How to secure Jetty to only allow access from loopback(localhost) - security

How can I secure jetty to only allow connections from localhost? This means a connection to server A on System A from Client B on System B has to fail. I know I can do this by configuring my firewall (so please no answers about this). I just want Jetty to only listen on localhost(loopback).

I found the answer to my question myself after a little bit more googling.
The answer is (Tested on jetty-distribution-7.0.1.v20091125):
Locate jetty.xml (etc/jetty.xml)
Search for <Call name="addConnector">
Set <Set name="Host"><SystemProperty name="jetty.host" default="127.0.0.1"/></Set> before line <Set name="port"><SystemProperty name="jetty.port"/></Set>
That's it. Restart jetty server (java -jar start.jar). The server should output something like:
2009-12-23 23:02:09.291:INFO::Started
SelectChannelConnector#127.0.0.1:8080
The important thing is that it should say 127.0.0.1 instead of 0.0.0.0; 0.0.0.0 means listen on all IPs on the machine.
P.S.: I wanted to secure Apache Solr (which is using Jetty), which can be achieved in the same way.
You can also bind to localhost programmatically (embedded Jetty) by:
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.nio.SelectChannelConnector;

Server server = new Server();
Connector connector = new SelectChannelConnector();
connector.setHost("localhost"); // bind to the loopback interface only
connector.setPort(80);
server.addConnector(connector);
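Whichever way the host is set (jetty.xml, -Djetty.host or the embedded API), the check that matters is the one the answer above points at: the bound address must be loopback, not 0.0.0.0. The following is an added example (not code from any of the answers) that extracts the address from a startup line in the "SelectChannelConnector#127.0.0.1:8080" form shown above and, independently, audits the listening-socket table that `ss -ltn` prints on Linux, flagging ports that should be loopback-only but are not. The sample table is constructed for illustration; audit_live_system() runs the real `ss` on the host.

```python
"""Confirm that a service is bound to loopback, not to the wildcard address.

Added example (not code from the answers above). After editing jetty.xml or
starting with -Djetty.host, two things are worth checking: the address in the
startup log line, and what the kernel actually reports for listening sockets.
Both samples below are constructed for illustration; audit_live_system() runs
the real `ss -ltn` on a Linux host.
"""
import ipaddress
import re
import subprocess
from typing import List, Optional, Tuple

# Constructed sample in the layout of `ss -ltn`: Jetty on 8080 bound to
# loopback, a wildcard-bound service on 8983 (Solr's default port), an IPv6
# wildcard on 22 and an IPv6 loopback on 5984.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       50      127.0.0.1:8080       0.0.0.0:*
LISTEN  0       50      0.0.0.0:8983         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     [::1]:5984           [::]:*
"""

# Matches the "SelectChannelConnector#127.0.0.1:8080" form shown in the answer.
JETTY_CONNECTOR_RE = re.compile(r"Connector#(?P<host>[^:\s]+):(?P<port>\d+)")


def classify(host: str) -> str:
    """'loopback' for 127.0.0.0/8 and ::1, 'wildcard' for 0.0.0.0, :: or *,
    otherwise 'specific' (bound to a single interface address)."""
    if host == "*":
        return "wildcard"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:
        return "wildcard"
    if addr.is_loopback:
        return "loopback"
    return "specific"


def split_host_port(local: str) -> Tuple[str, int]:
    """Split '127.0.0.1:8080' or '[::]:22' into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def jetty_bind_from_log(line: str) -> Optional[Tuple[str, int, str]]:
    """Extract (host, port, classification) from a Jetty startup log line."""
    m = JETTY_CONNECTOR_RE.search(line)
    if not m:
        return None
    host, port = m.group("host"), int(m.group("port"))
    return host, port, classify(host)


def audit_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (host, port, classification) for every LISTEN row."""
    rows = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = split_host_port(fields[3])
        rows.append((host, port, classify(host)))
    return rows


def exposed_ports(ss_output: str, expected_loopback: Tuple[int, ...]) -> List[int]:
    """Ports that should be loopback-only but are bound elsewhere."""
    bad = {port for host, port, kind in audit_listeners(ss_output)
           if port in expected_loopback and kind != "loopback"}
    return sorted(bad)


def audit_live_system(expected_loopback: Tuple[int, ...]) -> List[int]:
    """Run `ss -ltn` on this Linux host and audit the real listener table."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True,
                         check=True).stdout
    return exposed_ports(out, expected_loopback)


if __name__ == "__main__":
    print(jetty_bind_from_log("SelectChannelConnector#127.0.0.1:8080"))
    for host, port, kind in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{host}:{port}\t{kind}")
    print("not loopback-only:", exposed_ports(SAMPLE_SS_OUTPUT, (8080, 8983, 5984)))
```

On the constructed table, port 8983 is the only one reported as not loopback-only. Running audit_live_system((8080,)) after the restart is a quicker confirmation than reading the log, because it shows what the socket is actually bound to rather than what the application printed.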

For Jetty 9 embedded, this code works.
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;

Server server = new Server();
ServerConnector connector = new ServerConnector(server);
connector.setPort(80);
connector.setHost("localhost"); // loopback only; without setHost it listens on all interfaces
server.setConnectors(new Connector[]{connector});

I have not tried this, but the usual method is to bind the server to localhost (i.e. to IP 127.0.0.1). That means that the Jetty server will listen only to connections that have localhost as their destination address.
A quick googling revealed this http://old.nabble.com/How-to-make-Jetty-bind-to-specific-IP-address---to11667378.html#a11669524 :
add this entry to SelectChannelConnector for example:
<Set name="Host">127.0.0.1</Set>

You can set the jetty.host property when starting the virtual machine:
java -Djetty.host=127.0.0.1 -jar start.jar
Btw, the same goes for jetty.port.

I was able to do this using .htaccess but for some reason the localhost filtering does not work. If you want to allow traffic from a particular external IP and block all others try
http://technologyenablingbusiness.blogspot.com/2011/03/setting-security-in-solr-running-on.html
EDIT: Archived version of page at https://web.archive.org/web/20110429184536/http://technologyenablingbusiness.blogspot.com/2011/03/setting-security-in-solr-running-on.html

As of Jetty 7.1.5 (released in July 2010), you may initialize the Jetty server like this:
Server server = new Server(new InetSocketAddress("127.0.0.1", 8080));
Remember to import java.net.InetSocketAddress;.
Reference: org.eclipse.jetty.server.Server's constructor.

Related

Cannot connect from windows to redis linux server

I cannot connect to the redis server (Ubuntu Server 16.04 LTS 64-bit on a separate PC) from Windows 8.1 64-bit. Redis is well documented, however I found very little information on how to connect to a redis server from a separate machine.
I have installed the latest version of redis on Linux and locally everything works fine. I start the server via redis-server and also start redis-cli, and after that I am able to add information to the server and retrieve it. The situation is the same on Windows - everything works locally.
In order to connect from Windows to the Linux redis server I made these changes.
In Linux I set a static local IP via sudo nano /etc/network/interfaces
address 192.186.xxx.xxx
netmask 255.255.255.0
network 192.168.xxx.xxx
broadcast 192.168.xxx.xxx
gateway 192.168.xxx.xxx
dns-nameservers 8.8.8.8
In the redis.conf file I bind my Windows PC's IP, which is given by my internet service provider. I also opened TCP port 6379 in my router GUI. In Windows I modify the redis.windows-service.conf and redis.windows.conf files. In both of them I bind my IP address given by my internet service provider. After this I cannot start redis-cli properly (an empty black cmd window is visible).
What am I doing wrong? I would be very grateful for any help.
You should modify the redis conf; my redis conf is located at /etc/redis/6379.conf.
And you should comment out the line "bind 127.0.0.1", or change it to bind 0.0.0.0.
The bind directive specifies which network interface the redis server should listen on. The default is localhost.
And also change protected-mode to no:
Protected mode is a layer of security protection, in order to avoid that
Redis instances left open on the internet are accessed and exploited.
When protected mode is on and if:
1) The server is not binding explicitly to a set of addresses using the
"bind" directive.
2) No password is configured.
The server only accepts connections from clients connecting from the
IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
sockets.
By default protected mode is enabled. You should disable it only if
you are sure you want clients from other hosts to connect to Redis
even if no authentication is configured, nor a specific set of interfaces
are explicitly listed using the "bind" directive.
protected-mode yes
If you don't disable protected-mode, your redis server will not listen on the public IP interface; see the quoted text above for more detail.
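The protected-mode text quoted in this answer states the rule precisely: clients are limited to loopback only when there is no "bind" directive AND no password. That means an explicit bind 0.0.0.0 on its own already takes protected mode out of play, and combining it with protected-mode no and no requirepass leaves the instance reachable by anyone who can reach the port, with full access. As an added example (not part of this or any other answer on the page), the function below applies exactly that quoted rule to a redis.conf's text and reports the effective exposure. The sample configurations are constructed; the requirepass value is a placeholder; and stripping a leading "-" from bind entries (the optional-address marker of newer Redis releases) is an assumption that does not affect the older configs discussed here.

```python
"""Evaluate what a redis.conf exposes, using the protected-mode rule above.

Added example, not part of any answer on this page. The quoted redis.conf text
says protected mode restricts clients to loopback only when there is no "bind"
directive AND no password; an explicit bind (even 0.0.0.0) or a requirepass
takes it out of the picture. assess_exposure() applies exactly that rule.
The sample configurations are constructed for illustration.
"""
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Effective directives, last occurrence wins. Comments and blank lines are
    skipped, so a commented-out 'bind' counts as absent."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        conf[name.lower()] = rest.split()
    return conf


def assess_exposure(text: str) -> dict:
    """Return {'remote_clients': bool, 'auth_required': bool, 'reason': str}."""
    conf = parse_redis_conf(text)
    # Assumption: newer Redis allows a '-' prefix meaning "optional address".
    binds = [b.lstrip("-") for b in conf.get("bind", [])]
    protected = conf.get("protected-mode", ["yes"])[0].lower() == "yes"
    auth = bool(conf.get("requirepass"))

    if binds and all(b in LOOPBACK for b in binds):
        return {"remote_clients": False, "auth_required": auth,
                "reason": "bind lists loopback addresses only"}
    # The quoted rule: no explicit bind AND no password => loopback only.
    if not binds and not auth and protected:
        return {"remote_clients": False, "auth_required": False,
                "reason": "protected-mode restricts clients to loopback"}
    reason = ("explicit bind to a non-loopback address"
              if binds else "no bind directive: all interfaces")
    if not auth:
        reason += ", and no requirepass: anyone who can reach the port has full access"
    return {"remote_clients": True, "auth_required": auth, "reason": reason}


# Constructed sample configurations.
STOCK_DEFAULT = "bind 127.0.0.1\nprotected-mode yes\nport 6379\n"
ANSWER_ABOVE = "# bind 127.0.0.1\nprotected-mode no\nport 6379\n"
WILDCARD_STILL_PROTECTED = "bind 0.0.0.0\nprotected-mode yes\n"
NO_BIND_PROTECTED = "protected-mode yes\nport 6379\n"
LAN_WITH_PASSWORD = ("bind 192.168.1.5\nprotected-mode yes\n"
                     "requirepass CHANGE-ME-placeholder\n")

if __name__ == "__main__":
    for name, cfg in [("stock default", STOCK_DEFAULT),
                      ("answer above", ANSWER_ABOVE),
                      ("bind 0.0.0.0 + protected", WILDCARD_STILL_PROTECTED),
                      ("no bind + protected", NO_BIND_PROTECTED),
                      ("LAN + password", LAN_WITH_PASSWORD)]:
        print(f"{name:28s} {assess_exposure(cfg)}")
```

The configuration this answer arrives at (bind commented out, protected-mode no, no requirepass) comes back as remote_clients=True with no authentication; binding to the specific LAN address the client will connect from and setting requirepass keeps the connection working while limiting who can use it.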
If you can access the remote server from your machine, your problem is most probably with the redis security config; read the Securing Redis section in this document.
I found that most of the time people don't change the "bind" directive value in the redis config. You can test that by setting bind 0.0.0.0 and restarting the redis server; if that's the issue, you can then allow whatever subnets you need to access the server.
I have also experienced the same issue trying to connect to Redis (MSOpenTech 3.0.5 and 3.2.1). By default, if no binding is stated, then redis (according to the comments in the conf file) will listen on all available interfaces. That said, v3.2.1 does have 'bind 127.0.0.1' already set... In 3.0.5, setting the binding to 'bind 127.0.0.1' still allows the redis-cli to be used. Binding to 192.168.1.2 renders the redis-cli unusable with both versions - there is no IP and port prompt, simply a caret, and the cli does not accept keyboard input. Binding to an external IP, the MSOpenTech fork service will not restart and throws an error (nice). Clearing all bindings and reverting back to the original state, the redis-cli becomes usable again. Also, on the MSOpenTech fork there is no 'ProtectedMode' setting in either config file. Not sure whether this can actually be set.
I have raised this as an issue on the MSOpenTech fork via GitHub but am expecting silence to be the only reply...
I'm not sure this helps you in any way other than knowing that you are not alone. I am trying to pub from PHP to AS3 subscribers - it works great in the Flash IDE, but from the localhost browser, redis appears to go decidedly deaf.

Accessing Web application in tomcat without port numbers

I am trying to have multiple Tomcat instances on a Linux server, and each instance would have a web application ROOT deployed in it.
While accessing the application, the URL is formed in the format : whereas I don't want the end users to remember the IP address or the port of the application.
Since more than one instance would be used on the Linux server, defaulting to port 80 (http) and 443 (https) wouldn't help.
The idea is to expose a DNS name for the application, and it looks like Apache HTTP Server would help me solve the case. Is the approach right?
I assume the Apache server should be one per Linux server vs one per Tomcat instance. Could this be confirmed?
The Apache Tomcat version is 8.5.4 and the plan is to go with Apache HTTP Server version 2.4.
Setting up Apache HTTPD (or any other) as a front server is a good approach.
You won't be able to use more than one Apache HTTPD per server, since you don't want to use :port notation in the URLs; at least it will not be possible to use the standard HTTP/HTTPS ports in more than one HTTPD at once on the same server.
If you plan to use both http and https, you should create at least one virtual host for each of them. There is a limitation on name-based virtual hosts when using the SSL port 443, so if you want to have more than one HTTPS host enabled you will need IP-based virtual hosting.
This is the Apache HTTPD 2.4 virtual host documentation.
Then, you could forward requests to each Tomcat using mod_proxy or the Tomcat connector. I personally choose one or the other depending on the current requirements, especially whether there is a straight correspondence between contexts in Tomcat and Apache HTTPD (in this case I use AJP) or there's a need to rewrite it (mod_rewrite):
httpd://apache.httpd/context1 -> tomcat:XXXX/context1 (ajp tomcat connector)
httpd://apache.httpd/ -> tomcat:XXXX/context2 (mod_rewrite)
httpd://apache.httpd/context3 -> tomcat:XXXX/context4 (mod_rewrite)

I can't connect to CouchDB UI in other computer

After I loaded the couch database and confirmed connecting to localhost on port 5984, I wanted to access this web console from another computer. But it doesn't work. I changed various other ports and checked the firewall, but those didn't have any problems. Has anybody had the same experience?
Thanks in advance.
Another question:
After changing the web port in local.ini and killing the previously loaded application, why is the previous one still alive? Is there any command to unload/stop the application? I can't find the command in the bin directory.
Change the parameter bind_address in the config from 127.0.0.1 (accessible from localhost only) to 0.0.0.0.

Solr with Jetty on LAMP server - Admin page access issue

I have Solr with the default Jetty that came with the example directory installed on a Linux server which has apache2 as its web server.
Now, within the same private LAN, when I open a browser and type in http://<ip-address>:8983/solr it works ONLY when I do port forwarding, otherwise it doesn't work. I am not sure what the problem could be. Please note this installation has been done on a remote server in a hosting environment for production deployment, and I am a beginner with regard to deployment.
You can use the jetty.host parameter during startup to allow direct access to Jetty.
The -D option of the java command can be used with the following syntax:
java -Djetty.host=0.0.0.0 -jar start.jar
In this way Jetty can be reached from all hosts.
However, this is not the ideal setup IMHO. I prefer to set up Jetty to listen only on localhost, implementing the client with another frontend server which listens on port 80. If you want to implement the frontend on another server you can use iptables to limit the incoming connections, dropping everything on port 8983 if the IP is different from that of your frontend server.
This image depicts my preferred setup for a LAMP stack including SOLR:

Hosting node.js for a specific domain only on a VPS

I have a VPS where I have hosted a few sites. All based on LAMP stack, so it was no big deal. They provide WHM/cpanel for managing different sites. I decided to try node.js, bought a separate domain for it, and I need some clue how to point that domain to the node.js application.
So here are the questions:
1) What is the best way to host a node.js application on a specific domain without hampering the other sites? How will I configure the domain? Yes, I'd like to use the default http port (80) for node.
2) As Apache is already listening on port 80, is it a good idea to use Apache mod_proxy for the purpose? I mean, if I want to use websockets, will Apache still use separate threads for maintaining the connection to node?
PS. I have already seen this question, but the answers don't seem to be convincing.
Edit:
I forgot to mention, I have an unused dedicated IP for that VPS which I can use for node.js.
Follow these steps
Go to "WHM >> Service Configuration >> Apache Configuration >> Reserved IPs Editor" and then reserve the IP that you want to use for node.js. This will release the IP from Apache.
Create a new DNS entry with an A record like: example.com A YOUR_IP_ADDRESS
Tell the node.js server to listen to your IP using server.listen(80, "YOUR_IP_ADDRESS");
If Apache is already listening to port 80, then the only thing you can do is proxy to your node instance. And yes, apache will create a new thread for each connection.
As others have mentioned, there's not a whole lot you can do here. Apache is currently driving your server and node.js won't like riding shotgun.
I'd recommend checking out things like nodester, no.de, heroku, and so on.
