I am running Apache 2.0.49 / jk2 2.0.4 / Tomcat 4.1.29. I have several IP-based virtual hosts set up through Apache which use jk2 to get to Tomcat. My problem is that I can bypass the Apache settings for a domain by changing the IP address used for that domain with a client.

Example configuration:

    <VirtualHost 10.1.1.1:80>
        ServerName www.aaa.com:80
        DocumentRoot /www/aaa/
        DirectoryIndex index.html
        <Location />
            Order Deny,Allow
            Allow from all
        </Location>
        # every .jsp under this host is handed to Tomcat
        <LocationMatch "\.jsp$">
            JkUriSet worker ajp13:localhost:8009
        </LocationMatch>
    </VirtualHost>

    <VirtualHost 10.2.2.2:80>
        ServerName www.bbb.com:80
        DocumentRoot /www/bbb/
        DirectoryIndex index.html
        <Location />
            Order Allow,Deny
            Deny from all
            Allow from 10.10.10
        </Location>
        # only .jsp files under /examples/ are handed to Tomcat
        <LocationMatch "^/examples/.*\.jsp$">
            JkUriSet worker ajp13:localhost:8009
        </LocationMatch>
    </VirtualHost>

server.xml:

    <Host name="www.aaa.com"> ... </Host>
    <Host name="www.bbb.com"> ... </Host>

What I want is that all users can access www.aaa.com, while only specific users can access www.bbb.com. The problem is that I can modify my hosts file with the following:

    10.1.1.1 www.bbb.com

The request is received by the first <VirtualHost> because of the IP address, regardless of the host name. This will allow all of the JSP files for the host to be viewed (not just /examples, and by anyone). The LocationMatch allows the request to get to Tomcat, and once it receives the request, Tomcat only looks at the domain name.

Can jk2/Tomcat prevent this behavior?

I see a couple of ways that I can change my configuration, but it wasn't obvious that I needed to do either until I realized the problem.

1. Create a Tomcat <Service> in server.xml for each hostname (and its IP address) that I want to be separate. Therefore each host/IP will have its own jk2 worker.
2. Create an Apache default virtual host for each IP address with no JkUriSet.
3. Add the RemoteAddressValve to my Tomcat host. But this seems repetitive, and people unaware of this problem will probably not use this in addition to the Apache directives.

Charlie
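The routing described in the post, as an added model that is not part of the original message or of Apache/jk2/Tomcat themselves: Apache picks a <VirtualHost> by the connection's destination IP (ignoring the Host header for IP-based vhosts), applies that vhost's access rules and JkUriSet patterns, and Tomcat then picks its <Host> from the Host header alone. The model also shows two of the fixes the post lists: a default vhost per IP with no JkUriSet (with name-based matching on that IP) and a RemoteAddressValve-style allow list on the restricted Tomcat host. The IPs, hostnames, client address 192.0.2.5 and path /private/secret.jsp are constructed; the `name_based` and `valve_allow` parameters are the model's own, not Apache or Tomcat options.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VHost:
    ip: str
    server_name: str
    allow_from: tuple   # client IP prefixes; () models "Allow from all"
    jk_patterns: tuple  # LocationMatch regexes handed to the ajp13 worker


# The post's configuration: one IP-based vhost per address.
VHOSTS = (
    VHost("10.1.1.1", "www.aaa.com", (), (r"\.jsp$",)),
    VHost("10.2.2.2", "www.bbb.com", ("10.10.10.",), (r"^/examples/.*\.jsp$",)),
)

# Fix 2 from the post: a default vhost (no JkUriSet) listed first on each IP,
# so an unknown Host header on that IP can never reach Tomcat.
HARDENED_VHOSTS = (
    VHost("10.1.1.1", "_default_", (), ()),
    VHosts := VHOSTS[0],
    VHost("10.2.2.2", "_default_", (), ()),
    VHOSTS[1],
)


def select_vhost(vhosts, dest_ip, host_header, name_based=False):
    """Pick the vhost Apache would use for a connection.

    IP-based (the post's setup): the first vhost bound to dest_ip wins and the
    Host header is ignored.  name_based=True models NameVirtualHost on that IP:
    the vhost whose ServerName equals the Host header wins, and the first vhost
    on the IP is the default for unknown names.
    """
    candidates = [v for v in vhosts if v.ip == dest_ip]
    if not candidates:
        return None
    if name_based:
        for v in candidates:
            if v.server_name == host_header:
                return v
    return candidates[0]


def apache_route(vhosts, dest_ip, host_header, client_ip, path, name_based=False):
    """Return 'no-vhost', 'forbidden', 'tomcat' (forwarded via jk2) or 'static'."""
    v = select_vhost(vhosts, dest_ip, host_header, name_based)
    if v is None:
        return "no-vhost"
    # Order Allow,Deny / Deny from all / Allow from <prefix>
    if v.allow_from and not client_ip.startswith(v.allow_from):
        return "forbidden"
    if any(re.search(p, path) for p in v.jk_patterns):
        return "tomcat"
    return "static"


def tomcat_route(host_header, client_ip, valve_allow=None):
    """Tomcat chooses <Host> by Host header only.  valve_allow models fix 3, a
    RemoteAddressValve allow list on the www.bbb.com host (AJP carries the real
    client address, so the valve sees the same IP Apache did)."""
    if valve_allow is not None and host_header == "www.bbb.com" \
            and not client_ip.startswith(valve_allow):
        return "forbidden"
    return "served-by-" + host_header


def end_to_end(vhosts, dest_ip, host_header, client_ip, path,
               name_based=False, valve_allow=None):
    """Full request outcome: Apache decision, then Tomcat if forwarded."""
    decision = apache_route(vhosts, dest_ip, host_header, client_ip, path, name_based)
    if decision != "tomcat":
        return decision
    return tomcat_route(host_header, client_ip, valve_allow)


if __name__ == "__main__":
    # Legitimate request from the allowed network, and an outsider hitting 10.2.2.2
    print(end_to_end(VHOSTS, "10.2.2.2", "www.bbb.com", "10.10.10.7", "/examples/test.jsp"))
    print(end_to_end(VHOSTS, "10.2.2.2", "www.bbb.com", "192.0.2.5", "/examples/test.jsp"))
    # The post's problem: outsider resolves www.bbb.com to 10.1.1.1 in the hosts file
    print(end_to_end(VHOSTS, "10.1.1.1", "www.bbb.com", "192.0.2.5", "/private/secret.jsp"))
    # Fix 2 (default vhost per IP) and fix 3 (valve on the Tomcat host)
    print(end_to_end(HARDENED_VHOSTS, "10.1.1.1", "www.bbb.com", "192.0.2.5",
                     "/private/secret.jsp", name_based=True))
    print(end_to_end(VHOSTS, "10.1.1.1", "www.bbb.com", "192.0.2.5",
                     "/private/secret.jsp", valve_allow=("10.10.10.",)))
```

The third call is the bypass from the post: Apache serves the request from the www.aaa.com vhost (allow all, every .jsp forwarded) and Tomcat, seeing only the Host header, runs it in the www.bbb.com <Host>. With a default vhost first on each IP the unknown-name request never matches a JkUriSet and stays static; with the valve, Tomcat refuses the outside client even though Apache let it through.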