Author Topic: Apache<->Tomcat Instead of firewalling Tomcat:8080 bind it to 127.0.0.1  (Read 11027 times)

Wessel

  • Newbie
  • *
  • Posts: 18
  • Karma: 2
    • View Profile
Hi,
In the steps of putting Apache in front of Tomcat we use mod_jk.
However if we use the default settings on tomcat, it binds to 0.0.0.0 exposing the 8080 port for the world to exploid.

Now we can put a firewall in front of it but that;s way to brutal.
Binding Tomcat to 127.0.0.1 instead of 0.0.0.0 solves this problem elegantly.
Now apache mod_jk can reach the tomcat server and pull its pages out there as requests come in on the apache webserver.
But nobody from outside can reach the 8080 port any more.
( i know this works with unix/linux, i have no clue if Windows understands a lo interface )

Go to the follow lines in your tomcat setup:
Code: [Select]
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009"
               enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

And change it into:
Code: [Select]
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" address="127.0.0.1"
               enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

And the HTTP port:
Code: [Select]
<Connector port="8080"  protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" />

into
Code: [Select]
<Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" />
PLEASE NOTE!!! Once you bind it to 127.0.0.1 you cant reach it any more from outside with your InternetExplorer! as this is the whole purpose of this excersise :-D
Use a ssh tunnel like:
ssh -L 8080:127.0.0.1:8080 <your remote host with Queuemetrics & tomcat >
now you can look at it again with http://127.0.0.1/

Now do the same with the cmd port:
Code: [Select]
<Server port="8005" address="127.0.0.1" shutdown="SHUTDOWN">

Then follow all the steps of the mod_jk
MAKE SURE YOUR Acces the worker also on localhost:
Code: [Select]
worker.ajp13_worker.port=8009
worker.ajp13_worker.host=localhost
worker.ajp13_worker.type=ajp13

Enjoy!
        Wessel

QueueMetrics

  • Loway
  • Hero Member
  • *
  • Posts: 2999
  • Karma: 39
    • View Profile
    • QueueMetrics
Nice tutorial!
I'd go for a firewall anyway, just in case  :D