We already edit /etc/tomcat7/server.xml after installing the tomcat7 Debian package, to get it to talk AJP instead of HTTP (so we can use libapache2-mod-jk to put it behind an Apache 2 httpd, which also terminates SSL):
We already comment out the block…
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" redirectPort="8443" />
… and remove the comment chars around the line…
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
… so all we need to do is edit that line to make it look like…
<Connector address="127.0.0.1" port="8009" protocol="AJP/1.3" redirectPort="8443" />
… and we’re all set.
(Your apache2 vhost needs a line
JkMount /?* ajp13_worker
and everything Just Works™ with the default configuration.)
Now, tomcat7 is only accessible from localhost (Legacy IP), and we don’t need to firewall the AJP (or HTTP/8080) port. Do make sure your Apache 2 access configuration works, though ☺