18

I have an application running on Tomcat and listening on port 8080. I made the redirect changes on the Apache level (httpd) to provide my users with the ability to only type http://app instead of http://app:8080.

Now I want to block access completely to http://app:8080, so users won't be able to reach http://app:8080.

How do I do that?

kapa
nav.jdwdw
  • This sounds contradictory to me, if 8080 is indeed the public-facing port. Do you mean to have the users connect to your application via normal port (80), while redirecting 80 to 8080 internally? – prusswan Jul 25 '11 at 01:09
  • Yes. I don't want 8080 to be exposed at all. – nav.jdwdw Jul 25 '11 at 03:30
  • ok, this is probably a serverfault question then, similar to something like: http://serverfault.com/questions/140622/how-can-i-port-forward-with-iptables – prusswan Jul 25 '11 at 03:41

2 Answers

40

You can block a port using iptables, which is quite secure considering it's on OS level:

iptables -A INPUT -p tcp --dport 8080 -j DROP

Or you can comment out the 8080 connector in Tomcat’s configuration (in server.xml):

<!--
<Connector port="8080" …
    />
-->

Or you can just limit access to localhost (in case you want to use the manager app, etc.):

<Connector port="8080" address="127.0.0.1" maxHttpHeaderSize="8192" />

(don’t forget to restart Tomcat afterwards).

Skippy le Grand Gourou
Will
  • 1
    Thank you Will, that attribute to the tomcat Connector did the trick. Together with Apache's ProxyPass directive that gives a decent solution. – nav.jdwdw Jul 26 '11 at 06:46
1

Just for completeness, you might want to configure the AJP Connector in a similar way or disable it in server.xml.

Heiner