Posted to dev@tomcat.apache.org by bu...@apache.org on 2023/02/08 10:41:23 UTC
[Bug 66470] New: Tomcat missing ip range for internalProxies
https://bz.apache.org/bugzilla/show_bug.cgi?id=66470
Bug ID: 66470
Summary: Tomcat missing ip range for internalProxies
Product: Tomcat 11
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: simon.gloxhuber@n4.de
Target Milestone: -------
SETUP:
We implemented a solution in Spring Boot to allow additional origins for
requests in order to handle CORS correctly.
Because of that we override a bean in the security config:
```
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowCredentials(true);
    // 'origin' is the additional allowed origin; where it is defined is not shown in the report
    config.addAllowedOrigin(origin);
    List<String> header = List.of("*");
    config.setAllowedHeaders(header);
    config.setAllowedMethods(header);
    source.registerCorsConfiguration("/**", config); // apply to every path
    return source;
}
```
The Spring Boot application runs in Kubernetes clusters at different
providers.
At many cluster providers we have no problems with the implementation, but at the
provider Scaleway we get an HTTP 403 Forbidden for requests, with the message
"Invalid CORS Request" as the response.
PROBLEM:
The problem is Spring Boot's internal Tomcat. It uses the configuration option
server.tomcat.remoteip.internal-proxies in the application properties. The
default is the RFC 1918 IP range of private networks, which is used for localhost
(IPv4 and IPv6). But the RFC 6598 shared address space is not included in
the list.
--> The range 100.64.0.0/10, which is defined as shared address space, is not
included in the list.
However, Scaleway (and almost certainly many other providers) use this range
internally in the cluster, as the range cannot be routed by definition and thus
provides at least as much security as the private IP address ranges.
The result is that Tomcat blocks the request from this IP.
https://www.rfc-editor.org/rfc/rfc1918
https://www.rfc-editor.org/rfc/rfc6598
SOLUTION:
We fixed the problem temporarily by changing the default behaviour of Tomcat
and adding the IP range:
https://docs.spring.io/spring-boot/docs/current/reference/html/howto.html#howto.webserver.use-behind-a-proxy-server.tomcat
```
server:
  tomcat:
    basedir: /tmp
    max-swallow-size: -1
    remoteip:
      internal-proxies: "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.[7-9]{1}[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.1[0-1]{1}[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|0:0:0:0:0:0:0:1|::1"
```
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
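To make the reported behaviour concrete, the following is an added Python model of how RemoteIpValve's internalProxies pattern decides whether to honour X-Forwarded-For / X-Forwarded-Proto. It is example code written for this page, not Tomcat's code and not the reporter's; it assumes that the pre-fix default pattern equals the report's regex with the 100.64.0.0/10 alternatives removed (check RemoteIpValve.java for the exact default in your version), models only internalProxies plus the two forwarded headers (trustedProxies, proxiesHeader and port handling are left out), and uses constructed addresses.

```python
import re

# Internal-proxy pattern as assumed before the fix in this bug: the report's regex
# without the 100.64.0.0/10 alternatives (assumption of this example, see lead-in).
RFC1918_AND_LOOPBACK = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|169\.254\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.1[6-9]\.\d{1,3}\.\d{1,3}"
    r"|172\.2[0-9]\.\d{1,3}\.\d{1,3}"
    r"|172\.3[0-1]\.\d{1,3}\.\d{1,3}"
    r"|0:0:0:0:0:0:0:1|::1"
)

# RFC 6598 shared address space, 100.64.0.0/10 = 100.64.0.0 .. 100.127.255.255,
# spelled out the way the report adds it (second octet 64 to 127).
RFC6598_SHARED = (
    r"|100\.6[4-9]\.\d{1,3}\.\d{1,3}"
    r"|100\.[7-9][0-9]\.\d{1,3}\.\d{1,3}"
    r"|100\.1[0-1][0-9]\.\d{1,3}\.\d{1,3}"
    r"|100\.12[0-7]\.\d{1,3}\.\d{1,3}"
)

DEFAULT_INTERNAL_PROXIES = re.compile(RFC1918_AND_LOOPBACK)
EXTENDED_INTERNAL_PROXIES = re.compile(RFC1918_AND_LOOPBACK + RFC6598_SHARED)


def is_internal_proxy(ip, internal_proxies):
    # Tomcat uses Matcher.matches(): the whole address must match the pattern.
    return internal_proxies.fullmatch(ip) is not None


def resolve_client(remote_addr, headers, internal_proxies):
    """Simplified model of RemoteIpValve (no trustedProxies).

    Returns (client_ip, scheme, remaining_xff). The forwarded headers are only
    honoured when the immediate peer (remote_addr) matches internalProxies;
    otherwise the request is left as-is and the application sees the proxy.
    """
    if not is_internal_proxy(remote_addr, internal_proxies):
        return remote_addr, "http", headers.get("X-Forwarded-For")

    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    client = remote_addr
    idx = len(hops) - 1
    # Walk from the hop nearest Tomcat (rightmost) towards the client (leftmost),
    # dropping every hop that is itself an internal proxy.
    while idx >= 0:
        client = hops[idx]
        idx -= 1
        if is_internal_proxy(client, internal_proxies):
            continue
        break  # first non-internal hop is the client
    remaining = ",".join(hops[:idx + 1]) or None  # hops to the left of the client
    proto = headers.get("X-Forwarded-Proto", "http").lower()
    scheme = "https" if proto == "https" else "http"
    return client, scheme, remaining


# Constructed sample: an ingress in 100.64.0.0/10 forwards a TLS request from
# a client at 203.0.113.7 (documentation addresses, not real infrastructure).
SAMPLE_PEER = "100.64.1.5"
SAMPLE_HEADERS = {
    "X-Forwarded-For": "203.0.113.7",
    "X-Forwarded-Proto": "https",
}


def demo():
    before = resolve_client(SAMPLE_PEER, SAMPLE_HEADERS, DEFAULT_INTERNAL_PROXIES)
    after = resolve_client(SAMPLE_PEER, SAMPLE_HEADERS, EXTENDED_INTERNAL_PROXIES)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("default internalProxies :", before)  # ('100.64.1.5', 'http', '203.0.113.7')
    print("with 100.64.0.0/10 added:", after)   # ('203.0.113.7', 'https', None)
```

With the default pattern the 100.64.x.x peer is not recognised as a proxy, so the application sees the ingress address and plain http rather than the real client and https; adding the RFC 6598 range restores the expected view. Two caveats worth keeping in mind: the pattern is a textual match, not a CIDR check (`\d{1,3}` also accepts octets above 255), so do not reuse it as a general IP validator; and everything matched by internalProxies is trusted to set X-Forwarded-For, so any host in that range with direct reach to Tomcat can spoof the client address. Extend the list to the proxies that actually sit in front of Tomcat, not to every range the cluster happens to use.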
[Bug 66470] Tomcat missing ip range for internalProxies
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66470
sgloxhuber <si...@n4.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |simon.gloxhuber@n4.de
[Bug 66470] Tomcat missing ip range for internalProxies
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66470
--- Comment #1 from sgloxhuber <si...@n4.de> ---
https://github.com/apache/tomcat/blob/11.0.0-M2/java/org/apache/catalina/valves/RemoteIpValve.java
Line 399 has the definition of the IP range.
[Bug 66470] Tomcat missing ip range for internalProxies
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66470
Andy Wilkinson <wi...@vmware.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |wilkinsona@vmware.com
[Bug 66470] Tomcat missing ip range for internalProxies
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66470
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #2 from Mark Thomas <ma...@apache.org> ---
Fixed in:
- 11.0.x for 11.0.0-M3 onwards
- 10.1.x for 10.1.6 onwards
- 9.0.x for 9.0.72 onwards
- 8.5.x for 8.5.86 onwards
Both the Valve and the Filter were updated.