Docs: Restrict Payara HTTP listener to localhost for security #11743

Closed
ofahimIQSS wants to merge 7 commits into develop from DocsPayara

@ofahimIQSS (Contributor) commented Aug 13, 2025

Description:
This PR improves the “Securing Your Installation” section by adding explicit instructions for binding Payara’s HTTP listener (http-listener-1, port 8080 by default) to 127.0.0.1 when Apache or Nginx is running on the same host.
This ensures port 8080 is only accessible locally and not exposed to the public internet.

Changes include:

  1. Added new subsection “Restricting Payara’s HTTP Listener to Localhost” under Additional Recommendations in Securing Your Installation.
  2. Corrected outdated reference to “AJP listener” in the Network Ports section to “HTTP listener” and updated the command to the correct modern form:

     ```
     asadmin set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-1.address=127.0.0.1
     asadmin restart-domain
     ```

Added note about optionally removing port 8080 from firewall or cloud security group rules for extra protection.

Why:
8080 was recently found to be exposed on a production server. Binding it to localhost prevents unintended public access while still allowing Apache/Nginx to proxy to Payara internally.

Testing:
Verified commands work on Payara 6.x.
Confirmed ss -lntp output changes from *:8080 to 127.0.0.1:8080.
Confirmed public access to 8080 is refused while local access works.

https://dataverse-guide--11743.org.readthedocs.build/en/11743/installation/config.html#restricting-payara-s-http-listener-to-localhost
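
Added example, not part of the PR or the Dataverse guides: a shell check for the verification step described in the comment above, reading `ss -Hlnt`-style output on stdin and reporting whether a port is bound only to loopback. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify how a TCP port is bound, from `ss -Hlnt` (or -Hlntp) output on stdin.
# Exit status: 0 = loopback only, 1 = reachable on a non-loopback address,
#              2 = nothing listening on that port.
check_listener() {
    port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            local_addr = $4                  # e.g. 127.0.0.1:8080, *:8080, [::1]:8080
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next       # port is the text after the last colon
            addr = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)            # drop an interface scope such as %lo
            gsub(/^\[|\]$/, "", addr)        # strip IPv6 brackets
            found = 1
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            exposed = 1
            print "exposed: " local_addr
        }
        END {
            if (!found) exit 2
            if (exposed) exit 1
            exit 0
        }
    '
}

# Constructed sample lines in `ss -Hlntp` format, before and after the change.
sample_before() {
    printf '%s\n' \
        'LISTEN 0 4096 *:8080 *:* users:(("java",pid=4242,fd=412))' \
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))'
}
sample_after() {
    printf '%s\n' \
        'LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:* users:(("java",pid=4242,fd=412))' \
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))'
}

# On a live host: ss -Hlnt | check_listener 8080
```

A status of 2 is worth treating as a failure in monitoring too, since it means Payara is not listening on the expected port at all.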

pdurbin and others added 6 commits July 18, 2025 10:56
removed numbers for bullets
Added new subsection “Restricting Payara’s HTTP Listener to Localhost” under Additional Recommendations in Securing Your Installation.

Corrected outdated reference to “AJP listener” in the Network Ports section to “HTTP listener” and updated the command to the correct modern form:
@pdurbin self-assigned this Aug 13, 2025
@pdurbin moved this to In Review 🔎 in IQSS Dataverse Project Aug 13, 2025
@cmbz added the FY26 Sprint 4 (2025-08-13 - 2025-08-27) label Aug 16, 2025
@pdurbin changed the base branch from 11652-quickstart-publish to develop August 18, 2025 20:31

@pdurbin (Member) left a comment

@ofahimIQSS this PR has the quickstart guide in it. It might be easiest for you to make a fresh PR off develop.

@pdurbin moved this from In Review 🔎 to In Progress 💻 in IQSS Dataverse Project Aug 18, 2025
@pdurbin removed their assignment Aug 18, 2025

@ofahimIQSS (Contributor, Author) commented

Closing - will open new PR
