Restrict access to Tomcat manager by IP
I'm trying to restrict all the requests to my Tomcat manager which don't come from my IP.

So far, I found that adding a Valve to the server.xml like this:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="IP"/>

will block all requests except the ones coming from "IP" to the whole Tomcat (including the webapps). Does anyone know how to do the same but applying only to the Tomcat manager?

By the way, I'm using Tomcat 7.

Documentary answered 3/11, 2015 at 9:23 Comment(0)

In [tomcat]/conf/Catalina/[hostname] create a file manager.xml.

So if your hostname is www.yourdomainname.com and tomcat is in opt/tomcat7/ that would be:

/opt/tomcat7/conf/Catalina/www.yourdomainname.com/manager.xml

In this newly created manager.xml you put the RemoteAddrValve in the Context:

<Context antiResourceLocking="false" privileged="true" docBase="${catalina.home}/webapps/manager">

   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
          allow="127\.0\.0\.1|11\.22\.33\.44" denyStatus="404" />

</Context>

Separate multiple IP addresses by a pipe character.

I chose denyStatus=404 so possible trespassers won't have a clue there even exists a manager.

Restart Tomcat.


UPDATE 3/2020

If Tomcat sits behind a proxy server, requests will all be coming from that proxy server, so you need to tell the proxy server to forward remote addresses to Tomcat (in Nginx you would include a line proxy_set_header x-forwarded-for $remote_addr;).

In addition you need to tell Tomcat to watch for that forwarded header by including a RemoteIpValve in either an Engine or a Host block:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       requestAttributesEnabled="true" />
Cockroach answered 3/11, 2015 at 15:22 Comment(4)
Works perfectly! Also great addition to deny the status! – Documentary
I just tried this with Tomcat 7.0.64 and 8.0.36 without restarting and they worked. – Casern
How to test this? – Ermines
@Ermines You could request the manager with a browser from an IP address not in the allow list. It should show the 404. – Cockroach

In Tomcat8 I found the RemoteAddrValve already in C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager\META-INF\context.xml, and I just needed to uncomment it...

<Context antiResourceLocking="false" privileged="true" >
  <!--
    Remove the comment markers from around the Valve below to limit access to
    the manager application to clients connecting from localhost
  -->

  <!--<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->

</Context>

I added @acdhirr's suggestion to the valve to deny the status denyStatus="404", and that worked also.

Antonomasia answered 14/3, 2017 at 16:4 Comment(0)
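Both answers above rely on the RemoteAddrValve allow regex, and the 2020 update adds RemoteIpValve for the reverse-proxy case. The script below is an added example, not code from the question, either answer, or Tomcat itself: it emulates the decision logic of those two valves in Python so an allow/deny pattern can be checked offline before the manager is exposed. The RemoteAddrValve part mirrors Tomcat's RequestFilterValve order (a deny match rejects, then an allow match accepts, the pattern must cover the whole address as with Java's Matcher.matches()); the RemoteIpValve part consults X-Forwarded-For only when the TCP peer is an internal or trusted proxy and walks the chain right to left. The internalProxies default is an approximation, and the addresses 10.0.0.5 (the proxy), 11.22.33.44 (the admin, taken from the first answer) and 203.0.113.9 (an outsider) are constructed sample inputs.

```python
import re

# Approximation of RemoteIpValve's default internalProxies
# (RFC 1918 ranges, loopback, link-local). Assumption: the exact default
# differs slightly between Tomcat versions.
INTERNAL_PROXIES = re.compile(
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|169\.254\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
)

# The two allow lists shown in the answers above.
MANAGER_ALLOW = r"127\.0\.0\.1|11\.22\.33\.44"
LOCALHOST_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"


def remote_ip_valve(remote_addr, headers, header="x-forwarded-for",
                    internal_proxies=INTERNAL_PROXIES, trusted_proxies=None):
    """Client address as RemoteIpValve would report it.

    The forwarded header is honoured only when the TCP peer is an internal
    or trusted proxy, so a client connecting directly cannot spoof its
    address by sending the header itself. The chain is walked right to
    left, skipping proxies; the first non-proxy hop is the client. If no
    such hop exists the original peer address is kept.
    """
    def is_proxy(addr):
        return bool(internal_proxies.fullmatch(addr)) or bool(
            trusted_proxies and trusted_proxies.fullmatch(addr))

    if not is_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in headers.get(header, "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_proxy(hop):
            return hop
    return remote_addr


def remote_addr_valve(client_addr, allow=None, deny=None, deny_status=403):
    """Decision of RemoteAddrValve (RequestFilterValve.process).

    A deny match rejects; an allow match accepts; if only a deny list is
    configured everything else is accepted; otherwise the request is
    rejected. Java uses Matcher.matches(), so the regex must cover the
    whole address, hence re.fullmatch. Returns the status the client
    sees (200 meaning "passed through to the manager").
    """
    if deny is not None and re.fullmatch(deny, client_addr):
        return deny_status
    if allow is not None and re.fullmatch(allow, client_addr):
        return 200
    if deny is not None and allow is None:
        return 200
    return deny_status


def decide(remote_addr, headers=None, behind_proxy=False, allow=MANAGER_ALLOW):
    """Run one request through RemoteIpValve (when configured) and then the
    manager's RemoteAddrValve with denyStatus="404" as in the first answer."""
    client = remote_ip_valve(remote_addr, headers or {}) if behind_proxy else remote_addr
    return remote_addr_valve(client, allow=allow, deny_status=404)


if __name__ == "__main__":
    # Constructed sample traffic (see lead-in for what each address stands for).
    cases = [
        ("admin, direct", "11.22.33.44", {}, False, MANAGER_ALLOW),
        ("prefix-only match", "111.22.33.44", {}, False, MANAGER_ALLOW),
        ("unescaped dots in allow", "11x22x33x44", {}, False, "11.22.33.44"),
        ("via proxy, no RemoteIpValve", "10.0.0.5",
         {"x-forwarded-for": "11.22.33.44"}, False, MANAGER_ALLOW),
        ("via proxy, RemoteIpValve", "10.0.0.5",
         {"x-forwarded-for": "11.22.33.44"}, True, MANAGER_ALLOW),
        ("direct client spoofing XFF", "203.0.113.9",
         {"x-forwarded-for": "11.22.33.44"}, True, MANAGER_ALLOW),
        ("spoofed XFF appended by proxy", "10.0.0.5",
         {"x-forwarded-for": "11.22.33.44, 203.0.113.9"}, True, MANAGER_ALLOW),
        ("IPv6 loopback, Tomcat 8 default", "::1", {}, False, LOCALHOST_ALLOW),
    ]
    for name, addr, hdrs, proxied, allow in cases:
        print(f"{name:32s} {addr:>14s} -> {decide(addr, hdrs, proxied, allow)}")
```

Two of the cases are the ones worth remembering. Without RemoteIpValve every request behind the proxy carries the proxy's own address, so the allow list either blocks everyone or, if someone "fixes" that by adding the proxy's address to allow, lets everyone in. And the unescaped-dot case shows why the answers write `127\.0\.0\.1`: a bare `.` in the allow regex matches any character, so the list becomes wider than intended. With the nginx line from the update, `proxy_set_header x-forwarded-for $remote_addr;`, the header is overwritten with the real client address; if `$proxy_add_x_forwarded_for` is used instead, the client's own header value is kept and appended to, which is the "spoofed XFF appended by proxy" case, and RemoteIpValve still picks the right-most non-proxy hop.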

© 2022 - 2024 — McMap. All rights reserved.