1

I have a server that hosts Tomcat for apps and Apache2 for it's frontend. They communicate to each other through ajp protocol over mod_moxy and proxy_ajp modules.

Am I really safe using apache virtualhosts in this form:

... ProxyRequests Off <Proxy *> Order deny,allow Deny from all Allow from 192.168.0.100 </Proxy> ProxyPass / ajp://srv.local:8009/ ProxyPassReverse / http://srv.local ...

0.100 is the server's IP address and behind port 8009 is the Tomcat AJP connector. I want Apache to cut any proxy requests from outside and allow only itself to use it for communicating with Tomcat.

Improve this question
2
  • Can you clarify what you're trying to accomplish? That configuration will block all access through Apache to the Tomcat service, except for 192.168.0.100 - is that what you're going for? Or are you trying to make sure that any communication with Tomcat happens via the Apache service? Commented Jan 5, 2013 at 8:25
  • I want to serve Tomcat application(s) to WWW through Apache. Tomcat is backend and therefore unacessible directly. Since Apache and Tomcat are paired through proxy_ajp, I want to make sure that nothing from WWW can abuse my proxy. So my question would be, is this correct to block all access to proxy except the server itself? This setting is currently on our dev server and we can access Tomcat webapps. Commented Jan 5, 2013 at 9:03

1 Answer 1

Reset to default
1

The access controls in a <Proxy> block apply to where the request comes from, rather than where a request is going. As long as ProxyRequests is disabled, requests through the proxy will never be sent to a destination that you didn't configure.

So, your <Proxy *> block can be removed with no risk.

Improve this answer
0

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.