How to Restrict Access to Jira with Tomcat
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Atlassian provides limited support for Tomcat configurations. Test any suggestions before implementing them in a production environment.
Purpose
Increase security by ensuring that Tomcat/Jira can only be reached from the appropriate addresses.
Environment
Jira Data Center
Solution
Tomcat provides multiple methods to control access. Here are two of the possible options:
- Restricting which IP addresses a defined connector port will listen on: http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Standard_Implementation
  - Example: only allowing the host's loopback address (127.0.0.1) to connect to port 8080:
    Modify the Connector within server.xml from:
      <Connector port="8080" protocol="HTTP/1.1" ... />
    to:
      <Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1" ... />
  - Restart Tomcat
- Setting remote IP filters for addresses that will be allowed or denied: http://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Remote_Address_Valve
  - Example: only allowing requests from the local address and from the address 192.168.1.1:
    Modify server.xml and add the Valve inside the Engine element:
      <Engine name="Catalina" defaultHost="localhost">
        ...
        <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1|192\.168\.1\.1"/>
        ...
      </Engine>
  - Restart Tomcat
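
To check an edited server.xml before restarting, the following added example (not Atlassian's or Tomcat's code) reads the Connector bind addresses and the RemoteAddrValve pattern and evaluates sample client addresses against it. It assumes Python's re.fullmatch behaves like Tomcat's Java regular-expression match for simple patterns such as the one above; the XML fragment, the second Connector and the client addresses are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment combining both settings from this article.
# The second Connector (port 8443, no address attribute) is a made-up
# contrast case, not something the article configures.
SERVER_XML = r"""
<Server>
  <Service name="Catalina">
    <Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="127\.0\.0\.1|192\.168\.1\.1"/>
    </Engine>
  </Service>
</Server>
"""

def connector_binds(xml_text):
    """Map each Connector port to its bind address (None = all local addresses)."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): c.get("address") for c in root.iter("Connector")}

def valve_rules(xml_text):
    """Return (allow, deny) from the first RemoteAddrValve, or (None, None)."""
    for v in ET.fromstring(xml_text).iter("Valve"):
        if v.get("className", "").endswith(".RemoteAddrValve"):
            return v.get("allow"), v.get("deny")
    return None, None

def is_allowed(addr, allow, deny):
    """deny is checked first, then allow; a pattern must match the whole address."""
    if deny and re.fullmatch(deny, addr):
        return False
    if allow:
        return re.fullmatch(allow, addr) is not None
    return deny is not None  # deny-only valve: anything not denied passes

if __name__ == "__main__":
    for port, addr in connector_binds(SERVER_XML).items():
        print(f"port {port}: listens on {addr or 'ALL local addresses'}")
    allow, deny = valve_rules(SERVER_XML)
    # Constructed client addresses; the last is the IPv6 loopback as Java prints it.
    for client in ("127.0.0.1", "192.168.1.1", "192.168.1.10", "0:0:0:0:0:0:0:1"):
        print(f"{client:>16}: {'allow' if is_allowed(client, allow, deny) else 'deny'}")
```

Because the pattern must match the entire address, 192.168.1.10 is rejected even though it begins with an allowed address. A client on the Jira host that reaches Tomcat over the IPv6 loopback may also be rejected by the pattern as written.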