Restrict access to Tomcat URL to select IP addresses
One of our customer applications has been plagued by a massive number of requests from external IP addresses that really shouldn't be using the URLs. The connections depleted the connection pool in the Tomcat instance behind Apache, so no connections were available to legitimate users. Since the URL cannot be password protected, we needed another way to restrict access.
The solution is quite simple and only involved a couple of lines in the VirtualHost section of httpd.conf. The RewriteRules below restrict access to the /search URL to the XX.YYY.ZZ.WW1, XX.YYY.ZZ.WW2 and XX.YYY.ZZ.WW3 addresses. All other URLs are available as normal. If you try to access the URL from any IP address other than the ones specified, you'll get a 403 Forbidden HTTP response code back.
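RewriteEngine on
# RewriteLog and RewriteLogLevel are Apache 2.2 directives; level 0 turns rewrite logging off
RewriteLog /usr/local/apache2/logs/rewrite.log
RewriteLogLevel 0
# allow access to search only from select addresses
# (the patterns are regular expressions: escape the dots and anchor with ^ and $
# so that only the exact address matches)
RewriteCond %{REMOTE_ADDR} ^XX\.YYY\.ZZ\.WW1$ [OR]
RewriteCond %{REMOTE_ADDR} ^XX\.YYY\.ZZ\.WW2$ [OR]
RewriteCond %{REMOTE_ADDR} ^XX\.YYY\.ZZ\.WW3$
# PT hands the unchanged URL on to the next handler, L stops rule processing here
RewriteRule ^(/search.*) $1 [PT,L]
# deny access to search from all other addresses
RewriteRule ^/search.* - [F]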
The really beautiful thing is that Tomcat is totally oblivious to the change: not a single line of code needed to be changed, hence no need for software tests.
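A RewriteCond pattern is a regular expression searched for inside REMOTE_ADDR, so how the address is written decides who gets through. The following is an added example, not part of the original post: it mimics the two RewriteRules in Python (whose re module stands in for Apache's PCRE) and compares a bare address pattern with an anchored, dot-escaped one. The addresses are constructed documentation addresses and the function names are hypothetical.

```python
import re

# Constructed allowlist (RFC 5737 documentation addresses) standing in for
# the post's XX.YYY.ZZ.WW1..3 placeholders.
ALLOWED = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]

# Constructed client addresses to evaluate.
SAMPLES = ["192.0.2.1", "192.0.2.15", "192.0.211.7", "198.51.100.7"]


def unanchored(ip):
    """Bare address as the pattern: '.' matches any character, no ^ or $."""
    return ip


def anchored(ip):
    """Dots escaped and the whole of REMOTE_ADDR must match."""
    return "^" + re.escape(ip) + "$"


def decide(remote_addr, path, make_pattern):
    """Mimic the two rules: 200 if the request is passed on, 403 if denied."""
    if not re.match(r"^/search.*", path):
        return 200  # neither RewriteRule pattern matches this URL
    # The RewriteCond lines are joined with [OR]: one match is enough
    # for the first rule ([PT,L]) to fire.
    if any(re.search(make_pattern(ip), remote_addr) for ip in ALLOWED):
        return 200
    return 403      # second rule: "-" with the [F] flag


def over_admitted(addresses, path="/search"):
    """Addresses the bare pattern lets in but the anchored pattern denies."""
    return [a for a in addresses
            if decide(a, path, unanchored) == 200
            and decide(a, path, anchored) == 403]


if __name__ == "__main__":
    for addr in SAMPLES:
        print(addr,
              "bare:", decide(addr, "/search", unanchored),
              "anchored:", decide(addr, "/search", anchored))
    print("admitted only by the bare pattern:", over_admitted(SAMPLES))
```

With the bare pattern, 192.0.2.15 is admitted because 192.0.2.1 is a prefix of it, and 192.0.211.7 is admitted because the unescaped dot matches the digit 1.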





