As discussed in my last post, after installing and configuring Nginx as the reverse proxy for Tomcat, it is necessary to block remote access to the port that Tomcat itself serves. iptables is one good way to do this. A simpler solution is to change a single line in the Tomcat server configuration file so that Tomcat accepts requests only from the local host.
With Tomcat 7 on Ubuntu, the configuration file is /var/lib/tomcat7/conf/server.xml. Just add address="127.0.0.1" to the relevant Connector element, as follows:
<Connector executor="tomcatThreadPool" address="127.0.0.1" port="8080" protocol="HTTP/1.1" connectionTimeout="20000" maxKeepAliveRequests="100" proxyPort="80"/>
The address attribute specifies which IP address the server listens on. According to the Tomcat 7 documentation:
“For servers with more than one IP address, this attribute specifies which address will be used for listening on the specified port. By default, this port will be used on all IP addresses associated with the server. A value of 127.0.0.1 indicates that the Connector will only listen on the loopback interface.”
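To confirm that the setting took effect, here is an added shell check (not from the original post) that reads `ss -ltn` style socket listings and reports whether every listener on a given port is bound to the loopback interface; the sample_* functions are constructed sample data standing in for a real `ss -ltn` run.

```shell
#!/bin/sh
# Added example: verify that a Tomcat connector listens only on loopback.
# On a live host: ss -ltn | tomcat_bound_to_loopback 8080

# tomcat_bound_to_loopback PORT: reads `ss -ltn` style lines on stdin.
# Returns 0 if every TCP listener on PORT is on 127.0.0.1 or [::1],
# 1 if any listener on PORT is bound to a non-loopback address,
# 2 if nothing listens on PORT at all.
tomcat_bound_to_loopback() {
    port="$1"
    found=0
    exposed=0
    while read -r state recvq sendq local peer rest; do
        [ "$state" = "LISTEN" ] || continue   # skips the header line too
        # Local address looks like 127.0.0.1:8080, 0.0.0.0:8080, *:8080,
        # [::]:8080 or [::1]:8080; split on the last colon.
        lport="${local##*:}"
        [ "$lport" = "$port" ] || continue
        found=1
        addr="${local%:*}"
        case "$addr" in
            127.0.0.1|\[::1\]) ;;
            *) exposed=1; echo "port $port is exposed on $addr" ;;
        esac
    done
    [ "$found" -eq 1 ] || return 2
    [ "$exposed" -eq 0 ] || return 1
    return 0
}

# Constructed sample: Tomcat bound to loopback as the post recommends.
sample_loopback() {
    printf '%s\n' \
        'State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process' \
        'LISTEN 0      128    127.0.0.1:8080    0.0.0.0:*' \
        'LISTEN 0      128    0.0.0.0:22        0.0.0.0:*' \
        'LISTEN 0      511    *:80              *:*'
}

# Constructed sample: the default Tomcat binding on all interfaces.
sample_exposed() {
    printf '%s\n' \
        'State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process' \
        'LISTEN 0      100    [::]:8080         [::]:*' \
        'LISTEN 0      511    *:80              *:*'
}
```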
Although simpler, this approach is not nearly as flexible as iptables, which allows much finer control, for example blocking or allowing access from specific remote hosts. iptables also works across multiple ports and beyond Tomcat. If you have a complex environment with complicated requirements, iptables is a good choice.