For now, I just decided to delete all the webapps except mine (tomee, manager, host...), and that does the trick for me, since I'm not using those right now.

One day, I would like to consider Apache httpd, Tomcat AJP, and APR, so I can have the best possible performance.

On Sun, Dec 9, 2012 at 5:26 PM, Howard W. Smith, Jr. <smithh032...@gmail.com> wrote:

> Jonathan,
>
> Thanks for the detailed response. Yes, you're right, I want port 4848 (tomee/admin web apps) only available to myself (LAN), and port 8080 (business webapp) available to LAN and WAN.
>
> I've done a lot of reading about apache httpd and tomcat, and for the most part, I read that it's not necessary to run the two together, so I have not done that yet (as I am new to Tomcat/TomEE), but if it is highly recommended, then I might give it a try. Right now, TomEE is serving dynamic web page content (JSF web app) to a small number of users at the present. Hopefully, in the near future, the same web app (and tomEE) will possibly serve static as well as dynamic web page content to customers.
>
> Most of what you mentioned below, I read recently (within the last 2 or 3 hours) in Tomcat docs, since Romain advised me to look there.
>
> Right now, I have no need for the tomee web app, and the other admin apps, but I might find use for them in the near future. So, for right now, if I could have tomee/admin web apps only on 4848 and business web app on 8080, then I'm fine with that. Also, I have no need for load balancing at the present, but may have a need for that some time in the future.
>
> It's interesting how much I'm learning by talking to and interfacing with Apache committers and users. Learning a lot...and loving it! :)
>
> Thanks,
> Howard
>
> On Sun, Dec 9, 2012 at 4:26 PM, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>
>> Hi Howard,
>>
>> Sounds like you want to make your application available on http://localhost:8080/myapp, and have the usual Tomcat / TomEE administrative applications available via http://localhost:4848/[tomee|manager|etc]. Similarly, you don't want http://localhost:4848/myapp or http://localhost:8080/[tomee|manager|etc] to work, with the overall goal being to restrict access to the admin apps to just your machine, or users on your LAN - is that correct?
>>
>> I have a couple of suggestions:
>>
>> You might be able to achieve this by defining different connectors, engines and hosts in server.xml. I haven't done it myself, but I'm happy to give it a try, document it and provide a sample config if that would be helpful. I found a couple of questions on StackOverflow trying to do something similar, albeit with Tomcat 6, that might be helpful:
>>
>> http://stackoverflow.com/questions/8823290/how-to-run-different-apps-on-single-tomcat-instance-behind-different-ports
>> http://stackoverflow.com/questions/4366843/how-to-deploy-mutiple-web-application-in-tomcat-which-will-run-on-different-port
>>
>> I have a couple of alternative suggestions as well, that might be useful.
>>
>> First is to try the RemoteAddressFilter valve: http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter - we used to use this within the TomEE .war file to restrict access from everywhere except localhost. Everything would still be available on port 8080, but access to specific apps would be allowed or blocked based on IP address.
>>
>> Alternatively, if you don't need the TomEE and Tomcat webapps, you can remove them (take a backup first!). To remove the TomEE webapp, copy the jars from $CATALINA_HOME/webapps/tomee/WEB-INF/lib and $CATALINA_HOME/webapps/tomee/lib to $CATALINA_HOME/lib and then remove the webapp (more info here: http://tomee.apache.org/tomee-webapp.html). The other webapps can safely be removed unless you are using them.
>>
>> The downside to this is that remote EJB invocation via HTTP won't work (i.e. if you are using a RemoteInitialContextFactory with a http://localhost:8080/tomee/ejb URL). You can still use this mechanism from within your own webapp if you wish by adding this to your web.xml:
>>
>> <servlet>
>>   <servlet-name>ServerServlet</servlet-name>
>>   <servlet-class>org.apache.openejb.server.httpd.ServerServlet</servlet-class>
>> </servlet>
>> <servlet-mapping>
>>   <servlet-name>ServerServlet</servlet-name>
>>   <url-pattern>/ejb</url-pattern>
>> </servlet-mapping>
>>
>> You can then use http://localhost:8080/myapp/ejb to access your EJBs remotely.
>>
>> One final suggestion - use Apache httpd in front of TomEE and use mod_proxy to proxy to your app running on Tomcat's AJP port. Firewall off access to TomEE completely to the outside world, and only allow httpd to serve up your app. There are loads of options in the Apache httpd server to configure access control, and you can also use httpd to load balance several Tomcat instances as well if you wish. You can also serve up static parts of your webapp directly from httpd rather than forwarding from Tomcat, which can be quicker. I could knock up an example configuration of this as well if that would be helpful - if you're currently allowing users straight on to port 8080, this option might be worth a look.
>>
>> I'd be interested if others also put Apache httpd in front of Tomcat as well or not.
>>
>> Hope that helps!
>>
>> Jon
>>
>> On Sun, Dec 9, 2012 at 8:35 PM, Howard W. Smith, Jr. <smithh032...@gmail.com> wrote:
>>
>>> Sorry, I don't understand. The following is in my server.xml, I added the port 4848, but if I go to localhost:4848 and localhost:8080 in my browser, then I'm seeing the same 'tomcat' page that has a way for hackers to click on TomEE Gui, Server Status, Manager App, and Host manager. I only want to see that page when accessing localhost:4848, I do not want to see that page when accessing localhost:8080.
>>>
>>> <Connector port="8080" protocol="HTTP/1.1"
>>>            connectionTimeout="20000"
>>>            redirectPort="8443" />
>>> <!-- A "Connector" using the shared thread pool-->
>>> <Connector executor="tomcatThreadPool"
>>>            port="4848" protocol="HTTP/1.1"
>>>            connectionTimeout="20000"
>>>            redirectPort="8443" />
>>>
>>> On Sun, Dec 9, 2012 at 11:30 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>>
>>>> Just look at the tomcat site. Basically connector(s) ports and shutdown port (<Server> and <Connector>)
>>>>
>>>> On 9 Dec 2012 17:26, "Howard W. Smith, Jr." <smithh032...@gmail.com> wrote:
>>>>
>>>>> Can you reply with a URL or two that advises how to configure server.xml? thanks.
>>>>>
>>>>> On Sun, Dec 9, 2012 at 11:23 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>>>>
>>>>>> That's right, tomee webapp only serves for default ejbd (remote ejb transport).
>>>>>>
>>>>>> For port just update server.xml
>>>>>>
>>>>>> On 9 Dec 2012 17:20, "Howard W. Smith, Jr." <smithh032...@gmail.com> wrote:
>>>>>>
>>>>>>> Romain,
>>>>>>>
>>>>>>> I have TomEE 1.5.1 running on production server, and I am getting hack-attempts late at night (midnight) by someone, trying to login to 'admin' acct of TomEE (tomcat7). I have a strong password and a different admin-user-name in place.
>>>>>>>
>>>>>>> I really would like to change configuration to put the tomee app on localhost:4848 (port 4848) instead of port 80 or 8080.
>>>>>>>
>>>>>>> I have not been successful at this yet. I think I read in tomee or tomcat7 user guide, that I can delete the tomee app? I can also delete manager/etc apps as well, so they won't even be served. Right?
>>>>>>>
>>>>>>> Howard
>>>>>>>
>>>>>>> On Tue, Nov 27, 2012 at 6:06 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>>>>>>
>>>>>>>> By default in dev mode you should get tomee user (but only to access tomee webapp, not tomcat one)
>>>>>>>>
>>>>>>>> if you set openejb.profile to something else (system property) you'll need to define it explicitly
>>>>>>>>
>>>>>>>> Romain Manni-Bucau
>>>>>>>> Twitter: @rmannibucau <https://twitter.com/rmannibucau>
>>>>>>>> Blog: http://rmannibucau.wordpress.com/
>>>>>>>> LinkedIn: http://fr.linkedin.com/in/rmannibucau
>>>>>>>> Github: https://github.com/rmannibucau
>>>>>>>>
>>>>>>>> 2012/11/27 Howard W. Smith, Jr. <smithh032...@gmail.com>
>>>>>>>>
>>>>>>>>> Wow, check this out. I'm so glad that you all ship tomee.xml with all users/passwords 'commented out'! :)
>>>>>>>>>
>>>>>>>>> Nov 27, 2012 5:48:05 AM org.apache.catalina.realm.LockOutRealm authenticate
>>>>>>>>> WARNING: An attempt was made to authenticate the locked user "manager"
>>>>>>>>> Nov 27, 2012 5:48:05 AM org.apache.catalina.realm.LockOutRealm authenticate
>>>>>>>>> WARNING: An attempt was made to authenticate the locked user "manager"
>>>>>>>>> Nov 27, 2012 5:48:06 AM org.apache.catalina.realm.LockOutRealm authenticate
>>>>>>>>> WARNING: An attempt was made to authenticate the locked user "role1"
>>>>>>>>> Nov 27, 2012 5:48:06 AM org.apache.catalina.realm.LockOutRealm authenticate
>>>>>>>>> WARNING: An attempt was made to authenticate the locked user "role1"
>>>>>>>>> Nov 27, 2012 5:48:07 AM org.apache.catalina.realm.LockOutRealm authenticate
>>>>>>>>> WARNING: An attempt was made to authenticate the locked user "root"
>>>>>>>>> Nov 27, 2012 5:48:07 AM org.apache.catalina.realm.LockOutRealm authenticate
>>>>>>>>> WARNING: An attempt was made to authenticate the locked user "root"
>>>>>>>>> Nov 27, 2012 5:48:07 AM org.apache.catalina.realm.LockOutRealm authenticate
>>>>>>>>> WARNING: An attempt was made to authenticate the locked user "root"
>>>>>>>>> Nov 27, 2012 5:48:08 AM org.apache.catalina.realm.LockOutRealm authenticate
>>>>>>>>> WARNING: An attempt was made to authenticate the locked user "tomcat"
>>>>>>>>> Nov 27, 2012 5:48:08 AM org.apache.catalina.realm.LockOutRealm authenticate
>>>>>>>>> WARNING: An attempt was made to authenticate the locked user "tomcat"
>>>>>>>>> Nov 27, 2012 5:48:09 AM org.apache.catalina.realm.LockOutRealm authenticate
>>>>>>>>> WARNING: An attempt was made to authenticate the locked user "both"
>>>>>>>>> Nov 27, 2012 5:48:09 AM org.apache.catalina.realm.LockOutRealm authenticate
>>>>>>>>> WARNING: An attempt was made to authenticate the locked user "both"
>>>>>>>>> Nov 27, 2012 5:48:09 AM org.apache.catalina.realm.LockOutRealm authenticate
>>>>>>>>> WARNING: An attempt was made to authenticate the locked user "both"
>>>>>>>>>
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:47:58 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:00 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:00 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:00 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:00 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:01 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:01 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:01 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:01 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:01 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:02 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:02 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:02 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:02 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:02 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:03 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:03 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:03 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:03 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:03 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:04 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:04 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:04 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:04 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:04 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:05 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:05 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:05 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:05 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:05 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:06 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:06 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:06 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:06 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:06 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:07 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:07 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:07 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:07 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:07 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:08 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:08 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:08 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:08 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:08 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:09 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:09 -0500] "HEAD /manager/html HTTP/1.0" 401 -
>>>>>>>>> 88.191.100.2 - - [27/Nov/2012:05:48:09 -0500] "HEAD /manager/html HTTP/1.0" 401 -
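The thread above shows what a credential-guessing run against the Tomcat manager app looks like from the server side: a burst of `HEAD /manager/html` requests from one address answered with 401, and `LockOutRealm` warnings for each default username the tool cycles through. The following is an added example, not code from the thread or from Tomcat/TomEE, showing how to turn those two log sources into a detection: it parses access-log lines in the common format shown above and the `WARNING: An attempt was made to authenticate the locked user` lines from catalina.out, flags any source IP that produces a threshold number of 401s against admin context paths inside a sliding window, and tallies which usernames were tried. The sample lines are constructed to mirror the posted ones; the admin path list, the threshold and the window are assumptions to tune for your site.

```python
"""Flag brute-force attempts against Tomcat/TomEE admin apps from log lines.

Added example (not from the mailing-list thread). Parses Tomcat access-log
lines in the common format shown in the thread, plus catalina.out
LockOutRealm warnings. ADMIN_PREFIXES, threshold and window are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Tomcat "common" access log: ip ident user [ts] "method path proto" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Second line of each LockOutRealm event in catalina.out
LOCKOUT_RE = re.compile(
    r'WARNING: An attempt was made to authenticate the locked user "(?P<user>[^"]+)"'
)
# Assumption: context paths of the admin apps shipped with Tomcat / TomEE
ADMIN_PREFIXES = ("/manager", "/host-manager", "/tomee")


def parse_access(line):
    """Return a dict with ip, ts (aware datetime), path, status; None if unparsable."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def find_bruteforce(access_lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: total_admin_401s} for every IP that hit `threshold` or more
    401s on admin paths within any `window`-long sliding interval."""
    per_ip = defaultdict(list)
    for line in access_lines:
        rec = parse_access(line)
        if rec and rec["status"] == 401 and rec["path"].startswith(ADMIN_PREFIXES):
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it spans at most `window`
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def guessed_users(catalina_lines):
    """Count LockOutRealm warnings per username (the attacker's wordlist)."""
    counts = Counter()
    for line in catalina_lines:
        m = LOCKOUT_RE.search(line)
        if m:
            counts[m.group("user")] += 1
    return counts


# Constructed sample data modelled on the lines posted in the thread:
# one legitimate app request, one stray 401, and a 12-request burst.
SAMPLE_ACCESS = [
    '192.168.1.20 - - [27/Nov/2012:05:47:50 -0500] "GET /myapp/ HTTP/1.1" 200 5120',
    '10.0.0.5 - - [27/Nov/2012:05:47:55 -0500] "GET /manager/html HTTP/1.1" 401 -',
] + [
    f'88.191.100.2 - - [27/Nov/2012:05:48:{s:02d} -0500] "HEAD /manager/html HTTP/1.0" 401 -'
    for s in range(12)
]
SAMPLE_CATALINA = [
    "Nov 27, 2012 5:48:05 AM org.apache.catalina.realm.LockOutRealm authenticate",
    'WARNING: An attempt was made to authenticate the locked user "manager"',
    "Nov 27, 2012 5:48:05 AM org.apache.catalina.realm.LockOutRealm authenticate",
    'WARNING: An attempt was made to authenticate the locked user "manager"',
    "Nov 27, 2012 5:48:07 AM org.apache.catalina.realm.LockOutRealm authenticate",
    'WARNING: An attempt was made to authenticate the locked user "root"',
]

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_ACCESS).items():
        print(f"brute force suspected from {ip}: {n} admin 401s")
    print("usernames tried:", dict(guessed_users(SAMPLE_CATALINA)))
```

Run against the real logs by feeding `open("localhost_access_log.2012-11-27.txt")` and `open("catalina.out")` to the two functions. The LockOutRealm warnings are worth alerting on by themselves: they only appear once the realm has already locked a user after repeated failures, so they are a low-noise signal even when the access log is rotated or not kept. The 401s, on the other hand, fire on every probe, which makes them the right input for blocking the source at the firewall or in httpd if you put it in front of TomEE as suggested in the thread.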