kjkoster
14-08-2008, 14:06
Dear All,
Tomcat has the option to bind its HTTP connectors to specific interfaces. This is useful for multi-homed machines, and in certain instances for locking down Tomcat instances.
A connector will bind to all available IP addresses by default. In order to limit a connector to a single local IP address, add the "address" attribute on the Connector tag. This is documented in Tomcat's reference documentation (http://tomcat.apache.org/tomcat-6.0-doc/config/http.html).
You'd use this in two situations: one is for multi-homed servers, where you want Tomcat to only listen to a certain IP address and not all of them.
The second situation is to lock down Tomcat, so that it only accepts connections from the local host. To do so, add address="127.0.0.1" to the Connector tag of your HTTP connection. It may look like this afterwards:
<Connector port="8080" address="127.0.0.1" maxHttpHeaderSize="8192"
maxThreads="15" minSpareThreads="2" maxSpareThreads="7"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"
compression="on" compressionMinSize="0"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml" />
Use netstat(1) (http://www.freebsd.org/cgi/man.cgi?query=netstat) to check how Tomcat is bound to your network interfaces.
% netstat -na | grep 8080
tcp46 0 0 *.8080 *.* LISTEN
% _
And this is what it looks like when Tomcat is only listening to the local host:
% netstat -na | grep 8080
tcp4 0 0 127.0.0.1.8080 *.* LISTEN
% _
As you can see, it is no longer listening to *.8080, but only to 127.0.0.1.8080. Incidentally, it also no longer accepts IPv6 connections. Only IPv4 connections are accepted. The line now starts with tcp4 instead of tcp46.
The Tomcat that is embedded in JBoss uses this attribute. As you may know, JBoss instances are bound to localhost only by default. This allows you to play around with it and configure the JBoss instance before you expose it to the world wide web.
Kees Jan
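As an added example that is not part of the post above, here is a POSIX shell function that reads netstat -na output and reports whether the listener on a given TCP port is bound to loopback only or to an address reachable from other hosts. It understands both the BSD layout shown in the post ("*.8080", "127.0.0.1.8080") and the Linux "0.0.0.0:8080" / ":::8080" layout; the sample lines in the script are constructed from the post's output.

```sh
#!/bin/sh
# Added example (not from the original post): classify the listening sockets
# on a TCP port from `netstat -na` output, to confirm that a Tomcat connector
# carrying address="127.0.0.1" really is bound to loopback only.

# bind_scope PORT  reads netstat output on stdin and prints one of:
#   none      - nothing is listening on PORT
#   loopback  - every listener on PORT is bound to 127.0.0.1 or ::1
#   exposed   - at least one listener on PORT is bound to "*", 0.0.0.0, ::
#               or a specific non-loopback interface address
bind_scope() {
    port="$1"
    awk -v port="$port" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            laddr = $4
            # local address ends in ".PORT" (BSD) or ":PORT" (Linux)
            if (laddr !~ ("[.:]" port "$")) next
            addr = laddr
            sub("[.:]" port "$", "", addr)
            seen = 1
            if (addr == "127.0.0.1" || addr == "::1") loop = 1
            else exposed = 1
        }
        END {
            if (!seen) print "none"
            else if (exposed) print "exposed"
            else print "loopback"
        }'
}

# Constructed sample lines in the BSD format the post shows.
SAMPLE_OPEN='tcp46 0 0 *.8080 *.* LISTEN'
SAMPLE_LOCAL='tcp4 0 0 127.0.0.1.8080 *.* LISTEN'

# Stand-alone demo: `sh tomcat-bind-check.sh --demo` (hypothetical file name).
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_OPEN"  | bind_scope 8080   # exposed
    printf '%s\n' "$SAMPLE_LOCAL" | bind_scope 8080   # loopback
fi
```

On a real host, source the script and run `netstat -na | bind_scope 8080`; anything other than "loopback" means the connector is still reachable from the network.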