RE: java/tomcat & libwrap
>J> I hope this is not TOO stupid of a question but.... Tomcat uses
>J> port 8007 for communications with apache. Is there a way, or does
>J> it already exist, to tcp wrap this port? I have noticed that MANY
>J> other daemon or daemon like packages support this function. Java on
>J> the other hand seems to behave differently in this regard.
>
>The Tomcat documentation suggests to use ipchains/iptables for that.
Yes, you could do that. You must know that ajp12 is somewhat deprecated
and has been replaced by ajp13 for web-server / tomcat communication.
It's only used now to send the command to shut down Tomcat, a command
which should come from localhost for security purposes.
May I suggest you try Tomcat 3.3 (this is the Reference Implementation
now for Servlet 2.2/JSP 1.1) since its default connector is now ajp13
with ajp12 configured by default to listen only on localhost:
From TC 3.3 server.xml:
<Ajp12Connector address="127.0.0.1" port="8007"
                AjpidFile="/var/spool/tomcat/ajp12.id" />
<!-- Apache AJP13 support (mod_jk)
     Parameter "address" defines network interface this Interceptor
     "binds" to. Add it if you want to "bind" to just "127.0.0.1".
         address="127.0.0.1"
     Parameter "tomcatAuthentication", controls if Tomcat honors
     ( and uses ) auth done in HTTP Server or not, when true Tomcat does
     not use in any way auth information provided by the HTTP Server.
     true is the default.
         tomcatAuthentication="false"
-->
<Ajp13Connector port="8009" />
>An even better solution would be: only listen to requests from
>localhost.
Sure, take a look above at the part of server.xml.
Note that ajp12/ajp13 have no support for authentication of
both ends, but the new ajp14 adds this functionality, together
with more advanced features like autoconfiguration :=)
ajp14 is present in the subproject, jakarta-tomcat-connectors, which
is available via CVS....
-
Henri Gomez ___[_]____
EMAIL : hgomez@slib.fr (. .)
PGP KEY : 697ECEDD ...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
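
Added example, not part of the original message or of Tomcat: a small audit that parses the connector lines quoted above and reports which AJP connectors are restricted to loopback. The `<Server>` wrapper, the function names, and the rule that a missing `address` attribute means "all interfaces" are assumptions made for this sketch.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the connector lines from the excerpt above, wrapped in a
# hypothetical <Server> root so the fragment parses on its own.
SAMPLE = """<Server>
  <Ajp12Connector address="127.0.0.1" port="8007"
                  AjpidFile="/var/spool/tomcat/ajp12.id" />
  <!-- address="127.0.0.1" appears only inside this comment -->
  <Ajp13Connector port="8009" />
</Server>"""


def is_loopback(address):
    """True only for a literal loopback IP or the name 'localhost'."""
    if address is None:
        return False  # assumption: no address attribute means all interfaces
    if address.strip().lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address.strip()).is_loopback
    except ValueError:
        return False  # other hostnames: treat as exposed, review by hand


def audit_ajp_connectors(xml_text):
    """Return (tag, port, address, loopback_only) for every Ajp*Connector."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # The parser drops comments, so an address attribute that exists
        # only inside <!-- ... --> never counts as a binding.
        if elem.tag.startswith("Ajp") and elem.tag.endswith("Connector"):
            address = elem.get("address")
            findings.append(
                (elem.tag, elem.get("port"), address, is_loopback(address)))
    return findings


def exposed(xml_text):
    """Connectors that are not restricted to the loopback interface."""
    return [f for f in audit_ajp_connectors(xml_text) if not f[3]]


if __name__ == "__main__":
    for tag, port, address, ok in audit_ajp_connectors(SAMPLE):
        state = "loopback only" if ok else "NOT restricted to loopback"
        print(f"{tag} port={port} address={address or '(unset)'}: {state}")
```

On the quoted excerpt this flags the Ajp13Connector on port 8009, because its address attribute exists only inside the comment; that port is the one to cover with ipchains/iptables or an explicit address="127.0.0.1".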