https://bz.apache.org/bugzilla/show_bug.cgi?id=66429
Bug ID: 66429
Summary: Limit access to Examples and Documentation by localhost only
Product: Tomcat 11
Version: unspecified
Hardware: PC
Status: NEW
Severity: enhancement
Priority: P2
Component: Examples
Assignee: dev@tomcat.apache.org
Reporter: knst.koli...@gmail.com
Target Milestone: -------

I propose to limit access to the Examples and Documentation that are bundled with Tomcat, so that they are accessible only from the loopback IP address. I mean, to configure a RemoteAddrValve, in the same way as has already been done for the Manager and Host-Manager web applications.

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

Justification:

1. According to the Apache Tomcat security considerations [1], it is recommended to remove these web applications, so that they are not exposed to the public.

2. Duplicate copies of the documentation are indexed by search engines. Alternatively, this could be fought either with "<link rel="canonical">" [2], or by blocking indexing either with a robots.txt file (but ROOT is a separate web application, which makes such a solution fragile), or with "<meta name="robots" content="noindex, nofollow">" (but the same HTML pages are published to tomcat.apache.org).

[1] https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Default_web_applications
[2] https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel#attr-canonical
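An added check, not part of the bug report and not Tomcat code: the allow pattern quoted above, applied the way an allow-only RemoteAddrValve would apply it. The model assumes the valve's decision order as documented for Tomcat 7 and later (a deny match rejects, an allow match accepts, a deny-only configuration accepts anything unmatched, everything else is rejected with the default deny status 403) and that the whole remote address must match the pattern, which Python's re.fullmatch mirrors; re.ASCII keeps \d on ASCII digits as java.util.regex does. The sample addresses are constructed.

```python
import re

# The allow= value proposed in the bug report, copied verbatim.
ALLOW_LOCALHOST = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"


def is_allowed(remote_addr: str, allow: str = ALLOW_LOCALHOST, deny: str = "") -> bool:
    """Model (assumed, see lead-in) of RemoteAddrValve's allow=/deny= decision.

    - a deny= match rejects the request
    - otherwise an allow= match accepts it
    - with only deny= configured, anything unmatched is accepted
    - otherwise the request is rejected (HTTP 403 by default)
    The address must match the ENTIRE pattern, not a substring.
    """
    deny_re = re.compile(deny, re.ASCII) if deny else None
    allow_re = re.compile(allow, re.ASCII) if allow else None
    if deny_re is not None and deny_re.fullmatch(remote_addr):
        return False
    if allow_re is not None and allow_re.fullmatch(remote_addr):
        return True
    if deny_re is not None and allow_re is None:
        return True
    return False


# Constructed remote addresses a connector might report for a request.
SAMPLE_ADDRS = [
    "127.0.0.1",          # IPv4 loopback
    "127.42.0.9",         # any 127/8 address is loopback, and the pattern accepts it
    "::1",                # IPv6 loopback, compressed form
    "0:0:0:0:0:0:0:1",    # IPv6 loopback, uncompressed form
    "::ffff:127.0.0.1",   # IPv4-mapped IPv6 loopback: not covered by the pattern
    "10.0.0.5",           # LAN client
    "203.0.113.7",        # public client (RFC 5737 documentation range)
    "0127.0.0.1",         # leading-zero variant: the anchored pattern rejects it
]


def classify(addrs=SAMPLE_ADDRS, allow: str = ALLOW_LOCALHOST, deny: str = "") -> dict:
    """Return {address: allowed?} for each sample address under the given valve config."""
    return {a: is_allowed(a, allow, deny) for a in addrs}


if __name__ == "__main__":
    for addr, ok in classify().items():
        print(f"{addr:20} {'allowed' if ok else 'denied (403)'}")
```

Two caveats the check makes visible: the IPv4-mapped form ::ffff:127.0.0.1 is not matched, so a connector that reports loopback that way would be locked out rather than let in; and behind a reverse proxy the valve sees the proxy's address, not the browser's, unless RemoteIpValve (or RemoteIpFilter) is configured to trust that proxy, in which case the allow list must be written for the addresses the valve actually compares.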