Restrict access to Tomcat manager by IP

Question

I'm trying to restrict all the requests to my Tomcat manager which don't come from my IP.

So far, I found that adding a Valve to the server.xml like this:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="IP"/>

will block all requests except the ones coming from "IP" to the whole Tomcat (including the webapps). Does anyone know how to do the same but applying only to the Tomcat manager?

By the way, I'm using Tomcat7.

Answer 1

In [tomcat]/conf/Catalina/[hostname] create a file manager.xml.

So if your hostname is www.yourdomainname.com and tomcat is in opt/tomcat7/ that would be:

/opt/tomcat7/conf/Catalina/www.yourdomainname.com/manager.xml

In this newly created manager.xml you put the RemoteAddrValve in the Context:

<Context antiResourceLocking="false" privileged="true" docBase="${catalina.home}/webapps/manager">

   <Valve className="org.apache.catalina.valves.RemoteAddrValve" 
    allow="127\.0\.0\.1|11\.22\.33\.44" denyStatus="404" />

</Context>  

Separate multiple ip adresses by a pipe character.

I choose denyStatus=404 so possible trespassers wont have a clue there even exists a manager.

Restart Tomcat.

---

UPDATE 3/2020

If Tomcat sits behind a proxy server, requests will all be coming from that proxy server, so you need to tell the proxy server to forward remote addresses to Tomcat (in Nginx you would include a line proxy_set_header x-forwarded-for $remote_addr;).

In addition you need to tell Tomcat to watch for that forwarded header by including a RemoteIpValve in either an Engine or a Host block:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
        remoteIpHeader="X-Forwarded-For" 
        requestAttributesEnabled="true" />

Answer 2

In Tomcat8 I found the RemoteAddrValve already in C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager\META-INF\context.xml, and I just needed to uncomment it...

<Context antiResourceLocking="false" privileged="true" >
  <!--
    Remove the comment markers from around the Valve below to limit access to
    the manager application to clients connecting from localhost
  -->

  <!--<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->

</Context>

I added @acdhirr's suggestion to the valve to deny the status denyStatus="404", and that worked also.