DigitalOcean

Report this

What is the reason for this report?
Question

How to access Tomcat 8 admin gui from different host?

Posted on August 15, 2016
Ubuntu 16.04
Apache
Applications
adminbbd0b80780

By adminbbd0b80780

I followed this excellent article about putting Apache in front of Tomcat, acting as a reverse proxy:

https://www.digitalocean.com/community/tutorials/how-to-encrypt-tomcat-8-connections-with-apache-or-nginx-on-ubuntu-16-04

How can you access the admin gui from a remote machine, though? Since we closed port 8080 as part of the setup, I can’t get to tomcat anymore. For example, going to:

/manager/html

gives me a 403 page:

“By default the Host Manager is only accessible from a browser running on the same machine as Tomcat. If you wish to modify this restriction, you’ll need to edit the Host Manager’s context.xml file.”

I do have a user set up in there as directed (from the setting up tomcat 8 tutorial), but this doesn’t change anything. Restarted tomcat, still nothing.

How do you access the gui? Or is there a different way to deploy my web app war files?

Thanks



This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
0
Andrew SB
Andrew SBDigitalOcean Employee badge
December 12, 2016

As covered in How To Install Apache Tomcat 8 on Ubuntu 16.04

By default, newer versions of Tomcat restrict access to the Manager and Host Manager apps to connections coming from the server itself. Since we are installing on a remote machine, you will probably want to remove or alter this restriction. To change the IP address restrictions on these, open the appropriate context.xml files.

If you followed that installation tutorial, those file can be found at:

  • /opt/tomcat/webapps/manager/META-INF/context.xml

  • sudo nano /opt/tomcat/webapps/host-manager/META-INF/context.xml

To allow remote access, edit the files and comment out the part of the configuration file specifying the IP address restriction or replace them with a list of IP addresses that you would like to whitelist.

context.xml files for Tomcat webapps
<Context antiResourceLocking="false" privileged="true" >
  <!--<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->
</Context>

Restart Tomcat for the changes to take effect:

sudo systemctl restart tomcat

Remember, since Apache mod_jk makes a local connection to Tomcat on port 8080 and proxies it to port 443 over HTTPS (or port 80 if you are not setting up SSL), you will access it at https://your_ip_address/manager/html

0
KFSys
KFSys
September 27, 2023

Heya,

When you’re securing your Tomcat deployment with Apache or Nginx as a reverse proxy, you typically also want to secure access to the management GUIs provided by Tomcat, such as the Manager App and the Host Manager App.

1. Update Tomcat’s context.xml

Tomcat’s Manager and Host Manager apps are by default configured to be accessible only from the localhost. To allow access from remote machines, you have to modify the context.xml files for these apps. Here’s how to do it:

Open the Manager App’s context.xml

sudo nano /var/lib/tomcat8/webapps/manager/META-INF/context.xml

Comment out or Remove the IP Restriction

You’ll find a line similar to the following:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

Comment out this line by wrapping it in tags, like so:

<!--
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->

Repeat for the Host Manager’s context.xml

sudo nano /var/lib/tomcat8/webapps/host-manager/META-INF/context.xml

Then restart Tomcat

sudo systemctl restart tomcat8

2. Configure Apache to Proxy Requests to Tomcat Manager

Even after updating context.xml, you still can’t access the Tomcat Manager App if port 8080 is closed and only Apache is serving requests. You will need to create a reverse proxy rule for Apache to forward requests to the Manager App.

  1. Edit Apache Configuration
sudo nano /etc/apache2/sites-available/your-tomcat-site.conf
  1. Add ProxyPass Directives

For the Manager App, add something like this:

<Location /manager>
    ProxyPass ajp://localhost:8009/manager
    ProxyPassReverse ajp://localhost:8009/manager
</Location>
  1. Restart Apache
sudo systemctl restart apache2

Now, try accessing the Tomcat Manager by going to:

http://your-domain-or-ip/manager

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Sign Up

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.

© 2025 DigitalOcean, LLC.Sitemap.