On Thu, Feb 13, 2020 at 1:04 PM Olivier Jaquemet <
olivier.jaque...@jalios.com> wrote:

>
> On 13/02/2020 12:41, Mark Thomas wrote:
> > On 13/02/2020 09:57, Olivier Jaquemet wrote:
> >> I understand the need to introduce a "secured by default" AJP
> >> configuration.
> >> However, I question one choice that was made for this change : the
> >> default behavior of the AJP connector to listen only on the loopback
> >> address.
> >>
> >> [...]
> > You can specify "0.0.0.0" (IPv4) or "::" (IPv6) to restore the behaviour
> > of listening on any address.
> >
> > Mark
>
> Thank you Mark. This should address this use case.
>
> Would you consider adding this binding information to the documentation
> (in the documentation of the address attribute)?
>

I would say no. These special address values are not specific to Tomcat;
it's like documenting that 127.0.0.1 is the IPv4 loopback address [I guess it's
more well known? hopefully?].
The address specified on the Connector element goes through
InetAddress.getByName, so it's very flexible; it allows more than simple IP
addresses.

Rémy


>
>
> To sum up:
> When migrating to Tomcat 8.5.51, 9.0.31 (and probably the next 7.0.x, as
> I saw you had also backported this change to the 7.0.x branch),
> if your server architecture is to expose Tomcat with an AJP connector
> to a remote, distant front server, you can:
>
> either, *secure your installation* (obviously the recommended way on an
> untrusted network):
>
> - by specifying the valid IP address on which the connector must bind;
> this is done with the address attribute of the AJP connector.
>
> - by specifying a shared secret between the front server and the
> connector; this is done with the secret attribute of the AJP connector.
>
>
> or else, if you want your server.xml to be agnostic to the running host
> and remote front server, change your configuration back to the previous
> behavior, *BUT ONLY IF AND ONLY IF you are on a trusted network*:
>
> - by removing the explicit bind of the AJP connector, by specifying "0.0.0.0"
> (IPv4) or "::" (IPv6) in the address attribute of the AJP connector;
>
> - by removing the need for a shared secret between the front server and Tomcat;
> this is done with the secretRequired="false" attribute of the AJP connector.
>
> Olivier
>
>
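The two server.xml variants Olivier summarises above, written out as an added example (not configuration from the thread or from the Tomcat project); the bind address and the secret value are placeholders, and port 8009 and redirectPort 8443 are the usual defaults, not values taken from the thread:

```xml
<!-- Variant 1 (recommended): AJP connector hardened for an untrusted network.
     192.0.2.10 is a placeholder for the interface the front server reaches;
     as Rémy notes, the value is resolved via InetAddress.getByName, so a
     hostname would also be accepted. -->
<Connector protocol="AJP/1.3"
           address="192.0.2.10"
           port="8009"
           redirectPort="8443"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_SECRET" />

<!-- Variant 2 (trusted network ONLY): restore the pre-8.5.51 / 9.0.31
     behaviour of listening on every address with no shared secret.
     Use "::" instead of "0.0.0.0" for IPv6. -->
<Connector protocol="AJP/1.3"
           address="0.0.0.0"
           port="8009"
           redirectPort="8443"
           secretRequired="false" />
```

Only one of the two Connector elements should be active in a given server.xml; the front server must be configured with the same secret for Variant 1 to work.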
