Bug #15896

Tomcat configuration should only be bound to localhost

Added by Stephen Benjamin almost 3 years ago. Updated 11 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Installer
Target version:
Difficulty: medium
Triaged: Yes
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1188603

Description of problem:
On a working Satellite 6 instance, the configuration of Tomcat is bound to 0.0.0.0 (all interfaces). It is my understanding that the only web application running in Tomcat is Candlepin, which isn't meant to be directly accessible by end users.

It is requested to update the configuration of tomcat to only bind itself to localhost (127.0.0.1). This would increase the security profile of the Satellite. Additionally, it would make it less likely for an end-user to directly interact with Candlepin, which is an unsupported use-case.

Version-Release number of selected component (if applicable):
candlepin-tomcat6-0.9.23.1-1.el6.noarch
tomcat6-6.0.24-80.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install Satellite 6
2. run lsof to see the open ports

Actual results:

[root@satellite ~]# lsof -P -i TCP:8080 -i TCP:8443 -i TCP:8009
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 4840 tomcat 37u IPv4 31798 0t0 TCP *:8080 (LISTEN)
java 4840 tomcat 43u IPv4 31801 0t0 TCP *:8443 (LISTEN)
java 4840 tomcat 49u IPv4 31817 0t0 TCP *:8009 (LISTEN)

Expected results:

Tomcat should be bound only on localhost

Additional info:

Updating each connector in /etc/tomcat6/server.xml with the address="127.0.0.1" parameter binds tomcat to localhost. See below:

<Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
-->
<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->

<Connector port="8443" address="127.0.0.1" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="want" SSLProtocol="TLS"
           keystoreFile="conf/keystore"
           truststoreFile="conf/keystore"
           keystorePass="<REDACTED>"
           keystoreType="PKCS12"
           ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
           truststorePass="<REDACTED>" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" redirectPort="8443" />
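As an added example (not part of this bug report, and not code from Satellite, Candlepin or the puppet-candlepin module), the script below audits the two things the report compares: the Connector elements in a server.xml, where a Connector with no loopback address attribute listens on all interfaces, and lsof output, where a wildcard listener shows up as *:port exactly as in the Actual results above. The sample server.xml and lsof lines are constructed for the example; the function names and the LOOPBACK set are my assumptions, not anything the Tomcat or Candlepin projects define.

```python
"""Audit Tomcat connector bindings, both as configured (server.xml) and as
observed at runtime (lsof output). Added example; not the project's own code."""
import re
import xml.etree.ElementTree as ET

# Addresses we accept as "bound to localhost" (assumption for this check).
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample server.xml: the 8080 connector is already fixed, the
# 8443 and 8009 connectors still have no address attribute (all interfaces).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <!-- a commented-out connector is ignored by the XML parser -->
    <!--
    <Connector port="8081" protocol="HTTP/1.1" />
    -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""


def exposed_connectors(server_xml: str):
    """Return (port, protocol, address) for every Connector whose bind address
    is missing or not a loopback address. Tomcat binds a Connector without an
    'address' attribute to all interfaces, which is what the report flags."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        address = conn.get("address")
        if address is None or address.strip() not in LOOPBACK:
            findings.append((conn.get("port"), conn.get("protocol"), address))
    return findings


# Constructed lsof lines in the same shape as the report's 'Actual results'.
SAMPLE_LSOF = """COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 4840 tomcat 37u IPv4 31798 0t0 TCP 127.0.0.1:8080 (LISTEN)
java 4840 tomcat 43u IPv4 31801 0t0 TCP *:8443 (LISTEN)
java 4840 tomcat 49u IPv4 31817 0t0 TCP *:8009 (LISTEN)
"""

# Matches the NAME column of 'lsof -P -i TCP:...' for listening sockets.
LISTEN_RE = re.compile(r"TCP\s+(?P<host>\S+):(?P<port>\d+)\s+\(LISTEN\)")


def wildcard_listeners(lsof_output: str):
    """Return the sorted set of ports that lsof shows listening on all
    interfaces. This confirms the running process, not just the file,
    matches the intended binding (a config edit only takes effect on restart)."""
    ports = set()
    for line in lsof_output.splitlines():
        m = LISTEN_RE.search(line)
        if m and m.group("host") in ("*", "0.0.0.0", "[::]"):
            ports.add(int(m.group("port")))
    return sorted(ports)


if __name__ == "__main__":
    for port, proto, addr in exposed_connectors(SAMPLE_SERVER_XML):
        print(f"server.xml: connector port={port} protocol={proto} "
              f"address={addr!r} is not loopback-only")
    for port in wildcard_listeners(SAMPLE_LSOF):
        print(f"lsof: port {port} is listening on all interfaces")
```

Against a real host, feed the file contents to exposed_connectors (for example from /etc/tomcat6/server.xml, the path the report names) and the output of the report's lsof command to wildcard_listeners; an empty result from both is the expected-results state the report asks for. One caveat when applying the fix: address="127.0.0.1" binds the IPv4 loopback only, so a local client that resolves localhost to ::1 would not reach the connector, which is why the check also accepts ::1 as a loopback binding.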

History

#1 Updated by Stephen Benjamin almost 3 years ago

  • Subject changed from Tomcat configuration of Red Hat Satellite 6 is bound to all interfaces and should only be bound to localhost to Tomcat configuration should only be bound to localhost

#2 Updated by Justin Sherrill almost 3 years ago

  • Legacy Backlogs Release (now unused) set to 114
  • Difficulty set to medium

#3 Updated by Justin Sherrill almost 3 years ago

  • Difficulty changed from medium to easy

#4 Updated by Chris Roberts over 1 year ago

  • Assignee set to Chris Roberts

#5 Updated by The Foreman Bot over 1 year ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/puppet-candlepin/pull/88 added

#6 Updated by Chris Roberts 12 months ago

  • Difficulty changed from easy to medium
  • Assignee deleted (Chris Roberts)
  • Status changed from Ready For Testing to New
  • Pull request deleted (https://github.com/Katello/puppet-candlepin/pull/88)
