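I have a Tomcat application running behind an Apache reverse proxy. I am trying to restrict access to the manager and host-manager contexts to localhost only.
So I uncommented the following lines in the context.xml file of both contexts: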
<!--
Remove the comment markers from around the Valve below to limit access to
the manager application to clients connecting from localhost
-->
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
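But when I try to access these contexts from localhost, it always shows the 403 error page.
I didn't get the d+ thing in the allow attribute, so I also tried allow="127\.0\.0\.1|::1|0:0:0:0:0:0:0:1", with no luck either.
Is there something wrong with my context.xml configuration?
Does it behave differently when the connection is first filtered through Apache's mod_proxy (ProxyPass ajp://localhost:8009)?
Thanks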
Answer 1
There are two different mechanisms here: restricting access to the context (done with RemoteAddrValve) and the built-in RBAC in server.xml:
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
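The following was tested with tomcat-8.0.23:
Only the stock configuration was modified, to restrict access to the manager context to localhost by removing the comment around the valve, by modifying the file: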
apache-tomcat-8.0.23/webapps/manager/META-INF/context.xml
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
Without further modification, trying to access the context fails with a 401 HTTP error:
$ curl -v -L localhost:8080/manager/
* Trying ::1...
* Connected to localhost (::1) port 8080 (#0)
> GET /manager/ HTTP/1.1
> User-Agent: curl/7.40.0
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=F3F2A25463ED1CD49E154FA5428B853A; Path=/manager/; HttpOnly
< Location: http://localhost:8080/manager/html;jsessionid=F3F2A25463ED1CD49E154FA5428B853A?org.apache.catalina.filters.CSRF_NONCE=B5CB272DF379F59A8158583826850550
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 0
< Date: Sun, 14 Jun 2015 08:47:27 GMT
<
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'http://localhost:8080/manager/html;jsessionid=F3F2A25463ED1CD49E154FA5428B853A?org.apache.catalina.filters.CSRF_NONCE=B5CB272DF379F59A8158583826850550'
* Found bundle for host localhost: 0x256e460
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 8080 (#0)
> GET /manager/html;jsessionid=F3F2A25463ED1CD49E154FA5428B853A?org.apache.catalina.filters.CSRF_NONCE=B5CB272DF379F59A8158583826850550 HTTP/1.1
> User-Agent: curl/7.40.0
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 01:00:00 GMT
< WWW-Authenticate: Basic realm="Tomcat Manager Application"
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 2474
< Date: Sun, 14 Jun 2015 08:47:27 GMT
After modifying the apache-tomcat-8.0.23/conf/tomcat-users.xml file to add the following:
<role rolename="manager-gui"/>
<user username="tomcat" password="tomcat" roles="manager-gui"/>
and trying to access the context, this time with authentication, succeeds:
$ curl -v -L -utomcat:tomcat localhost:8080/manager/
* Trying ::1...
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Basic with user 'tomcat'
> GET /manager/ HTTP/1.1
> Authorization: Basic dG9tY2F0OnRvbWNhdA==
> User-Agent: curl/7.40.0
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=7890CA71EC221A152BDB4F04B66BE49E; Path=/manager/; HttpOnly
< Location: http://localhost:8080/manager/html;jsessionid=7890CA71EC221A152BDB4F04B66BE49E?org.apache.catalina.filters.CSRF_NONCE=92DAD506CB8E9E24E8454BBA94567F84
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 0
< Date: Sun, 14 Jun 2015 08:48:09 GMT
<
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'http://localhost:8080/manager/html;jsessionid=7890CA71EC221A152BDB4F04B66BE49E?org.apache.catalina.filters.CSRF_NONCE=92DAD506CB8E9E24E8454BBA94567F84'
* Found bundle for host localhost: 0x69e4c0
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Basic with user 'tomcat'
> GET /manager/html;jsessionid=7890CA71EC221A152BDB4F04B66BE49E?org.apache.catalina.filters.CSRF_NONCE=92DAD506CB8E9E24E8454BBA94567F84 HTTP/1.1
> Authorization: Basic dG9tY2F0OnRvbWNhdA==
> User-Agent: curl/7.40.0
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 01:00:00 GMT
< Set-Cookie: JSESSIONID=42B0B26688726A802B665B0B33D1690B; Path=/manager/; HttpOnly
< Content-Type: text/html;charset=utf-8
< Transfer-Encoding: chunked
< Date: Sun, 14 Jun 2015 08:48:09 GMT
Now, if you try to perform the request using a different interface (i.e. not localhost), you will get a 403 HTTP error, whether or not you use authentication:
$ curl --interface wlp6s0 -v -L -utomcat:tomcat localhost:8080/manager/
* Trying ::1...
* Trying 127.0.0.1...
* Local Interface wlp6s0 is ip 192.168.1.187 using address family 2
* SO_BINDTODEVICE wlp6s0 failed with errno 1: Operation not permitted; will do regular bind
* Local port: 0
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'tomcat'
> GET /manager/ HTTP/1.1
> Authorization: Basic dG9tY2F0OnRvbWNhdA==
> User-Agent: curl/7.40.0
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=2F3ADE627300D4D264478927D1F0BBFC; Path=/manager/; HttpOnly
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 3196
< Date: Sun, 14 Jun 2015 09:06:52 GMT
<
This is expected, since we restricted access to localhost only.
In short, if you get a 403 error response, check the interface tomcat is listening on:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
$ ss -tulpan | grep LISTEN.*8080
tcp LISTEN 0 100 :::8080 :::* users:(("java",pid=32490,fd=48))
and the interface you are using for the request.
Answer 2
So, knowing that my requests were being sent from my server's public IP, I changed context.xml to:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="xxx\.xxx\.xxx\.xxx|127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
where xxx.xxx.xxx.xxx is the server's public IP. It works now.
Thanks for your help
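
The allow patterns from this thread, evaluated against sample source addresses, as an added example (not code from the posts or from Tomcat). It is a Python emulation that assumes the valve matches the whole remote address against the regex and checks deny before allow; `203.0.113.10` is a constructed placeholder for the server's public IP, and the function names are hypothetical.

```python
import re

# Patterns copied from the context.xml snippets in the thread.
ALLOW_STOCK = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
ALLOW_EXACT = r"127\.0\.0\.1|::1|0:0:0:0:0:0:0:1"

# Constructed placeholder (documentation range) standing in for xxx.xxx.xxx.xxx.
PUBLIC_IP = "203.0.113.10"
ALLOW_WITH_PUBLIC = re.escape(PUBLIC_IP) + "|" + ALLOW_STOCK

# Constructed sample of addresses a request could appear to come from.
SAMPLE_ADDRS = [
    "127.0.0.1",        # IPv4 loopback
    "127.0.1.1",        # still inside 127.0.0.0/8
    "::1",              # IPv6 loopback, short form
    "0:0:0:0:0:0:0:1",  # IPv6 loopback, long form
    "192.168.1.187",    # LAN address seen in the curl output above
    PUBLIC_IP,          # request arriving with the server's public IP
]


def is_allowed(remote_addr, allow=None, deny=None):
    """Assumed valve semantics: deny wins, then allow must match the WHOLE address."""
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None and re.fullmatch(allow, remote_addr):
        return True
    # With only a deny list configured, anything not denied passes.
    if deny is not None and allow is None:
        return True
    return False


def evaluate(allow, deny=None):
    """Map each sample address to the allow/deny decision under one pattern."""
    return {addr: is_allowed(addr, allow, deny) for addr in SAMPLE_ADDRS}


if __name__ == "__main__":
    patterns = [("stock", ALLOW_STOCK), ("exact", ALLOW_EXACT),
                ("with-public", ALLOW_WITH_PUBLIC)]
    for label, pattern in patterns:
        print(label)
        for addr, ok in evaluate(pattern).items():
            print(f"  {addr:<18} {'allow' if ok else '403'}")
```

The `\d+` groups are what let the stock pattern cover all of 127.0.0.0/8, and the public IP is rejected until it is listed explicitly, which matches the fix in Answer 2.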