我有一个运行Apache反向代理的Tomcat应用程序。 我试图限制只能从本地主机访问经理和主机pipe理器上下文。
所以我从两个上下文中取消了关于context.xml文件的以下行:
<!-- Remove the comment markers from around the Valve below to limit access to the manager application to clients connecting from localhost --> <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /> 但是当我尝试从本地主机访问这些上下文时,它总是向我显示错误403页面。
我没有在allow属性中得到d +的东西,所以我也试过allow =“127 \ .0 \ .0 \ .1 | :: 1 | 0:0:0:0:0:0:0:1”也没有运气。
在我的context.xmlconfiguration中有什么问题吗?
当它们首先通过apache的mod_proxy( ProxyPass ajp:// localhost:8009 )进行过滤时,它的行为是否有所不同?
谢谢
这里有两种不同的机制:限制访问上下文(使用RemoteAddrValve完成)和server.xml的内置RBAC:
<Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml" />
以下已经使用tomcat-8.0.23进行了testing:
通过修改apache-tomcat-8.0.23/webapps/manager/META-INF/context.xml文件以删除阀门上的注释,仅修改了一个库存configuration以限制从localhost到manager上下文的访问:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
没有进一步的修改,尝试访问上下文失败,出现401 HTTP错误:
$ curl -v -L localhost:8080/manager/ * Trying ::1... * Connected to localhost (::1) port 8080 (#0) > GET /manager/ HTTP/1.1 > User-Agent: curl/7.40.0 > Host: localhost:8080 > Accept: */* > < HTTP/1.1 302 Found < Server: Apache-Coyote/1.1 < Set-Cookie: JSESSIONID=F3F2A25463ED1CD49E154FA5428B853A; Path=/manager/; HttpOnly < Location: http://localhost:8080/manager/html;jsessionid=F3F2A25463ED1CD49E154FA5428B853A?org.apache.catalina.filters.CSRF_NONCE=B5CB272DF379F59A8158583826850550 < Content-Type: text/html;charset=ISO-8859-1 < Content-Length: 0 < Date: Sun, 14 Jun 2015 08:47:27 GMT < * Connection #0 to host localhost left intact * Issue another request to this URL: 'http://localhost:8080/manager/html;jsessionid=F3F2A25463ED1CD49E154FA5428B853A?org.apache.catalina.filters.CSRF_NONCE=B5CB272DF379F59A8158583826850550' * Found bundle for host localhost: 0x256e460 * Re-using existing connection! (#0) with host localhost * Connected to localhost (::1) port 8080 (#0) > GET /manager/html;jsessionid=F3F2A25463ED1CD49E154FA5428B853A?org.apache.catalina.filters.CSRF_NONCE=B5CB272DF379F59A8158583826850550 HTTP/1.1 > User-Agent: curl/7.40.0 > Host: localhost:8080 > Accept: */* > < HTTP/1.1 401 Unauthorized < Server: Apache-Coyote/1.1 < Cache-Control: private < Expires: Thu, 01 Jan 1970 01:00:00 GMT < WWW-Authenticate: Basic realm="Tomcat Manager Application" < Content-Type: text/html;charset=ISO-8859-1 < Content-Length: 2474 < Date: Sun, 14 Jun 2015 08:47:27 GMT
修改apache-tomcat-8.0.23/conf/tomcat-users.xml文件后添加如下内容:
<role rolename="manager-gui"/> <user username="tomcat" password="tomcat" roles="manager-gui"/>
并尝试访问上下文,这次使用身份validation成功:
$ curl -v -L -utomcat:tomcat localhost:8080/manager/ * Trying ::1... * Connected to localhost (::1) port 8080 (#0) * Server auth using Basic with user 'tomcat' > GET /manager/ HTTP/1.1 > Authorization: Basic dG9tY2F0OnRvbWNhdA== > User-Agent: curl/7.40.0 > Host: localhost:8080 > Accept: */* > < HTTP/1.1 302 Found < Server: Apache-Coyote/1.1 < Set-Cookie: JSESSIONID=7890CA71EC221A152BDB4F04B66BE49E; Path=/manager/; HttpOnly < Location: http://localhost:8080/manager/html;jsessionid=7890CA71EC221A152BDB4F04B66BE49E?org.apache.catalina.filters.CSRF_NONCE=92DAD506CB8E9E24E8454BBA94567F84 < Content-Type: text/html;charset=ISO-8859-1 < Content-Length: 0 < Date: Sun, 14 Jun 2015 08:48:09 GMT < * Connection #0 to host localhost left intact * Issue another request to this URL: 'http://localhost:8080/manager/html;jsessionid=7890CA71EC221A152BDB4F04B66BE49E?org.apache.catalina.filters.CSRF_NONCE=92DAD506CB8E9E24E8454BBA94567F84' * Found bundle for host localhost: 0x69e4c0 * Re-using existing connection! (#0) with host localhost * Connected to localhost (::1) port 8080 (#0) * Server auth using Basic with user 'tomcat' > GET /manager/html;jsessionid=7890CA71EC221A152BDB4F04B66BE49E?org.apache.catalina.filters.CSRF_NONCE=92DAD506CB8E9E24E8454BBA94567F84 HTTP/1.1 > Authorization: Basic dG9tY2F0OnRvbWNhdA== > User-Agent: curl/7.40.0 > Host: localhost:8080 > Accept: */* > < HTTP/1.1 200 OK < Server: Apache-Coyote/1.1 < Cache-Control: private < Expires: Thu, 01 Jan 1970 01:00:00 GMT < Set-Cookie: JSESSIONID=42B0B26688726A802B665B0B33D1690B; Path=/manager/; HttpOnly < Content-Type: text/html;charset=utf-8 < Transfer-Encoding: chunked < Date: Sun, 14 Jun 2015 08:48:09 GMT
现在,如果您尝试使用不同的接口来执行请求(即不是localhost ),则无论您是否使用身份validation,您都将遇到403 HTTP错误:
$ curl --interface wlp6s0 -v -L -utomcat:tomcat localhost:8080/manager/ * Trying ::1... * Trying 127.0.0.1... * Local Interface wlp6s0 is ip 192.168.1.187 using address family 2 * SO_BINDTODEVICE wlp6s0 failed with errno 1: Operation not permitted; will do regular bind * Local port: 0 * Connected to localhost (127.0.0.1) port 8080 (#0) * Server auth using Basic with user 'tomcat' > GET /manager/ HTTP/1.1 > Authorization: Basic dG9tY2F0OnRvbWNhdA== > User-Agent: curl/7.40.0 > Host: localhost:8080 > Accept: */* > < HTTP/1.1 403 Forbidden < Server: Apache-Coyote/1.1 < Set-Cookie: JSESSIONID=2F3ADE627300D4D264478927D1F0BBFC; Path=/manager/; HttpOnly < Content-Type: text/html;charset=ISO-8859-1 < Content-Length: 3196 < Date: Sun, 14 Jun 2015 09:06:52 GMT <
这是预期的,因为我们只限制从localhost访问。
总之,如果你得到一个403错误的响应,请检查tomcat正在监听的接口:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> $ ss -tulpan | grep LISTEN.*8080
以及您用于请求的界面。
tcp LISTEN 0 100 :::8080 :::* users:(("java",pid=32490,fd=48))
所以,知道我的请求是从我的服务器的公共IP发送我改变我的context.xml到:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="xxx\.xxx\.xxx\.xxx|127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
其中xxx.xxx.xxx.xxx是服务的公共IP。 现在正在工作。
感谢您的帮助