How do I configure a Jetty server to disallow connections from outside the web application development server?
I'm developing a Java web application using Jetty as the application server on a Windows 7 machine and running it on localhost:8080.
For security purposes - to make sure my app is not visible to others - I want to be sure that it is binding to localhost:8080 (i.e., 127.0.0.1), not all interfaces (which I'm told is probably the default).
I've read that if you only bind to 127.0.0.1, the port will not be open for people scanning your external IP address and so the app will essentially be invisible except to me while I'm developing (while working on a laptop in a coffee shop, for example).
What I don't know is how to do this in Jetty.
I've heard that server programs usually have an option to say which IP addresses to bind.
So I tried adding the following jetty-web.xml to my web app's WEB-INF directory but I can't tell if it had an effect or not. Both before and after adding this, netstat -an says that it is LISTENING on 8080:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
<Configure class="org.mortbay.jetty.servlet.WebApplicationContext">
  <!-- Uncomment to restrict context by real host -->
  <Set name="Hosts">
    <Array type="java.lang.String">
      <Item>127.0.0.1</Item>
    </Array>
  </Set>
  <!-- uncomment to map context by virtual host.
  <Set name="virtualHosts">
    <Array type="java.lang.String">
      <Item></Item>
      <Item>127.0.0.1</Item>
      <Item>localhost</Item>
      <Item>www.acme.com</Item>
    </Array>
  </Set>
  -->
</Configure>
Comments (1)
A better way to address this is with a firewall in your OS. If you don't want people connecting from externally to port 8080, then block it in the firewall. If you are running services on your laptop and using it in an untrusted network anyway, I hope you would be using a firewall to prevent access you don't intend. This way you can block access in one place rather than in the configuration for each and every application that listens on a port.
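The question observes that netstat -an reports LISTENING on 8080 both before and after the change; what separates a loopback-only bind from an all-interfaces bind is the Local Address column (127.0.0.1:8080 versus 0.0.0.0:8080). The following is an added example, not part of the original question or answer: Python that parses Windows-style netstat -an output and classifies each listener on a port. The sample output and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not from the original post).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
  TCP    192.168.1.23:52311     203.0.113.10:443       ESTABLISHED
  TCP    [::]:8080              [::]:0                 LISTENING
  TCP    [::1]:9090             [::]:0                 LISTENING
"""

def split_endpoint(endpoint):
    """Split '127.0.0.1:8080' or '[::1]:8080' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    return ipaddress.ip_address(host), int(port)

def classify(addr):
    """Describe how widely a listening socket's bind address is reachable."""
    if addr.is_unspecified:   # 0.0.0.0 or :: means every interface
        return "all-interfaces"
    if addr.is_loopback:      # 127.0.0.0/8 or ::1 means this machine only
        return "loopback-only"
    return "single-interface"

def listeners(netstat_text, port):
    """Return [(local_address, exposure)] for TCP sockets LISTENING on port."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue  # header, UDP, or a non-listening connection
        addr, local_port = split_endpoint(fields[1])
        if local_port == port:
            found.append((fields[1], classify(addr)))
    return found

def reachable_from_network(netstat_text, port):
    """True if any listener on port is bound to something other than loopback."""
    return any(kind != "loopback-only" for _, kind in listeners(netstat_text, port))

if __name__ == "__main__":
    for local, kind in listeners(SAMPLE_NETSTAT, 8080):
        print(f"{local:<22} {kind}")
```

To check a live machine, pass the text captured from netstat -an in place of SAMPLE_NETSTAT.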