Restrict access to Tomcat manager by IP

I'm trying to restrict all the requests to my Tomcat manager which don't come from my IP.

So far, I found that adding a Valve to the server.xml like this:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="IP"/>

will block all requests except the ones coming from "IP" to the whole Tomcat (including the webapps). Does anyone know how to do the same but applying only to the Tomcat manager?

By the way, I'm using Tomcat 7.

In [tomcat]/conf/Catalina/[hostname] create a file manager.xml.

So if your hostname is www.yourdomainname.com and tomcat is in /opt/tomcat7/ that would be:

/opt/tomcat7/conf/Catalina/www.yourdomainname.com/manager.xml

In this newly created manager.xml you put the RemoteAddrValve in the Context:

<Context antiResourceLocking="false" privileged="true" docBase="${catalina.home}/webapps/manager">

   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
          allow="127\.0\.0\.1|11\.22\.33\.44" denyStatus="404" />

</Context>

Separate multiple IP addresses by a pipe character.

I chose denyStatus=404 so possible trespassers won't have a clue there even exists a manager.

Restart Tomcat.


UPDATE 3/2020

If Tomcat sits behind a proxy server, requests will all be coming from that proxy server, so you need to tell the proxy server to forward remote addresses to Tomcat (in Nginx you would include the line proxy_set_header x-forwarded-for $remote_addr;).

In addition you need to tell Tomcat to watch for that forwarded header by including a RemoteIpValve in either an Engine or a Host block:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
        remoteIpHeader="X-Forwarded-For" 
        requestAttributesEnabled="true" />
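Added illustration (not part of this answer, nor Tomcat's own code): a small Python model of how the two valves above decide whether a request reaches the manager. It assumes the allow pattern must match the whole address (as the valve's java.util.regex matches() call does) and uses a constructed internal-proxy pattern in place of RemoteIpValve's internalProxies setting.

```python
import re
from typing import Optional

# Constructed values for this example: the allow list from the answer above and
# a stand-in for RemoteIpValve's internalProxies (assumption: your own valve may
# be configured with a different set of trusted proxy addresses).
ALLOW = r"127\.0\.0\.1|11\.22\.33\.44"
INTERNAL_PROXIES = r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"


def effective_client(remote_addr: str, xff: Optional[str], remote_ip_valve: bool) -> str:
    """Address that RemoteAddrValve will compare against its allow pattern.

    Without RemoteIpValve this is always the TCP peer, i.e. the proxy when one
    sits in front of Tomcat.  With RemoteIpValve, X-Forwarded-For is consulted
    only when the peer itself matches the internal-proxy pattern; the header is
    then walked right to left and the first hop that is not an internal proxy
    is taken as the client (a forged header from an untrusted peer is ignored).
    """
    if not remote_ip_valve or not xff or not re.fullmatch(INTERNAL_PROXIES, remote_addr):
        return remote_addr
    client = remote_addr
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        client = hop
        if not re.fullmatch(INTERNAL_PROXIES, hop):
            break
    return client


def manager_allows(remote_addr: str, xff: Optional[str] = None,
                   remote_ip_valve: bool = False, allow: str = ALLOW) -> bool:
    """True if the manager would answer, False if the valve returns denyStatus (404)."""
    # RemoteAddrValve requires the whole address to match, so re.fullmatch
    # is used rather than re.search (a partial match is not enough).
    return re.fullmatch(allow, effective_client(remote_addr, xff, remote_ip_valve)) is not None


if __name__ == "__main__":
    cases = [
        ("direct, admin IP", dict(remote_addr="11.22.33.44")),
        ("direct, other IP", dict(remote_addr="11.22.33.45")),
        ("behind proxy, no RemoteIpValve", dict(remote_addr="10.0.0.5", xff="11.22.33.44")),
        ("behind proxy, with RemoteIpValve", dict(remote_addr="10.0.0.5", xff="11.22.33.44", remote_ip_valve=True)),
        ("forged header, untrusted peer", dict(remote_addr="203.0.113.9", xff="11.22.33.44", remote_ip_valve=True)),
        ("unescaped dots in allow pattern", dict(remote_addr="11x22x33x44", allow="11.22.33.44")),
    ]
    for label, kw in cases:
        print(f"{label:34} -> {'allowed' if manager_allows(**kw) else 'denied (404)'}")
```

The last case shows why the dots in the allow pattern are escaped: an unescaped "." matches any character, so the pattern would also admit addresses that merely resemble the intended one.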

In Tomcat 8 I found the RemoteAddrValve already in C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager\META-INF\context.xml, and I just needed to uncomment it...

<Context antiResourceLocking="false" privileged="true" >
  <!--
    Remove the comment markers from around the Valve below to limit access to
    the manager application to clients connecting from localhost
  -->

  <!--<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->

</Context>

I added @acdhirr's suggestion to the valve to deny with the status denyStatus="404", and that worked also.
