Tomcat Behind Proxy: How to Block Direct Access
As discussed in my last post, after installing and configuring Nginx as the reverse proxy for Tomcat, it is necessary to block remote access to the port Tomcat itself serves (8080 by default); otherwise clients can simply bypass the proxy. iptables is one way to do this. A simpler way is to change a single attribute in Tomcat's server configuration so that Tomcat accepts connections only from the local host.
With Tomcat 7 on Ubuntu, the configuration file is /var/lib/tomcat7/conf/server.xml. Add address="127.0.0.1" to the relevant Connector element, as follows:
<Connector executor="tomcatThreadPool" address="127.0.0.1" port="8080" protocol="HTTP/1.1" connectionTimeout="20000" maxKeepAliveRequests="100" proxyPort="80"/>
The address attribute specifies which IP address the Connector listens on. According to the Tomcat 7 documentation:
“For servers with more than one IP address, this attribute specifies which address will be used for listening on the specified port. By default, this port will be used on all IP addresses associated with the server. A value of 127.0.0.1 indicates that the Connector will only listen on the loopback interface.”
Restart Tomcat after the change and confirm with ss -ltn (or netstat -ltn) that port 8080 is listed only on 127.0.0.1; a second Connector without the address attribute, or one bound to the IPv6 wildcard [::], would still be reachable remotely.
Although simpler, this approach is far less flexible than iptables, which offers much finer control: it can block or allow access from specific remote hosts, cover multiple ports, and apply to services other than Tomcat. For a complex environment with complicated requirements, iptables is the better choice. The two are also complementary: binding to loopback keeps the port closed even if the firewall rules are flushed, and a firewall rule keeps it closed even if someone later adds a Connector without the address attribute.
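The following script is an added example, not code from the original post. It does two things the text above describes: it checks listener output in the format of ss -ltn to confirm that the connector port is bound only to loopback (the address="127.0.0.1" approach), and it prints the iptables and ip6tables rules that enforce the same restriction at the host firewall, optionally allowing one remote host. The function names, the port variable and the sample listener lines are assumptions constructed for the example; 192.0.2.10 is a documentation address standing in for a real admin host.

```shell
#!/bin/sh
# Added example (not from the original post): verify that Tomcat's connector
# port is only reachable via loopback, and generate the iptables rules that
# enforce the same policy at the host level.

# check_loopback_only PORT
# Reads `ss -ltnH`-style listener lines from stdin. Returns 0 if every socket
# on PORT is bound to 127.0.0.1 or [::1], 1 if any is reachable from outside
# (0.0.0.0, [::], '*' or a specific interface address).
check_loopback_only() {
    port="$1"
    bad=0
    while read -r state recvq sendq laddr rest; do
        [ "${laddr##*:}" = "$port" ] || continue   # some other port, skip
        addr="${laddr%:*}"
        case "$addr" in
            127.0.0.1|'[::1]') ;;                  # loopback only: fine
            *) echo "port $port bound to $addr: reachable remotely" >&2
               bad=1 ;;
        esac
    done
    return "$bad"
}

# iptables_rules PORT [ALLOWED_HOST]
# Prints rules that accept PORT on the loopback interface (and from one
# optional remote host) and drop it from everywhere else. IPv6 rules are
# printed too, because iptables alone does nothing for a [::] listener.
# Review, then pipe into `sh` as root to apply.
iptables_rules() {
    port="$1"; allowed="$2"
    echo "iptables -A INPUT -i lo -p tcp --dport $port -j ACCEPT"
    if [ -n "$allowed" ]; then
        echo "iptables -A INPUT -p tcp -s $allowed --dport $port -j ACCEPT"
    fi
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    echo "ip6tables -A INPUT -i lo -p tcp --dport $port -j ACCEPT"
    echo "ip6tables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed sample of `ss -ltn` output (not a real capture): Tomcat bound to
# loopback only, alongside nginx on 0.0.0.0:80.
SAMPLE_OK='LISTEN 0 100 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*'
# The same host before the address attribute was added: 8080 is wide open.
SAMPLE_BAD='LISTEN 0 100 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*'

if printf '%s\n' "$SAMPLE_OK" | check_loopback_only 8080; then
    echo "sample 1: Tomcat listens on loopback only"
fi
if ! printf '%s\n' "$SAMPLE_BAD" | check_loopback_only 8080; then
    echo "sample 2: Tomcat is exposed; firewall rules that would close it:"
    iptables_rules 8080 192.0.2.10
fi
# On a real host run: ss -ltnH | check_loopback_only 8080
```

The check only inspects the listening sockets, so it catches a wildcard or IPv6 bind that the server.xml edit missed; the printed rules are appended with -A, so on a host that already has an INPUT policy they should be inserted ahead of any broader ACCEPT rule (for example with -I) or they will never match.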