Here is the configuration. As you can see, the default host is set and the IP is not aliased.

in server.xml
...
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />
...
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="443" scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="xxxxxxx.keystore" keystorePass="xxxxxxx"
           keyAlias="xxxxxxx"
           clientAuth="false" sslProtocol="TLS" />
...
<Engine name="Catalina" defaultHost="www.torquewrenchrecalibration.com">
...
  <Host name="www.torquewrenchrecalibration.com" appBase="webapps"
        unpackWARs="true" autoDeploy="false"
        xmlValidation="false" xmlNamespaceAware="false">
    <Alias>www.torque-wrench-recalibration.com</Alias>
    <Alias>www.myerstorquetracker.com</Alias>
  </Host>
...

in web.xml
...
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire App</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
...

On Thu, Apr 17, 2014 at 9:42 AM, Jeffrey Janner <jeffrey.jan...@polydyne.com> wrote:

> > -----Original Message-----
> > From: Mark Murphy [mailto:jmarkmur...@gmail.com]
> > Sent: Wednesday, April 16, 2014 12:42 PM
> > To: Tomcat Users List
> > Subject: Configuration question
> >
> > How do I prevent Tomcat 6 from responding to a request to an IP
> > address, that is I only want my Tomcat server to respond to requests to
> > www.mydomain.com vs. 10.1.1.1.
> >
> > Is this possible?
> >
> To address the question asked:
> The easiest way may be to create a dummy <Host> entry with an <Alias>
> entry for the IP Address. Do not allocate any contexts to the host, or
> perhaps one that points to an empty directory. Haven't tested it, just a
> thought.
> However read rest of answer.
>
> > The problem is that our web security scanner is reporting "Web Server
> > Uses Basic Authentication Without HTTPS", and the infrastructure guys
> > think it is because Tomcat allows connection to the IP address.
> >
> > Does this make sense?
> No this does not make sense. If the IP isn't returning HTTPS, then your
> DNS name probably isn't either. Tomcat doesn't care about the supplied
> name, except to match it to the <Host> entry in server.xml. You didn't
> post your config, but I'm assuming that the default host is set to
> www.mydomain.com, and the IP address isn't aliased. If it is not that
> way, you should either correctly set your default host, or add an <Alias>
> entry for the IP address to your <Host> config.
>
> You'd definitely get this response if your default host was still set at
> the default of "localhost", instead of your <Host> entry's name value,
> there was no <Alias> entry for the IP, and the security tester was testing
> against IP as well as name (though one would expect the report to indicate
> this).
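
Added example, not part of the original thread and not Tomcat's own code: a simplified Python model of the host-matching rule discussed above (match the request's Host header against each <Host> name and <Alias>, otherwise fall back to the Engine's defaultHost), run against the posted Engine section and against a constructed variant containing the dummy <Host> suggested in the quoted reply. The host name "ip-catchall" and appBase "empty" are hypothetical; IPv6 literals and Connector settings are not modelled.

```python
import xml.etree.ElementTree as ET

# Engine section from the post, with the "..." elisions dropped so it parses.
POSTED = """
<Engine name="Catalina" defaultHost="www.torquewrenchrecalibration.com">
  <Host name="www.torquewrenchrecalibration.com" appBase="webapps">
    <Alias>www.torque-wrench-recalibration.com</Alias>
    <Alias>www.myerstorquetracker.com</Alias>
  </Host>
</Engine>
"""

# Constructed variant: dummy <Host> aliased to the IP, as the reply suggests.
# "ip-catchall" and appBase "empty" are hypothetical names.
WITH_DUMMY = POSTED.replace("</Engine>", """
  <Host name="ip-catchall" appBase="empty">
    <Alias>10.1.1.1</Alias>
  </Host>
</Engine>""")


def resolve_host(engine_xml, host_header):
    """Return (host name, appBase, matched_by) for the <Host> serving the request."""
    engine = ET.fromstring(engine_xml)
    wanted = host_header.split(":")[0].strip().lower()  # drop optional :port
    table = {}
    for host in engine.findall("Host"):
        names = [host.get("name")]
        names += [a.text.strip() for a in host.findall("Alias") if a.text]
        for name in names:
            table[name.lower()] = host  # matching is case-insensitive
    if wanted in table:
        host = table[wanted]
        matched_by = "name" if host.get("name").lower() == wanted else "alias"
    else:
        # No name or alias matched: the request goes to the default host.
        host = table.get((engine.get("defaultHost") or "").lower())
        matched_by = "defaultHost"
    if host is None:
        return (None, None, "unmatched")  # defaultHost names no configured <Host>
    return (host.get("name"), host.get("appBase"), matched_by)


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("with dummy host", WITH_DUMMY)):
        for header in ("www.myerstorquetracker.com:443", "10.1.1.1"):
            print(label, header, "->", resolve_host(cfg, header))
```

With the posted configuration a request addressed to 10.1.1.1 lands on the default host and is served from webapps; with the dummy host it lands on the empty one.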