Bug 1188603

Summary: [RFE] Tomcat configuration of Red Hat Satellite 6 is bound to all interfaces and should only be bound to localhost
Product: Red Hat Satellite
Reporter: Rich Jerrido <rjerrido>
Component: Installation
Assignee: Chris Roberts <chrobert>
Status: CLOSED DUPLICATE
QA Contact: Katello QA List <katello-qa-list>
Severity: medium
Priority: unspecified
Version: 6.0.7
CC: bbuckingham, bkearney, chrobert, stbenjam
Target Milestone: Unspecified
Keywords: FutureFeature
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2017-11-09 20:16:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Rich Jerrido 2015-02-03 11:07:23 UTC
Description of problem:
On a working Satellite 6 instance, the configuration of Tomcat is bound to 0.0.0.0 (all interfaces). It is my understanding that the only web application running in Tomcat is Candlepin, which isn't meant to be directly accessible by end users. 

It is requested to update the configuration of tomcat to only bind itself to localhost (127.0.0.1). This would increase the security profile of the Satellite. Additionally, it would make it less likely for an end-user to directly interact with Candlepin, which is an unsupported use-case. 

Version-Release number of selected component (if applicable):
candlepin-tomcat6-0.9.23.1-1.el6.noarch
tomcat6-6.0.24-80.el6.x86_64


How reproducible:
100%

Steps to Reproduce:
1. Install Satellite 6
2. run lsof to see the open ports


Actual results:

[root@satellite ~]# lsof -P -i TCP:8080 -i TCP:8443 -i TCP:8009
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    4840 tomcat   37u  IPv4  31798      0t0  TCP *:8080 (LISTEN)
java    4840 tomcat   43u  IPv4  31801      0t0  TCP *:8443 (LISTEN)
java    4840 tomcat   49u  IPv4  31817      0t0  TCP *:8009 (LISTEN)


Expected results:

Tomcat should be bound only on localhost

Additional info:

Updating each connector in /etc/tomcat6/server.xml with the 'address="127.0.0.1"' parameter binds tomcat to localhost. See below:

    <Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->

    <Connector port="8443" address="127.0.0.1" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="want" SSLProtocol="TLS"
               keystoreFile="conf/keystore"
               truststoreFile="conf/keystore"
               keystorePass="<REDACTED>"
               keystoreType="PKCS12"
               ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
               truststorePass="<REDACTED>" />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" redirectPort="8443" />
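
The check and the fix described in this report, as an added example (not code from the report, Satellite, Candlepin or Tomcat): one function parses lsof output like the "Actual results" above and reports connectors on 8080/8443/8009 that are bound to a wildcard address, and another adds address="127.0.0.1" to every <Connector> in a server.xml that has no explicit address. The lsof listings and the trimmed server.xml below are constructed for the example; the function names are mine.

```python
#!/usr/bin/env python3
"""Audit Tomcat listener bindings and pin every Connector to loopback.

Added example (not Satellite, Candlepin or Tomcat project code). It assumes
lsof output in the format shown in the report and a server.xml that uses
Tomcat's standard <Connector> elements; the sample inputs are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Ports of the three Candlepin connectors from the report: HTTP, HTTPS, AJP.
CANDLEPIN_PORTS = frozenset({8080, 8443, 8009})
LOOPBACK_NAMES = ("127.0.0.1", "localhost", "[::1]")

# Constructed sample: `lsof -P -i TCP:8080 -i TCP:8443 -i TCP:8009` before
# the change ('*' = bound to all interfaces) and after it.
LSOF_BEFORE = """\
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    4840 tomcat   37u  IPv4  31798      0t0  TCP *:8080 (LISTEN)
java    4840 tomcat   43u  IPv4  31801      0t0  TCP *:8443 (LISTEN)
java    4840 tomcat   49u  IPv4  31817      0t0  TCP *:8009 (LISTEN)
"""
LSOF_AFTER = """\
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    4840 tomcat   37u  IPv4  31798      0t0  TCP localhost:8080 (LISTEN)
java    4840 tomcat   43u  IPv4  31801      0t0  TCP localhost:8443 (LISTEN)
java    4840 tomcat   49u  IPv4  31817      0t0  TCP localhost:8009 (LISTEN)
"""

# Constructed, trimmed server.xml: the three connectors plus the usual
# commented-out alternative, which must survive a rewrite untouched.
SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--
    <Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" />
    -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="want" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# NAME column of a listening socket: "<addr>:<port> (LISTEN)".
_LISTEN_RE = re.compile(r"\s(\S+):(\d+)\s+\(LISTEN\)")


def wildcard_listeners(lsof_output, ports=CANDLEPIN_PORTS):
    """Return {port: bind_address} for LISTEN sockets on `ports` not on loopback.

    "*:8080" (or "0.0.0.0:8080" / "[::]:8080" when lsof runs with -n) means
    the socket accepts connections on every interface.
    """
    offenders = {}
    for line in lsof_output.splitlines():
        m = _LISTEN_RE.search(line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if port in ports and addr not in LOOPBACK_NAMES:
            offenders[port] = addr
    return offenders


def bind_to_loopback(server_xml, address="127.0.0.1"):
    """Add address="127.0.0.1" to every <Connector> that has no address.

    Returns (new_xml, number_of_connectors_changed). Comments are kept
    (insert_comments=True, Python 3.8+) so the stock commented-out
    connectors are not silently dropped; connectors that already carry an
    address are left alone, so a second run changes nothing.
    """
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(server_xml, parser=parser)
    changed = 0
    for connector in root.iter("Connector"):
        if connector.get("address") is None:
            connector.set("address", address)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def unbound_connectors(server_xml):
    """Ports of <Connector> elements with no explicit address (wildcard bind)."""
    root = ET.fromstring(server_xml)
    return sorted(int(c.get("port")) for c in root.iter("Connector")
                  if c.get("address") is None)


if __name__ == "__main__":
    print("wildcard listeners before:", wildcard_listeners(LSOF_BEFORE))
    fixed, n = bind_to_loopback(SERVER_XML)
    print(f"pinned {n} connector(s); still unbound: {unbound_connectors(fixed)}")
    print("wildcard listeners after:", wildcard_listeners(LSOF_AFTER))
```

bind_to_loopback re-serializes the document through ElementTree, so whitespace and any XML declaration are normalized; diff its output against the original before installing it, and re-run the lsof command from the report (or ss -ltnp) after restarting Tomcat to confirm that 8080, 8443 and 8009 now show a loopback address rather than "*".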

Comment 1 RHEL Program Management 2015-02-03 11:23:30 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 3 Stephen Benjamin 2016-07-29 14:19:34 UTC
Created redmine issue http://projects.theforeman.org/issues/15896 from this bug

Comment 4 Bryan Kearney 2017-09-14 17:52:09 UTC
This is more of an RFE. Reclassifying.

Comment 5 Chris Roberts 2017-11-09 20:16:51 UTC

*** This bug has been marked as a duplicate of bug 1501499 ***