Tomcat – How to create a IP whitelist for tomcat

iptomcatwhitelist

I'm extremely new to tomcat but I need to configure my company's tomcat server so that we can allow restricted IP addresses only.

I understand this is normally the job of the firewall but in this case that is not an option.

We are doing a deployment to the production server and while that's happening we need to be able to show a maintenance page run by Apache which rests in the same server as tomcat.

In this case, what would I need to do in order to only allow access to selected ip addresses to the whole tomcat server?

Best Answer

Take a look at Tomcat's Remote Address Filter:

The Remote Address Filter allows you to compare the IP address of the client that submitted this request against one or more regular expressions, and either allow the request to continue or refuse to process the request from this client.

Edit: Which file to edit depends on whether you want the filter to apply to a single webapp or to all of them. From the same page linked above:

Tomcat provides a number of Filters which may be configured for use with all web applications using $CATALINA_BASE/conf/web.xml or may be configured for individual web applications by configuring them in the application's WEB-INF/web.xml.

Edit 2: Here's an example for 3 IPv4 addresses:

<filter>
  <filter-name>Remote Address Filter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <param-value>x\.x\.x\.x|y\.y\.y\.y|z\.z\.z\.z</param-value>
  </init-param>
</filter>

Related Solutions

Tomcat – Mutliple VMs for Tomcat cluster vs Multiple Tomcat instances on one physical box

the os updates are valid on both physical server and vmware machines. it depends mostly by your application, what server you have and the environment.

for example if you have a 32 bit server I would go with vmware machines this is because you can access only up to 4GB from whole memory - yes you can ran pae kernels but there is an overhead. if you have 64 bits is no such problem because you can run each jvm with up to 4GB.

all the points you mentioned are valid.

it comes down to how much you can invest into this solution, as an alternative you can use a different virtualization technology as xen server or kvm

Cisco – How to whitelist external access to an internal webserver via Cisco ACLs

I would think your outside access list should reference the global inside address (x.x.x.x) for 192.168.0.52 based on the NAT order of operations guide (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml)

So the below configuration blocks facebook, allows TCP from allowed subnet y.y.y.y to hit x.x.x.x, denies everything else destined for port 80 of x.x.x.x, then allows everything else.

access-list 106 deny   ip 66.220.144.0 0.0.7.255 any
access-list 106 deny   ip ... (so on for the Facebook blocking)
!Where y.y.y.y equals an 'allowed' subnet to hit the webserver, and x.x.x.x equals your outside IP address
access-list 106 permit tcp y.y.y.y 0.0.255.255 host x.x.x.x eq 80
access-list 106 deny tcp any x.x.x.x eq 80
access-list 106 permit ip any any
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.248
 ip access-group 106 in
 ip nat outside

Best Answer

Related Solutions

Tomcat – Mutliple VMs for Tomcat cluster vs Multiple Tomcat instances on one physical box

Cisco – How to whitelist external access to an internal webserver via Cisco ACLs

Related Topic