Idea Details

RFE - Restricting access to the SPS ProxyUI Admin Console

Last activity 12-17-2016 09:36 AM
pkitson2's profile image
12-17-2014 03:42 AM

Out of the box, access to the SPS ProxyUI Admin Console is via a Tomcat application instance on port 8080, which is a non-secure service. In the SPS server.conf file, there is mention of an option to enable SSL on port 8543, but this is in addition to the non-secure service port.

We don't want users to be able to connect directly to this ProxyUI service, let alone send their credentials over a non-secure connection, so rather we
use a separate Apache reverse proxy instance (port 443) to manage connections to the ProxyUI via the loopback interface, i.e. 127.0.0.1:8080. This works
well.

However, unlike a generic Tomcat, where we have a server.xml file, there doesn't appear to be an option in the server.conf file to restrict the interface for this port 8080 service connection, which is evidently listening on all interfaces.

$ netstat -an | grep LISTEN | grep 8080
tcp        0      0 :::8080                     :::*
LISTEN

We've tried changing the local.host entry in the server.conf file as follows, but this has no effect.

local.host="127.0.0.1"

On Linux platforms, we could consider configuring iptables to restrict this connection, but on Solaris we don't have this option.

So for future releases, could we please have an option added to the SPS server.conf file, to restrict the Tomcat listener to named interfaces, including the loopback, rather and all interfaces.