Posted to users@tomcat.apache.org by Eric Fetzer <er...@gmail.com> on 2024/04/04 17:43:46 UTC

org.apache.catalina.valves.RemoteAddrValve

Hi All,

When I originally set up my tomcat instance, I added the following to allow
manager access under /opt/tomcat/webapps/manager/META-INF/context.xml:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*" />

That worked wonderfully.  Now I'm trying to add another IP range by
changing it to:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*|2.4.6.*" />

This is not working.  I tried to use 2\.4\.6\.\d+ as well but that didn't
work either.  I've verified I can get to port 8080 from the IP locations.
Any idea what I'm doing wrong or do you have a means to troubleshoot this?

Thanks,
Eric

Re: [External] org.apache.catalina.valves.RemoteAddrValve

Posted by Eric Fetzer <er...@gmail.com>.
LOL, I'm decent at regex, Robert.  I got the \d+ from what ships in the
context.xml:

127\.\d+\.\d+\.\d+

It looks like an attempt at saying localhost can get in as long as the
localhost IP starts with 127.  I assumed it wasn't actually regex but some
"tomcat language"...  Thanks for the education!  I'll jump back on here if
things don't work on the other side of the firewall...

On Thu, Apr 4, 2024 at 12:11 PM Robert Egan <ro...@vsolvit.com> wrote:

> You need to read up on "regular expressions" (or "regex").
>
> In a regular expression, a lowercase "d" is a single decimal digit. A "+"
> means one or more of them. A period means ANY character (which is why you
> have to escape it when you mean "period"). A backward slash means to treat
> the character immediately after it normally and not as a special character.
> So "\d" would mean the literal letter "d".
>
> There are more rules, but they're well documented all over the internet, so I
> won't elaborate.
>
> Robert Egan
>
>
> On Thu, Apr 4, 2024 at 2:01 PM Eric Fetzer <er...@gmail.com> wrote:
>
> > Thanks for the quick response Robert!  So I tried escaping the periods
> and
> > putting the \d+ for the * but it didn't work.  Is the \d+ incorrect in
> > substitution for *?
> >
> > On Thu, Apr 4, 2024 at 11:53 AM Robert Egan <ro...@vsolvit.com>
> > wrote:
> >
> > > It looks like you need to escape your periods, like you did for 127\.
> > > etc...
> > > 1\.3\.5
> > > Robert Egan
> > >
> > > On Thu, Apr 4, 2024 at 1:44 PM Eric Fetzer <er...@gmail.com>
> > wrote:
> > >
> > > > Hi All,
> > > >
> > > > When I originally set up my tomcat instance, I added the following to
> > > allow
> > > > manager access under
> /opt/tomcat/webapps/manager/META-INF/context.xml:
> > > >
> > > > <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> > > >          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*" />
> > > >
> > > > That worked wonderfully.  Now I'm trying to add another IP range by
> > > > changing it to:
> > > >
> > > > <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> > > >
> allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*|2.4.6.*"
> > > />
> > > >
> > > > This is not working.  I tried to use 2\.4\.6\.\d+ as well but that
> > didn't
> > > > work either.  I've verified I can get to port 8080 from the IP
> > locations.
> > > > Any idea what I'm doing wrong or do you have a means to troubleshoot
> > > this?
> > > >
> > > > Thanks,
> > > > Eric
> > > >
> > >
> >
>

Re: [External] org.apache.catalina.valves.RemoteAddrValve

Posted by Robert Egan <ro...@vsolvit.com>.
You need to read up on "regular expressions" (or "regex").

In a regular expression, a lowercase "d" is a single decimal digit. A "+"
means one or more of them. A period means ANY character (which is why you
have to escape it when you mean "period"). A backward slash means to treat
the character immediately after it normally and not as a special character.
So "\d" would mean the literal letter "d".

There are more rules, but they're well documented all over the internet, so I
won't elaborate.

Robert Egan


On Thu, Apr 4, 2024 at 2:01 PM Eric Fetzer <er...@gmail.com> wrote:

> Thanks for the quick response Robert!  So I tried escaping the periods and
> putting the \d+ for the * but it didn't work.  Is the \d+ incorrect in
> substitution for *?
>
> On Thu, Apr 4, 2024 at 11:53 AM Robert Egan <ro...@vsolvit.com>
> wrote:
>
> > It looks like you need to escape your periods, like you did for 127\.
> > etc...
> > 1\.3\.5
> > Robert Egan
> >
> > On Thu, Apr 4, 2024 at 1:44 PM Eric Fetzer <er...@gmail.com>
> wrote:
> >
> > > Hi All,
> > >
> > > When I originally set up my tomcat instance, I added the following to
> > allow
> > > manager access under /opt/tomcat/webapps/manager/META-INF/context.xml:
> > >
> > > <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> > >          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*" />
> > >
> > > That worked wonderfully.  Now I'm trying to add another IP range by
> > > changing it to:
> > >
> > > <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> > >          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*|2.4.6.*"
> > />
> > >
> > > This is not working.  I tried to use 2\.4\.6\.\d+ as well but that
> didn't
> > > work either.  I've verified I can get to port 8080 from the IP
> locations.
> > > Any idea what I'm doing wrong or do you have a means to troubleshoot
> > this?
> > >
> > > Thanks,
> > > Eric
> > >
> >
>

Re: [External] org.apache.catalina.valves.RemoteAddrValve

Posted by Eric Fetzer <er...@gmail.com>.
Sorry folks (Robert), but upon further testing, it looks like port 8080
isn't open on these IPs.  I was mistaking the attempt to connect from my
curl command for a response.  I withdraw my question for now.  I'll
reply to this thread if it doesn't work once the hole in the firewall is
carved properly.  Thanks!

On Thu, Apr 4, 2024 at 11:58 AM Eric Fetzer <er...@gmail.com> wrote:

> Thanks for the quick response Robert!  So I tried escaping the periods and
> putting the \d+ for the * but it didn't work.  Is the \d+ incorrect in
> substitution for *?
>
> On Thu, Apr 4, 2024 at 11:53 AM Robert Egan <ro...@vsolvit.com>
> wrote:
>
>> It looks like you need to escape your periods, like you did for 127\.
>> etc...
>> 1\.3\.5
>> Robert Egan
>>
>> On Thu, Apr 4, 2024 at 1:44 PM Eric Fetzer <er...@gmail.com> wrote:
>>
>> > Hi All,
>> >
>> > When I originally set up my tomcat instance, I added the following to
>> allow
>> > manager access under /opt/tomcat/webapps/manager/META-INF/context.xml:
>> >
>> > <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>> >          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*" />
>> >
>> > That worked wonderfully.  Now I'm trying to add another IP range by
>> > changing it to:
>> >
>> > <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>> >          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*|2.4.6.*"
>> />
>> >
>> > This is not working.  I tried to use 2\.4\.6\.\d+ as well but that
>> didn't
>> > work either.  I've verified I can get to port 8080 from the IP
>> locations.
>> > Any idea what I'm doing wrong or do you have a means to troubleshoot
>> this?
>> >
>> > Thanks,
>> > Eric
>> >
>>
>

Re: [External] org.apache.catalina.valves.RemoteAddrValve

Posted by Eric Fetzer <er...@gmail.com>.
Thanks for the quick response Robert!  So I tried escaping the periods and
putting the \d+ for the * but it didn't work.  Is the \d+ incorrect in
substitution for *?

On Thu, Apr 4, 2024 at 11:53 AM Robert Egan <ro...@vsolvit.com> wrote:

> It looks like you need to escape your periods, like you did for 127\.
> etc...
> 1\.3\.5
> Robert Egan
>
> On Thu, Apr 4, 2024 at 1:44 PM Eric Fetzer <er...@gmail.com> wrote:
>
> > Hi All,
> >
> > When I originally set up my tomcat instance, I added the following to
> allow
> > manager access under /opt/tomcat/webapps/manager/META-INF/context.xml:
> >
> > <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> >          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*" />
> >
> > That worked wonderfully.  Now I'm trying to add another IP range by
> > changing it to:
> >
> > <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> >          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*|2.4.6.*"
> />
> >
> > This is not working.  I tried to use 2\.4\.6\.\d+ as well but that didn't
> > work either.  I've verified I can get to port 8080 from the IP locations.
> > Any idea what I'm doing wrong or do you have a means to troubleshoot
> this?
> >
> > Thanks,
> > Eric
> >
>

Re: [External] org.apache.catalina.valves.RemoteAddrValve

Posted by Robert Egan <ro...@vsolvit.com>.
It looks like you need to escape your periods, like you did for 127\. etc...
1\.3\.5
Robert Egan

On Thu, Apr 4, 2024 at 1:44 PM Eric Fetzer <er...@gmail.com> wrote:

> Hi All,
>
> When I originally set up my tomcat instance, I added the following to allow
> manager access under /opt/tomcat/webapps/manager/META-INF/context.xml:
>
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*" />
>
> That worked wonderfully.  Now I'm trying to add another IP range by
> changing it to:
>
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*|2.4.6.*" />
>
> This is not working.  I tried to use 2\.4\.6\.\d+ as well but that didn't
> work either.  I've verified I can get to port 8080 from the IP locations.
> Any idea what I'm doing wrong or do you have a means to troubleshoot this?
>
> Thanks,
> Eric
>

Re: org.apache.catalina.valves.RemoteAddrValve

Posted by Eric Fetzer <er...@gmail.com>.
Thanks Christopher!


Sent from my iPhone

> On Apr 4, 2024, at 10:20 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> 
> Eric,
> 
>> On 4/4/24 13:43, Eric Fetzer wrote:
>> Hi All,
>> When I originally set up my tomcat instance, I added the following to allow
>> manager access under /opt/tomcat/webapps/manager/META-INF/context.xml:
>> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*" />
>> That worked wonderfully.  Now I'm trying to add another IP range by
>> changing it to:
>> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*|2.4.6.*" />
>> This is not working.  I tried to use 2\.4\.6\.\d+ as well but that didn't
>> work either.  I've verified I can get to port 8080 from the IP locations.
>> Any idea what I'm doing wrong or do you have a means to troubleshoot this?
> 
> I'm glad you are reporting that the issue is elsewhere and not a problem with your use of RemoteAddrValve.
> 
> But I'd like to point out that since these are regular expressions, your specific use of them can lead to unintended consequences. For example:
> 
> 1.3.5.*
> 
> This will allow anyone from 1.3.5.1 or 1.3.5.99 or 1.3.5.254. That's probably fine. But it will also allow anybody from 103.50.99.24 as well. That probably wasn't intended.
> 
> Changing it to the properly-escaped 1\.3\.5 but also trailing \..* (note there are two periods there) really means 1.3.5.whatever.
> 
> Using \d isn't strictly necessary but it does make it clear that you aren't expecting non-digits e.g. hostnames.
> 
> As you mentioned elsewhere in this thread, you thought it was "tomcat language". When it comes to security controls, /please read the documentation/ because knowing that it is a regular expression and not a "tomcat language" can mean the difference between configuring a security control properly or improperly.
> 
> -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 



Re: org.apache.catalina.valves.RemoteAddrValve

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Eric,

On 4/4/24 13:43, Eric Fetzer wrote:
> Hi All,
> 
> When I originally set up my tomcat instance, I added the following to allow
> manager access under /opt/tomcat/webapps/manager/META-INF/context.xml:
> 
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>           allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*" />
> 
> That worked wonderfully.  Now I'm trying to add another IP range by
> changing it to:
> 
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>           allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*|2.4.6.*" />
> 
> This is not working.  I tried to use 2\.4\.6\.\d+ as well but that didn't
> work either.  I've verified I can get to port 8080 from the IP locations.
> Any idea what I'm doing wrong or do you have a means to troubleshoot this?

I'm glad you are reporting that the issue is elsewhere and not a problem 
with your use of RemoteAddrValve.

But I'd like to point out that since these are regular expressions, your 
specific use of them can lead to unintended consequences. For example:

1.3.5.*

This will allow anyone from 1.3.5.1 or 1.3.5.99 or 1.3.5.254. That's 
probably fine. But it will also allow anybody from 103.50.99.24 as well. 
That probably wasn't intended.

Changing it to the properly-escaped 1\.3\.5 but also trailing \..* (note 
there are two periods there) really means 1.3.5.whatever.

Using \d isn't strictly necessary but it does make it clear that you 
aren't expecting non-digits e.g. hostnames.

As you mentioned elsewhere in this thread, you thought it was "tomcat 
language". When it comes to security controls, /please read the 
documentation/ because knowing that it is a regular expression and not a 
"tomcat language" can mean the difference between configuring a security 
control properly or improperly.

-chris

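The pitfall Chris describes above is easy to check offline before touching
context.xml. The script below is an added example (not from the thread, not
Tomcat's code): it applies the allow pattern the way RemoteAddrValve does,
as a full match of the whole remote address (Java's Matcher.matches()), using
Python's re.fullmatch. The assumption is that Java and Python agree on these
simple constructs (\d, ., *, +, |), which they do. LOOSE_ALLOW is the pattern
from the original post; STRICT_ALLOW is the escaped form Chris recommends with
\d+ for the last octet. The addresses fed in are constructed test inputs; 103.50.99.24 is
Chris's own counter-example.

```python
import re

# Allow lists exactly as they would appear in the valve's allow="..." attribute.
# LOOSE_ALLOW is the pattern posted in the thread; STRICT_ALLOW is the
# properly escaped version (assumed here to be the intended fix).
LOOSE_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*|2.4.6.*"
STRICT_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1\.3\.5\.\d+|2\.4\.6\.\d+"

# Constructed sample of client addresses: the ones the admin wants in,
# plus look-alikes that an unescaped "." and bare ".*" would also admit.
SAMPLE_ADDRS = [
    "127.0.0.1",        # localhost, should pass
    "::1",              # IPv6 localhost, should pass
    "1.3.5.7",          # intended range, should pass
    "2.4.6.250",        # intended second range, should pass
    "103.50.99.24",     # Chris's example: matches 1.3.5.* because "." is any char
    "1.3.50.1",         # different /24: matches 1.3.5.* because .* eats the rest
    "10.0.0.1",         # unrelated, should be rejected by both
]


def is_allowed(allow: str, remote_addr: str) -> bool:
    """Mimic RemoteAddrValve's decision for an allow-only configuration.

    Tomcat compiles the allow attribute as one java.util.regex pattern and
    requires the entire remote address to match (matches(), not find()),
    so the Python equivalent is re.fullmatch rather than re.search.
    """
    return re.fullmatch(allow, remote_addr) is not None


def audit(allow: str, addrs):
    """Return the addresses that the given allow pattern would admit."""
    return [addr for addr in addrs if is_allowed(allow, addr)]


def unintended(loose: str, strict: str, addrs):
    """Addresses admitted by the loose pattern but not by the strict one:
    the over-permission introduced by unescaped dots and a bare .*"""
    return [a for a in audit(loose, addrs) if not is_allowed(strict, a)]


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_ALLOW), ("strict", STRICT_ALLOW)):
        print(f"{name:6s} admits: {audit(pattern, SAMPLE_ADDRS)}")
    print("admitted only by the loose pattern:",
          unintended(LOOSE_ALLOW, STRICT_ALLOW, SAMPLE_ADDRS))
```

Run it once against the exact allow string you intend to deploy; any address
that turns up in the "admitted only by the loose pattern" list is an address
that would reach the Manager app without you intending it. Note that \d+ does
not validate octet ranges (1.3.5.999 would also match), but the valve only ever
sees real addresses, so that is harmless; what matters is that every literal
dot is escaped and nothing before the last octet is left as a wildcard.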