Cannot access Tomcat from outside network

 
Greenhorn
Posts: 7
Hello everyone,

I'm seeking some help with a Tomcat server.

I have an OVH server (Windows 2012 R2) with 2 network interfaces:
- WAN ( 151.X.X.X )
- LAN ( 172.16.0.0 )

These two URLs work!

http://172.16.0.6:8080/iComTest/servlet/conn
http://localhost:8080/iComTest/servlet/conn


But I need to access http://151.X.X.X/iComTest/servlet/conn! And it doesn't work!

My server.xml:




Furthermore, I set an inbound rule in the Windows Firewall allowing port 8080!


When I do an nmap scan, I get this: 8080/tcp filtered http-proxy

So I'm really confused.

I would really appreciate some help on this topic!

Best regards,

Hugo

 
Greenhorn
Posts: 2
You should alter

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           address="0.0.0.0"
           redirectPort="8443" />

to suit the URL http://151.X.X.X/
 
Hugo Tisseau
Greenhorn
Posts: 7
Hello java one,

I didn't understand your reply well; can you be more precise, please?

Should I do that?



Best regards,

Hugo
 
java one
Greenhorn
Posts: 2
Because your URL has no port number; meanwhile, your Connector port="" is null, too.
 
Hugo Tisseau
Greenhorn
Posts: 7
Hello java one,

Excuse me, but I didn't understand what you said to me.

Best regards,

Hugo
 
Saloon Keeper
Posts: 18800
Welcome to the JavaRanch, Hugo!

When a web client (such as a browser) submits a URL request, that request has to have 2 target components: the IP address/servername of the receiving server and the port number.

By convention, the port number will be port 80. To override it, you add the port to the server component of the URL. For example, "http://www.coderanch.com:8080".

When the client looks up (resolves) a domain name address using DNS, the local machine "hosts" file or any of several other such mechanisms, the resolution returns ONLY the IP address. DNS has nowhere to store the port ID and thus the default ports (80 and 443) are hard-coded into the client.

There are several ways to route an HTTP request to Tomcat without having to have the client explicitly request some other port number. Most commonly a proxy server, such as IIS, Apache, Nginx, etc. will be configured to re-route requests targeting ports 80/443 to the Tomcat ports - either the standard HTTP(S) ports (8080/8443) or the proxy pipeline port (8009). There are also other mechanisms, such as fronting the server with a hardware proxy device and for some OS's, such as Linux, you can also do the re-routing via the IP filter/translator (iptables).

You can also simply edit the Connector statements in Tomcat's server.xml file to actually listen on ports 80 and 443, but that's not something I recommend. For one thing, to listen on those ports an application must be running with high privileges, which means that Tomcat would be a potential vector for taking over the entire machine.

A proxy server* is the most flexible option. It allows a single entry point for multiple webapps, including non-Java webapps (.Net, PHP, python and so forth). Plus it offers URL rewriting options so that each webapp can have its own URL instead of using a URL context. So, for example www.myhost.fr/app1 and www.myhost.fr/app2 might become app1.myhost.fr and app2.myhost.fr or even salesportal.myhost.fr.

===
*Technically, an inbound proxy is a reverse proxy, but most people in the business will know what you mean.
 
Hugo Tisseau
Greenhorn
Posts: 7
Hi Tim Holloway,

Thanks for your reply and your advice!

So, what should I do in my current configuration?

My client wants to access through http://151.X.X.X:8080/iComTest/servlet/conn to http://172.16.0.6:8080/iComTest/servlet/conn.

You have my server.xml file in my previous post.

Best regards,

Hugo
 
Tim Holloway
Saloon Keeper
Posts: 18800
If you can access via the 172.16.0.6 IP address but not the 151.x.x.x IP address, then probably you need to open a firewall.

A secondary possibility would be if the server running Tomcat wasn't the machine whose IP address was 151.x.x.x. In that case, the 151.x.x.x machine would have to proxy requests over to the Tomcat server machine (this is common for a DMZ configuration and it's what I do). Some intelligent front-end equipment, including some routers, can also do the proxying job without the need for a physical server machine at 151.x.x.x.
 
Hugo Tisseau
Greenhorn
Posts: 7
Hi Tim Holloway,

Yes, as I said before, port 8080 is filtered. But I opened it in the Windows Firewall.

It doesn't work, so I tried to disable the Windows Firewall, but I still can't access http://151.X.X.X/iComTest/servlet/conn!

Even with the Windows Firewall disabled, port 8080 stays filtered in an nmap scan.

Best regards,

Hugo
 
Tim Holloway
Saloon Keeper
Posts: 18800
The URL http://151.X.X.X/iComTest/servlet/conn does not send to port 8080. It has no explicit port number, so the default port (80) is the target. You need http://151.X.X.X:8080/iComTest/servlet/conn

Check the Tomcat server using the netstat command. I think it's "netstat -an" for Windows. See if port 8080 is open, which it probably is.

In that event, make sure that the Tomcat machine actually IS assigned IP address 151.X.X.X. Use the "ipconfig" command to list the interfaces. If the machine doesn't own that IP address, nothing else will work. A net route /show command may also be useful.

If the machine is assigned IP address 151.X.X.X but doesn't respond on port 8080, revert your server.xml to the version that comes in the original Tomcat zip file to get rid of any Connector or Valve restrictions you might have added. Then double-check the firewall to make sure that port 8080 is open for that particular IP address. Firewalls can be customized to allow only specific port/ip address combinations so it's important that you have everything set right.
 
Hugo Tisseau
Greenhorn
Posts: 7
Yes, sorry, I use that URL: http://151.X.X.X:8080/iComTest/servlet/conn.

Port 8080 is open.

The Tomcat machine has the right IP address.

I will check the server.xml file.

The firewall is disabled but the port 8080 is still filtered.

Best regards,

Hugo
 
Tim Holloway
Saloon Keeper
Posts: 18800
I just did a quick memory refresh on nmap. When it says "filtered", that means that a firewall blocked it. Presumably it sent back a "reject" message instead of simply dropping the request - which should theoretically be the same as not listening on the port at all.

So check the firewall. Until it's happy, Tomcat settings won't matter.

It is possible that Tomcat's server.xml was altered to send back a "filtered/rejected" indication, but the default server.xml will not do that. You'd have to have modified it.
 
Hugo Tisseau
Greenhorn
Posts: 7
Hi Tim Holloway,

Yes, but I disabled the firewall and the port is still filtered.

I don't find what is blocking the port.

Best regards,

Hugo
 
Tim Holloway
Saloon Keeper
Posts: 18800
There's no easy way to tell from here, then. I suggest you find a local networking expert who can determine where the choke point is.
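
The checks discussed in this thread (does the host own the address, is anything listening on the port, is the listener bound to that address, what does the outside scan report) can be combined into one decision, shown here as an added example that is not part of any post. The netstat sample is constructed, and 203.0.113.10 is a documentation address standing in for the masked 151.X.X.X.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8005         0.0.0.0:0              LISTENING
  TCP    172.16.0.6:8080        172.16.0.9:51544       ESTABLISHED
  TCP    [::]:8080              [::]:0                 LISTENING
"""

# Local address and port of LISTENING TCP rows; IPv6 appears as [addr]:port.
LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")

def listeners(netstat_text, port):
    """Return the local addresses holding a LISTENING TCP socket on `port`."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_ROW.match(line)
        if m and int(m.group(2)) == port:
            found.append(ipaddress.ip_address(m.group(1).strip("[]")))
    return found

def covers(bound, target):
    """True if a socket bound to `bound` accepts traffic addressed to `target`.
    Conservative: an IPv6 listener is not assumed to serve IPv4 clients."""
    if bound.version != target.version:
        return False
    return bound.is_unspecified or bound == target

def diagnose(netstat_text, local_ips, target_ip, port, scan_state):
    """local_ips: addresses listed by ipconfig; scan_state: port state seen from outside."""
    if target_ip not in local_ips:
        return "NOT_LOCAL_ADDRESS"      # another device owns the IP and must forward
    bound = listeners(netstat_text, port)
    if not bound:
        return "NOT_LISTENING"          # Tomcat down, or Connector on another port
    target = ipaddress.ip_address(target_ip)
    if not any(covers(b, target) for b in bound):
        return "WRONG_BIND_ADDRESS"     # Connector address= limits the interface
    if scan_state == "open":
        return "REACHABLE"              # remaining suspects: URL, port, context path
    # Listener is correct but probes never reach it: a packet filter sits between
    # the scanner and the socket (host firewall, or a device/provider upstream).
    return "BLOCKED_BEFORE_TOMCAT"
```

With the situation described in the last posts (address assigned to the host, port listening on all interfaces, scan still reporting filtered), `diagnose` returns `BLOCKED_BEFORE_TOMCAT`, which is why further changes to server.xml would not help.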
 