Bug #15896
closed
Tomcat configuration should only be bound to localhost
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1188603
Description of problem:
On a working Satellite 6 instance, the configuration of Tomcat is bound to 0.0.0.0 (all interfaces). It is my understanding that the only web application running in Tomcat is Candlepin, which isn't meant to be directly accessible by end users.
It is requested to update the configuration of tomcat to only bind itself to localhost (127.0.0.1). This would increase the security profile of the Satellite. Additionally, it would make it less likely for an end-user to directly interact with Candlepin, which is an unsupported use-case.
Version-Release number of selected component (if applicable):
candlepin-tomcat6-0.9.23.1-1.el6.noarch
tomcat6-6.0.24-80.el6.x86_64
How reproducible:
100%
Steps to Reproduce:
1. Install Satellite 6
2. run lsof to see the open ports
Actual results:
[root@satellite ~]# lsof -P -i TCP:8080 -i TCP:8443 -i TCP:8009
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 4840 tomcat 37u IPv4 31798 0t0 TCP *:8080 (LISTEN)
java 4840 tomcat 43u IPv4 31801 0t0 TCP *:8443 (LISTEN)
java 4840 tomcat 49u IPv4 31817 0t0 TCP *:8009 (LISTEN)
3.
Expected results:
Tomcat should be bound only on localhost
Additional info:
Updating each connector in /etc/tomcat6/server.xml with the 'address="127.0.0.1' parameter binds tomcat to localhost. See below:
<Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8443" address="127.0.0.1" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="want" SSLProtocol="TLS"
keystoreFile="conf/keystore"
truststoreFile="conf/keystore"
keystorePass="<REDACTED>"
keystoreType="PKCS12"
ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
truststorePass="<REDACTED>" />
<Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" redirectPort="8443" />
Updated by Stephen Benjamin over 7 years ago
- Subject changed from Tomcat configuration of Red Hat Satellite 6 is bound to all interfaces and should only be bound to localhost to Tomcat configuration should only be bound to localhost
Updated by Justin Sherrill over 7 years ago
- translation missing: en.field_release set to 114
- Difficulty set to medium
Updated by Justin Sherrill over 7 years ago
- Difficulty changed from medium to easy
Updated by The Foreman Bot over 6 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/Katello/puppet-candlepin/pull/88 added
Updated by Chris Roberts almost 6 years ago
- Status changed from Ready For Testing to New
- Assignee deleted (
Chris Roberts) - Difficulty changed from easy to medium
- Pull request deleted (
https://github.com/Katello/puppet-candlepin/pull/88)
Updated by Ewoud Kohl van Wijngaarden 8 months ago
- Status changed from New to Closed
- Triaged set to No
This is done in #28922.
Updated by Ewoud Kohl van Wijngaarden 8 months ago
- Related to Feature #28922: Switch Candlepin to listen on localhost and Katello to communicate via localhost added
Updated by Partha Aji 8 months ago
- Status changed from Closed to Resolved
- Target version deleted (
Katello Backlog) - Triaged changed from No to Yes