> -----Original Message-----
> From: Mark Murphy [mailto:jmarkmur...@gmail.com]
> Sent: Wednesday, April 16, 2014 12:42 PM
> To: Tomcat Users List
> Subject: Configuration question
>
> How do I prevent Tomcat 6 from responding to a request to an IP
> address, that is I only want my Tomcat server to respond to requests to
> www.mydomain.com vs. 10.1.1.1.
>
> Is this possible?

To address the question asked: The easiest way may be to create a dummy <Host> entry with an <Alias> entry for the IP address. Do not allocate any contexts to the host, or perhaps one that points to an empty directory. Haven't tested it, just a thought. However, read the rest of the answer.

> The problem is that our web security scanner is reporting "Web Server
> Uses Basic Authentication Without HTTPS", and the infrastructure guys
> think it is because Tomcat allows connection to the IP address.
>
> Does this make sense?

No, this does not make sense. If the IP isn't returning HTTPS, then your DNS name probably isn't either. Tomcat doesn't care about the supplied name, except to match it to the <Host> entry in server.xml.

You didn't post your config, but I'm assuming that the default host is set to www.mydomain.com, and the IP address isn't aliased. If it is not that way, you should either correctly set your default host, or add an <Alias> entry for the IP address to your <Host> config.

You'd definitely get this response if your default host was still set at the default of "localhost", instead of your <Host> entry's name value, there was no <Alias> entry for the IP, and the security tester was testing against IP as well as name (though one would expect the report to indicate this).
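
An added example, not part of the original message or of Tomcat itself: a simplified Python model of how Tomcat 6 picks a <Host> for a request (exact, case-insensitive match on the host name or an <Alias>, otherwise the Engine's defaultHost), run against a constructed server.xml that uses the dummy-host idea from the reply. The host name `ip-sink`, the `empty-apps` directory and the function names are assumptions made for illustration; IPv6 literals in the Host header are not handled.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not from the thread). The real site is the
# default host; the IP address is aliased onto a dummy host whose appBase is
# assumed to be an empty directory, so it serves no contexts.
SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="www.mydomain.com">
      <Host name="www.mydomain.com" appBase="webapps"/>
      <Host name="ip-sink" appBase="empty-apps">
        <Alias>10.1.1.1</Alias>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def load_engine(xml_text):
    """Return (defaultHost, {lowercased name or alias: Host name})."""
    engine = ET.fromstring(xml_text).find("./Service/Engine")
    table = {}
    for host in engine.findall("Host"):
        name = host.get("name")
        table[name.lower()] = name
        for alias in host.findall("Alias"):
            table[alias.text.strip().lower()] = name
    default = engine.get("defaultHost")
    if default.lower() not in table:
        # A defaultHost that names no <Host> is a configuration error.
        raise ValueError(f"defaultHost {default!r} matches no <Host>")
    return default, table


def resolve(xml_text, host_header):
    """Name of the <Host> that would serve a request with this Host header."""
    default, table = load_engine(xml_text)
    server_name = host_header.split(":", 1)[0].strip().lower()  # drop :port
    # Anything that matches no name or alias falls through to defaultHost.
    return table.get(server_name, default)


if __name__ == "__main__":
    for header in ("www.mydomain.com", "10.1.1.1:8080", "unknown.example"):
        print(f"{header:20} -> {resolve(SERVER_XML, header)}")
```

Removing the <Alias> line from the fragment makes `10.1.1.1` resolve to the default host again, which is the case the reply describes where a scanner testing by IP sees the same application as by name.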