I asked this on server fault but really havent had much luck, hoping that someone here would be able to offer some advice...
I have a Tomcat 6 server running just fine. I have external access working. I wanted to know how to prevent someone from seeing specific webapps, for example, I dont want external access to the ROOT tomcat page. How would I go about preventing some webapps while leaving other webapps visible to external users ?
Here's what I've tried:
This denies everything even 127.0.0.1 requests
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<Context path="/examples" docBase="" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>
</Context>
</Host>
This denies everything as well.
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<Context path="/examples" docBase="" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="*"/>
</Context>
</Host>
Basically I am trying to prevent access to the ROOT default tomcat page and the example apps....
Any ideas?
You can't use a wild card for the allow attribute...on the other hand you can use one for the deny attribute.
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="*"/>
This is why I was getting a 403 with the above code.
Also another way I handled this was I created a jsp that redirected traffic to wherever I wanted.
take a look at the documentation.
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
What you have seems to be correct. it says "If this attribute is specified, the remote address MUST match for this request to be accepted."
One thing you might look at is to see whether 127.0.0.1 is really the correct IP. You might be actually using the actual IP of the box. try adding that IP address after the localhost one.
The value of the "allow" property must be defined using backslashes to escape the dots of the allowed IP address:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1"/>
This could be an IPv6 issue. This is what my tomcat6/Catalina/myApp.xml looks like:
<!--<?xml version="1.0" encoding="UTF-8"?> -->
<Context path="/myApp" privileged="true">
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1,0:0:0:0:0:0:0:1"/>
</Context>
This can be tested by the following which would yield 403 if you're denied access
wget --inet4-only http://localhost:8080/myApp
Related
I have a command line script (actually a git post-checkout hook) that reloads my Solr application by doing a cURL to:
http://localhost:8080/manager/html/reload?path=/solr
Since I upgraded to Ubuntu 13.04, it now fails, where it used to work before the upgrade.
The cause of the problem is that my newer version of Tomcat (6.0.35), has some new CSRF protection and it now returns 403 Access Denied.
How can I solve the issue and bypass the CSRF protection?
More info:
My /etc/tomcat6/tomcat-users.xml file:
<?xml version='1.0' encoding='utf-8'?>
<role rolename="manager"/>
<user username="tomcat" password="secret" roles="manager"/>
</tomcat-users>
The documentation for Configuring Manager Application access in tomcat mentions some new manager roles, however my error specifically mentions that the single "manager" role still exists for the moment (and I tried the other roles anyway without success).
(As I was writing the question, I found the answer.) Instead of cURLing to the HTML application, I needed to cURL to the "plain text interface".
i.e. instead of
http://localhost:8080/manager/html/reload?path=/solr
Use:
http://localhost:8080/manager/reload?path=/solr
It turns out:
The HTML interface is protected against CSRF but the text and JMX interfaces are not.
This fits with the new role called "manager-script". To ensure my app will work in the future I changed my /etc/tomcat6/tomcat-users.xml file:
<?xml version='1.0' encoding='utf-8'?>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="secret" roles="manager-gui,manager-script"/>
</tomcat-users>
we are two people and i want my friend can use my local host but it is giving error
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a "web.config" configuration file located in the root directory of the current web application. This tag should then have its "mode" attribute set to "Off".
<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's configuration tag to point to a custom error page URL.
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration>
needless to say
we are using python 2.7 and appcfg.py cmd to run app
In order to access your sites using local address, either use RemoteDeskTop, or remotedesktop shaing by chrome .
if your friend is in same network then he can browse your application using your LocalIp address.
http://192.168.10.20/YourApplication.aspx
If your Local Ip is not accessible in other computers of same network, then change your network to Home Network, and Add allow your IIS in Firewall.
When I am running solr with runjetty in eclipse ,I am getting an exception(IlleagalStateException) and port no:8080 already in use?
Can anyone help me on this?
in your solr installation folders, search for "example/etc/jetty.xml"
this is the relevant part you're looking for:
<Set name="port">
<SystemProperty name="jetty.port" default="8080"/>
</Set>
change the "default" value as you like (unused port)
or launch jetty adding
-Djetty.port=11111
from the command line (1111 is just a random number, you choose again the one you need)
This means that there is a java service which is using the port, go to task manager and process and kill any javaw process that is running currently ...
Hope that might fix.
change you apache tomcat port to some other port and try again...
Please set port value in server.xml file
Its path is like,
Tomcat-installation-dir\conf\server.xml
Search tag like this,
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
Change the port number to any other number like 9090 for example, and after changes it should look like this,
<!-- Define a non-SSL HTTP/1.1 Connector on port 9090 -->
<Connector port="9090" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
Dont change anything other than connector port,change only the value of port and save the file and now hit the url,
localhost:9090
Or use the port number which you have updated in the server.xml file.
localhost:port_in_server.xml
So if every thing goes fine it should open the tomcat home page....This will make sure that you have changed the tomcat's default port(i.e.8080)listen to 9090.
Shutdown the tomcat server at this point.
Now you stop and restart the jetty server and it will work for you with no issues..
Hope this helps....
