On 12/16/2009 11:01 PM, Bill Barker wrote:
> "André Warnier" <a...@ice-sa.com> wrote in message 
> news:4b294eb6.4090...@ice-sa.com...
>> Martin B. Smith wrote:
>>> Howdy!
>>>
>>> I'm trying to ensure that only specific instances of Apache are allowed 
>>> to proxy requests into my Tomcat 5.5.28 instances. Unfortunately, it 
>>> looks like Tomcat is seeing the actual client IP making the original 
>>> request to Apache. Does anyone have a configuration that only allows 
>>> specific Apache (mod_)proxies to be serviced by Tomcat?
>>>
>> Of course if you are under Linux, you could use iptables to block 
>> requests to port 8009, from hosts you don't like.
>> And if you are under Windows, you could use the Windows firewall or 
>> filtering rules.
>> Probably even more efficient than doing this at the Tomcat level.
> 
> Yes, but if the OP wants to block all access to Tomcat, it is even easier to 
> just not have the worker configured on those Apaches that shouldn't contact 
> it.  As a result, I'm guessing that the OP wants to restrict access to 
> certain webapps.
> 
> The good news is that with the AJP connector, request.getLocalName() returns 
> the name of the Apache server (as specified by the ServerName directive), 
> not the Tomcat server.  And request.getLocalAddr() returns the IP address of 
> request.getLocalName() as it resolves on the Tomcat machine.  With that 
> information it isn't hard to write a Filter that does what you want.  For 
> the truly lazy, it would also be trivial to copy RemoteAddrValve to 
> LocalAddrValve and have it check localAddr instead of remoteAddr. 
> 

André, thank you for the suggestions. I had considered them, but wanted
some additional, more specific protections without going to mod_jk.

Bill, your post is a gem. Indeed, I can always use network ACLs and
iptables and mod_jk, but I was really hoping to do mod_proxy_balancer.
While there are some administrative separations between the programmers
and the system administrators that prevent me from writing servlets on
top of Tomcat, this is a nice tip.

Thanks.
-- 
Martin B. Smith
smit...@ufl.edu - (352) 273-1374
CNS/Open Systems Group
University of Florida

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
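Bill's suggestion above, as an added example (not code from the thread or from Tomcat itself): a servlet Filter that checks request.getLocalAddr() against an allowlist of the Apache proxies permitted to reach a given webapp. The init-param name "allow" and the class name are assumptions; the addresses must be the ones the Apache ServerName values resolve to on the Tomcat host.

```java
// Added example: a Filter that only serves requests whose AJP-supplied local
// address matches one of the Apache proxies listed in the "allow" init-param.
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class LocalAddrFilter implements Filter {
    // Hypothetical init-param name: comma-separated list of proxy addresses,
    // as the Apache ServerName values resolve on the Tomcat machine.
    private static final String ALLOW_PARAM = "allow";
    private final Set<String> allowed = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        String allow = config.getInitParameter(ALLOW_PARAM);
        if (allow == null || allow.trim().length() == 0) {
            // Fail closed: refuse to deploy without an explicit allowlist.
            throw new ServletException("LocalAddrFilter: init-param '"
                    + ALLOW_PARAM + "' is required");
        }
        for (String addr : allow.split(",")) {
            allowed.add(addr.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        // Over the AJP connector, getLocalAddr() is the address of the Apache
        // ServerName (resolved on the Tomcat host), not Tomcat's own address.
        String localAddr = req.getLocalAddr();
        if (localAddr == null || !allowed.contains(localAddr)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        allowed.clear();
    }
}
```

Register it in the webapp's web.xml with a <filter> element whose <init-param> named allow lists the proxy addresses, and a <filter-mapping> of /* so the check applies per webapp, which is what the original poster wanted. Because the local address comes from the AJP peer, this complements the iptables or firewall rules André mentioned rather than replacing them.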
