http://issues.apache.org/bugzilla/show_bug.cgi?id=31594

Change server.xml default Connector address to localhost + AJP docs tweak

Summary: Change server.xml default Connector address to localhost + AJP docs tweak
Product: Tomcat 5
Version: 5.0.29
Platform: All
OS/Version: All
Status: NEW
Severity: Enhancement
Priority: Other
Component: Connector:Coyote
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

My company (an application security services firm) was recently asked by a very large institution to review Tomcat's code base and deployment defaults, in preparation for broader use by the client. One of our recommendations was to change the address of AJP connectors from * to 127.0.0.1.

This got me thinking... I'd like to suggest that ALL of Tomcat's Connectors be set to listen on loopback by default. This would be perfect for development and testing purposes on a single machine, but if customers wanted to use it in production, all that would be needed is a one-line change.

I have submitted patches for server.xml, server-minimal.xml, and to the docs (http.xml and ajp.xml) explaining the defaults. I have also, for good measure, added a note about minProcessors/maxProcessors in the AJP docs because they were missing and really ought to be there.

In my view default configurations are a safety issue; default-deny seems prudent. If folks feel this is too aggressive for the HTTP Connector, could we at least consider locking down AJP? In 90% of the cases I see, customers put Apache and Tomcat on the same box.
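The one-line change the report asks for, shown as an added illustration rather than the reporter's actual patch or the project's shipped server.xml. The connector attributes other than `address` are assumed to follow a stock Tomcat 5.0 server.xml and may differ in a given release; only the `address` attribute is the point.

```xml
<!-- Added example, not the reporter's patch or Tomcat's shipped server.xml.
     Attributes other than address are assumed to match a stock Tomcat 5.0
     configuration and may differ between releases. -->

<!-- Before: no address attribute, so both Coyote connectors bind to every
     interface on the host (the "*" default the report objects to). -->
<Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           debug="0" connectionTimeout="20000" disableUploadTimeout="true" />
<Connector port="8009" enableLookups="false" redirectPort="8443" debug="0"
           protocol="AJP/1.3" />

<!-- After: address="127.0.0.1" restricts each listener to loopback. An Apache
     httpd on the same box still reaches AJP over 127.0.0.1:8009; hosts on
     the network get nothing. To expose a connector in production, set
     address to the external interface address or remove the attribute. -->
<Connector port="8080" address="127.0.0.1"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           debug="0" connectionTimeout="20000" disableUploadTimeout="true" />
<Connector port="8009" address="127.0.0.1"
           enableLookups="false" redirectPort="8443" debug="0"
           protocol="AJP/1.3" />
```

After restarting Tomcat, confirm the binding took effect by listing listening sockets (for example with `netstat -an`): ports 8080 and 8009 should appear bound to 127.0.0.1, not to 0.0.0.0 or `*`. If Apache httpd runs on a different host, the AJP connector must keep a routable address, and the network-level restriction then belongs in a firewall rule rather than in server.xml.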