Jonathan,

Thanks for the detailed response. Yes, you're right, I want port 4848 (tomee/admin web apps) only available to myself (LAN), and port 8080 (business webapp) available to LAN and WAN.

I've done a lot of reading about Apache httpd and Tomcat, and for the most part, I read that it's not necessary to run the two together, so I have not done that yet (as I am new to Tomcat/TomEE), but if it is highly recommended, then I might give it a try. Right now, TomEE is serving dynamic web page content (JSF web app) to a small number of users at present. Hopefully, in the near future, the same web app (and TomEE) will possibly serve static as well as dynamic web page content to customers.

Most of what you mentioned below, I read recently (within the last 2 or 3 hours) in the Tomcat docs, since Romain advised me to look there. Right now, I have no need for the tomee web app and the other admin apps, but I might find use for them in the near future. So, for right now, if I could have the tomee/admin web apps only on 4848 and the business web app on 8080, then I'm fine with that. Also, I have no need for load balancing at present, but may have a need for that some time in the future.

It's interesting how much I'm learning by talking to and interfacing with Apache committers and users. Learning a lot...and loving it! :)

Thanks,
Howard

On Sun, Dec 9, 2012 at 4:26 PM, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:

> Hi Howard,
>
> Sounds like you want to make your application available on http://localhost:8080/myapp, and have the usual Tomcat / TomEE administrative applications available via http://localhost:4848/[tomee|manager|etc]. Similarly, you don't want http://localhost:4848/myapp or http://localhost:8080/[tomee|manager|etc] to work, with the overall goal being to restrict access to the admin apps to just your machine, or users on your LAN - is that correct?
>
> I have a couple of suggestions:
>
> You might be able to achieve this by defining different connectors, engines and hosts in server.xml. I haven't done it myself, but I'm happy to give it a try, document it and provide a sample config if that would be helpful. I found a couple of questions on StackOverflow trying to do something similar, albeit with Tomcat 6, that might be helpful:
>
> http://stackoverflow.com/questions/8823290/how-to-run-different-apps-on-single-tomcat-instance-behind-different-ports
>
> http://stackoverflow.com/questions/4366843/how-to-deploy-mutiple-web-application-in-tomcat-which-will-run-on-different-port
>
> I have a couple of alternative suggestions as well, that might be useful.
>
> First is to try the RemoteAddressFilter valve:
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter
>
> We used to use this within the TomEE .war file to restrict access from everywhere except localhost. Everything would still be available on port 8080, but access to specific apps would be allowed or blocked based on IP address.
>
> Alternatively, if you don't need the TomEE and Tomcat webapps, you can remove them (take a backup first!). To remove the TomEE webapp, copy the jars from $CATALINA_HOME/webapps/tomee/WEB-INF/lib and $CATALINA_HOME/webapps/tomee/lib to $CATALINA_HOME/lib and then remove the webapp (more info here: http://tomee.apache.org/tomee-webapp.html). The other webapps can safely be removed unless you are using them.
>
> The downside to this is that remote EJB invocation via HTTP won't work (i.e. if you are using a RemoteInitialContextFactory with a http://localhost:8080/tomee/ejb URL). You can still use this mechanism from within your own webapp if you wish by adding this to your web.xml:
>
>     <servlet>
>         <servlet-name>ServerServlet</servlet-name>
>         <servlet-class>org.apache.openejb.server.httpd.ServerServlet</servlet-class>
>     </servlet>
>     <servlet-mapping>
>         <servlet-name>ServerServlet</servlet-name>
>         <url-pattern>/ejb</url-pattern>
>     </servlet-mapping>
>
> You can then use http://localhost:8080/myapp/ejb to access your EJBs remotely.
>
> One final suggestion - use Apache httpd in front of TomEE and use mod_proxy to proxy to your app running on Tomcat's AJP port. Firewall off access to TomEE completely to the outside world, and only allow httpd to serve up your app. There are loads of options in the Apache httpd server to configure access control, and you can also use httpd to load balance several Tomcat instances as well if you wish. You can also serve up static parts of your webapp directly from httpd rather than forwarding from Tomcat, which can be quicker. I could knock up an example configuration of this as well if that would be helpful - if you're currently allowing users straight on to port 8080, this option might be worth a look.
>
> I'd be interested if others also put Apache httpd in front of Tomcat as well or not.
>
> Hope that helps!
>
> Jon
>
> On Sun, Dec 9, 2012 at 8:35 PM, Howard W. Smith, Jr. <smithh032...@gmail.com> wrote:
>
> > Sorry, I don't understand. The following is in my server.xml, I added the port 4848, but if I go to localhost:4848 and localhost:8080 in my browser, then I'm seeing the same 'tomcat' page that has a way for hackers to click on TomEE Gui, Server Status, Manager App, and Host Manager. I only want to see that page when accessing localhost:4848, I do not want to see that page when accessing localhost:8080.
> >
> >     <Connector port="8080" protocol="HTTP/1.1"
> >                connectionTimeout="20000"
> >                redirectPort="8443" />
> >     <!-- A "Connector" using the shared thread pool-->
> >     <Connector executor="tomcatThreadPool"
> >                port="4848" protocol="HTTP/1.1"
> >                connectionTimeout="20000"
> >                redirectPort="8443" />
> >
> > On Sun, Dec 9, 2012 at 11:30 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
> >
> > > Just look at the Tomcat site. Basically connector(s) ports and shutdown port (<Server> and <Connector>)
> > >
> > > On 9 Dec 2012 17:26, "Howard W. Smith, Jr." <smithh032...@gmail.com> wrote:
> > >
> > > > Can you reply with a URL or two that advises how to configure server.xml? Thanks.
> > > >
> > > > On Sun, Dec 9, 2012 at 11:23 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
> > > >
> > > > > That's right, the tomee webapp only serves for default ejbd (remote EJB transport).
> > > > >
> > > > > For the port, just update server.xml
> > > > >
> > > > > On 9 Dec 2012 17:20, "Howard W. Smith, Jr." <smithh032...@gmail.com> wrote:
> > > > >
> > > > > > Romain,
> > > > > >
> > > > > > I have TomEE 1.5.1 running on a production server, and I am getting hack attempts late at night (midnight) by someone trying to login to the 'admin' acct of TomEE (tomcat7). I have a strong password and a different admin user name in place.
> > > > > >
> > > > > > I really would like to change the configuration to put the tomee app on localhost:4848 (port 4848) instead of port 80 or 8080.
> > > > > >
> > > > > > I have not been successful at this yet. I think I read in the tomee or tomcat7 user guide that I can delete the tomee app? I can also delete the manager/etc apps as well, so they won't even be served. Right?
> > > > > >
> > > > > > Howard
> > > > > >
> > > > > > On Tue, Nov 27, 2012 at 6:06 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
> > > > > >
> > > > > > > By default in dev mode you should get the tomee user (but only to access the tomee webapp, not the tomcat one)
> > > > > > >
> > > > > > > if you set openejb.profile to something else (system property) you'll need to define it explicitly
> > > > > > >
> > > > > > > Romain Manni-Bucau
> > > > > > > Twitter: @rmannibucau <https://twitter.com/rmannibucau>
> > > > > > > Blog: http://rmannibucau.wordpress.com/
> > > > > > > LinkedIn: http://fr.linkedin.com/in/rmannibucau
> > > > > > > Github: https://github.com/rmannibucau
> > > > > > >
> > > > > > > 2012/11/27 Howard W. Smith, Jr. <smithh032...@gmail.com>
> > > > > > >
> > > > > > > > Wow, check this out. I'm so glad that you all ship tomee.xml with all users/passwords 'commented out'! :)
> > > > > > > >
> > > > > > > > Nov 27, 2012 5:48:05 AM org.apache.catalina.realm.LockOutRealm authenticate
> > > > > > > > WARNING: An attempt was made to authenticate the locked user "manager"
> > > > > > > > Nov 27, 2012 5:48:05 AM org.apache.catalina.realm.LockOutRealm authenticate
> > > > > > > > WARNING: An attempt was made to authenticate the locked user "manager"
> > > > > > > > Nov 27, 2012 5:48:06 AM org.apache.catalina.realm.LockOutRealm authenticate
> > > > > > > > WARNING: An attempt was made to authenticate the locked user "role1"
> > > > > > > > Nov 27, 2012 5:48:06 AM org.apache.catalina.realm.LockOutRealm authenticate
> > > > > > > > WARNING: An attempt was made to authenticate the locked user "role1"
> > > > > > > > Nov 27, 2012 5:48:07 AM org.apache.catalina.realm.LockOutRealm authenticate
> > > > > > > > WARNING: An attempt was made to authenticate the locked user "root"
> > > > > > > > Nov 27, 2012 5:48:07 AM org.apache.catalina.realm.LockOutRealm authenticate
> > > > > > > > WARNING: An attempt was made to authenticate the locked user "root"
> > > > > > > > Nov 27, 2012 5:48:07 AM org.apache.catalina.realm.LockOutRealm authenticate
> > > > > > > > WARNING: An attempt was made to authenticate the locked user "root"
> > > > > > > > Nov 27, 2012 5:48:08 AM org.apache.catalina.realm.LockOutRealm authenticate
> > > > > > > > WARNING: An attempt was made to authenticate the locked user "tomcat"
> > > > > > > > Nov 27, 2012 5:48:08 AM org.apache.catalina.realm.LockOutRealm authenticate
> > > > > > > > WARNING: An attempt was made to authenticate the locked user "tomcat"
> > > > > > > > Nov 27, 2012 5:48:09 AM org.apache.catalina.realm.LockOutRealm authenticate
> > > > > > > > WARNING: An attempt was made to authenticate the locked user "both"
> > > > > > > > Nov 27, 2012 5:48:09 AM org.apache.catalina.realm.LockOutRealm authenticate
> > > > > > > > WARNING: An attempt was made to authenticate the locked user "both"
> > > > > > > > Nov 27, 2012 5:48:09 AM org.apache.catalina.realm.LockOutRealm authenticate
> > > > > > > > WARNING: An attempt was made to authenticate the locked user "both"
> > > > > > > >
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:47:58 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:00 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:00 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:00 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:00 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:01 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:01 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:01 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:01 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:01 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:02 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:02 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:02 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:02 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:02 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:03 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:03 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:03 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:03 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:03 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:04 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:04 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:04 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:04 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:04 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:05 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:05 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:05 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:05 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:05 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:06 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:06 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:06 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:06 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:06 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:07 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:07 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:07 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:07 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:07 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:08 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:08 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:08 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:08 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:08 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:09 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:09 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:09 -0500] "HEAD /manager/html HTTP/1.0" 401 -
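Jonathan's first suggestion (separate connectors, engines and hosts in server.xml) combined with his second (the RemoteAddrValve) is what the thread is circling around, so here is one way to write it out. This is an added example, not a config from the thread, from Jonathan or from the TomEE project: a single server.xml with two Services, so the business webapp deploys only behind the 8080 connector and the admin apps only behind 4848, with 4848 further limited to localhost and the LAN. The names "Admin", "webapps-admin", the access-log prefixes and the 192.168.1.x LAN range are placeholders chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): two Services in one Tomcat/TomEE
     instance. Service "Catalina" serves webapps/ on 8080 (LAN + WAN);
     Service "Admin" serves webapps-admin/ on 4848 (localhost + LAN only). -->
<Server port="8005" shutdown="SHUTDOWN">
  <!-- Keep the <Listener> elements from your existing (TomEE) server.xml here. -->

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- Service 1: the public business webapp only. Nothing in webapps-admin/
       is visible here, so http://host:8080/manager simply does not exist. -->
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <!-- LockOutRealm is the realm that wrote the "locked user" warnings
           quoted earlier in this thread; keep it wrapped around the real realm. -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" />
      </Realm>
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="public_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>

  <!-- Service 2: admin apps only. Move (do not copy) webapps/tomee,
       webapps/manager and webapps/host-manager into webapps-admin/ so they
       stop deploying on 8080. -->
  <Service name="Admin">
    <!-- Optional extra hardening: add address="192.168.1.10" (placeholder for
         the server's LAN interface) so this connector never binds the WAN NIC. -->
    <Connector port="4848" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Engine name="Admin" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" />
      </Realm>
      <Host name="localhost" appBase="webapps-admin"
            unpackWARs="true" autoDeploy="true">
        <!-- "allow" is a regular expression matched against the client IP.
             IPv4 and IPv6 loopback plus a placeholder LAN range; any other
             source gets a 403 before reaching the login prompt. -->
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               allow="127\.0\.0\.1|::1|0:0:0:0:0:0:0:1|192\.168\.1\.\d+" />
        <!-- Separate access log, so admin-port hits (like the /manager/html
             probes in the thread) can be watched on their own. -->
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="admin_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
```

Two caveats to check before relying on this layout. First, Tomcat's Manager application operates on the Host it is deployed in, so a Manager moved into the "Admin" Service lists and controls the apps in webapps-admin/, not the business app on 8080; if you need the Manager to deploy the business app, keep everything in one Service and instead restrict the admin contexts with the RemoteAddrValve (Jonathan's second suggestion) in per-context files such as conf/Catalina/localhost/manager.xml. Second, whether the TomEE webapp (the ejbd-over-HTTP endpoint Romain mentions) still works from a second Engine is an assumption to verify on a test instance, since the thread does not cover it; the ServerServlet mapping Jonathan shows is the fallback if it does not. Either way, the two-Service split means the 8080 access log should never again show 401s for /manager/html, which is a simple thing to alert on.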