made to authenticate the locked user")).
>
> I was thinking of adding a "manager.xml" file to
> $CATALINA_BASE/conf/[enginename]/[hostname]/ that will contain the
> following context container:
>
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> allow="[my_ip]"/>
>
> Is this the correct way to achieve my goal of limiting access to the
> manager app to only my IP.
>
> Of course, I do not want the rest of my webapp's access limited (which
> is on the ROOT path). I only want access to the manager app limited.
>
> (I know I can also place the context container in my webapp's
> META-INF/context.xml file, is there any preference to doing this over
> what I suggested above?)
>
> Thank you

Another way to keep them from hammering away with login attempts is to simply rename the manager webapp. Redeploy it to something like /manager123 instead of just /manager and the bots will never find it.

It's obviously security theater, but it works great against scanners.
Re: Restrict access to manager app by IP
Hello Peter,

Thanks. I'll give it a shot and let you guys know how it goes.
Any input on whether I should put this in my applications context.xml or in my [host] directory?

Thank you.

On Fri, Sep 2, 2016 at 4:24 PM, Kreuser, Peter wrote:

> Hi Yuval,
>
> > -----Original Message-----
> > From: Yuval Schwartz [mailto:yuval.schwa...@gmail.com]
> > Sent: Friday, 2 September 2016 13:28
> > To: Tomcat Users List
> > Subject: Restrict access to manager app by IP
> >
> > Tomcat: 8.0.22
> > JDK: 1.8.0_05
> >
> > Hello,
> >
> > I am currently running a web application.
> >
> > I would like to restrict access to the manager app (it is currently
> > being hit by spammers every so often who are unable to connect (get a
> > message "...an attempt was made to authenticate the locked user")).
> >
> > I was thinking of adding a "manager.xml" file to
> > $CATALINA_BASE/conf/[enginename]/[hostname]/
> > that will contain the following context container:
> >
> > <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> > allow="[my_ip]"/>
> >
> > Is this the correct way to achieve my goal of limiting access to the
> > manager app to only my IP.
> >
> > Of course, I do not want the rest of my webapp's access limited (which
> > is on the ROOT path). I only want access to the manager app limited.
> >
> > (I know I can also place the context container in my webapp's
> > META-INF/context.xml file, is there any preference to doing this over what
> > I suggested above?)
> >
> > Thank you
> >
>
> That's the proposed solution for it. I don't think that you need the
> docbase - unless you don't use the default location.
>
> I think you will have to quote the . in the ip with backslash, like
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> allow="10\.100\.17\.33|10\.100\.88\.92" />
>
> Best regards
>
> Peter
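
A check for the point made in the thread that the valve's `allow` value is a regular expression. This is an added example, not code from any poster or from Tomcat: the sample context files, the probe addresses and the 192.168.1.x patterns are constructed, and Python's `re.fullmatch` is assumed to behave like the valve's whole-string Java regex match for patterns this simple. It goes beyond the exact-host pattern in the thread to a subnet pattern, where a glob-style value admits addresses outside the intended range.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"

def allow_patterns(context_xml):
    """Return the allow= regex of every RemoteAddrValve in a context.xml string."""
    root = ET.fromstring(context_xml)
    return [v.get("allow") for v in root.iter("Valve")
            if v.get("className") == VALVE and v.get("allow")]

def is_allowed(pattern, addr):
    # Assumption: the valve admits a client only when the regex matches the
    # whole address string; re.fullmatch stands in for the Java matcher.
    return re.fullmatch(pattern, addr) is not None

def audit(context_xml, should_pass, should_fail):
    """Return (pattern, address, problem) for each probe the pattern gets wrong."""
    findings = []
    for pattern in allow_patterns(context_xml):
        for addr in should_pass:
            if not is_allowed(pattern, addr):
                findings.append((pattern, addr, "blocked, expected allowed"))
        for addr in should_fail:
            if is_allowed(pattern, addr):
                findings.append((pattern, addr, "allowed, expected blocked"))
    return findings

def context(allow):
    # Constructed sample file, not the original poster's manager.xml.
    return ('<Context privileged="true">\n'
            '  <Valve className="%s"\n         allow="%s" />\n</Context>' % (VALVE, allow))

# The escaped pattern quoted in the thread (two exact hosts).
EXACT = context(r"10\.100\.17\.33|10\.100\.88\.92")
# Constructed: a "subnet" written as if * were a shell wildcard.
GLOB_STYLE = context("192.168.1.*")
# Constructed: the same subnet with literal dots and a digits-only last octet.
SUBNET = context(r"192\.168\.1\.\d+")

OUTSIDE = ["192.168.10.20", "192.168.199.7"]  # constructed probes outside 192.168.1.x

if __name__ == "__main__":
    print(audit(EXACT, ["10.100.17.33", "10.100.88.92"], ["10.100.17.34", "110.100.17.33"]))
    print(audit(GLOB_STYLE, ["192.168.1.20"], OUTSIDE))
    print(audit(SUBNET, ["192.168.1.20"], OUTSIDE))
```

An empty list means every probe behaved as intended; the glob-style file is the only one that reports findings, because its unescaped `1.*` also matches `10.20` and `199.7`.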