How to secure Jetty to only allow access from loopback(localhost)
I found the answer to my question myself after a little bit more googling.
The answer is (Tested on jetty-distribution-7.0.1.v20091125):
- Locate jetty.xml (etc/jetty.xml)
- Search for
<Call name="addConnector"> - Set
<Set name="Host"><SystemProperty name="jetty.host" default="127.0.0.1"/></Set>before line<Set name="port"><SystemProperty name="jetty.port"/></Set> - That's it. Restart jetty server (
java -jar start.jar). The server should output something like:
2009-12-23 23:02:09.291:INFO::Started [email protected]:8080
The import thing is that it should say 127.0.0.1 instead of 0.0.0.0, 0.0.0.0 means listen on all ips on the machine.
P.S: I wanted to secure apache solr (which is using jetty) which can be achieved in the same way.
You can also bind to localhost programmatically(embed jetty) by:
Server server = new Server();
Connector connector = new SelectChannelConnector();
connector.setHost("localhost");
connector.setPort(80);
server.addConnector(connector);
For Jetty 9 embedded, this code works.
Server server = new Server();
ServerConnector connector=new ServerConnector(server);
connector.setPort(80);
connector.setHost("localhost");
server.setConnectors(new Connector[]{connector});
I have not tried this but the usual method is to bind server to localhost (i.e. to IP 127.0.0.1). That means that Jetty server will listen to only connections that have localhost as their destination address.
A quick googling revealed this http://old.nabble.com/How-to-make-Jetty-bind-to-specific-IP-address---to11667378.html#a11669524 :
add this entry to SelectChannelConnector for example:
<Set name="Host">127.0.0.1</Set>