Tomcat Behind Proxy: How to Block Direct Access

As discussed in my last post, after installing and configuring Nginx as the reverse proxy server for Tomcat, it is necessary to block remote access to the original port served by Tomcat. iptables is one good solution. A simpler one is to change a single line in the Tomcat server configuration file so that Tomcat accepts connections only from the local host.

With Tomcat 7 on Ubuntu, the configuration file is /var/lib/tomcat7/conf/server.xml. Just add address="127.0.0.1" to the relevant Connector section as follows:


    <!-- address="127.0.0.1" binds this HTTP connector to the loopback interface only -->
    <Connector executor="tomcatThreadPool" address="127.0.0.1" port="8080"
               protocol="HTTP/1.1" connectionTimeout="20000"
               maxKeepAliveRequests="100" proxyPort="80"/>

The address attribute specifies which IP address the server listens on. According to the Tomcat 7 documentation:

"For servers with more than one IP address, this attribute specifies which address will be used for listening on the specified port. By default, this port will be used on all IP addresses associated with the server. A value of 127.0.0.1 indicates that the Connector will only listen on the loopback interface."
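After restarting Tomcat it is worth confirming that port 8080 really is bound to the loopback address only, rather than trusting the edit. The following shell function is an added example, not code from the original post: it reads the output of `ss -ltn` (the sample below is constructed to look like that output and stands in for a live run) and reports any listener on the given port whose local address is not loopback.

```shell
#!/bin/sh
# Added example: check that a TCP port is bound only to loopback.
# Constructed sample of `ss -ltn` output; on a real host replace it with
# the live command, e.g.  ss -ltn | non_loopback_listeners 8080
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:80           0.0.0.0:*
LISTEN  0      100    127.0.0.1:8080       0.0.0.0:*
LISTEN  0      1      127.0.0.1:8005       0.0.0.0:*'

# non_loopback_listeners PORT  (reads ss output on stdin)
# Prints every non-loopback local address listening on PORT.
# Returns 0 when the port is loopback-only or not listening, 1 otherwise.
non_loopback_listeners() {
    port="$1"
    found=0
    while read -r state recvq sendq local peer rest; do
        [ "$state" = "LISTEN" ] || continue      # skip the header line
        addr="${local%:*}"                       # everything before the last ':'
        lport="${local##*:}"                     # everything after the last ':'
        [ "$lport" = "$port" ] || continue
        case "$addr" in
            127.*|"[::1]"|::1) ;;                # loopback: fine
            *) echo "$addr"; found=1 ;;          # 0.0.0.0, [::], * or a NIC address
        esac
    done
    return $found
}

# check_port PORT "<ss output>"  -- convenience wrapper over a captured string
check_port() {
    printf '%s\n' "$2" | non_loopback_listeners "$1"
}

# With the sample above, 8080 is loopback-only and 80 (Nginx) is exposed.
check_port 8080 "$SAMPLE_SS" && echo "8080: loopback only"
check_port 80 "$SAMPLE_SS"   || echo "80: reachable from other hosts (expected for Nginx)"
```

The check treats anything other than 127.x or ::1 as exposed, so a connector bound to a specific NIC address is flagged too, which is what you want when the only intended client is the proxy on the same machine. Remember that the Tomcat shutdown port (8005 in the sample) should likewise stay on loopback.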

Although simpler, this approach is not nearly as flexible as iptables, which gives much finer control, for example blocking or allowing access from specific remote hosts. iptables also works across multiple ports and is not limited to Tomcat. If you have a complex environment with complicated requirements, iptables is the better choice.
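As an added illustration of that finer control (this is example code, not from the original post), the script below builds the iptables rule set for Tomcat's port: accept connections arriving on the loopback interface, accept each trusted network passed on the command line, and drop everything else. It assumes Nginx runs on the same host and proxies to 127.0.0.1:8080, so its upstream traffic arrives on `lo`; the 10.0.0.0/24 admin network is a constructed placeholder. `DRY_RUN=1` prints the commands instead of executing them, which is also how the rule list can be reviewed without root.

```shell
#!/bin/sh
# Added example: restrict a Tomcat port with iptables while keeping the
# local Nginx reverse proxy working. Set DRY_RUN=1 to print instead of apply.

# run_rule "<iptables command>": print it (dry run) or execute it (root).
run_rule() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$1"
    else
        $1      # word-split the command string and execute it
    fi
}

# tomcat_port_rules PORT [CIDR ...]
# Rule order matters: the first match wins, so the ACCEPT rules come
# before the final DROP for the same port.
tomcat_port_rules() {
    port="$1"; shift
    run_rule "iptables -A INPUT -p tcp --dport $port -i lo -j ACCEPT"
    for cidr in "$@"; do
        run_rule "iptables -A INPUT -p tcp --dport $port -s $cidr -j ACCEPT"
    done
    run_rule "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Helpers for inspecting the generated rule set without root.
rule_count() { DRY_RUN=1 tomcat_port_rules "$@" | wc -l | tr -d ' '; }
first_rule() { DRY_RUN=1 tomcat_port_rules "$@" | head -n 1; }
last_rule()  { DRY_RUN=1 tomcat_port_rules "$@" | tail -n 1; }

# Example run: loopback plus one admin network (constructed placeholder).
DRY_RUN=1 tomcat_port_rules 8080 10.0.0.0/24
```

Two caveats when applying this for real. `-A` appends, so if the INPUT chain already contains a broad ACCEPT rule earlier on, these rules are never reached; check `iptables -L INPUT -n --line-numbers` and use `-I INPUT <n>` to insert above it if needed. The rules are also not persistent across reboots on their own, and a dual-stack host needs the equivalent `ip6tables` rules, since the address="127.0.0.1" connector setting and these IPv4 rules say nothing about the IPv6 listener.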


    Me: Steve Jin, VMware vExpert who authored the VMware VI and vSphere SDK by Prentice Hall, and created the de facto open source vSphere Java API while working at VMware engineering. Companies like Cisco, EMC, NetApp, HP, Dell, VMware, are among the users of the API and other tools I developed for their products, internal IT orchestration, and test automation.