Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1188603 - [RFE] Tomcat configuration of Red Hat Satellite 6 is bound to all interfaces and should only be bound to localhost
Summary: [RFE] Tomcat configuration of Red Hat Satellite 6 is bound to all interfaces ...
Keywords:
Status: CLOSED DUPLICATE of bug 1501499
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.0.7
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Unspecified
Assignee: Chris Roberts
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-02-03 11:07 UTC by Rich Jerrido
Modified: 2020-02-14 17:28 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-09 20:16:51 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 15896 0 Normal New Tomcat configuration should only be bound to localhost 2020-09-29 12:13:29 UTC
Red Hat Bugzilla 1188300 0 unspecified CLOSED Section 1.5 - Prerequisites - Instructions are given to open port 8080, although it is not needed externally to the Sate... 2021-02-22 00:41:40 UTC

Internal Links: 1188300

Description Rich Jerrido 2015-02-03 11:07:23 UTC 
Description of problem:
On a working Satellite 6 instance, the configuration of Tomcat is bound to 0.0.0.0 (all interfaces). It is my understanding that the only web application running in Tomcat is Candlepin, which isn't meant to be directly accessible by end users. 

It is requested to update the configuration of tomcat to only bind itself to localhost (127.0.0.1). This would increase the security profile of the Satellite. Additionally, it would make it less likely for an end-user to directly interact with Candlepin, which is an unsupported use-case. 

Version-Release number of selected component (if applicable):
candlepin-tomcat6-0.9.23.1-1.el6.noarch
tomcat6-6.0.24-80.el6.x86_64


How reproducible:
100%

Steps to Reproduce:
1. Install Satellite 6
2. run lsof to see the open ports


Actual results:

[root@satellite ~]# lsof -P -i TCP:8080 -i TCP:8443 -i TCP:8009
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    4840 tomcat   37u  IPv4  31798      0t0  TCP *:8080 (LISTEN)
java    4840 tomcat   43u  IPv4  31801      0t0  TCP *:8443 (LISTEN)
java    4840 tomcat   49u  IPv4  31817      0t0  TCP *:8009 (LISTEN)

3.

Expected results:

Tomcat should be bound only on localhost

Additional info:

Updating each connector in /etc/tomcat6/server.xml with the 'address="127.0.0.1' parameter binds tomcat to localhost. See below:

<Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->

    <Connector port="8443" address="127.0.0.1" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="want" SSLProtocol="TLS"
               keystoreFile="conf/keystore"
               truststoreFile="conf/keystore"
               keystorePass="<REDACTED>"
               keystoreType="PKCS12"
               ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
               truststorePass="<REDACTED>" />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" redirectPort="8443" />
Comment 1 RHEL Program Management 2015-02-03 11:23:30 UTC 
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
Comment 3 Stephen Benjamin 2016-07-29 14:19:34 UTC 
Created redmine issue http://projects.theforeman.org/issues/15896 from this bug
Comment 4 Bryan Kearney 2017-09-14 17:52:09 UTC 
This is more of an RFE. Relcassifying.
Comment 5 Chris Roberts 2017-11-09 20:16:51 UTC 

*** This bug has been marked as a duplicate of bug 1501499 ***
Note You need to log in before you can comment on or make changes to this bug.