Docs: Restrict Payara HTTP listener to localhost for security #11743
Closed
ofahimIQSS wants to merge 7 commits into develop from
removed numbers for bullets
Added new subsection “Restricting Payara’s HTTP Listener to Localhost” under Additional Recommendations in Securing Your Installation. Corrected outdated reference to “AJP listener” in the Network Ports section to “HTTP listener” and updated the command to the correct modern form:
ofahimIQSS
commented
Aug 13, 2025
extend underline
pdurbin
reviewed
Aug 18, 2025
Member
pdurbin
left a comment
@ofahimIQSS this PR has the quickstart guide in it. It might be easiest for you to make a fresh PR off develop.
Contributor
Author
Closing - will open new PR
This was referenced Aug 20, 2025
Description:
This PR improves the “Securing Your Installation” section by adding explicit instructions for binding Payara’s HTTP listener (http-listener-1, port 8080 by default) to 127.0.0.1 when Apache or Nginx is running on the same host.
This ensures port 8080 is only accessible locally and not exposed to the public internet.
Changes include:
Added note about optionally removing port 8080 from firewall or cloud security group rules for extra protection.
Why:
8080 was recently found to be exposed on a production server. Binding it to localhost prevents unintended public access while still allowing Apache/Nginx to proxy to Payara internally.
Testing:
Verified commands work on Payara 6.x.
Confirmed ss -lntp output changes from *:8080 to 127.0.0.1:8080.
Confirmed public access to 8080 is refused while local access works.
https://dataverse-guide--11743.org.readthedocs.build/en/11743/installation/config.html#restricting-payara-s-http-listener-to-localhost
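
The `ss -lntp` check from the Testing notes above, written as a repeatable script. This is an added example, not part of the PR or the Dataverse guides; the function names and the sample `ss` output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report listeners on a port that are not bound to loopback.

# exposed_listeners PORT
# Reads `ss -lnt` / `ss -lntp` style text on stdin and prints every local
# address listening on PORT that is not a loopback address.
exposed_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      la = $4                          # "Local Address:Port" column
      n = match(la, /:[0-9]+$/)        # the port follows the last colon
      if (n == 0) next
      addr = substr(la, 1, n - 1)
      p = substr(la, n + 1)
      if (p != port) next
      # 127.0.0.0/8, ::1 and IPv4-mapped loopback are local-only binds
      if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
      print addr
    }'
}

# check_port PORT
# Returns 0 when PORT is loopback-only (or not listening), 1 otherwise.
check_port() {
  exposed=$(exposed_listeners "$1")
  if [ -n "$exposed" ]; then
    echo "port $1 is reachable on: $(echo "$exposed" | tr '\n' ' ')"
    return 1
  fi
  echo "port $1 is loopback-only or not listening"
}

# Constructed sample output (not captured from a real host): the state
# before the change, with the listener on the wildcard address ...
SS_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096               *:8080            *:*     users:(("java",pid=4242,fd=310))
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=900,fd=3))'

# ... and after binding the listener to 127.0.0.1.
SS_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096       127.0.0.1:8080      0.0.0.0:*     users:(("java",pid=4242,fd=310))
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=900,fd=3))'

# On a live host:  ss -lnt | check_port 8080
```

The check only covers the bind address on the host itself; firewall and cloud security group rules still have to be reviewed separately.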