How can I restrict IP addresses for incoming connections in JBoss EAP?

Solution Verified - Updated -

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)

Issue

  • Only a certain IP address or range of IP addresses should be allowed to connect to JBoss / Tomcat.
  • Is it possible to restrict the IP address in JBoss so that only IPs from specific virtual hosts are allowed access?
  • Is there any filtering mechanism in the remoting subsystem where only a certain range of IPs is allowed to make a remoting connection?
  • Is it possible to limit access to a webapp to localhost? We tried the valve mechanism, but that applies to all webapps. Can this be done on a per-webapp basis?
  • We are trying to restrict the admin console on the production box, including localhost, and would like to provide the admin console only through the IP of one or more remote machines. How is this possible?
  • How do I write a rewrite pattern/rule in JBoss EAP 7.x?

Resolution

EAP 7/Undertow

See this knowledge article for details.

EAP 6

To restrict connections for a specific application, configure the valve in your application's WEB-INF/jboss-web.xml, for example:

<jboss-web>
    <valve>
        <class-name>org.apache.catalina.valves.RemoteAddrValve</class-name>
        <param>
            <param-name>allow</param-name>
            <param-value>127.0.0.1,127.0.0.2</param-value>
        </param>
    </valve>
</jboss-web>

If you can't or don't want to modify your application but still want to limit connections allowed to that application, you can consider configuring a rewrite rule instead in your web subsystem's virtual-server(s):

        <virtual-server name="default-host" enable-welcome-root="true">
            <alias name="localhost"/>
            <alias name="example.com"/>
            <rewrite pattern="^/context.*$" substitution="-" flags="F">
                <condition test="%{REMOTE_ADDR}" pattern="!^(127\.0\.0\.1)" flags="NC" />
            </rewrite>
        </virtual-server>

That rewrite block allows /context and everything under /context to be accessed only by the client 127.0.0.1. Access from any other IP address is forbidden (the F flag returns 403 Forbidden).

To restrict connections globally for all applications, you can define the valve globally on EAP 6.1.0 or later. Define the valve in the web subsystem in your standalone or domain XML:

    <subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
        <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
        <virtual-server name="default-host" enable-welcome-root="true">
            <alias name="localhost"/>
            <alias name="example.com"/>
        </virtual-server>
        <valve name="myvalve" module="org.jboss.as.web" class-name="org.apache.catalina.valves.RemoteAddrValve">  <==add this line
            <param param-name="allow" param-value="127.0.0.1,127.0.0.2"/>  <==add this line
        </valve>  <==add this line
    </subsystem>

The equivalent CLI commands are:

    $ /opt/eap610/bin/jboss-cli.sh -c
    [standalone@localhost:9999 /] cd /subsystem=web
    [standalone@localhost:9999 subsystem=web] ./valve=myvalve:add(class-name=org.apache.catalina.valves.RemoteAddrValve,module=org.jboss.as.web, enabled=true)
    [standalone@localhost:9999 subsystem=web] ./valve=myvalve:add-param(param-name=allow, param-value=127.0.0.1)
    [standalone@localhost:9999 subsystem=web] /:reload()

NOTE: In some situations, such as EJB remoting, a firewall (e.g. iptables) is the only option for restricting the client IP addresses.
NOTE: Rewrite conditions do not work on EAP 6.1.0.

EAP 4/5

To restrict connections globally for all applications, open $JBOSS_HOME/server/$PROFILE/deploy/$JBOSSWEB/server.xml and, as a child of the Host element:

<Host name="localhost"
           autoDeploy="false" deployOnStartup="false" deployXML="false"
           configClass="org.jboss.web.tomcat.security.config.JBossContextConfig">

Add:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.0.1" />

The allow attribute is a comma-delimited series of regular expressions, so:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192\.168\.0\..*,192\.168\.1\..*" />

would allow access to all computers in those two ranges. The list can contain additional IP addresses and ranges as further comma-separated values. Note that each pattern must match the whole client address, so an unescaped "192.168.0.1" matches only that single address, not 192.168.0.10 or 192.168.0.100.

One can also specify a deny attribute, which takes the same comma-delimited list of patterns and rejects matching client addresses. The RemoteHostValve can be used instead of RemoteAddrValve to match on the client's host name rather than its IP address, like so:

<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="*.mydomain.com" />

would allow connections from all hosts whose name matches *.mydomain.com.

To restrict connections for a specific application, configure the valve in your application's WEB-INF/context.xml:

<Context>
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1" />
</Context>
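Because an allow/deny list that is written slightly wrong silently locks out (or lets in) the wrong clients, it is worth checking the patterns against a few representative client addresses before deploying. The following Python script is an added example and is not code from the article or from JBoss Web: it parses a jboss-web.xml of the shape shown above, then emulates the decision the RemoteAddrValve makes (assumption: deny patterns are tested first, then allow patterns, each as a full regex match, as in Tomcat's RequestFilterValve on which JBoss Web's valve is based). It also emulates the EAP 6 rewrite rule with the negated REMOTE_ADDR condition from the Undertow-less EAP 6 section (assumption: the condition regex is applied as a full match). The XML and client addresses are constructed sample data.

```python
"""Check RemoteAddrValve allow/deny patterns and the rewrite rule before deployment.

Added example, not JBoss Web's own code. Emulates the valve decision order
(assumption: deny first, then allow, each with a full regex match).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample jboss-web.xml in the same shape as the article's example.
# The "deny" param is an addition to show how deny takes precedence over allow.
JBOSS_WEB_XML = """<jboss-web>
    <valve>
        <class-name>org.apache.catalina.valves.RemoteAddrValve</class-name>
        <param>
            <param-name>allow</param-name>
            <param-value>127.0.0.1,192\\.168\\.0\\..*</param-value>
        </param>
        <param>
            <param-name>deny</param-name>
            <param-value>192\\.168\\.0\\.250</param-value>
        </param>
    </valve>
</jboss-web>"""


def parse_valve_params(xml_text):
    """Return {param-name: param-value} for the RemoteAddrValve in a jboss-web.xml."""
    root = ET.fromstring(xml_text)
    for valve in root.findall("valve"):
        cls = (valve.findtext("class-name") or "").strip()
        if cls.endswith("RemoteAddrValve"):
            return {
                (p.findtext("param-name") or "").strip(): (p.findtext("param-value") or "").strip()
                for p in valve.findall("param")
            }
    raise ValueError("no RemoteAddrValve found in jboss-web.xml")


def compile_list(value):
    """allow/deny are comma-delimited regular expressions; blank entries are ignored."""
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]


def is_allowed(remote_addr, allow="", deny=""):
    """Emulated RemoteAddrValve decision for one client address."""
    allows = compile_list(allow)
    denies = compile_list(deny)
    # A matching deny pattern always wins.
    if any(d.fullmatch(remote_addr) for d in denies):
        return False
    # Then a matching allow pattern lets the request through.
    if any(a.fullmatch(remote_addr) for a in allows):
        return True
    # Deny-only configuration: anything not denied is allowed.
    if denies and not allows:
        return True
    # Otherwise (allow list present, no match) the request is refused.
    return False


def check_config(xml_text, client_addrs):
    """Map each sample client address to the allow/deny outcome of the parsed config."""
    params = parse_valve_params(xml_text)
    return {addr: is_allowed(addr, params.get("allow", ""), params.get("deny", ""))
            for addr in client_addrs}


def rewrite_forbids(path, remote_addr, context="/context",
                    allowed_addr_pattern=r"^(127\.0\.0\.1)"):
    """Emulate the article's rewrite: pattern ^/context.*$ with flag F, guarded by
    <condition test="%{REMOTE_ADDR}" pattern="!^(127\\.0\\.0\\.1)" flags="NC"/>.
    Returns True when the request would get 403 Forbidden."""
    rule = re.compile(r"^" + re.escape(context) + r".*$")
    cond = re.compile(allowed_addr_pattern, re.IGNORECASE)  # NC = case-insensitive
    if not rule.fullmatch(path):
        return False  # rule does not apply to this path
    # The "!" prefix negates the condition: it holds when the address does NOT match.
    condition_holds = cond.fullmatch(remote_addr) is None
    return condition_holds  # F flag: forbidden when both rule and condition hold


if __name__ == "__main__":
    sample_clients = ["127.0.0.1", "127.0.0.10", "192.168.0.7", "192.168.0.250", "10.0.0.5"]
    for addr, ok in check_config(JBOSS_WEB_XML, sample_clients).items():
        print(f"{addr:>15}: {'allowed' if ok else 'denied'}")
    for path, addr in [("/context/app", "10.1.2.3"), ("/context", "127.0.0.1"), ("/other", "10.1.2.3")]:
        print(f"{path} from {addr}: {'403' if rewrite_forbids(path, addr) else 'pass'}")
```

Run it against your own jboss-web.xml (or the allow/deny values from the global valve) with the addresses of the hosts that should and should not reach the application; the unescaped "127.0.0.1" entry in the sample shows that a pattern without escaped dots still only matches a single address because the valve matches the whole string, while the `192\.168\.0\..*` entry covers the whole /24.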

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

2 Comments

Hi, on JBoss how can I restrict the access to a specific URL? Thanks.

You have an example in the article:

<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="*.mydomain.com" />