
Tomcat 10 (10.1.16): how to allow access to the host-manager app from localhost and the local network, but not from the internet?


I'm using Tomcat 10 (10.1.16) and I have 2 instances of the web server running on Fedora 39, which I installed on my Raspberry Pi 4 Model B.

Tomcat instances:

  1. For home, personal projects and some Java development.
  2. For internet, to expose my finished web sites and web services/APIs.

For the first instance, I want to enable access to the host manager only for localhost and local network IPs.

For the second instance, I want to enable access to the host manager only for localhost and local network IPs, but I want the other apps deployed there to be accessible through the internet to the general public. What is the most secure way to achieve this without compromising performance?

What I know and did so far:

On both instances I just commented out the "Valve" tag in the file $TOMCAT_INSTANCE/webapps/host-manager/META-INF/context.xml

<!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /> -->

But this leaves both instances completely exposed and accessible to local traffic and internet traffic.

I understand that I need to change the allow attribute in the Valve tag but I'm not very good with regular expressions.

Also, am I following best practices in how my system is structured? I would appreciate some guidelines or feedback.

How I structured the instances on Linux:

Users:

root: Holds the Tomcat bin and lib folders. As specified here: Tomcat - CATALINA_BASE and CATALINA_HOME variables

userhome: ENV variables that point to root $CATALINA_HOME. No sudo privileges. No port redirect on the router.

userprod: ENV variables that point to root $CATALINA_HOME. No sudo privileges. Router port redirect from external 80 to internal 9090.

On Fedora firewalld port 8080 is open for local TCP traffic (source: 192.168.1.0/24). Port 9090 is open for TCP traffic from any source.

Thanks for the help.


Solution

  • I found a possible solution that works.

    On the second instance, I changed the name of the index.jsp file in the folder $TOMCAT_INSTANCE/webapps/ROOT/index.jsp so it won't be accessible to anyone on the internet.

    On the manager and host-manager apps I removed the commented tag and changed the Valve to allow local network traffic (|192\.168\.1\.\d+).

    Files changed:

    $TOMCAT_INSTANCE/webapps/manager/META-INF/context.xml

    $TOMCAT_INSTANCE/webapps/host-manager/META-INF/context.xml

    The Valve on both apps now looks like this:

    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.1\.\d+" />
    

    Restarted the Tomcat server and now it works as expected.

    I found this solution on a comment here: Access Tomcat Manager App from different host

    Hope this helps someone with a similar configuration problem.
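As an added example (not part of the question or the answer above), the following Python script checks the allow expression from the answer the way Tomcat's RemoteAddrValve evaluates it: the valve applies the regex to the whole remote address (Java's Matcher.matches()), so re.fullmatch is the right emulation, and an address that only partially matches is denied. It also shows the same policy written as a CIDR list for org.apache.catalina.valves.RemoteCIDRValve, which takes comma-separated networks in its allow attribute and avoids hand-written regexes entirely. The sample addresses are constructed, and the CIDR list, the helper names and the IPv4-mapped IPv6 test case are my assumptions, not something the poster's setup was confirmed to produce.

```python
import ipaddress
import re

# Allow value exactly as used in the answer above (context.xml of manager/host-manager).
# Tomcat's RemoteAddrValve compiles this with java.util.regex and calls matches(),
# so the entire remote address string has to match one alternative.
ALLOW_REGEX = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.1\.\d+"

# Assumed equivalent for RemoteCIDRValve (allow="127.0.0.0/8,::1/128,192.168.1.0/24").
# This is an alternative to the regex valve, not what the answer used.
ALLOW_CIDRS = ["127.0.0.0/8", "::1/128", "192.168.1.0/24"]


def remote_addr_valve_allows(addr: str, allow: str = ALLOW_REGEX) -> bool:
    """Emulate RemoteAddrValve with only 'allow' set: deny unless the whole address matches."""
    return re.fullmatch(allow, addr) is not None


def remote_cidr_valve_allows(addr: str, cidrs=ALLOW_CIDRS) -> bool:
    """Emulate RemoteCIDRValve with only 'allow' set: deny unless the address is inside a listed network."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Not a syntactically valid address: a CIDR check can only reject it.
        return False
    # ip_network.__contains__ returns False (no exception) when the IP versions differ.
    return any(ip in net for net in networks)


def remote_cidr_valve_xml(cidrs=ALLOW_CIDRS) -> str:
    """Render the RemoteCIDRValve element you would paste into META-INF/context.xml instead of the regex valve."""
    return ('<Valve className="org.apache.catalina.valves.RemoteCIDRValve"\n'
            '       allow="%s" />' % ",".join(cidrs))


def check(addrs):
    """Return {address: (regex_valve_allows, cidr_valve_allows)} for a list of remote addresses."""
    return {a: (remote_addr_valve_allows(a), remote_cidr_valve_allows(a)) for a in addrs}


# Constructed sample remote addresses: loopback in three spellings, a LAN host,
# a host on a neighbouring subnet, two internet addresses, an IPv4-mapped IPv6
# address (what some dual-stack connectors report for IPv4 peers), and a string
# that the loose \d+ in the regex accepts although it is not a valid address.
SAMPLE_ADDRS = [
    "127.0.0.1",
    "::1",
    "0:0:0:0:0:0:0:1",
    "192.168.1.42",
    "192.168.2.42",
    "10.0.0.7",
    "8.8.8.8",
    "::ffff:192.168.1.42",
    "192.168.1.999",
]

if __name__ == "__main__":
    print(remote_cidr_valve_xml())
    for addr, (by_regex, by_cidr) in check(SAMPLE_ADDRS).items():
        print(f"{addr:>22}  RemoteAddrValve={'allow' if by_regex else 'deny '}  "
              f"RemoteCIDRValve={'allow' if by_cidr else 'deny '}")
```

Two things the output makes visible that the context.xml alone does not: the regex denies 192.168.2.42 and every internet address because the whole string must match (no need to anchor with ^ and $), and the ::ffff:192.168.1.42 form matches neither rule, so if the access log on the 9090 instance shows LAN clients in that form, the allow list has to cover it too. Both valves look at the TCP peer address; that is the real client here because the router forwards port 80 straight to 9090, but if a reverse proxy were ever placed in front, every request would appear to come from the proxy and the valve would have to be combined with RemoteIpValve or the check moved to the proxy.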