Limit management port to local only

Habeeb Balfagi

unread,

Apr 10, 2025, 2:51:16 AMApr 10

to WildFly

Hi,

Novice here. How do I stop console access from other machines and explicitly limit access from the host machine? My Wildfly's management is accessible from machines on the same subnet.

I think the following is where this is controlled.

<management-interfaces>
            <http-interface http-authentication-factory="management-http-authentication">
                <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>

<interfaces>
        <interface name="management">
            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
        </interface>
        <interface name="public">
            <inet-address value="0.0.0.0"/>
        </interface>
    </interfaces>

However, I can access console from machines on the same subnet. Also, I have the below entries

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
        <socket-binding name="http" port="${jboss.http.port:8080}"/>
        <socket-binding name="https" port="${jboss.https.port:8443}"/>
        <socket-binding name="management-http" port="${jboss.management.http.port:9990}"/>
        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
        <socket-binding name="txn-recovery-environment" port="4712"/>
        <socket-binding name="txn-status-manager" port="4713"/>
        <outbound-socket-binding name="mail-smtp">
            <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
        </outbound-socket-binding>

</socket-binding-group>

Thanks,

Habeeb

Darran Lofthouse

unread,

Apr 10, 2025, 5:06:53 AMApr 10

to WildFly

Can you clarify what you mean by:

"My Wildfly's management is accessible from machines on the same subnet."

Have you been able to load the management console and configure the server or something else?

Your configuration looks as though it should only be listening on the loopback address only - but do you have anything else being passed in when starting the server that may be setting the "jboss.bind.address.management" system property?

Joerg Baesner

unread,

Apr 10, 2025, 5:56:22 AMApr 10

to WildFly

The socket-binding for the 'management-http' port is using the 'default-interface' which is 'public' and defined to use '0.0.0.0'. As the management-interface is using this socket-binding (and not 'managment-https' which is using the dedicated 'management' interface), it is expected that the management console is accessible from other machines...

Habeeb Balfagi

unread,

Apr 11, 2025, 9:38:26 PMApr 11

to WildFly

Thanks Joerg,

That was it! I was missing interface="management' in my statement.

Thank you appreciate your help!

Also, apologies if you received more than one response, I am not familiar with google groups.