Bug #15896 (closed)
Tomcat configuration should only be bound to localhost
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1188603
Description of problem:
On a working Satellite 6 instance, the configuration of Tomcat is bound to 0.0.0.0 (all interfaces). It is my understanding that the only web application running in Tomcat is Candlepin, which isn't meant to be directly accessible by end users.
It is requested to update the configuration of tomcat to only bind itself to localhost (127.0.0.1). This would increase the security profile of the Satellite. Additionally, it would make it less likely for an end-user to directly interact with Candlepin, which is an unsupported use-case.
Version-Release number of selected component (if applicable):
candlepin-tomcat6-0.9.23.1-1.el6.noarch
tomcat6-6.0.24-80.el6.x86_64
How reproducible:
100%
Steps to Reproduce:
1. Install Satellite 6
2. run lsof to see the open ports
Actual results:
[root@satellite ~]# lsof -P -i TCP:8080 -i TCP:8443 -i TCP:8009
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 4840 tomcat 37u IPv4 31798 0t0 TCP *:8080 (LISTEN)
java 4840 tomcat 43u IPv4 31801 0t0 TCP *:8443 (LISTEN)
java 4840 tomcat 49u IPv4 31817 0t0 TCP *:8009 (LISTEN)
Expected results:
Tomcat should be bound only on localhost
Additional info:
Updating each connector in /etc/tomcat6/server.xml with the 'address="127.0.0.1"' parameter binds tomcat to localhost. See below:
<Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8443" address="127.0.0.1" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="want" SSLProtocol="TLS"
keystoreFile="conf/keystore"
truststoreFile="conf/keystore"
keystorePass="<REDACTED>"
keystoreType="PKCS12"
ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
truststorePass="<REDACTED>" />
<Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" redirectPort="8443" />
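A check that verifies the fix from both sides, as an added example that is not part of this bug report: it flags Connector elements in a server.xml that lack a loopback address attribute (Tomcat binds to all interfaces when address is absent), and flags wildcard listeners in `lsof -P -i` output. Both sample inputs below are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: 8080 has no address (all interfaces),
# 8443 is correctly bound to loopback, 8009 is explicitly on 0.0.0.0.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8443" address="127.0.0.1" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" />
<Connector port="8009" address="0.0.0.0" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def exposed_connectors(server_xml: str):
    """Return (port, address) for every Connector not bound to a loopback address.

    A missing 'address' attribute is treated as exposed, because Tomcat then
    listens on all interfaces, which is exactly the state the bug describes.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        addr = conn.get("address")
        # Strip IPv6 brackets so "[::1]" is recognised as loopback.
        if addr is None or addr.strip("[]") not in LOOPBACK:
            findings.append((conn.get("port"), addr))
    return findings


# Constructed lsof output in the same shape as the report's "Actual results".
SAMPLE_LSOF = """COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 4840 tomcat 37u IPv4 31798 0t0 TCP *:8080 (LISTEN)
java 4840 tomcat 43u IPv4 31801 0t0 TCP 127.0.0.1:8443 (LISTEN)
java 4840 tomcat 49u IPv4 31817 0t0 TCP *:8009 (LISTEN)"""

LISTEN_RE = re.compile(r"TCP (\S+):(\d+) \(LISTEN\)")


def wildcard_listeners(lsof_output: str):
    """Return the ports from lsof output whose listening address is the wildcard."""
    ports = []
    for line in lsof_output.splitlines():
        m = LISTEN_RE.search(line)
        if m and m.group(1) in ("*", "0.0.0.0", "[::]"):
            ports.append(int(m.group(2)))
    return ports
```

Run exposed_connectors on the real /etc/tomcat6/server.xml and wildcard_listeners on live lsof output; an empty list from both means every connector is confined to localhost.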