Reputation: 6022
I am using Apache 2.4 in front of Tomcat 7. I am trying to use WebSockets, so I have configured an HTTP-based connector in Tomcat as below:
<Connector port="8009"
protocol="HTTP/1.1"
proxyPort="80"
maxPostSize="10485760"
redirectPort="8443"
URIEncoding="UTF-8"/>
I have configured mod_proxy, mod_proxy_wstunnel and mod_proxy_http in Apache 2.4. WebSocket connections work fine when the app is accessed via "http://webserver/myapp".
However, the app can also be accessed via http://webserver:8009/myapp.
I want my app to be accessible only via the Apache webserver (http://webserver/myapp) and NOT directly using Tomcat (http://webserver:8009/myapp). I cannot use the AJP modules (mod_proxy_ajp or mod_jk) because the AJP modules don't support WebSockets.
Is there a way I can limit the Tomcat Connector to the Apache webserver only?
Upvotes: 1
Views: 1214
Reputation: 922
You can use this.
<Context path="/manager" docBase="manager" reloadable="true" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteIpValve"/>
<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="<your IP regex>"/>
</Context>
Change the Context path, docBase and IP address in the valve as appropriate. This would at least restrict access to localhost.
Another way is to have Tomcat listen only on localhost, with the help of the code below.
<Connector port="8009" address="127.0.0.1" />
Upvotes: 2
Reputation: 48057
Use a firewall on your server. This way you not only make tomcat unavailable, but also any other process that happens to open a port on that machine.
Whitelist the ports that you want to be available to the world and default to blocking every other port.
Upvotes: 0