Restrict access to Tomcat manager by IP

muilpp picture muilpp · Nov 3, 2015 · Viewed 23k times · Source

I'm trying to restrict all the requests to my Tomcat manager which don't come from my IP.

So far, I found that adding a Valve to the server.xml like this:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="IP"/>

will block all requests except the ones coming from "IP" to the whole Tomcat (including the webapps). Does anyone know how to do the same but applying only to the Tomcat manager?

By the way, I'm using Tomcat7.

Answer

Richard Osseweyer picture Richard Osseweyer · Nov 3, 2015

In [tomcat]/conf/Catalina/[hostname] create a file manager.xml.

So if your hostname is www.yourdomainname.com and tomcat is in opt/tomcat7/ that would be:

/opt/tomcat7/conf/Catalina/www.yourdomainname.com/manager.xml

In this newly created manager.xml you put the RemoteAddrValve in the Context:

<Context antiResourceLocking="false" privileged="true" docBase="${catalina.home}/webapps/manager">

   <Valve className="org.apache.catalina.valves.RemoteAddrValve" 
    allow="127\.0\.0\.1|11\.22\.33\.44" denyStatus="404" />

</Context>  

Separate multiple ip adresses by a pipe character.

I choose denyStatus=404 so possible trespassers wont have a clue there even exists a manager.

Restart Tomcat.


UPDATE 3/2020

If Tomcat sits behind a proxy server, requests will all be coming from that proxy server, so you need to tell the proxy server to forward remote addresses to Tomcat (in Nginx you would include a line proxy_set_header x-forwarded-for $remote_addr;).

In addition you need to tell Tomcat to watch for that forwarded header by including a RemoteIpValve in either an Engine or a Host block:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
        remoteIpHeader="X-Forwarded-For" 
        requestAttributesEnabled="true" />