My apologies if I missed any conclusion here. >From the description of address attribute on HTTP connector:
"For servers with more than one IP address, this attribute specifies which address will be used for listening on the specified port. By default, the connector will listen all local addresses. Unless the JVM is configured otherwise using system properties, the Java based connectors (NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured with either 0.0.0.0 or ::. The APR/native connector will only listen on IPv4 addresses if configured with 0.0.0.0 and will listen on IPv6 addresses (and optionally IPv4 addresses depending on the setting of ipv6v6only) if configured with ::." Is it possible to update the behavior to listen to loopback address only like was done for AJP connectors. On my Tomcat 9.0.78 netstat output - I see Tomcat using 0.0.0.0 by default unless we define address as "127.0.0.1" : tcp 0 0 0.0.0.0:39054 0.0.0.0:* LISTEN 28539/java Also, is it right that we will need to have two connectors for IPv4 and IPv6 with address "127.0.0.1" and "::1" respectively to enable binding only on loopback addresses? If we configure two connectors (IPv4 and IPv6 loopback), if one isn't available, we see: org.apache.catalina.LifecycleException: Protocol handler initialization failed at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136) at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136) at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1040) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136) at org.apache.catalina.startup.Catalina.load(Catalina.java:724) at org.apache.catalina.startup.Catalina.load(Catalina.java:746) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477) Caused by: java.net.SocketException: Protocol family unavailable at sun.nio.ch.Net.bind0(Native Method) which has caused confusion/concerns. What would be a better way to bind on "all available loopback addresses? Thanks, Amit -----Original Message----- From: Christopher Schultz <ch...@christopherschultz.net> Sent: Monday, November 28, 2022 5:21 PM To: users@tomcat.apache.org Subject: [External] Re: listening all local addresses by default is not security best practice To whom it may concern, On 11/23/22 14:31, tommydu1...@outlook.com wrote: > Hi there, > > Product:<https://nam12.safelinks.protection.outlook.com/?url=https%3A% > 2F%2Fbz.apache.org%2Fbugzilla%2Fdescribecomponents.cgi&data=05%7C0 > 1%7CAmit.Pande%40veritas.com%7C13ea9fddeb604e4b7dca08dad1978243%7Cfc8e > 13c0422c4c55b3eaca318e6cac32%7C0%7C0%7C638052745907718347%7CUnknown%7C > TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVC > I6Mn0%3D%7C3000%7C%7C%7C&sdata=o%2FwWU7LgTdFLS3L5njjEruLLho9JnSw2O > LV0%2BO%2BnR5c%3D&reserved=0> > > [snip] > The default behaviour of http connector is listenning all interfaces. False. > It is found in the description of "address" in attributes section. > (https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftom > cat.apache.org%2Ftomcat-9.0-doc%2Fconfig%2Fhttp.html%23SSL_Support& > ;data=05%7C01%7CAmit.Pande%40veritas.com%7C13ea9fddeb604e4b7dca08dad19 > 78243%7Cfc8e13c0422c4c55b3eaca318e6cac32%7C0%7C0%7C638052745907718347% > 7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik > 1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=p3R8MryiKpauAppYJLbrGLP > FzIUJpONDxvQj%2BlYepnI%3D&reserved=0) It's listed in another section, and does not say all interfaces. > In terms of security default, it could be not best practice. In case of > unexpected mistakes made by people, default behaviour of exposing the server > to every possible network may pose a potential threat on security. Good thing Tomcat does not default to that configuration. > CWE-1327: Binding to an Unrestricted IP Address: > https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcwe. > mitre.org%2Fdata%2Fdefinitions%2F1327.html&data=05%7C01%7CAmit.Pan > de%40veritas.com%7C13ea9fddeb604e4b7dca08dad1978243%7Cfc8e13c0422c4c55 > b3eaca318e6cac32%7C0%7C0%7C638052745907718347%7CUnknown%7CTWFpbGZsb3d8 > eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3 > 000%7C%7C%7C&sdata=pZzdfOpc0Cw5kVThNxWZLBZIoW4xXQSoSldTtMn6OEM%3D& > amp;reserved=0 > > The issue should be a security enhancement. I recommend changing default > behaviour to a single interface/network, e.g loopback interface 127.0.0.1 and > adding configuration option with default value OFF for 0.0.0.0 or : :. Sounds great. So what exactly needs to be changed? You want us to pick only IPv4 or IPv6? If not, what you describe is exactly the default configuration that you will get. -chris --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org