I am using Tomcat 7.0.29 fronted with Apache 2.2.22 modproxy.
Configured Ajp as the protocol in httpd.conf and AjpNioProtocol in server.xml.
After the server starts, the logs are filled with the following message:
Severe: Invalid message received with signature 20599
com.apache.coyote.ajp.AjpMessage processHeader
There are no requests sent to the web or tomcat server and it still throws that error. Access logs in tomcat and apache show that no request is coming in.
What is causing the invalid message error?
Here is the configuration :
httpd.conf
ProxyPass /wl ajp:// ip : port /wl
ProxyPassReverse /wl ajp:// ip : port /wl
server.xml
<Connector port="port"
protocol="org.apache.coyote.ajp.AjpNioProtocol"
connectionTimeout="20000"
acceptorThreadCount="2"
maxThreads="1600"
redirectPort="8443" />
For me, the problem was simple. I was sending HTTP requests but the connector was configured with AJP protocol. My connector in server.xml was configured like this:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
But when I changed it to this:
<Connector port="8009" protocol="HTTP/1.1" redirectPort="8443"/>
The error went away.
Hopefully that will help someone with this error.
This may also happen when buffer sizes are not same at both ends: logs mention invalid AJP message and browser receive 400 error code.
I have fixed the situation with both packetSize on AJP connector and ProxyIOBufferSize in Apache2 configuration.
In Tomcat server.xml:
<Connector protocol="AJP/1.3" port="8009"
connectionTimeout="20000"
packetSize="65536"
proxyName="yourproxy.domain.ltd" proxyPort="80"
/>
In Apache2 mod_proxy_ajp configuration, add the statement ProxyIOBufferSize 65536.
It was found that one of the internal processes was calling that port and sending http requests causing the "Invalid message.." error. So I ended up adding an additional http Connector for those internal processes
There are no requests sent to the web or tomcat server and it still throws that error. Access logs in tomcat and apache show that no request is coming in. What is causing the invalid message error?
Just some hint for other people because I forgot the same in one of my configs by accident: The mentioned Connector in server.xml is listening globally, because only port is specified, without any address. The latter is defined to listen globally by default:
By default, this port will be used on all IP addresses associated with the server.
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
So without any additional firewall or such it might be that bad clients are simply testing for open ports using various protocols, which might or might not be HTTP and therefore resulting in error messages with different signatures. Without very good reasons, there shouldn't be any need to make AJP globally available, especially not in case of a proxy-setup like used by the thread starter.
<Connector address="localhost" port="port"
protocol="org.apache.coyote.ajp.AjpNioProtocol"
connectionTimeout="20000"
acceptorThreadCount="2"
maxThreads="1600"
redirectPort="8443" />
I got a similar message today:
Nov 18, 2016 4:25:00 PM org.apache.coyote.ajp.AjpMessage processHeader
SEVERE: Invalid message received with signature 65524
The root cause of my problem was that selinux wasn't letting apache connect to tomcat. I'm a little confused as to how this error was a result - I'd expect that there would be no connection, period. Best guess, i probably attempted to manually connect to that port with telnet. Doing that certainly gives a similar message.
Regardless, perhaps this selinux reminder will be helpful to someone else who ends up here.
I've created a ClientAccessPolicy.xml that looks like this:
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>
and put it in C:\Inetpub\wwwroot\wss\VirtualDirectories\intranet-80 and then run an iisreset. Still, when I access the webservices through Silverlight, I get a CommunicationException saying that a correct cross-domain policy isn't in place. What more do I need to do to be able to access my webservices? I cannot access it from another host, and I cannot access it from the generated file E:\Development\MySLProject\ MySLProject\bin\Debug\Default.html?
Cheers
Nik
It's easier to tell you how to troubleshoot this problem than tell you where exactly you have to put the file:
Step 1: install and start Fiddler
Step 2: open your silverlight client
Step 3: watch in Fiddler where your client is requesting clientAccessPolicy.xml (it's a simple http GET request, like downloading an image or whatever)
Step 4: put your clientAccessPolicy file in the correct place (test by downloading it directly with your browser)
I bet you'll solve the problem in less than 10 minutes (been there, done that :-) )
You have to put this file in the server root, not in your virtual directory root.
In the past I had a similar problem with the clientaccesspolicy.xml file and nothing I did to the file would get my Silverlight app to accept it and proceed onto calling the web services. I was using ProxyTrace to make sure the file was being requested by Silverlight and returned correctly which it was.
Eventually out of desperation I removed the clientaccesspolicy.xml file and tried the alternative crossdomain.xml file which is meant to be for Silverlight to work with Flash targetted web sites and that worked straight away.
In Silverlight: use a relative path in the ServiceReferences.ClientConfig file
<client>
<endpoint address="../Service1.svc"
Good luck
It's took 4 hours to resolve the issue. Initially I was putting "clientaccesspolicy.xml" and crossdomain into web service root. Once I put these files into server root C:\Inetpub\wwwroot" My applicatio has been started working.
Best solution is >> findout root physical path for your site >> copy the file "ClientAccessPolicy.xml" into it >> Now try to access.