On Wed, 2020-03-04 at 10:24 +0100, Jürgen Göres wrote:
> 
> If it is, what is the recommended mitigation? We consider using the
> "secret" feature (the filtering by request attributes is infeasible
> for us), but that would be a bit of effort and we are in a hurry.
> 

We're in the same position as you.  External web servers talking to
Tomcat servers on other boxes via AJP.

We've looked at a few options, none of which seemed great:

* The current stable version of Apache doesn't support the 'secret'
attribute for AJP connectors in mod_proxy.

* Valves can be used to secure Tomcat from listening to certain IPs,
hostnames or subnets/VLANs.  But....

* The RemoteCIDRValve affects every protocol/port. 
* The RemoteHostValve and RemoteAddrValve only allow a single allow or
deny rule, which needs a regexp to match every required combination of
port and address/names for the whole of the desired context.

In our case, we'd want to permit a different set of hosts on AJP to
those who can read the manager app, for instance.  As this is being
managed by puppet at our end, we decided the required regexp would be
too complex and breakable and are probably going to isolate the AJP
traffic using a firewall rule via iptables instead of relying on any
intrinsic Tomcat feature.

Dave
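The firewall approach Dave describes, as an added example that is not part of this thread or of Tomcat: a POSIX shell script that generates iptables rules restricting the AJP port to an allow-list of front-end web servers. It assumes AJP listens on TCP 8009 (Tomcat's default) and that the allow-list is IPv4 addresses or CIDR ranges; the hosts used in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables rules that allow only the
# listed front-end web servers to reach the AJP connector and log+drop the rest.
# Assumption: AJP on TCP 8009 (Tomcat default); IPv4 sources only.
AJP_PORT=8009

# Accept a dotted-quad address with an optional /prefix and reject anything
# else, so a typo in the allow-list cannot turn into a malformed or too-broad rule.
valid_cidr() {
  case "$1" in
    *[!0-9./]*|''|*/*/*) return 1 ;;
  esac
  addr=${1%%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32        # no "/" given: single host
  [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.
  set -- $addr                              # split into octets (local to this function)
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] 2>/dev/null || return 1
  done
  return 0
}

# Print one ACCEPT per allowed source, then LOG and DROP everything else that
# reaches the AJP port; the LOG line gives a detection signal for unexpected
# hosts connecting to AJP. Returns 1 without printing partial output if any
# source fails validation.
ajp_rules() {
  for src in "$@"; do
    valid_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
  done
  for src in "$@"; do
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$AJP_PORT" "$src"
  done
  printf 'iptables -A INPUT -p tcp --dport %s -j LOG --log-prefix "AJP-DENY: "\n' "$AJP_PORT"
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$AJP_PORT"
}

# Usage (constructed hosts; run the output as root): ajp_rules 10.0.1.10 10.0.1.0/24 | sh
```

Review the printed rules before piping them to sh, and keep the ACCEPT rules ahead of any existing catch-all DROP in the INPUT chain.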
