How can I restrict IP addresses for incoming connections in JBoss EAP?
Environment
Issue
- Only certain IP addresses or ranges of IP addresses should be allowed to connect to JBoss / Tomcat.
- Is it possible to restrict the IP address in JBoss so that only IPs from specific virtual hosts are allowed access?
- Is there any filtering mechanism in the remoting subsystem where a certain range of IPs is allowed to make remoting connections?
- Is it possible to limit access to a webapp to localhost? Tried using the valve mechanism, but that applies to all webapps. Can this be done on a per-webapp basis?
- We are trying to restrict the admin console on the production box, including localhost, and would like to provide the admin console through a remote machine's IP. How is this possible?
- How to write a rewrite pattern/rule in JBoss EAP 7.x?
Resolution
EAP 7/Undertow
EAP 6
To restrict connections for a specific application, configure the valve in the application's WEB-INF/jboss-web.xml, for example:
<jboss-web>
    <valve>
        <class-name>org.apache.catalina.valves.RemoteAddrValve</class-name>
        <param>
            <param-name>allow</param-name>
            <param-value>127.0.0.1,127.0.0.2</param-value>
        </param>
    </valve>
</jboss-web>
If the application cannot be modified but connections to it still need to be limited, a rewrite rule in the web subsystem's virtual-server(s) can be used instead:
<virtual-server name="default-host" enable-welcome-root="true">
    <alias name="localhost"/>
    <alias name="example.com"/>
    <rewrite pattern="^/context.*$" substitution="-" flags="F">
        <condition test="%{REMOTE_ADDR}" pattern="!^(127\.0\.0\.1)" flags="NC" />
    </rewrite>
</virtual-server>
That rewrite block answers 403 Forbidden (flag F) for /context and everything under /context unless the client address is 127.0.0.1. Two points to check before copying it: the condition pattern is anchored only at the start, so ^(127\.0\.0\.1) also matches 127.0.0.10 through 127.0.0.19 and 127.0.0.100 upwards; when substituting a real address, anchor the pattern at both ends, for example !^(10\.1\.2\.3)$. Also, %{REMOTE_ADDR}, like the valves, is the address of the TCP peer, so behind a reverse proxy or load balancer it is the proxy's address rather than the end client's.
To restrict connections globally for every application on the server, define the valve in the web subsystem; global valves are supported on EAP 6.1.0 or later. Add the valve element to the web subsystem in standalone.xml or domain.xml:
<subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
    <!-- add this valve element -->
    <valve name="myvalve" module="org.jboss.as.web" class-name="org.apache.catalina.valves.RemoteAddrValve">
        <param param-name="allow" param-value="127.0.0.1,127.0.0.2"/>
    </valve>
</subsystem>
The equivalent CLI commands are:
$ /opt/eap610/bin/jboss-cli.sh -c
[standalone@localhost:9999 /] cd /subsystem=web
[standalone@localhost:9999 subsystem=web] ./valve=myvalve:add(class-name=org.apache.catalina.valves.RemoteAddrValve,module=org.jboss.as.web, enabled=true)
[standalone@localhost:9999 subsystem=web] ./valve=myvalve:add-param(param-name=allow, param-value=127.0.0.1)
[standalone@localhost:9999 subsystem=web] /:reload()
NOTE: For traffic that does not pass through the web subsystem, such as EJB remoting, the remoting subsystem offers no IP filtering; a firewall (for example iptables) in front of the port is the only option.
NOTE: Rewrite conditions do not work on EAP 6.1.0.
EAP 4/5
To restrict connections globally for all applications, open $JBOSS_HOME/server/$PROFILE/deploy/$JBOSSWEB/server.xml and, as a child of the Host element:
<Host name="localhost" autoDeploy="false" deployOnStartup="false" deployXML="false" configClass="org.jboss.web.tomcat.security.config.JBossContextConfig">
add:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.0.1" />
The allow attribute is a comma-delimited list of regular expressions, each of which must match the whole client address, so:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192\.168\.0\..*,192\.168\.1\..*" />
would allow access from every address in 192.168.0.0/24 and 192.168.1.0/24. Further addresses and ranges can be appended to the list, comma separated. Because the entries are regular expressions, escape the dots as shown.
A deny attribute with the same syntax denies matching addresses; deny entries are evaluated before allow entries, and when only a deny list is given every other address is allowed. The RemoteHostValve can be used instead of RemoteAddrValve to match on the client's host name, like so:
<Valve className="org.apache.catalina.valves.RemoteHostValve" allow=".*\.mydomain\.com" />
would allow connections from all hosts whose name ends in .mydomain.com. A glob such as *.mydomain.com is not a valid regular expression (a leading * has nothing to repeat) and is rejected when the valve compiles it. Note also that the client host name is only available when DNS lookups are enabled on the connector (enableLookups="true"); otherwise the valve sees the bare IP address and no host pattern matches.
To restrict connections for a specific application, configure the valve in the application's WEB-INF/context.xml:
<Context>
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1" />
</Context>
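The following is an added example, not code from the page or from JBoss Web/Tomcat: a small model of the two decisions described above (the valve allow/deny lists in the EAP 4/5 and EAP 6 sections, and the EAP 6 rewrite condition), so the edge cases can be checked offline before a pattern goes into a production configuration. It assumes, as the page states, that a valve attribute is a comma-delimited list of regular expressions each of which must match the whole address (Java's Pattern.matcher().matches()), that deny entries are evaluated before allow entries, and that a rewrite condition is a regex search where a leading ! negates the match and flag NC makes it case-insensitive. All addresses in it are constructed sample input.

```python
import re

# Added example (not JBoss Web or Tomcat code): models the valve allow/deny
# decision and the rewrite <condition> decision described on this page.
# Assumptions: comma-delimited regex lists, whole-address match for valves,
# deny checked before allow, regex search with '!' negation for conditions.


def _compile_list(spec):
    """Split a valve allow/deny attribute into compiled patterns."""
    if not spec:
        return []
    return [re.compile(entry.strip()) for entry in spec.split(",") if entry.strip()]


def pattern_compiles(spec):
    """True if every entry of a valve attribute is a valid regular expression.
    A shell-style glob such as '*.mydomain.com' is not one (dangling '*')."""
    try:
        _compile_list(spec)
        return True
    except re.error:
        return False


def valve_allows(remote, allow=None, deny=None):
    """RemoteAddrValve / RemoteHostValve decision for one client address or host name.

    Order: a matching deny entry refuses the request; otherwise a matching
    allow entry admits it; otherwise the request is admitted only when a
    deny list exists and no allow list was given.
    """
    denies = _compile_list(deny)
    allows = _compile_list(allow)
    if any(p.fullmatch(remote) for p in denies):
        return False
    if any(p.fullmatch(remote) for p in allows):
        return True
    return bool(denies) and not allows


def rewrite_forbids(remote, cond_pattern=r"!^(127\.0\.0\.1)", nocase=True):
    """True when the page's rewrite rule would answer 403 (flag F): the
    <condition test="%{REMOTE_ADDR}" pattern=... flags="NC"/> holds, so the
    rule fires. The search is not anchored at the end unless the pattern is."""
    negate = cond_pattern.startswith("!")
    pattern = cond_pattern[1:] if negate else cond_pattern
    flags = re.IGNORECASE if nocase else 0
    matched = re.search(pattern, remote, flags) is not None
    # condition holds when matched and not negated, or not matched and negated
    return matched != negate


if __name__ == "__main__":
    # Valve with the page's two-range allow list (constructed sample addresses)
    ranges = r"192\.168\.0\..*,192\.168\.1\..*"
    print(valve_allows("192.168.1.7", allow=ranges))              # True
    print(valve_allows("192.168.2.7", allow=ranges))              # False
    # Whole-address match: an allow entry 192.168.0.1 does not admit 192.168.0.10
    print(valve_allows("192.168.0.10", allow=r"192\.168\.0\.1"))  # False
    # deny is checked first; a deny-only list admits everything else
    print(valve_allows("10.0.0.1", deny=r"10\..*"))               # False
    print(valve_allows("172.16.0.1", deny=r"10\..*"))             # True
    # The rewrite condition from the page is anchored only at the start
    print(rewrite_forbids("127.0.0.1"))                           # False (allowed)
    print(rewrite_forbids("10.0.0.5"))                            # True  (403)
    print(rewrite_forbids("127.0.0.10"))                          # False: prefix match lets it through
    print(rewrite_forbids("127.0.0.10", r"!^(127\.0\.0\.1)$"))    # True once anchored
    # Glob versus regular expression for RemoteHostValve
    print(pattern_compiles("*.mydomain.com"))                     # False
    print(pattern_compiles(r".*\.mydomain\.com"))                 # True
```

The model only decides on the string the container hands to the valve or condition; behind a proxy that string is the proxy's address, which no pattern on this page can distinguish from a direct client.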
Apache Tomcat
How can I restrict IP or host addresses for incoming connections in Apache Tomcat?
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.