How to Restrict Access to Jira with Tomcat
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Atlassian provides limited support with Tomcat configurations. You'll want to ensure to test any suggestions before implementing into a production environment.
Increased security, ensuring that Tomcat/Jira can only be reached by the appropriate addresses
Environment
Jira Data Center
Solution
Tomcat provides multiple methods to allow control access, here are two of the possible options:
Restricting which IP addresses that a defined connector port will listen on. http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Standard_Implementation
Example: only allowing the host's loopback address (127.0.0.1) to connect to port 8080:
Modify the
Connectorwithinserver.xml:1 2 3 4 5<Connector port="8080" protocol="HTTP/1.1" ... /> to <Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1" ... />Restart Tomcat
Setting remote IP filters for addresses that will be allowed or denied: http://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Remote_Address_Valve
Example: only allowing requests from the local address and from address with IP 192.168.1.1:
Modify
server.xmland add:1 2 3 4 5 6<Engine name="Catalina" defaultHost="localhost"> ... <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1|192\.168\.1\.1"/> ... </Engine>Restart Tomcat
Was this helpful?