Configuring jetty: restricting service from certain IP addresses

Thread view:

Mika - 26 Sep 2007 19:44 GMT

How can I restrict access to Jetty from certain IP addresses (or allow
only from specific subnet)?

Anoter issue I have is how to enable Jetty to work as http server?

Thanks,
Mika

Reply to this Message

Steve Sobol - 26 Sep 2007 19:34 GMT

> How can I restrict access to Jetty from certain IP addresses (or allow
> only from specific subnet)?

I haven't done this. You may want to ask on the Jetty-support mailing list
as I'm not sure exactly how to do it

> Anoter issue I have is how to enable Jetty to work as http server?

http://docs.codehaus.org/display/JETTY/Newbie+Guide+to+Jetty

The jetty XML config files are pretty cool. Each chunk of XML represents a
call to a Jetty API function. They way they set it up is quite slick. :)

Subscribe to the mailing list, it's a good resource. I'd offer more help
but I'm at work right now and don't have a ton of time... if I can, I'll post
more on the subject later.

Signature

Steve Sobol, Victorville, California PGP:0xE3AE35ED
"Drench yourself in words unspoken / Live your life with arms wide open
Today is where your book begins / The rest is still unwritten"
- Natasha Beddingfield

Reply to this Message

nebulous99@gmail.com - 28 Sep 2007 04:02 GMT

> How can I restrict access to Jetty from certain IP addresses (or allow
> only from specific subnet)?
>
> Anoter issue I have is how to enable Jetty to work as http server?

First, ask yourself why you want to selectively refuse service to
people. If it's spambots posting linkspam to dynamic pages, consider a
captcha rather than anything more drastic such as IP-level blackholing
of people; spambots are usually running on zombie PCs with a
legitimate user and on a dynamic IP shared with a whole ISP full of
other legitimate users.

If you decide to go ahead with it, the firewall is probably the best
place to do this rather than at the protocol layer.

Reply to this Message

Mika - 28 Sep 2007 07:15 GMT

I think the reason is obvious. My server (running Jetty) is offering
different services for different groups of people. Some services need
to be restricted to, say institutional subnets or similar. And for
this, the firewall is definetely not a good solution.

-Mika

> > How can I restrict access to Jetty from certain IP addresses (or allow
> > only from specific subnet)?
[quoted text clipped - 10 lines]
> If you decide to go ahead with it, the firewall is probably the best
> place to do this rather than at the protocol layer.

Reply to this Message

Lew - 28 Sep 2007 07:31 GMT

(Top-posting corrected. You're welcome.)

>>> How can I restrict access to Jetty from certain IP addresses (or allow
>>> only from specific subnet)?
>>> Anoter issue I have is how to enable Jetty to work as http server?

...

>> ... My server (running Jetty) is offering
>> different services for different groups of people. Some services need
>> to be restricted to, say institutional subnets or similar. And for
>> this, the firewall is definetely not a good solution.

Does Jetty let you use, say, Apache HTTP Server in front of it, as Tomcat does
(typically via the AJP connector)?

Apache HTTP Server has directives for that sort of thing.
<http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow>
<http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny>

Signature

Lew

Reply to this Message

Steve Sobol - 28 Sep 2007 07:46 GMT

> Does Jetty let you use, say, Apache HTTP Server in front of it, as Tomcat does

Yes, it does.

Signature

Reply to this Message

nebulous99@gmail.com - 28 Sep 2007 08:20 GMT

> > Does Jetty let you use, say, Apache HTTP Server in front of it, as Tomcat does
>
> Yes, it does.

In that case, .htaccess (GIYF) can do the IP-based blocking you
originally requested. Still, consider the possible costs versus
benefits of either a) loosened or no restrictions (within your
corporate LAN or whatever other private network) and/or b) access
control by username/password accounts, i.e. by person rather than by
chunk of hardware.

Reply to this Message

nebulous99@gmail.com - 28 Sep 2007 08:17 GMT

> I think the reason is obvious. My server (running Jetty) is offering
> different services for different groups of people. Some services need
> to be restricted to, say institutional subnets or similar. And for
> this, the firewall is definetely not a good solution.

For this, a suitable user login and authentication mechanism is a good
solution. I assume this is for your LAN or a VPN-tunnel-based WAN, in
which case, stick it behind the corporate firewall and use password-
based authentication. What if an authorized person wants to access
this service from other than his usual location for whatever reason --
or an unauthorized person gets physical access to one of the machines
you'd be whitelisting?

Also ask what the purpose of the access restrictions is. If it's for
crass commercial reasons then I won't be very sympathetic, although if
it's to keep confidential information confidential, like patient
records or financial data or credit-card numbers or what-have-you,
then it's another story. It may be the case that the restrictions are
gratuitous or unnecessary to carrying out your primary purpose and
will just inconvenience or cost people needlessly (e.g. if it costs
very little in resources per access and organization-wide access would
do no harm and might benefit some people, but it's going to be
restricted to a subset of the organization, or people will have to pay
for access). If the restrictions are absolutely necessary,
particularly for security of confidential data or trade secrets or
something, though, figure out who needs access and set up a system
with user or group accounts and passwords.

Reply to this Message

Joshua Cranmer - 28 Sep 2007 22:07 GMT

> If it's spambots posting linkspam to dynamic pages, consider a
> captcha rather than anything more drastic [ ... ]

Perhaps you missed the W3C note on CAPTCHAs:
http://www.w3.org/TR/turingtest/ ?

Or maybe the fact that the only CAPTCHAs really capable of preventing
spambots have < 70% success rates on humans?

Signature

Beware of bugs in the above code; I have only proved it correct, not
tried it. -- Donald E. Knuth

Reply to this Message

nebulous99@gmail.com - 29 Sep 2007 21:12 GMT

> nebulou...@gmail.com wrote:
> > If it's spambots posting linkspam to dynamic pages, consider a
> > captcha rather than anything more drastic [ ... ]
>
> Perhaps you missed the W3C note...[snip remainder of gratuitously-snarky response]

My, my, with this newsgroup's regulars the fun and sarcasm never
stops!

I never said anything about using bitmapped image based captchas.
There are other kinds, such as verbal math problem captchas, that
avoid the accessibility problems. Also there's the target-audience
factor. If the page is meant to be used by, say, a bunch of US Marines
sharpshooters, or fighter pilots, I doubt they'll have problems with
bitmap captchas. :)

Reply to this Message

Configuring jetty: restricting service from certain IP addresses

Free Magazines