Posted to users@tomcat.apache.org by "Martin B. Smith" <sm...@ufl.edu> on 2009/12/16 21:37:50 UTC
Using RemoteAddressValve with an Apache mod_proxy_balancer
Howdy!
I'm trying to ensure that only specific instances of Apache are allowed
to proxy requests into my Tomcat 5.5.28 instances. Unfortunately, it
looks like Tomcat is seeing the actual client IP making the original
request to Apache. Does anyone have a configuration that only allows
specific Apache (mod_)proxies to be serviced by Tomcat?
I will be using other ways to protect Tomcat, but I'd like something
inside Tomcat filtering these AJP requests too, and RemoteAddressValve
sounds like it should work :)
Here's what I'm using now --
Apache:
ProxyPass / balancer://foo/ stickysession=JSESSIONID nofailover=On
<Proxy balancer://foo>
BalancerMember ajp://host1:1234 route=foo
BalancerMember ajp://host2:1235 route=foo
</Proxy>
Tomcat:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127.0.0.1,apache-front-end-ip"/>
Additionally, I'm noticing 403s returned from Tomcat via AJP are showing
up as empty pages in Apache, instead of showing a default 403 page like
Apache usually does.
Thanks for any insight!
--
Martin B. Smith
smithmb@ufl.edu - (352) 273-1374
CNS/Open Systems Group
University of Florida
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,
On 12/19/2009 4:22 PM, Mark Thomas wrote:
> On 19/12/2009 10:45, André Warnier wrote:
>> If this is too vast as a question, just let me know and point me where
>> to get started maybe ?
>
> Not at all, although this is heading off topic. I'd start another thread
> if you have trouble with the build process.
...at which point, you'll get a bunch of smart-asses asking you why you
want to compile your own Tomcat from source :p
-chris
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by Rainer Jung <ra...@kippdata.de>.
On 20.12.2009 21:00, André Warnier wrote:
> Mark Thomas wrote:
> ...
>>
>> This is one of those times where the solution will depend on the
>> protocol you are using.
>>
>> The AJP connectors will report the client's IP address so you need an
>> alternative solution. Using the "request.secret" attribute is probably
>> the simplest fix although keep in mind that AJP is clear text so the
>> secret might not be that secret.
>>
> The problem being that Apache's mod_proxy_ajp does not seem to allow
> setting the secret.
> http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass
>
> (mod_jk does)
Use a custom http header?
Regards,
Rainer
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by André Warnier <aw...@ice-sa.com>.
Mark Thomas wrote:
...
>
> This is one of those times where the solution will depend on the
> protocol you are using.
>
> The AJP connectors will report the client's IP address so you need an
> alternative solution. Using the "request.secret" attribute is probably
> the simplest fix although keep in mind that AJP is clear text so the
> secret might not be that secret.
>
The problem being that Apache's mod_proxy_ajp does not seem to allow
setting the secret.
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass
(mod_jk does)
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by André Warnier <aw...@ice-sa.com>.
Bill Barker wrote:
...
>
> Which gives a third option to the OP, which is to use the useIPVHosts="true"
> option on the <Connector ... />, and only configure <Host .../>s for the
> ones that he wants to allow to connect (and the default Host just returns
> 404 to every request).
Yes, that possibility was kind of nagging at me since the beginning.
This would also be valid for all protocols and all Connectors, wouldn't it ?
<Host name="defaultHost" ........>
    ... always returns 404
</Host>
<Host name="allowedHosts" ....>
    <Alias>name-of-allowed-proxy-1</Alias>
    <Alias>name-of-allowed-proxy-2</Alias>
    <Alias>name-of-allowed-proxy-3</Alias>
    ...
</Host>
It is not really secure yet, but incrementally harder to fake than a
secret or a header. And it does not require any change of configuration
at the proxy server level.
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by Bill Barker <bi...@verizon.net>.
"Mark Thomas" <ma...@apache.org> wrote in message
news:4B2E4E77.3000100@apache.org...
> On 20/12/2009 16:04, André Warnier wrote:
>> In other words : it seems that quite early in the request process, a
>> decision is taken to *replace* the remote IP address as obtained from
>> the socket, by the ultimate IP of the client for which this proxy
>> request is being processed. This casts a doubt on the ability of even a
>> servlet filter to obtain the IP address of the proxy server which has
>> the real connection with Tomcat.
>>
>>
>> All a bit beyond my dabbling capabilities, I'm afraid.
>
> This is one of those times where the solution will depend on the
> protocol you are using.
>
Exactly. The AJP/1.3 protocol doesn't consider itself to be a proxy (and
anyone old enough to remember its predecessor mod_jserv will see why), but
rather an integration of Tomcat with the native server (more like
mod_fcgid). This means that last hop is considered to be the native
server. The protocol itself is even transport agnostic, and in the past it
has been possible to run Tomcat inside of IIS/Apache or even to use Unix
Sockets.
> The AJP connectors will report the client's IP address so you need an
> alternative solution. Using the "request.secret" attribute is probably
> the simplest fix although keep in mind that AJP is clear text so the
> secret might not be that secret.
>
Yes, AJP/1.3 assumes that the connection between the native server and the
Tomcat server is secured, so that if someone can sniff AJP/1.3 packets it
means that the system is already badly compromised.
If using mod_jk, then yes, the 'secret' is the simplest way to go. If using
mod_proxy_ajp, then you need to head on over to submit a patch for httpd to
add this configuration option (most of the active developers of
mod_proxy_ajp lurk on this list if you need help, but dev@httpd.a.o is the
official list for this).
The table of 'names' for the two supported protocols is:
Name         HTTP/1.1                                      AJP/1.3
serverName   Host header                                   Host header
remoteName   last proxy server (or client if no proxies)   last proxy server before native server (or client)
localName    the name the connector is bound to            name of native server (i.e. the ServerName)
Which gives a third option to the OP, which is to use the useIPVHosts="true"
option on the <Connector ... />, and only configure <Host .../>s for the
ones that he wants to allow to connect (and the default Host just returns
404 to every request).
> The HTTP connectors will report the proxy's IP address so the
> RemoteAddressValve can be used.
> Note in Tomcat 7:
> - where the RemoteIpValve is available you would need to make sure that
> the RemoteAddressValve was earlier in the pipeline than the RemoteIpValve
> - you have the option of using Valves or Filters for this functionality
>
> HTH,
>
> Mark
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by Mark Thomas <ma...@apache.org>.
On 20/12/2009 16:04, André Warnier wrote:
> In other words : it seems that quite early in the request process, a
> decision is taken to *replace* the remote IP address as obtained from
> the socket, by the ultimate IP of the client for which this proxy
> request is being processed. This casts a doubt on the ability of even a
> servlet filter to obtain the IP address of the proxy server which has
> the real connection with Tomcat.
>
>
> All a bit beyond my dabbling capabilities, I'm afraid.
This is one of those times where the solution will depend on the
protocol you are using.
The AJP connectors will report the client's IP address so you need an
alternative solution. Using the "request.secret" attribute is probably
the simplest fix although keep in mind that AJP is clear text so the
secret might not be that secret.
The HTTP connectors will report the proxy's IP address so the
RemoteAddressValve can be used.
Note in Tomcat 7:
- where the RemoteIpValve is available you would need to make sure that
the RemoteAddressValve was earlier in the pipeline than the RemoteIpValve
- you have the option of using Valves or Filters for this functionality
HTH,
Mark
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by André Warnier <aw...@ice-sa.com>.
Mark Thomas wrote:
> On 19/12/2009 10:45, André Warnier wrote:
...
>>
>> To get back to the main issue, as long as I anyway get the hang of this
>> stuff, and have checked out the SVN of Tomcat anyway,
>> where in the /valves stuff do I find where it actually checks the
>> "remote IP" against which RemoteAddressValve operates ?
>
> public void invoke(Request request, Response response)
>         throws IOException, ServletException {
>     process(request.getRequest().getRemoteAddr(), request, response);
> }
>
> It is the request.getRequest().getRemoteAddr() call.
>
Right.
So, to summarise the original concern :
The point was to see if it was possible to "upgrade" the
RemoteAddressValve so that it would offer a choice, when filtering the
"remote" IP address (for a request which came in through a proxy),
between the original client's address, and the IP address of the proxy
itself (the one connected directly to the Tomcat Connector socket).
The idea being, to stop some unwanted proxy server to use our services
if we don't want to, independently of the real proxy-ed remote client.
It would seem that currently in such a case, the RemoteAddressValve
always considers the original client's address.
The above getRemoteAddr() call refers to "request", which seems to be a
Request as defined in connector/Request.java :
/**
 * Return the remote IP address making this Request.
 */
public String getRemoteAddr() {
    if (remoteAddr == null) {
        coyoteRequest.action
            (ActionCode.ACTION_REQ_HOST_ADDR_ATTRIBUTE, coyoteRequest);
        remoteAddr = coyoteRequest.remoteAddr().toString();
    }
    return remoteAddr;
}
This seems to check if Request.remoteAddr has already been set, if not
to call something to set it, and then return the address as a string.
This looks rather bad, because wherever that action above is carried
out, it seems that it must have its own logic for determining the remote
address. Somewhere along the line, considering that this is a proxied
call, it must decide to pick up the remote address from a
"X-forwarded-for" HTTP header instead of the real IP address of the
proxy itself.
So changing something there would probably mean quite a few cascading
changes in multiple areas, to avoid unwanted side-effects.
One would probably have to add at least some new fields in the
coyoteRequest, like
/**
* Remote address of the closest proxy.
*/
protected String proxyRemoteAddr = null;
/**
* Remote host of the closest proxy.
*/
protected String proxyRemoteHost = null;
/**
* Remote port of the closest proxy
*/
protected int proxyRemotePort = -1;
then the "action codes" to fill these, and so on.
I see some very suspicious comment for instance in
coyote/ajp/AjpAprProcessor.java :
/*
 * AJP13 misses to forward the remotePort.
 * Allow the AJP connector to add this info via
 * a private request attribute.
 * We will accept the forwarded data as the remote port,
 * and remove it from the public list of request attributes.
 */
which does not sound very auspicious.
In other words : it seems that quite early in the request process, a
decision is taken to *replace* the remote IP address as obtained from
the socket, by the ultimate IP of the client for which this proxy
request is being processed. This casts a doubt on the ability of even a
servlet filter to obtain the IP address of the proxy server which has
the real connection with Tomcat.
All a bit beyond my dabbling capabilities, I'm afraid.
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by Mark Thomas <ma...@apache.org>.
On 19/12/2009 10:45, André Warnier wrote:
> Bill Barker wrote:
> ...
>> If you have a svn checkout, then the command:
>> svn diff LocalStrings_fr.properties > LocalStrings_fr.properties.patch
>> will do it. Alternatively, Cygwin has a Unix/Linux like diff utility.
>>
>> Also, for a translation, it's probably not too bad if you just attach
>> the fixed file. The developer who grabs this can then run the "svn
>> diff" command to review it. But if it is either Mark or myself, then
>> we probably won't really be questioning the translation ;).
> I tried to submit a patch file.
> I actually have an SVN client on my pc and it has a "generate patch"
> option. Neat.
Patch format looks good. No idea about the French though ;)
> Bugzilla : Bug 48413 has been added to the database
>
>
> To get back to the main issue, as long as I anyway get the hang of this
> stuff, and have checked out the SVN of Tomcat anyway,
> where in the /valves stuff do I find where it actually checks the
> "remote IP" against which RemoteAddressValve operates ?
public void invoke(Request request, Response response)
        throws IOException, ServletException {
    process(request.getRequest().getRemoteAddr(), request, response);
}
It is the request.getRequest().getRemoteAddr() call.
> And, supposing I were to tweak one or the other module, how do I create
> a local version of Tomcat to test my changes on ?
> This is exciting stuff... ;-)
http://tomcat.apache.org/tomcat-6.0-doc/building.html should get you
started. Ask if you get stuck.
> If this is too vast as a question, just let me know and point me where
> to get started maybe ?
Not at all, although this is heading off topic. I'd start another thread
if you have trouble with the build process.
Mark
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by Bill Barker <bi...@verizon.net>.
"André Warnier" <aw...@ice-sa.com> wrote in message
news:4B2CAEDE.6070709@ice-sa.com...
> Bill Barker wrote:
> ...
>> If you have a svn checkout, then the command:
>> svn diff LocalStrings_fr.properties > LocalStrings_fr.properties.patch
>> will do it. Alternatively, Cygwin has a Unix/Linux like diff utility.
>>
>> Also, for a translation, it's probably not too bad if you just attach the
>> fixed file. The developer who grabs this can then run the "svn diff"
>> command to review it. But if it is either Mark or myself, then we
>> probably won't really be questioning the translation ;).
> I tried to submit a patch file.
> I actually have an SVN client on my pc and it has a "generate patch"
> option. Neat.
>
> Bugzilla : Bug 48413 has been added to the database
>
>
> To get back to the main issue, as long as I anyway get the hang of this
> stuff, and have checked out the SVN of Tomcat anyway,
> where in the /valves stuff do I find where it actually checks the "remote
> IP" against which RemoteAddressValve operates ?
>
> And, supposing I were to tweak one or the other module, how do I create a
> local version of Tomcat to test my changes on ?
> This is exciting stuff... ;-)
>
Look at the BUILDING.txt file in the top level Tomcat directory. The only
thing that it omits seems to be that the local Tomcat will be in the
${tomcat.source}/output/build directory.
> If this is too vast as a question, just let me know and point me where to
> get started maybe ?
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by André Warnier <aw...@ice-sa.com>.
Bill Barker wrote:
...
> If you have a svn checkout, then the command:
> svn diff LocalStrings_fr.properties > LocalStrings_fr.properties.patch
> will do it. Alternatively, Cygwin has a Unix/Linux like diff utility.
>
> Also, for a translation, it's probably not too bad if you just attach the
> fixed file. The developer who grabs this can then run the "svn diff"
> command to review it. But if it is either Mark or myself, then we probably
> won't really be questioning the translation ;).
>
I tried to submit a patch file.
I actually have an SVN client on my pc and it has a "generate patch"
option. Neat.
Bugzilla : Bug 48413 has been added to the database
To get back to the main issue, as long as I anyway get the hang of this
stuff, and have checked out the SVN of Tomcat anyway,
where in the /valves stuff do I find where it actually checks the
"remote IP" against which RemoteAddressValve operates ?
And, supposing I were to tweak one or the other module, how do I create
a local version of Tomcat to test my changes on ?
This is exciting stuff... ;-)
If this is too vast as a question, just let me know and point me where
to get started maybe ?
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by Bill Barker <bi...@verizon.net>.
"André Warnier" <aw...@ice-sa.com> wrote in message
news:4B2BDC92.9050303@ice-sa.com...
> Christopher Schultz wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Mark,
>>
>> On 12/18/2009 11:42 AM, Mark Thomas wrote:
>>> On 18/12/2009 16:21, André Warnier wrote:
>>>> or do I need some
>>>> special editor or setting, or do I just convert these codes to their
>>>> UTF-8 equivalents and submit it as such ?
>>> You can use:
>>> http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/native2ascii.html
>>> to convert the file. You can then edit it and then convert it back
>>> before submission.
>>
>> We use "Attesoro" for our projects:
>> http://attesoro.org/
>>
>> You'll need both the LocalStrings_fr.properties and
>> LocalStrings.properties files in order to use it effectively.
>>
> I got it converted fine to something usable with the native2ascii.exe
> utility, part of the Sun JDK 1.6 on my pc.
> I have the fixed version.
> Now I just need to figure out how to create the diff that Mark wants.
> I know under Unix/Linux it's easy. On my WinXP workstation it requires a
> bit more research..
If you have a svn checkout, then the command:
svn diff LocalStrings_fr.properties > LocalStrings_fr.properties.patch
will do it. Alternatively, Cygwin has a Unix/Linux like diff utility.
Also, for a translation, it's probably not too bad if you just attach the
fixed file. The developer who grabs this can then run the "svn diff"
command to review it. But if it is either Mark or myself, then we probably
won't really be questioning the translation ;).
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mark,
>
> On 12/18/2009 11:42 AM, Mark Thomas wrote:
>> On 18/12/2009 16:21, André Warnier wrote:
>>> or do I need some
>>> special editor or setting, or do I just convert these codes to their
>>> UTF-8 equivalents and submit it as such ?
>> You can use:
>> http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/native2ascii.html
>> to convert the file. You can then edit it and then convert it back
>> before submission.
>
> We use "Attesoro" for our projects:
> http://attesoro.org/
>
> You'll need both the LocalStrings_fr.properties and
> LocalStrings.properties files in order to use it effectively.
>
I got it converted fine to something usable with the native2ascii.exe
utility, part of the Sun JDK 1.6 on my pc.
I have the fixed version.
Now I just need to figure out how to create the diff that Mark wants.
I know under Unix/Linux it's easy. On my WinXP workstation it requires
a bit more research..
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,
On 12/18/2009 11:42 AM, Mark Thomas wrote:
> On 18/12/2009 16:21, André Warnier wrote:
>> or do I need some
>> special editor or setting, or do I just convert these codes to their
>> UTF-8 equivalents and submit it as such ?
>
> You can use:
> http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/native2ascii.html
> to convert the file. You can then edit it and then convert it back
> before submission.
We use "Attesoro" for our projects:
http://attesoro.org/
You'll need both the LocalStrings_fr.properties and
LocalStrings.properties files in order to use it effectively.
-chris
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by Mark Thomas <ma...@apache.org>.
On 18/12/2009 16:21, André Warnier wrote:
> Mark Thomas wrote:
>> On 18/12/2009 15:20, André Warnier wrote:
>>> By the way, in the file LocalStrings_fr.properties that is in that same
>>> directory, there are quite a few typos. That's more my level, me being
>>> a native French speaker and all.
>>> How do I submit a corrected version, with a minimum of fuss ?
>>
>> Get the latest version from here:
>> http://svn.apache.org/repos/asf/tomcat/trunk/java/org/apache/catalina/valves/LocalStrings_fr.properties
>>
>>
>> Fix it, create a bugzilla issue and attach the changes (ideally in diff
>> -u format) to the bugzilla issue.
>>
> Ok, I got the file above.
> But, it seems that the "accented" characters are in some kind of
> Unicode-encoding scheme which looks like :
>
> accessLogValve.alreadyStarted=Le traceur d''acc\u00e8s a d\u00e9j\u00e0
> \u00e9t\u00e9 d\u00e9marr\u00e9
>
> I understand well that these codes represent the corresponding Unicode
> codepoint, but I don't seem to have at the moment a text editor which
> can show this in a very usable way (although I have quite a few here).
> Is this format an artefact of how I downloaded it,
It isn't. It is an intentional implementation choice to ensure the files
don't get mangled during the build process.
> or do I need some
> special editor or setting, or do I just convert these codes to their
> UTF-8 equivalents and submit it as such ?
You can use:
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/native2ascii.html
to convert the file. You can then edit it and then convert it back
before submission.
Mark
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by André Warnier <aw...@ice-sa.com>.
Mark Thomas wrote:
> On 18/12/2009 15:20, André Warnier wrote:
>> By the way, in the file LocalStrings_fr.properties that is in that same
>> directory, there are quite a few typos. That's more my level, me being
>> a native French speaker and all.
>> How do I submit a corrected version, with a minimum of fuss ?
>
> Get the latest version from here:
> http://svn.apache.org/repos/asf/tomcat/trunk/java/org/apache/catalina/valves/LocalStrings_fr.properties
>
> Fix it, create a bugzilla issue and attach the changes (ideally in diff
> -u format) to the bugzilla issue.
>
Ok, I got the file above.
But, it seems that the "accented" characters are in some kind of
Unicode-encoding scheme which looks like :
accessLogValve.alreadyStarted=Le traceur d''acc\u00e8s a d\u00e9j\u00e0
\u00e9t\u00e9 d\u00e9marr\u00e9
I understand well that these codes represent the corresponding Unicode
codepoint, but I don't seem to have at the moment a text editor which
can show this in a very usable way (although I have quite a few here).
Is this format an artefact of how I downloaded it, or do I need some
special editor or setting, or do I just convert these codes to their
UTF-8 equivalents and submit it as such ?
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by Mark Thomas <ma...@apache.org>.
On 18/12/2009 15:20, André Warnier wrote:
> By the way, in the file LocalStrings_fr.properties that is in that same
> directory, there are quite a few typos. That's more my level, me being
> a native French speaker and all.
> How do I submit a corrected version, with a minimum of fuss ?
Get the latest version from here:
http://svn.apache.org/repos/asf/tomcat/trunk/java/org/apache/catalina/valves/LocalStrings_fr.properties
Fix it, create a bugzilla issue and attach the changes (ideally in diff
-u format) to the bugzilla issue.
Mark
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by André Warnier <aw...@ice-sa.com>.
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Subject: Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
>>
>> If anyone points me to where the code of the RemoteAddrValve can be
>> found, I'd like to have a look.
>
> Download the source package, and look in:
>
> apache-tomcat-6.0.20-src/java/org/apache/catalina/valves
>
Done that, been there.
Looked at ValveBase.java, RequestFilterValve.java and RemoteAddrValve.java.
It seems that java is not my thing after all.
I couldn't find a line in there that even remotely looks like it is
getting a remote IP address or a hostname from anywhere.
I get that same impression each time I look at java code.
And this, I guess, is good java code. I wonder what bad java code looks
like.
Probably you guys are using tools which recursively open all these
things for you, but I'm not and my personal mental recursive capability
stops at about level 5 or so.
In the meantime, methinks I'll stick to perl and to simple configuration
questions then.
By the way, in the file LocalStrings_fr.properties that is in that same
directory, there are quite a few typos. That's more my level, me being
a native French speaker and all.
How do I submit a corrected version, with a minimum of fuss ?
RE: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: André Warnier [mailto:aw@ice-sa.com]
> Subject: Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
>
> If anyone points me to where the code of the RemoteAddrValve can be
> found, I'd like to have a look.
Download the source package, and look in:
apache-tomcat-6.0.20-src/java/org/apache/catalina/valves
- Chuck
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by André Warnier <aw...@ice-sa.com>.
Rainer Jung wrote:
> On 17.12.2009 10:02, André Warnier wrote:
>> Martin B. Smith wrote:
>>> On 12/16/2009 11:01 PM, Bill Barker wrote:
>>>> "André Warnier" <aw...@ice-sa.com> wrote in message
>>>> news:4B294EB6.4090109@ice-sa.com...
>>>>> Martin B. Smith wrote:
>>>>>> Howdy!
>>>>>>
>>>>>> I'm trying to ensure that only specific instances of Apache are
>>>>>> allowed to proxy requests into my Tomcat 5.5.28 instances.
>> ...
>>>> Yes, but if the OP wants to block all access to Tomcat, it is even
>>>> easier to just not have the worker configured on those Apaches that
>>>> shouldn't contact it.
>>
>> That assumes that the OP has access to the Apache webservers he wants to
>> block. And it does not block an Apache webserver, controlled by someone
>> else, to insert the proxying statements to use the Tomcat.
>>
>> That's why I was thinking of the "secret". This way, only the webservers
>> to which Bill gives the secret would be able to connect.
>>
>>>> As a result, I'm guessing that the OP wants to restrict access to
>>>> certain webapps.
>>>>
>>>> The good news is that with the AJP connector, request.getLocalName()
>>>> returns the name of the Apache server (as specified by the ServerName
>>>> directive), not the Tomcat server. And request.getLocalAddr() returns
>>>> the IP address of request.getLocalName() as it resolves on the Tomcat
>>>> machine. With that information it isn't hard to write a Filter that
>>>> does what you want. For the truly lazy, it would also be trivial to
>>>> copy RemoteAddrValve to LocalAddrValve and have it check localAddr
>>>> instead of remoteAddr.
>> Right. But this makes another couple of assumptions : 1) that the OP is
>> a Java programmer and 2) that he can insert a filter or a Valve into
>> Tomcat (as opposed to just being someone who can change some
>> configuration elements).
>> ...
>>>
>>> André, thank you for the suggestions. I had considered them, but wanted
>>> some additional, more specific protections without going to mod_jk.
>>
>> In the meantime, I checked on the Apache forum.
>> Unfortunately, as it stands now, some AJP parameters can be set in
>> Apache via the "key=value" elements of ProxyPass and ProxySet, but
>> unfortunately it seems that "secret" is not amongst them.
>>
>>>
>>> Bill, your post is a gem. Indeed, I can always use network ACLs and
>>> iptables and mod_jk, but I was really hoping to do mod_proxy_balancer.
>>> While there's some administrative separations between the programmers
>>> and the system administrators that prevent me from writing servlets on
>>> top of Tomcat, this is a nice tip.
>>>
>> All in all, I personally like Bill's "lazy" suggestion the best : create
>> another Address Valve that checks the local instead of the client
>> address.
>
> It will be hard to find a workaround that cannot be forged. If it is
> more about administrative control and not so much about security, then
> the getLocal* stuff might suffice, or you can add a request header via
> mod_headers in Apache and check for that header in your Tomcat filter.
>
> Using the real IP address where the connection came from of course would
> make it much harder to manipulate. I don't know how to do that at the
> moment.
This is an interesting discussion, which maybe also ties into the other
thread about detecting early that a client has gone away.
Just as a suggestion/question by someone who has no idea how the code is
structured : how flexible is the <Connector> with respect to the Java
Servlet Spec ? How about doing this at the Connector level ?
After all, that one should be the first in line to know
a) where this connection is coming from
b) if the connection to the client is still alive
On the face of it (to me anyway), it just looks like moving some code
from a Valve to the Connector, and maybe save the overhead of a Valve in
the process. Which Valve is Tomcat-specific anyway.
>
> mod_proxy_ajp doesn't support the "secure" attribute, not only per
> documentation, but I also checked the source code.
Nice confirmation. Thanks.
Of course "secure" is
> only secure as long as you can't read the config files or sniff the
> traffic. The same would be true for adding and checking a custom request
> header.
>
Right. But I believe that in this case, we can reasonably suppose that
these Apache/Tomcat connections are over a relatively private channel,
not over the Internet. Otherwise, there is always the iptables/firewall
solution.
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by Rainer Jung <ra...@kippdata.de>.
On 17.12.2009 10:02, André Warnier wrote:
> Martin B. Smith wrote:
>> On 12/16/2009 11:01 PM, Bill Barker wrote:
>>> "André Warnier" <aw...@ice-sa.com> wrote in message
>>> news:4B294EB6.4090109@ice-sa.com...
>>>> Martin B. Smith wrote:
>>>>> Howdy!
>>>>>
>>>>> I'm trying to ensure that only specific instances of Apache are
>>>>> allowed to proxy requests into my Tomcat 5.5.28 instances.
> ...
>>> Yes, but if the OP wants to block all access to Tomcat, it is even
>>> easier to just not have the worker configured on those Apaches that
>>> shouldn't contact it.
>
> That assumes that the OP has access to the Apache webservers he wants to
> block. And it does not block an Apache webserver, controlled by someone
> else, to insert the proxying statements to use the Tomcat.
>
> That's why I was thinking of the "secret". This way, only the webservers
> to which Bill gives the secret would be able to connect.
>
> As a result, I'm guessing that the OP wants to restrict access to
>>> certain webapps.
>>>
>>> The good news is that with the AJP connector, request.getLocalName()
>>> returns the name of the Apache server (as specified by the ServerName
>>> directive), not the Tomcat server. And request.getLocalAddr() returns
>>> the IP address of request.getLocalName() as it resolves on the Tomcat
>>> machine. With that information it isn't hard to write a Filter that
>>> does what you want. For the truly lazy, it would also be trivial to
>>> copy RemoteAddrValve to LocalAddrValve and have it check localAddr
>>> instead of remoteAddr.
> Right. But this makes another couple of assumptions : 1) that the OP is
> a Java programmer and 2) that he can insert a filter or a Valve into
> Tomcat (as opposed to just being someone who can change some
> configuration elements).
> ...
>>
>> André, thank you for the suggestions. I had considered them, but wanted
>> some additional, more specific protections without going to mod_jk.
>
> In the meantime, I checked on the Apache forum.
> Unfortunately, as it stands now, some AJP parameters can be set in
> Apache via the "key=value" elements of ProxyPass and ProxySet, but
> unfortunately it seems that "secret" is not amongst them.
>
>>
>> Bill, your post is a gem. Indeed, I can always use network ACLs and
>> iptables and mod_jk, but I was really hoping to do mod_proxy_balancer.
>> While there's some administrative separations between the programmers
>> and the system administrators that prevent me from writing servlets on
>> top of Tomcat, this is a nice tip.
>>
> All in all, I personally like Bill's "lazy" suggestion the best : create
> another Address Valve that checks the local instead of the client address.
It will be hard to find a workaround that cannot be forged. If it is
more about administrative control and not so much about security, then
the getLocal* stuff might suffice, or you can add a request header via
mod_headers in Apache and check for that header in your Tomcat filter.
Using the real IP address where the connection came from of course would
make it much harder to manipulate. I don't know how to do that at the
moment.
mod_proxy_ajp doesn't support the "secure" attribute, not only per
documentation, but I also checked the source code. Of course "secure" is
only secure as long as you can't read the config files or sniff the
traffic. The same would be true for adding and checking a custom request
header.
Regards,
Rainer
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by André Warnier <aw...@ice-sa.com>.
Martin B. Smith wrote:
> On 12/16/2009 11:01 PM, Bill Barker wrote:
>> "André Warnier" <aw...@ice-sa.com> wrote in message
>> news:4B294EB6.4090109@ice-sa.com...
>>> Martin B. Smith wrote:
>>>> Howdy!
>>>>
>>>> I'm trying to ensure that only specific instances of Apache are allowed
>>>> to proxy requests into my Tomcat 5.5.28 instances.
...
>> Yes, but if the OP wants to block all access to Tomcat, it is even easier to
>> just not have the worker configured on those Apaches that shouldn't contact
>> it.
That assumes that the OP has access to the Apache webservers he wants to
block. And it does not block an Apache webserver, controlled by someone
else, to insert the proxying statements to use the Tomcat.
That's why I was thinking of the "secret". This way, only the webservers
to which Bill gives the secret would be able to connect.
As a result, I'm guessing that the OP wants to restrict access to
>> certain webapps.
>>
>> The good news is that with the AJP connector, request.getLocalName() returns
>> the name of the Apache server (as specified by the ServerName directive),
>> not the Tomcat server. And request.getLocalAddr() returns the IP address of
>> request.getLocalName() as it resolves on the Tomcat machine. With that
>> information it isn't hard to write a Filter that does what you want. For
>> the truly lazy, it would also be trivial to copy RemoteAddrValve to
>> LocalAddrValve and have it check localAddr instead of remoteAddr.
>>
Right. But this makes another couple of assumptions : 1) that the OP is
a Java programmer and 2) that he can insert a filter or a Valve into
Tomcat (as opposed to just being someone who can change some
configuration elements).
...
>
> André, thank you for the suggestions. I had considered them, but wanted
> some additional, more specific protections without going to mod_jk.
In the meantime, I checked on the Apache forum.
Unfortunately, as it stands now, some AJP parameters can be set in
Apache via the "key=value" elements of ProxyPass and ProxySet, but
unfortunately it seems that "secret" is not amongst them.
>
> Bill, your post is a gem. Indeed, I can always use network ACLs and
> iptables and mod_jk, but I was really hoping to do mod_proxy_balancer.
> While there's some administrative separations between the programmers
> and the system administrators that prevent me from writing servlets on
> top of Tomcat, this is a nice tip.
>
All in all, I personally like Bill's "lazy" suggestion the best : create
another Address Valve that checks the local instead of the client address.
I would even think that the most elegant solution, since Valves are
something specific to Tomcat anyway, would be to enhance the existing
Valve with an additional attribute, telling it to either use the client
address (the default), or the local address (by adding a new attribute).
Any interest anyone ?
(If anyone points me to where the code of the RemoteAddrValve can be
found, I'd like to have a look. But I really don't even know where to
begin with submitting patches and stuff. I'm only good at talking..).
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by "Martin B. Smith" <sm...@ufl.edu>.
On 12/16/2009 11:01 PM, Bill Barker wrote:
> "André Warnier" <aw...@ice-sa.com> wrote in message
> news:4B294EB6.4090109@ice-sa.com...
>> Martin B. Smith wrote:
>>> Howdy!
>>>
>>> I'm trying to ensure that only specific instances of Apache are allowed
>>> to proxy requests into my Tomcat 5.5.28 instances. Unfortunately, it
>>> looks like Tomcat is seeing the actual client IP making the original
>>> request to Apache. Does anyone have a configuration that only allows
>>> specific Apache (mod_)proxies to be serviced by Tomcat?
>>>
>> Of course if you are under Linux, you could use iptables to block
>> requests to port 8009, from hosts you don't like.
>> And if you are under Windows, you could use the Windows firewall or
>> filtering rules.
>> Probably even more efficient than doing this at the Tomcat level.
>
> Yes, but if the OP wants to block all access to Tomcat, it is even easier to
> just not have the worker configured on those Apaches that shouldn't contact
> it. As a result, I'm guessing that the OP wants to restrict access to
> certain webapps.
>
> The good news is that with the AJP connector, request.getLocalName() returns
> the name of the Apache server (as specified by the ServerName directive),
> not the Tomcat server. And request.getLocalAddr() returns the IP address of
> request.getLocalName() as it resolves on the Tomcat machine. With that
> information it isn't hard to write a Filter that does what you want. For
> the truly lazy, it would also be trivial to copy RemoteAddrValve to
> LocalAddrValve and have it check localAddr instead of remoteAddr.
André, thank you for the suggestions. I had considered them, but wanted
some additional, more specific protections without going to mod_jk.
Bill, your post is a gem. Indeed, I can always use network ACLs and
iptables and mod_jk, but I was really hoping to do mod_proxy_balancer.
While there's some administrative separations between the programmers
and the system administrators that prevent me from writing servlets on
top of Tomcat, this is a nice tip.
Thanks.
--
Martin B. Smith
smithmb@ufl.edu - (352) 273-1374
CNS/Open Systems Group
University of Florida
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by Bill Barker <bi...@verizon.net>.
"André Warnier" <aw...@ice-sa.com> wrote in message
news:4B294EB6.4090109@ice-sa.com...
> Martin B. Smith wrote:
>> Howdy!
>>
>> I'm trying to ensure that only specific instances of Apache are allowed
>> to proxy requests into my Tomcat 5.5.28 instances. Unfortunately, it
>> looks like Tomcat is seeing the actual client IP making the original
>> request to Apache. Does anyone have a configuration that only allows
>> specific Apache (mod_)proxies to be serviced by Tomcat?
>>
> Of course if you are under Linux, you could use iptables to block
> requests to port 8009, from hosts you don't like.
> And if you are under Windows, you could use the Windows firewall or
> filtering rules.
> Probably even more efficient than doing this at the Tomcat level.
Yes, but if the OP wants to block all access to Tomcat, it is even easier to
just not have the worker configured on those Apaches that shouldn't contact
it. As a result, I'm guessing that the OP wants to restrict access to
certain webapps.
The good news is that with the AJP connector, request.getLocalName() returns
the name of the Apache server (as specified by the ServerName directive),
not the Tomcat server. And request.getLocalAddr() returns the IP address of
request.getLocalName() as it resolves on the Tomcat machine. With that
information it isn't hard to write a Filter that does what you want. For
the truly lazy, it would also be trivial to copy RemoteAddrValve to
LocalAddrValve and have it check localAddr instead of remoteAddr.
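Bill's Filter idea combined with Rainer's mod_headers marker check, written here as an added example that is neither Tomcat's code nor code posted in this thread; the init-param names and the marker header are assumptions, and as Rainer points out the check stays forgeable by whoever controls the Apache side.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not Tomcat's own code. Over AJP, getLocalAddr() resolves
 * to the front-end Apache's address (from its ServerName), not the client's,
 * so it can be compared with an allow list. As Rainer notes, both that value
 * and any marker header are forgeable by whoever controls the Apache side,
 * so this is an administrative control, not a substitute for a firewall.
 */
public class LocalAddrFilter implements Filter {
    private Set<String> allowed = new HashSet<String>();
    private String markerHeader;   // optional header added by mod_headers
    private String markerValue;
    // init-param names ("allow", "markerHeader", "markerValue") are
    // hypothetical; declare them on the filter in web.xml.
    public void init(FilterConfig config) throws ServletException {
        allowed = parseAllowList(config.getInitParameter("allow"));
        if (allowed.isEmpty()) {
            throw new ServletException("init-param 'allow' is required");
        }
        markerHeader = config.getInitParameter("markerHeader");
        markerValue = config.getInitParameter("markerValue");
    }
    /** Splits a comma-separated address list, ignoring blanks. */
    static Set<String> parseAllowList(String allow) {
        Set<String> set = new HashSet<String>();
        if (allow == null) return set;
        for (String s : allow.split(",")) {
            String t = s.trim();
            if (t.length() > 0) set.add(t);
        }
        return set;
    }

    /** Exact-match check; the header is enforced only when configured. */
    static boolean isAllowed(String localAddr, Set<String> allowed,
                             String headerValue, String expected) {
        if (localAddr == null || !allowed.contains(localAddr)) return false;
        return expected == null || expected.equals(headerValue);
    }

    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String header = markerHeader == null ? null
                                             : request.getHeader(markerHeader);
        if (!isAllowed(request.getLocalAddr(), allowed, header, markerValue)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter to the webapps that should only be reachable through the permitted front end; unlike RemoteAddrValve this needs no Tomcat-internal API, only Servlet 2.4's getLocalAddr().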
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by André Warnier <aw...@ice-sa.com>.
Martin B. Smith wrote:
> Howdy!
>
> I'm trying to ensure that only specific instances of Apache are allowed
> to proxy requests into my Tomcat 5.5.28 instances. Unfortunately, it
> looks like Tomcat is seeing the actual client IP making the original
> request to Apache. Does anyone have a configuration that only allows
> specific Apache (mod_)proxies to be serviced by Tomcat?
>
Of course if you are under Linux, you could use iptables to block
requests to port 8009, from hosts you don't like.
And if you are under Windows, you could use the Windows firewall or
filtering rules.
Probably even more efficient than doing this at the Tomcat level.
Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Posted by André Warnier <aw...@ice-sa.com>.
Martin B. Smith wrote:
> Howdy!
>
> I'm trying to ensure that only specific instances of Apache are allowed
> to proxy requests into my Tomcat 5.5.28 instances. Unfortunately, it
> looks like Tomcat is seeing the actual client IP making the original
> request to Apache. Does anyone have a configuration that only allows
> specific Apache (mod_)proxies to be serviced by Tomcat?
>
> I will be using other ways to protect Tomcat, but I'd like something
> inside Tomcat filtering these AJP requests too, and RemoteAddressValve
> sounds like it should work :)
>
Yees, but as you noticed, it does use the IP address of the original client.
> Here's what I'm using now --
>
> Apache:
>
> ProxyPass / balancer://foo/ stickysession=JSESSIONID nofailover=On
>
> <Proxy balancer://foo>
> BalancerMember ajp://host1:1234 route=foo
> BalancerMember ajp://host2:1235 route=foo
> </Proxy>
>
> Tomcat:
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> allow="127.0.0.1,apache-front-end-ip"/>
>
But this being getting close to Christmas, and me being in the mood for
some reindeers and chocolate, I did a bit of detective work for you.
First, there is the simple case where the Apache you want to allow is on
the same host, and Apaches on other hosts are not allowed.
In that case, there is the following hack :
In your Tomcat AJP connector, set
address="127.0.0.1"
and have your Apache AJP connectors connect to that address only.
This means that this connector will only be listening on the loopback
connector of the machine itself. Since only another process on this same
machine can connect to that IP address.. ( ;-), that's why it is a hack).
Other than that, I found this attribute of the Tomcat AJP Connector :
request.secret
Only requests from workers with this secret keyword will be accepted.
(That's in http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html)
That's pretty neat, because in the workers.properties of the Apache
mod_jk connector, you can set
worker.someworker.secret :
You can set a secret keyword on the Tomcat AJP Connector. Then only
requests from workers with the same secret keyword will be accepted.
Use request.secret="secret key word" in your Tomcat AJP Connector
configuration.
If you set a secret on a load balancer, all its members will inherit
this secret.
This feature has been added in jk 1.2.12.
(That's in http://tomcat.apache.org/connectors-doc/reference/workers.html)
Now comes the bummer however : I don't know mod_proxy_ajp, and I don't
know if you can set such a secret password at the mod_proxy_ajp level.
But you could always switch to mod_jk...