Posted to dev@tomcat.apache.org by GitBox <gi...@apache.org> on 2020/12/07 09:16:18 UTC

[GitHub] [tomcat] martin-g commented on a change in pull request #385: Add peerAddress to coyote request

martin-g commented on a change in pull request #385:
URL: https://github.com/apache/tomcat/pull/385#discussion_r537343964



##########
File path: webapps/docs/changelog.xml
##########
@@ -117,6 +117,22 @@
         Especially add support for connector specific configuration
         using <code>addConnectorPort</code>. (rjung)
       </add>
+      <add>
+        Add <code>peerAddress</code> to coyote request, which contains
+        the IP address of the direct connection peer. If a reverse proxy
+        sits in front of Tomcat and the protocol used is AJP or HTTP
+        in combination with the <code>RemoteIp(Valve|Filter)</code>,
+        the peer address might differ from the <code>remoteAddress</code>.
+        The latter then contains the address of the client in front of the
+        reverse proxy, not the address of the proxy itself.
+        Support for the peer address has been added to the
+        RemoteAddrValve and RemoteCIDRValve with the new attribute
+        <code>usePeerAddress</code>. This can be used to restrict access
+        to Tomcat bsed on the reverse proxy IP address, which is especially
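Review bot: the entry introduces the `usePeerAddress` attribute on RemoteAddrValve and RemoteCIDRValve without stating its default; please say what it is, because operators with existing allow/deny patterns need to know whether those patterns keep matching `remoteAddress` after the upgrade or silently start matching the proxy address. It would also help to name the API that exposes the new value (the getter on the coyote request or the request attribute applications read), so the sentence "the peer address might differ from the remoteAddress" points at something a reader can check rather than a concept.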

Review comment:
       s/bsed/based/

##########
File path: java/org/apache/catalina/valves/AbstractAccessLogValve.java
##########
@@ -861,19 +868,50 @@ public void addElement(CharArrayWriter buf, Date date, Request request,
      * write remote IP address - %a
      */
     protected class RemoteAddrElement implements AccessLogElement, CachedElement {
+        /**
+         * Type of address to log
+         */
+        private static final String remoteAddress = "remote";
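Review bot: the Javadoc "Type of address to log" describes the selector, not this field, which holds one of the selector's values ("remote"); reword it to say it is the value that selects the connection's remote address, and give the companion `peerAddress` constant a matching one-line description so both values are documented side by side. The element's header comment just above still reads "write remote IP address - %a"; if `%a` can now emit the peer address as well, that comment should say so, since it is what people grep for when they wonder which address ends up in the access log.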

Review comment:
       s/remoteAddress/REMOTE_ADDRESS/, to follow Java conventions?! Same for `peerAddress` below.

##########
File path: java/org/apache/coyote/Request.java
##########
@@ -95,6 +95,7 @@ public Request() {
 
     // remote address/host
     private final MessageBytes remoteAddrMB = MessageBytes.newInstance();
+    private final MessageBytes peerAddrMB = MessageBytes.newInstance();
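Review bot: `peerAddrMB` is added next to `remoteAddrMB`, but the hunk does not show it being reset; confirm that `Request.recycle()` calls `peerAddrMB.recycle()` the same way it recycles `remoteAddrMB`. Without that, a Request reused after the Processor is recycled can carry the previous connection's peer address into the next one, and a RemoteAddrValve or RemoteCIDRValve configured with `usePeerAddress` would then make its allow/deny decision on stale data whenever the connector does not repopulate the field for the new connection.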

Review comment:
       Do we care that it is either `remote` or `peer`? So one of them wastes memory. Or is it negligible?

##########
File path: java/org/apache/coyote/Constants.java
##########
@@ -96,4 +96,11 @@
      * the X-Forwarded-For HTTP header.
      */
     public static final String REMOTE_ADDR_ATTRIBUTE = "org.apache.tomcat.remoteAddr";
+
+    /**
+     * The request attribute set by the RemoteIpFilter, RemoteIpValve (and may
+     * be set by other similar components) that identifies for the connector the
+     * conection peer IP address.
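Review bot: this Javadoc says the peer address attribute is "set by the RemoteIpFilter, RemoteIpValve", which does not match the changelog entry's description of `peerAddress` as the address of the direct connection peer, something the connector learns from the socket rather than from a filter or valve. State explicitly which component is the source of truth and whether a value set through this request attribute can override the socket-derived one: if it can, any code able to set request attributes could present an arbitrary peer address to RemoteAddrValve/RemoteCIDRValve with `usePeerAddress`, which is the opposite of the AJP hardening the change is meant to provide. If the attribute is only ever read, say "read by" instead of "set by".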

Review comment:
       con`n`ection

##########
File path: webapps/docs/changelog.xml
##########
@@ -117,6 +117,22 @@
         Especially add support for connector specific configuration
         using <code>addConnectorPort</code>. (rjung)
       </add>
+      <add>
+        Add <code>peerAddress</code> to coyote request, which contains
+        the IP address of the direct connection peer. If a reverse proxy
+        sits in front of Tomcat and the protocol used is AJP or HTTP
+        in combination with the <code>RemoteIp(Valve|Filter)</code>,
+        the peer address might differ from the <code>remoteAddress</code>.
+        The latter then contains the address of the client in front of the
+        reverse proxy, not the address of the proxy itself.
+        Support for the peer address has been added to the
+        RemoteAddrValve and RemoteCIDRValve with the new attribute
+        <code>usePeerAddress</code>. This can be used to restrict access
+        to Tomcat bsed on the reverse proxy IP address, which is especially
+        useful to harden access to AJP connecrtors. The peer address can also
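Review bot: "harden access to AJP connectors" deserves one more sentence explaining why this matters: over AJP, `remoteAddress` is the client address forwarded by the reverse proxy, so an allow list on RemoteAddrValve or RemoteCIDRValve that matches `remoteAddress` restricts which forwarded client addresses are accepted, not which hosts may open connections to the AJP port. With `usePeerAddress` the valve matches the address of the host that actually connected, which is what an operator pinning the connector to a known proxy wants. Spelling that out here will save the same question being asked on the users list.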

Review comment:
       s/connecrtors/connectors/




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org