How to configure access to manager application?

 
Greenhorn
Posts: 5
Hi,

I am running my tomcat instance with apache in front of it.
Because of this, a webapp "myapp" is accessible like this:


To achieve this, I use proxy directives in my apache virtual host configuration:


I have secured my web apps within the apache configuration:


However, my app is still accessible like this:


In this case, the application is accessible without password!
To forbid access to this address from the internet, I restricted the connector to 127.0.0.1:


When I do this, nearly everything is ok:
The apps are still available through myhost.com/myapp and access through port 8080 is not allowed anymore.

But: The tomcat manager app is also not reachable anymore from the internet.

What would be a suitable configuration, so that my apps are not reachable through myhost:8080, and that the manager app is still available?

Thank you very much
Magnus
 
Ranch Hand
Posts: 417
Hello,

I have exactly the same setup with multiple prod apps.

1) Use a VPN or ssh tunnel to access manager remotely. An ssh tunnel is much simpler.

2) You may also consider firewall rules and allowing specific IP addresses to access manager but if you aren't familiar with it, solution 1 is much simpler.

P.S. I use solution 2 but it is more complicated security-wise. You have to make sure nobody can ever access manager at large. I can access manager only from specific IP addresses and only using TLS (https) going through an apache reverse-proxy and mod_security filtering. If in doubt, please use solution 1.
 
A.J. Côté
Ranch Hand
Posts: 417
oh, without firewall rules you could use apache like it was some kind of firewall:




 
Magnus Warker
Greenhorn
Posts: 5
Thank you very much!

Could you please provide more detailed info on how to access the manager app via VPN/SSH?
Do I have to change the apache configuration or the tomcat configuration? And how?
A minimal example would be really helpful.

Thanks
Magnus
 
A.J. Côté
Ranch Hand
Posts: 417
Do you already have an ssh server running on your webserver?

e.g. can you remotely control your server through ssh logins?

What type of server are you using? OS, etc.
 
Magnus Warker
Greenhorn
Posts: 5
Hello,

it's a Debian system with sshd running. I can login using ssh. But ssh is a commandline interface, I don't know how to get the manager app into my browser... #-)
If I get this running with SSH, I'd prefer that.

But in the meantime, I tried another approach, based on your apache directives:



Here, I changed the path you used from "/" to "/tom". I need this, because the root directory is already redirected to another subdirectory.

Then, when I go to mydomain.com/tom, I get the tomcat start page ("It works!").

When I then click on the link "manager webapp", it brings me to mydomain.com/manager/html.
But this is a wrong URL, the "/tom" part is missing.

When I correct this path and go to mydomain.com/tom/manager/html, I see the correct manager web app ("Tomcat Web Application Manager").
However, again, all the links on this page are wrong.

For example, when I try to undeploy a webapp, I again get an error:

The requested URL /manager/html/undeploy;jsessionid=D7CD3E7573C049C44E8CBAB27CE94C68 was not found on this server.



So, somehow it works, but I am missing some fine tuning. What's wrong here?

Magnus
 
A.J. Côté
Ranch Hand
Posts: 417
Well, this would work better but would leave manager accessible from everywhere on the internet.

2 proxy pass directives are valid:



Just use ssh like this instead to connect to the server from your machine:
ssh -L8080:127.0.0.1:8080 your_server_ip

This (-L8080:127.0.0.1:8080) creates a secure tunnel between your machine and the server.

Then, on your machine just go:
http://127.0.0.1:8080/manager

The connection will be redirected to 127.0.0.1:8080 on the server using the ssh secure and encrypted tunnel so, no need to make manager accessible to everybody. You need ssh access to access manager in this setup.


 
Magnus Warker
Greenhorn
Posts: 5
Rock'n roll!!! :-)))

Many thanks, this is cool!

Magnus
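
Added example, not part of the original thread: the SSH-tunnel setup only protects the manager app if every Tomcat connector is bound to loopback, so this sketch audits a `server.xml` for connectors still reachable directly (bypassing the Apache password). The sample XML is constructed, and treating a missing `address` attribute as "all interfaces" is a conservative assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread): one connector bound
# to loopback, one with no address attribute, one bound to all interfaces.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
    <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0" />
  </Service>
</Server>
"""


def is_loopback(address):
    """True only if the bind address is an explicit loopback address."""
    if address is None:
        # Assumption: no address attribute means "all interfaces".
        return False
    if address.strip().lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address.strip()).is_loopback
    except ValueError:
        return False  # hostname or garbage: flag for manual review


def audit_connectors(server_xml_text):
    """Return (port, protocol, address, loopback_only) for each Connector."""
    root = ET.fromstring(server_xml_text)
    findings = []
    for conn in root.iter("Connector"):
        address = conn.get("address")
        findings.append((conn.get("port"), conn.get("protocol", "HTTP/1.1"),
                         address, is_loopback(address)))
    return findings


def exposed_ports(server_xml_text):
    """Ports whose connector is not restricted to loopback."""
    return [p for p, _, _, ok in audit_connectors(server_xml_text) if not ok]


if __name__ == "__main__":
    for port, proto, addr, ok in audit_connectors(SAMPLE_SERVER_XML):
        status = "loopback only" if ok else "REACHABLE beyond localhost"
        print(f"port {port:>5} {proto:<10} address={addr or '(unset)'}: {status}")
```

Any port this reports as exposed can be reached without going through Apache, so its webapps, including manager, are not covered by the Apache authentication.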
 