I'm using Tomcat 10 (10.1.16) and I have 2 instances of the webserver running on Fedora 39 that I installed on my Raspberry Pi 4 Model B.

Tomcat instances:

  1. For home, personal projects and some Java development.
  2. For internet, to expose my finished web sites and web services/APIs.

For the first instance, I want to enable access to the host manager only for localhost and local network IPs.

For the second instance, I want to enable access to the host manager only for localhost and local network IPs, but I want the other apps deployed there to be accessible through the internet for the general public. What is the most secure way to achieve this without compromising performance?

What I know and did so far:

On both instances I just commented the "Valve" tag on the file $TOMCAT_INSTANCE/webapps/host-manager/META-INF/context.xml

<!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /> -->

But this leaves both instances completely exposed and accessible to local traffic and internet traffic.

I understand that I need to change the allow attribute in the Valve tag but I'm not very good with regular expressions.

Also, am I following best practices in how my system is structured? I would appreciate some guidelines or feedback.

How I structured the instances on Linux:

Users:

root: Holds the Tomcat bin and lib folders, as specified here: Tomcat - CATALINA_BASE and CATALINA_HOME variables

userhome: ENV variables that point to root $CATALINA_HOME. No sudo privileges. No port redirect on the router.

userprod: ENV variables that point to root $CATALINA_HOME. No sudo privileges. Router port redirect from external 80 to internal 9090.

On Fedora firewalld port 8080 is open for local TCP traffic (source: 192.168.1.0/24). Port 9090 is open for TCP traffic from any source.

Thanks for the help.

Best answer:

I found a possible solution that works.

On the second instance, I changed the name of the index.jsp file in the folder $TOMCAT_INSTANCE/webapps/ROOT/index.jsp so it won't be accessible to anyone on the internet.

On the manager and host-manager apps I removed the commented tag and changed the Valve to allow local network traffic (|192\.168\.1\.\d+).

Files changed:

$TOMCAT_INSTANCE/webapps/manager/META-INF/context.xml

$TOMCAT_INSTANCE/webapps/host-manager/META-INF/context.xml

The Valve on both apps now looks like this:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
     allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.1\.\d+" />

Restarted the Tomcat server and now it works as expected.

I found this solution on a comment here: Access Tomcat Manager App from different host

Hope this helps someone with a similar configuration problem.
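As an added illustration (not code from the question or the answer), the script below checks which client addresses the Valve's allow pattern from the answer admits, using full-string matching the way Tomcat's RemoteAddrValve evaluates the pattern (the whole remote address must match, not just a substring). Beside it, the same policy is expressed as CIDR blocks, which is the form org.apache.catalina.valves.RemoteCIDRValve accepts and avoids the regular expression entirely. The sample addresses are constructed for this example.

```python
import ipaddress
import re

# The allow pattern from the accepted answer, copied here for the check.
ANSWER_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.1\.\d+"

# The same policy as CIDR blocks (what RemoteCIDRValve takes in its allow attribute).
CIDR_ALLOW = ["127.0.0.0/8", "::1/128", "192.168.1.0/24"]


def remote_addr_valve_allows(remote_addr, allow=None, deny=None):
    """Decide whether RemoteAddrValve would pass a request.

    Follows the documented rules of the valve: the whole address must match
    (Java matches(), here re.fullmatch); a deny match is checked first and
    rejects; if allow is set, the address must match it to pass; if only deny
    is set, anything not denied passes.
    """
    if allow is None and deny is None:
        raise ValueError("give at least one of allow/deny for this demonstration")
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None:
        return re.fullmatch(allow, remote_addr) is not None
    return True  # deny-only configuration and the address was not denied


def cidr_allows(remote_addr, networks):
    """Same decision using CIDR blocks instead of a regex.

    ipaddress refuses strings that are not real addresses, so a loose regex
    like \\d+ (which admits 192.168.1.256) has no counterpart here.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in networks)


# Constructed sample peer addresses: loopback, LAN, another private subnet,
# a documentation-range public address, and one malformed LAN-looking string.
SAMPLES = [
    "127.0.0.1",
    "::1",
    "0:0:0:0:0:0:0:1",
    "192.168.1.42",
    "192.168.2.42",
    "203.0.113.7",
    "192.168.1.256",
]


def evaluate(samples=SAMPLES):
    """Return {address: (regex_decision, cidr_decision)} for each sample."""
    return {
        a: (remote_addr_valve_allows(a, allow=ANSWER_ALLOW), cidr_allows(a, CIDR_ALLOW))
        for a in samples
    }


if __name__ == "__main__":
    for addr, (by_regex, by_cidr) in evaluate().items():
        print(f"{addr:18} regex={'allow' if by_regex else 'deny':5} cidr={'allow' if by_cidr else 'deny'}")
```

Running it shows that loopback and 192.168.1.x pass under both forms while 192.168.2.42 and the public address are rejected, and that only the regex form admits the malformed 192.168.1.256. The equivalent CIDR configuration would be a Valve with className="org.apache.catalina.valves.RemoteCIDRValve" and allow="127.0.0.0/8, ::1/128, 192.168.1.0/24" in the same context.xml files. With either valve, the address compared is the TCP peer address Tomcat sees; the router port forward in the question preserves that, but if a reverse proxy is ever placed in front of the instance, every request would arrive from the proxy's address and a RemoteIpValve would have to be configured before this check for it to keep meaning anything.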