Restrict access to Tomcat manager by IP

In [tomcat]/conf/Catalina/[hostname] create a file manager.xml.

So if your hostname is www.yourdomainname.com and Tomcat is in /opt/tomcat7/ that would be:

/opt/tomcat7/conf/Catalina/www.yourdomainname.com/manager.xml

In this newly created manager.xml you put the RemoteAddrValve in the Context:

<Context antiResourceLocking="false" privileged="true" docBase="${catalina.home}/webapps/manager">

   <Valve className="org.apache.catalina.valves.RemoteAddrValve" 
    allow="127\.0\.0\.1|11\.22\.33\.44" denyStatus="404" />

</Context>  

Separate multiple IP addresses by a pipe character.

I choose denyStatus=404 so possible trespassers won't have a clue there even exists a manager.

Restart Tomcat.


UPDATE 3/2020

If Tomcat sits behind a proxy server, requests will all be coming from that proxy server, so you need to tell the proxy server to forward remote addresses to Tomcat (in Nginx you would include a line proxy_set_header x-forwarded-for $remote_addr;).

In addition you need to tell Tomcat to watch for that forwarded header by including a RemoteIpValve in either an Engine or a Host block:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
        remoteIpHeader="X-Forwarded-For" 
        requestAttributesEnabled="true" />

In Tomcat8 I found the RemoteAddrValve already in C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager\META-INF\context.xml, and I just needed to uncomment it...

<Context antiResourceLocking="false" privileged="true" >
  <!--
    Remove the comment markers from around the Valve below to limit access to
    the manager application to clients connecting from localhost
  -->

  <!--<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->

</Context>

I added @acdhirr's suggestion to the valve to deny the status denyStatus="404", and that worked also.
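How the two valves interact, as an added example that is not part of either answer above: a simplified Python model of which address the RemoteAddrValve ends up matching, with and without the RemoteIpValve in front of it. The proxy address (127.0.0.1, same host as Tomcat), the client address 203.0.113.7 and all function names are assumptions, and the model handles only the single-value X-Forwarded-For header that the Nginx line above produces.

```python
import re

# Allow patterns copied from the two Context snippets on this page.
ALLOW_ANSWER = r"127\.0\.0\.1|11\.22\.33\.44"
ALLOW_TOMCAT8 = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
# Assumption: the reverse proxy runs on the Tomcat host itself. This stands in
# for the proxies the RemoteIpValve accepts the header from (internalProxies).
PROXY = r"127\.0\.0\.1"


def addr_allowed(allow, addr):
    """RemoteAddrValve decision: the whole address string must match the regex."""
    return re.fullmatch(allow, addr) is not None


def effective_addr(peer, xff, remote_ip_valve, internal_proxies=PROXY):
    """Address the RemoteAddrValve sees (simplified, single-value header)."""
    # The header is only used when the valve is present and the TCP peer is a
    # known proxy; otherwise the peer address itself is what gets matched.
    if remote_ip_valve and xff and re.fullmatch(internal_proxies, peer):
        return xff.strip()
    return peer


def decide(allow, peer, xff=None, remote_ip_valve=False):
    """Return (address matched, allowed?) for one request."""
    addr = effective_addr(peer, xff, remote_ip_valve)
    return addr, addr_allowed(allow, addr)


if __name__ == "__main__":
    # Constructed requests: (description, peer, X-Forwarded-For, RemoteIpValve on?)
    cases = [
        ("direct, listed address", "11.22.33.44", None, False),
        ("direct, near-miss address", "111.22.33.44", None, False),
        ("via proxy, no RemoteIpValve", "127.0.0.1", "203.0.113.7", False),
        ("via proxy, with RemoteIpValve", "127.0.0.1", "203.0.113.7", True),
        ("via proxy, listed client", "127.0.0.1", "11.22.33.44", True),
    ]
    for label, peer, xff, valve in cases:
        addr, ok = decide(ALLOW_ANSWER, peer, xff, valve)
        print(f"{label:32} matched={addr:14} {'pass' if ok else 'denyStatus'}")
```

The third case is the one to check on a real host: with 127.0.0.1 in the allow list and a proxy on the same machine, every proxied request matches until the RemoteIpValve is in place.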