One of our customer applications has been plagued by massive numbers of requests from external IP addresses that really shouldn't be using the URLs at all. The connections caused the connection pool in the Tomcat instance behind Apache to deplete, and hence no connections were available to legitimate users. Since the URL cannot be password protected, we needed another way to restrict access.
The solution is quite simple and only involves a couple of lines in the VirtualHost section of httpd.conf. The RewriteRules below restrict access to the /search URL to the XX.YYY.ZZ.WW1, XX.YYY.ZZ.WW2 and XX.YYY.ZZ.WW3 addresses; all other URLs remain available as normal. A request for the URL from any other IP address gets a 403 Forbidden response straight from Apache and is never proxied on to Tomcat, so it no longer consumes a Tomcat connection.
RewriteEngine on
# mod_rewrite logging (Apache 2.2 directives; level 0 disables logging).
# Apache 2.4 replaces these with "LogLevel rewrite:trace3".
RewriteLog /usr/local/apache2/logs/rewrite.log
RewriteLogLevel 0
# Allow access to /search only from the listed addresses.
# RewriteCond patterns are regular expressions, so anchor them and escape the
# dots: an unanchored "XX.YYY.ZZ.WW1" would also match any address that merely
# contains those digits (e.g. a longer address starting with the same octets).
RewriteCond %{REMOTE_ADDR} ^XX\.YYY\.ZZ\.WW1$ [OR]
RewriteCond %{REMOTE_ADDR} ^XX\.YYY\.ZZ\.WW2$ [OR]
RewriteCond %{REMOTE_ADDR} ^XX\.YYY\.ZZ\.WW3$
# Matched: pass the request through unchanged and stop rewriting.
RewriteRule ^(/search.*) $1 [PT,L]
# Everyone else: answer 403 Forbidden for anything under /search.
RewriteRule ^/search.* - [F]
The really beautiful thing is that Tomcat is totally oblivious to the change and not a single line of application code needed to change, hence no software tests were required. Two caveats apply. First, RewriteCond patterns are regular expressions, not literal addresses, so anchor them (^...$) and escape the dots, or an address that merely contains a listed one will slip through. Second, %{REMOTE_ADDR} is the address of the TCP peer: if a load balancer, CDN or other reverse proxy sits in front of Apache, every request will carry the proxy's address, and the client address in X-Forwarded-For is client-supplied and must not be trusted without further configuration.
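To make the anchoring point concrete, here is an added example (not code from the original post or from Apache) that models how mod_rewrite evaluates the RewriteCond/RewriteRule pair above and probes it with a few addresses. The addresses are constructed placeholders from the RFC 5737 documentation ranges standing in for the post's XX.YYY.ZZ.WW1..3, and the helper names are my own.

```python
import re

# Added example, not from the original post: a small model of how mod_rewrite
# evaluates the RewriteCond/RewriteRule pair above. Every address below is a
# constructed placeholder (RFC 5737 documentation ranges) standing in for the
# post's XX.YYY.ZZ.WW1..3.
ALLOWED_ADDRS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]


def unanchored_patterns(addrs):
    """Patterns as the post writes them: the bare address used as a regex."""
    return [re.compile(a) for a in addrs]


def anchored_patterns(addrs):
    """Hardened patterns: dots escaped and the match pinned to the whole value."""
    return [re.compile("^" + re.escape(a) + "$") for a in addrs]


def decide(remote_addr, request_uri, patterns):
    """Return the status code the two rules would produce for one request.

    Mirrors mod_rewrite semantics: RewriteRule is matched against the URL path
    (query string stripped), RewriteCond does an unanchored regex search on
    %{REMOTE_ADDR}, and [OR]-chained conditions pass if any one of them matches.
    """
    path = request_uri.split("?", 1)[0]
    if not re.match(r"^/search.*", path):
        return 200          # neither rule applies to other URLs
    if any(p.search(remote_addr) for p in patterns):
        return 200          # rule 1: [PT,L] passes the request through to Tomcat
    return 403              # rule 2: [F] answers 403 inside Apache


def probe(patterns, addrs, request_uri="/search?q=test"):
    """Map each probe address to the status the rules would return for it."""
    return {a: decide(a, request_uri, patterns) for a in addrs}


# Constructed probe set: one listed address, one unlisted address that merely
# starts with a listed one, and one unrelated address.
PROBE_ADDRS = ["203.0.113.10", "203.0.113.100", "198.51.100.7"]

if __name__ == "__main__":
    for name, pats in (("unanchored", unanchored_patterns(ALLOWED_ADDRS)),
                       ("anchored", anchored_patterns(ALLOWED_ADDRS))):
        print(name, probe(pats, PROBE_ADDRS))
```

With the unanchored patterns the unlisted 203.0.113.100 is let through to /search because the regex 203.0.113.10 finds itself as a prefix; with the anchored patterns only the three listed addresses get 200 and everything else gets 403, while URLs outside /search are untouched either way. On Apache 2.4 the same restriction can also be expressed without mod_rewrite, using Require ip inside a Location block for /search, which compares addresses and CIDR ranges rather than regular expressions.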
“no connections were available to legitimate users”
Are you identifying legitimate users solely based on the IP address, and is there no authentication at any point in the whole system? Just curious: if there are authentication mechanisms, wouldn't it be easier to use the security-constraint in the DD to restrict access to the resources based on roles?
Well, the mod_rewrite solution is more a way to restrict access than to protect content. Furthermore, adding a login wasn't an option due to integration requirements.
I installed Tomcat on a server and a confidential application is running on it.
I have a login page, but I want only 2 IP addresses to be able to connect to it when they access the URL. The remaining ones should not even get the login page.
Well, that should be easily achievable with the mod_rewrite approach I demonstrated in the post.