Martin B. Smith wrote:
Howdy!

I'm trying to ensure that only specific instances of Apache are allowed to proxy requests into my Tomcat 5.5.28 instances. Unfortunately, it looks like Tomcat is seeing the actual client IP making the original request to Apache. Does anyone have a configuration that only allows specific Apache (mod_)proxies to be serviced by Tomcat?

I will be using other ways to protect Tomcat, but I'd like something inside Tomcat filtering these AJP requests too, and RemoteAddressValve sounds like it should work :)

Yes, but as you noticed, it does use the IP address of the original client.

Here's what I'm using now --

Apache:

    ProxyPass / balancer://foo/ stickysession=JSESSIONID nofailover=On

    <Proxy balancer://foo>
        BalancerMember ajp://host1:1234 route=foo
        BalancerMember ajp://host2:1235 route=foo
    </Proxy>

Tomcat:

    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1,apache-front-end-ip"/>


But with it getting close to Christmas, and me being in the mood for some reindeer and chocolate, I did a bit of detective work for you.

First, there is the simple case where the Apache you want to allow is on the same host, and Apaches on other hosts are not allowed.
In that case, there is the following hack: in your Tomcat AJP connector, set

    address="127.0.0.1"

and have your Apache AJP connectors connect to that address only.

This means that this connector will only be listening on the loopback interface of the machine itself, since only another process on this same machine can connect to that IP address (;-) that's why it is a hack).

Other than that, I found this attribute of the Tomcat AJP Connector:

    request.secret
    Only requests from workers with this secret keyword will be accepted.

(That's in http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html)

That's pretty neat, because in the workers.properties of the Apache mod_jk connector, you can set

    worker.someworker.secret:
    You can set a secret keyword on the Tomcat AJP Connector. Then only requests from workers with the same secret keyword will be accepted. Use request.secret="secret key word" in your Tomcat AJP Connector configuration. If you set a secret on a load balancer, all its members will inherit this secret.
    This feature has been added in jk 1.2.12.

(That's in http://tomcat.apache.org/connectors-doc/reference/workers.html)


Now comes the bummer however: I don't know mod_proxy_ajp, and I don't know if you can set such a secret password at the mod_proxy_ajp level.
But you could always switch to mod_jk...
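As an added example (not the original poster's config and not taken from the list reply), here is how the two measures discussed above fit together in a Tomcat 5.5 server.xml: the AJP connector bound to loopback, plus request.secret for mod_jk. The port, the secret value and the client address range are placeholders chosen for illustration.

```xml
<!-- Added example for a Tomcat 5.5 server.xml; not the list poster's own configuration.
     Assumptions: port 8009, a placeholder secret, and 192.0.2.0/24 as a constructed
     client range (documentation addresses, not a real deployment). -->
<Service name="Catalina">

  <!-- AJP connector: address="127.0.0.1" is the "hack" from the thread. The socket
       is only reachable from processes on this machine, so a remote Apache cannot
       even open the port. request.secret must match worker.<name>.secret on the
       mod_jk side; requests that do not carry it are rejected by Tomcat. -->
  <Connector port="8009"
             protocol="AJP/1.3"
             address="127.0.0.1"
             request.secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"
             enableLookups="false"
             redirectPort="8443"/>

  <Engine name="Catalina" defaultHost="localhost">

    <!-- RemoteAddrValve checks the client address that AJP forwards, i.e. the
         browser's IP, not the front-end Apache's. As the thread notes, it therefore
         cannot restrict which Apache may proxy to Tomcat; use it only to restrict
         end clients. In Tomcat 5.5 "allow" is a comma-separated list of regular
         expressions, so the dots are escaped to avoid matching unrelated addresses. -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="127\.0\.0\.1,192\.0\.2\..*"/>

    <Host name="localhost" appBase="webapps"/>
  </Engine>
</Service>
```

On the mod_jk side the matching line in workers.properties is `worker.someworker.secret=REPLACE-WITH-A-LONG-RANDOM-SECRET` (jk 1.2.12 or later, per the documentation quoted above), and because the connector is bound to loopback the worker must point at 127.0.0.1:8009 rather than a routable address. The example covers mod_jk only; the thread leaves open whether mod_proxy_ajp can send a secret.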