Merlin Jones

since Nov 07, 2020

Recent posts by Merlin Jones

Hello again.
Thanks for the replies to this post.
I believe the information I have provided was not clear enough.

The Tomcat servers are only accessible via the internal network. However, what I am trying to achieve is to restrict access to the applications (e.g. {$CATALINA_HOME}/webapps) to 2 specific servers. So, any request to the applications should be served only if it comes from server A or B.
Servers A and B work as load balancers for my Tomcat servers. That said, the work I need to do is on the Tomcat servers. I need to find a way where the Tomcats will be open to access the manager page (requesting the login details) for any user (admins and devs have access to the login details), but only reply to webapp requests IF they come from server A or B.

In the Tomcat 9 docs, I found some options such as adding 'Valve className="org.apache.catalina.valves.RemoteAddrValve"' and specifying which IPs are allowed (this in the server.xml file); however, this also restricts access to the manager page. There is also information there saying that, even with the 'valve' added to the server.xml file, any other configuration applied in context.xml (at application level) would supersede the top-level config (in this way, more granular).
But this is not the case. I must be missing something... Any suggestion/idea is much appreciated.

Ta
3 years ago
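A per-application Context descriptor that applies RemoteAddrValve to one webapp only, so the manager application is untouched; this is an added illustration, not configuration from the thread, and the application name and the two addresses for load balancers A and B are placeholders:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example descriptor for a single web application, kept outside the WAR at
     $CATALINA_BASE/conf/Catalina/localhost/myapp.xml so it is not overwritten
     when the WAR (and its META-INF/context.xml) is redeployed.
     Because the valve sits in this Context rather than in the Engine or Host
     element of server.xml, it does not affect /manager.
     "myapp", 10.0.0.11 and 10.0.0.12 are placeholders. -->
<Context>
  <!-- RemoteAddrValve matches the client IP against a Java regular expression:
       dots are escaped and alternatives are joined with "|".
       Requests from any other address receive HTTP 403. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="10\.0\.0\.11|10\.0\.0\.12"
         denyStatus="403" />
</Context>
```

The valve checks the TCP peer address, so with load balancers in front it is the balancer's own IP that is compared, which is exactly the restriction described above.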
Hello all.

It was a very tiny detail.... a comma

-o, --options <list>    comma-separated list of mount options
So mount -t cifs //sambaserverexample/sambasharesexample  /mount/test -o user=usertest,context="system_u:object_r:httpd_sys_content_t:s0"
3 years ago
Hello all,

I have a webserver (nginx) running on CentOS 7.
I need to mount shares of a Samba server on a Samba client, and have the content served by nginx.
samba-client, samba-common and cifs-utils are installed on this server.

On my research, I found out that the SELinux context for nginx is "system_u:object_r:httpd_sys_content_t:s0".
I have set this recursively to the nginx root folder, added an index.html file and successfully served the file.

I then mounted the Samba share at /mount/test on my nginx server and, when I checked, the SELinux context of the share is system_u:object_r:cifs_t:s0.
Since the Samba shares are read-only, I can't use chcon -R -t httpd_sys_content_t /mount/test. I tried and got an error (action can't be performed).

As per this article, (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-mounting_file_systems-multiple_nfs_mounts), I should be able to declare the SELinux context that I need the local machine to work with at the mount point.
So I used mount -t cifs //sambaserverexample/sambasharesexample  /mount/test -o user=usertest context="system_u:object_r:httpd_sys_content_t:s0"
However it does not work. I get 'For more details see mount(8)'

I might be missing something here that is preventing me from achieving the above.
Any suggestions?

Thanks in advance.

Regards,
3 years ago
Hello Tim,

Thanks a lot for the welcome greetings and for replying to my very first post!

You are right, I should have explained better who the users are.
I want to limit access to specific servers, say only servers A, B and C will have access granted to the web applications running on my Tomcat server.
The reason why I would like to avoid the user/password prompt is that the request to access the content comes from servers ('the users'), instead of a 'real user'.
So I have attempted to restrict access by IP only, and got stuck on restricting access not just to the applications, but to the manager page as well.
I am now searching for the possibility of passing the 'credentials/token' of the servers that I want to grant access to the applications via the HTTPS parameters, but still no success.

Merlin
4 years ago
Hello,

I am trying to restrict access to Tomcat applications on a server to specific users, without being prompted for username and password.
However, all the attempts using basic authentication led me to: 1 - either restrict access not just to the applications, but to the manager page as well (when I made the amendment in server.xml); 2 - or restrict the applications (by amending the context.xml).
The first outcome is not ideal as I need only the applications to be restricted; the second outcome requires extra checks once a deployment happens, as the context.xml is going to be replaced as part of the process (and it is also not ideal to have credentials saved in the code).

Any suggestion on using a token authentication between the servers/users to access the applications running on a Tomcat server?

Thanks in advance.
4 years ago