Paul,

On 4/30/15 11:27 AM, Paul Klinkenberg wrote:
> Hi Christopher,
>
>> Paul,
>>
>> On 4/29/15 10:18 PM, l...@bsoft.com.cn wrote:
>>> p.s. I asked this question, in other wording, on
>>> StackOverflow.com <http://sackoverflow.com/> as well. I hope I
>>> have better luck here ;-)
>>> http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp
>>
>> It's more clear from this post that you just want to make sure
>> that the HTTP (or AJP) request is coming from localhost.
>>
>> If that's all you want, then change the <Connector> configuration
>> so that it's only listening on localhost, like this:
>>
>> <Connector address="127.0.0.1" ... />
>>
>> This will prevent any incoming connections from the outside
>> world.
>>
>> Does that solve your problem?
>>
>> -chris
>
> On StackOverflow, I indeed said I (just) wanted to check for
> 127.0.0.1/localhost. That was a simplification of the case, to keep
> the focus on getting the AJP request's source IP address. In real
> life, there will also be setups where the source IP will be
> different. Sorry for any confusion this may have caused.
>
> All in all, the SO question isn't really important anymore, since I
> now know that IP restriction wouldn't be the best way to accomplish
> the security I am looking for. Personally, I'd still like to know
> the answer, but that's only because I have spent multiple hours
> trying to find that IP address from inside the valve ;)

The only way to do this "properly" would be to set up an HTTPS channel
between your trusted web servers and your application servers, and
require that the trusted web servers use SSL client certificates to
successfully connect to your application servers.
The client (web server) is configured to provide the client
certificate, and the server (app server) is configured to require a
recognized certificate. As long as your web servers are not
compromised, then only your web servers will provide trusted
credentials.

-chris
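
The setup described in the reply above, sketched as an added example (not part of the original message and not either poster's configuration). It assumes Tomcat 7 / 8.0 style JSSE connector attributes and Apache httpd with mod_ssl and mod_proxy_http; all paths, ports, host names and passwords are placeholders.

```xml
<!-- Added example, not from the original thread. Paths, port, host names and
     passwords are placeholders. -->

<!-- Tomcat conf/server.xml (application server): HTTPS connector that refuses
     any TLS handshake without a client certificate it recognizes.
     Attribute style is Tomcat 7 / 8.0 JSSE; Tomcat 8.5 and later express the
     same thing with <SSLHostConfig certificateVerification="required">. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="conf/appserver-keystore.jks"
           keystorePass="CHANGE_ME"
           truststoreFile="conf/webserver-clients-truststore.jks"
           truststorePass="CHANGE_ME" />
<!-- clientAuth="true" makes the certificate mandatory; "want" or "false"
     would let clients without a certificate through.
     The truststore should hold only the CA (or the individual certificates)
     used for the web servers. Falling back to the JVM default trust store
     can accept a client certificate issued by any public CA. -->

<!-- Apache httpd (web server) side, mod_ssl + mod_proxy + mod_proxy_http,
     shown here as a comment to keep one block:

     SSLProxyEngine on
     SSLProxyMachineCertificateFile /etc/httpd/tls/webserver-client.pem
     SSLProxyCACertificateFile      /etc/httpd/tls/appserver-ca.pem
     SSLProxyVerify require
     SSLProxyCheckPeerName on
     ProxyPass        / https://app1.example.internal:8443/
     ProxyPassReverse / https://app1.example.internal:8443/

     The PEM file named by SSLProxyMachineCertificateFile holds the client
     certificate together with its unencrypted private key, so it needs
     restrictive file permissions. -->
```

The certificate requirement only restricts access if no unauthenticated path remains: any AJP or plain HTTP connector on the application server should be removed or bound to 127.0.0.1 as in the quoted <Connector address="127.0.0.1" ... /> suggestion.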