How to Configure Tomcat 6 to Bind Only to Localhost (127.0.0.1) for Secure Apache Proxy Integration on Ubuntu


When running Tomcat behind an Apache HTTP Server with mod_proxy, exposing Tomcat's connector to external network interfaces creates unnecessary security risks. By binding Tomcat to 127.0.0.1, we ensure:

  • No direct external access to Tomcat management interfaces
  • Reduced attack surface by eliminating public exposure
  • Proper enforcement of access control through Apache

Edit the main connector configuration in /etc/tomcat6/server.xml:

<Connector port="8080" protocol="HTTP/1.1"
    address="127.0.0.1"
    connectionTimeout="20000"
    redirectPort="8443" />

After restarting Tomcat (sudo service tomcat6 restart), verify the binding:

netstat -tulpn | grep java
# Should show:
# tcp   0   0 127.0.0.1:8080   0.0.0.0:*   LISTEN   1234/java

For AJP connectors (when using mod_jk):

<Connector port="8009" protocol="AJP/1.3"
    address="127.0.0.1"
    redirectPort="8443" />

For HTTPS connectors (replace the placeholder keystore path and the default keystore password "changeit" with your own values):

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    address="127.0.0.1"
    scheme="https" secure="true"
    keystoreFile="/path/to/keystore"
    keystorePass="changeit" />

If you encounter connection problems after making these changes:

  1. Verify Apache's proxy configuration points to 127.0.0.1
  2. Check Ubuntu's firewall rules (sudo ufw status)
  3. Inspect Tomcat logs at /var/log/tomcat6/catalina.out

With a localhost binding, traffic between Apache and Tomcat traverses the Linux loopback interface, which provides:

  • Lower latency (no physical NIC or driver involved)
  • Higher throughput (packets never leave the kernel)
  • No network congestion affecting proxy communication

When running Tomcat behind an Apache HTTP Server as a reverse proxy, it's often necessary to restrict Tomcat to listening on localhost (127.0.0.1) for security reasons. This prevents direct external access to Tomcat while still allowing Apache to forward requests.

The key configuration is in Tomcat's server.xml file. For Tomcat 6 on Ubuntu, this is typically located at:

/etc/tomcat6/server.xml

Find the HTTP Connector section (usually around line 60-70) and modify it as follows:

<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           connectionTimeout="20000"
           redirectPort="8443" />

After making changes, restart Tomcat:

sudo service tomcat6 restart

Check if Tomcat is only listening on localhost:

netstat -tulpn | grep java

You should see output similar to:

tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      1234/java
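The two netstat checks in this article are manual; the following shell audit is an added example (not part of the original article) that reads netstat -tulpn output and fails if any of the given connector ports is bound to anything other than the loopback address. The netstat lines in it are a constructed sample; in real use pipe the live netstat output into the function.

```shell
#!/bin/sh
# Added example, not from the original article: audit netstat -tulpn output and
# fail if any Tomcat connector port is bound to something other than loopback.
# Real use: netstat -tulpn | check_loopback_only 8080 8009

# Constructed sample: the HTTP connector is bound correctly, but the AJP
# connector still listens on all interfaces (the misconfiguration this fixes).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      1234/java
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      1234/java
tcp6       0      0 :::22                   :::*                    LISTEN      987/sshd'

# check_loopback_only PORT...: reads netstat output on stdin, prints every
# listener on one of PORT... whose address is not 127.0.0.1 or ::1,
# and returns 0 when all given ports are loopback-only, 1 otherwise.
check_loopback_only() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            host = $4; sub(/:[0-9]+$/, "", host)     # everything before it
            if ((port in want) && host != "127.0.0.1" && host != "::1") {
                print "NOT loopback-only: " $4 " (" $7 ")"
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Run the audit on the constructed sample; it reports the AJP connector.
if printf '%s\n' "$SAMPLE_NETSTAT" | check_loopback_only 8080 8009; then
    echo "All connector ports are bound to loopback only"
else
    echo "Fix address=\"127.0.0.1\" on the flagged connector(s) in server.xml"
fi
```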

Consider these extra, defence-in-depth steps (the firewall rule is redundant once Tomcat is bound to 127.0.0.1, but it still protects you if a connector's address attribute is later removed):

# Configure iptables to drop connections to port 8080 from anywhere but loopback
sudo iptables -A INPUT -p tcp --dport 8080 ! -s 127.0.0.1 -j DROP

# Save the rules; note that the saved file is not reloaded automatically, so
# restore it at boot (for example with iptables-restore) to make the rule persistent
sudo iptables-save | sudo tee /etc/iptables.rules

If Apache can't connect to Tomcat after these changes:

  1. Verify Tomcat is running: sudo service tomcat6 status
  2. Check Apache's proxy configuration points to 127.0.0.1:8080
  3. Review Tomcat's logs: tail -f /var/log/tomcat6/catalina.out

If you need additional connectors for different purposes, you can configure them separately:

<Connector port="8080" address="127.0.0.1" ... />
<Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" ... />