Symptom
After updating Tomcat 8.5.27, Tomcat mamager, host-manager app cannot be accessed except localhost, 127.0.0.1
How to fix
comment out org.apache.catalina.valves.RemoteAddValve
- before
${catalina.base}/conf/Catalina/localhost/manager.xml
<Context antiResourceLocking="false" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
${catalina.base}/conf/Catalina/localhost/host-manager.xml
<Context antiResourceLocking="false" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
- after
${catalina.base}/conf/Catalina/localhost/manager.xml
<Context antiResourceLocking="false" privileged="true" >
<!--
Remove the comment markers from around the Valve below to limit access to
the manager application to clients connecting from localhost
-->
<!--
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
${catalina.base}/conf/Catalina/localhost/host-manager.xml
<Context antiResourceLocking="false" privileged="true" >
<!--
Remove the comment markers from around the Valve below to limit access to
the host-manager application to clients connecting from localhost
-->
<!--
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
References
59672: Update the security considerations page of the documentation web application to take account of the fact that the Manager and HostManager applications now have a RemoteAddrValve configured by default.
cf. https://stackoverflow.com/questions/36703856/access-tomcat-manager-app-from-different-host