1

I have a server that hosts Tomcat for apps and Apache2 for it's frontend. They communicate to each other through ajp protocol over mod_moxy and proxy_ajp modules.

Am I really safe using apache virtualhosts in this form:

...
        ProxyRequests Off

        <Proxy *>
                Order deny,allow
                Deny from all
                Allow from 192.168.0.100
        </Proxy>

        ProxyPass / ajp://srv.local:8009/
        ProxyPassReverse / http://srv.local
...

0.100 is the server's IP address and behind port 8009 is the Tomcat AJP connector. I want Apache to cut any proxy requests from outside and allow only itself to use it for communicating with Tomcat.

user1492810
  • 31
  • 1
  • 6
  • Can you clarify what you're trying to accomplish? That configuration will block all access through Apache to the Tomcat service, except for `192.168.0.100` - is that what you're going for? Or are you trying to make sure that any communication with Tomcat happens via the Apache service? – Shane Madden Jan 05 '13 at 08:25
  • I want to serve Tomcat application(s) to WWW through Apache. Tomcat is backend and therefore unacessible directly. Since Apache and Tomcat are paired through proxy_ajp, I want to make sure that nothing from WWW can abuse my proxy. So my question would be, is this correct to block all access to proxy except the server itself? This setting is currently on our dev server and we can access Tomcat webapps. – user1492810 Jan 05 '13 at 09:03

1 Answers1

1

The access controls in a <Proxy> block apply to where the request comes from, rather than where a request is going. As long as ProxyRequests is disabled, requests through the proxy will never be sent to a destination that you didn't configure.

So, your <Proxy *> block can be removed with no risk.

Shane Madden
  • 114,520
  • 13
  • 181
  • 251