Posted to users@tomcat.apache.org by Vasantharaju Trichy <va...@gmail.com> on 2018/02/27 08:29:02 UTC
No reliable way to know if the request emerged from localhost
Tomcat version 7.0.82 | Windows
We have a requirement such that admins (tomcat users) need to login remotely
to the machine where Tomcat is hosted and access the tomcat webapp to perform
certain actions or see certain pages. These pages or actions are not
permitted if users login remotely.
Initially I thought *request.getRemoteAddr* can be used to determine whether the actual
client ip is local or not, but it looks like, based on the *X-Forwarded-For* header, it
is easy to spoof *request.getRemoteAddr*. The spoofing is possible even
from trusted internal proxies.
So I thought *request.getServerName* is more reliable than *request.getRemoteAddr*.
But the *HOST* header can be spoofed to reflect *request.getServerName*.
Strangely Tomcat honors the HOST header to update *request.getServerName*.
I strongly feel this is a tomcat issue, or let us know how we can reliably
determine if the request originated from local, or whether this is something not
possible.
Thanks in advance,
Vasanth
Re: No reliable way to know if the request emerged from localhost
Posted by Mark Thomas <ma...@apache.org>.
On 27/02/18 12:06, Alex O'Ree wrote:
> I think this means, no remote http access, but allow admins remote desktop
> access. Once in a local desktop sessions, allow the http access since the
> request comes from local host
Possibly. That is one possible reading of "need to login remotely" vs
"not permitted if users login remotely". My guess was that the first
phrase was missing a "not" or should have said "locally".
Who knows which, if either, of our guesses is correct. Hence my request
for clarification.
> This issue is get remote address usually returns a non loop back ip
> address, even if the url was to localhost.
I read the issue the other way around - that the loopback address could
be spoofed.
Anyway...
Olaf has made a number of valid points. I await the answers to those
with interest.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: No reliable way to know if the request emerged from localhost
Posted by Alex O'Ree <al...@apache.org>.
I think this means: no remote http access, but allow admins remote desktop
access. Once in a local desktop session, allow the http access since the
request comes from localhost.
The issue is that get remote address usually returns a non-loopback ip
address, even if the url was to localhost.
Re: No reliable way to know if the request emerged from localhost
Posted by Mark Thomas <ma...@apache.org>.
On 27/02/18 08:29, Vasantharaju Trichy wrote:
> Tomcat version 7.0.82 | Windows
>
> We have a requirement such that admins(tomcat users) need to login remotely
> to the machine where Tomcat is hosted and access tomcat webapp to perform
> certain action or see certain pages . These pages or actions are not
> permitted if users login remotely
This requirement makes no sense.
"...need to login remotely..."
and
"...are not permitted if users login remotely..."
are mutually exclusive.
The logical answer to your question is unplug the box and your
requirements are guaranteed to be met.
I suspect, however, that you have not correctly stated your
requirements. What did you really mean?
Mark
Re: No reliable way to know if the request emerged from localhost
Posted by Olaf Kock <to...@olafkock.de>.
On 27.02.2018 09:29, Vasantharaju Trichy wrote:
> Tomcat version 7.0.82 | Windows
>
> We have a requirement such that admins(tomcat users) need to login remotely
> to the machine where Tomcat is hosted and access tomcat webapp to perform
> certain action or see certain pages . These pages or actions are not
> permitted if users login remotely
>
> Initially thought *request.getRemoteAddr* can be used determine actual
> client ip is local or not but looks like based *X-Forwarded-For* header it
> is easy to spoof *request.getRemoteAddr* . The spoofing is possible even
> from trusted internal proxies
There are two aspects that I don't understand in this paragraph:
* "Spoofing is possible even from trusted internal proxies". Well, you
trust them, do you? Then they probably have a point in spoofing
* What's your problem with getRemoteAddr?
getRemoteAddr will give you the address that this request originates
from. If you have a proxy running on the same machine, using http or
https to proxy your traffic: *That's* your originator, by definition.
Using http/https in forwards indeed requires you to utilize
X-Forwarded-For.
And your proxy should drop any such header that it receives from
outside, replacing it by its own. If you don't trust your proxy: Why are
you running all traffic through it? Stop using it. Add firewall rules,
so that only your proxy can connect to Tomcat.
> So thought *request.getServerName* is reliable than *request.getRemoteAddr*
>
> But *HOST* header can be spoofed to reflect *request.getServerName*
>
> Strangely Tomcat honors HOST header to update request. getServerName .
Tomcat needs to. You can connect to an arbitrary address and let it know
in the HOST header which virtual host you're actually aiming at. This
greatly extended the lifetime of IPv4. HOST and getServerName are meant
for Virtual Host resolution, not for implementing what you intend to.
> I strongly feel this is a tomcat issue or let us know how can we reliably
> determine if the request is originated from local or this is something not
> possible
Nope, it's not. Your options are:
* Run your proxy on another machine, and have your admins directly
connect to tomcat
* Stop using your proxy, as you don't trust it
* Change the communication between proxy and tomcat to AJP (which will
forward the originating remoteAddr)
I might have missed one or more other options, but I'm sure that others
will happily add them here.
Olaf
Re: No reliable way to know if the request emerged from localhost
Posted by logo <lo...@kreuser.name>.
Hi Vasanth,
Do you need to protect only single pages or the whole app? Did you check
the "Remote Address Filter"
(https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter)?
But nevertheless: request.getRemoteAddr() cannot be spoofed! That is
the origin of the request; that is the data you need to check for
localhost. If you need to identify non-admin requests from remote and
get the "real" ip, this may be more difficult and may need to handle
X-Forward headers.
Looking at the code of the Valve you would find the necessary handling
for the X-Forward header.
request.getServerName does not identify the client! That is the target
host name and is irrelevant for your app.
Best regards
Peter