Posted to users@tomcat.apache.org by Jaikit Savla <ja...@yahoo.com> on 2012/09/23 00:04:12 UTC

Authenticate requests from localhost using tomcat RemoteAddrFilter

Hello Users,

I have some admin api's which I want to have restricted access - such that only if the request originates from localhost - it will execute.
For that I am using tomcat's RemoteAddrfilter

<filter>
  <filter-name>Remote Address Filter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>Remote Address Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Now when I execute the request from localhost - request fails with 403. Reason being "REMOTE_ADDR" is set with actual ip of the machine and filter does string comparison of ip. Hence it fails.
Any clue on how to resolve this use case ?




-bash-4.1$ curl -v http://localhost/ws/local/info
* About to connect() to localhost port 80 (#0)
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /ws/local/vip/info HTTP/1.1
> User-Agent: curl/7.21.7 (x86_64-unknown-linux-gnu) libcurl/7.21.7 OpenSSL/0.9.8o zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: localhost
> Accept: */*
> 
< HTTP/1.1 403 Forbidden

Appreciate any help.

Thanks

Re: Authenticate requests from localhost using tomcat RemoteAddrFilter

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/9/23 Martin Gainty <mg...@hotmail.com>:
>
> Jaikit
>
> You can ask Catalina to check the IP address, or host name, on every incoming request directed to the surrounding Engine, Host, or Context element.
> The remote address or name will be checked against a configured list of "allow" and/or "deny" filters, which are defined using the Regular Expression syntax supported by the Jakarta Regexp regular expression library (http://jakarta.apache.org/regexp/).
> Requests that come from locations that are not accepted will be rejected with an HTTP "Forbidden" error.
> Example filter declarations:
>
> e.g
>
> <Host name="localhost" ...>
>   ...
>   <Valve className="org.apache.catalina.valves.RemoteHostValve"
>          allow="*.mycompany.com,www.yourcompany.com"/>
>   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>          deny="192.168.1.*"/>
>   ...
> </Host>
>
> HTH,
> Martin
>

Martin,

what crap of outdated documentation are you citing?

1. RemoteHostValve uses Java regexp implementation, not Jakarta one
2. Comma (,) is not a valid separator between values there in Tomcat 7.



>
>
>> Date: Sat, 22 Sep 2012 23:36:33 -0700
>> From: jaikit.savla@yahoo.com
>> Subject: Re: Authenticate requests from localhost using tomcat RemoteAddrFilter
>> To: users@tomcat.apache.org
>>
>> I have not yet tried playing with firewall.
>> I was thinking in the lines of adding capability in filter to find if the request originated from localhost. Right now it just does string comparison.
>>
>> Jaikit
>>
>>
>> ----- Original Message -----
>> From: Ralph Plawetzki <ra...@purejava.org>
>> To: Tomcat Users List <us...@tomcat.apache.org>
>> Cc:
>> Sent: Saturday, September 22, 2012 10:41 PM
>> Subject: Re: Authenticate requests from localhost using tomcat RemoteAddrFilter
>>
>> Jaikit,
>>
>> Am 23.09.2012 00:04, schrieb Jaikit Savla:
>> > Hello Users,
>> >
>> > I have some admin api's which I want to have restricted access - such that only if the request originates from localhost - it will execute.
>> > For that I am using tomcat's RemoteAddrfilter
>> what exactly do you mean with admin api's?
>>
>> > <filter>
>> >       <filter-name>Remote Address Filter</filter-name>
>> >       <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
>> >       <init-param>
>> >         <param-name>allow</param-name>
>> >         <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
>> >       </init-param>
>> >     </filter>
>> >     <filter-mapping>
>> >       <filter-name>Remote Address Filter</filter-name>
>> >       <url-pattern>/*</url-pattern>
>> >     </filter-mapping>
>> > </filter>
>> see http://www.oracle.com/technetwork/java/filters-137243.html
>> „A filter dynamically intercepts requests and responses to transform or
>> use the information contained in the requests or responses.” So this is
>> something that is part of a web application which is running on tomcat.
>>
>> > Now when I execute the request from localhost - request fails with 403. Reason being "REMOTE_ADDR" is set with actual ip of the machine and filter does string comparison of ip. Hence it fails.
>> > Any clue on how to resolve this use case ?
>> >
>> >
>> >
>> >
>> > -bash-4.1$ curl -v http://localhost/ws/local/info
>> > * About to connect() to localhost port 80 (#0)
>> > *   Trying 127.0.0.1... connected
>> > * Connected to localhost (127.0.0.1) port 80 (#0)
>> >> GET /ws/local/vip/info HTTP/1.1
>> >> User-Agent: curl/7.21.7 (x86_64-unknown-linux-gnu) libcurl/7.21.7 OpenSSL/0.9.8o zlib/1.2.3 libidn/1.18 libssh2/1.2.2
>> >> Host: localhost
>> >> Accept: */*
>> >>
>> > < HTTP/1.1 403 Forbidden
>>
>> I am guessing here: if you want to restrict access to your tomcat server
>> to certain clients, you could solve this by configuring your firewall
>> accordingly.
>>
>> Ralph
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Authenticate requests from localhost using tomcat RemoteAddrFilter

Posted by Martin Gainty <mg...@hotmail.com>.
Jaikit

You can ask Catalina to check the IP address, or host name, on every incoming request directed to the surrounding Engine, Host, or Context element.
The remote address or name will be checked against a configured list of "allow" and/or "deny" filters, which are defined using the Regular Expression syntax supported by the Jakarta Regexp regular expression library (http://jakarta.apache.org/regexp/).
Requests that come from locations that are not accepted will be rejected with an HTTP "Forbidden" error.
Example filter declarations:

e.g

<Host name="localhost" ...>
  ...
  <Valve className="org.apache.catalina.valves.RemoteHostValve"
         allow="*.mycompany.com,www.yourcompany.com"/>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         deny="192.168.1.*"/>
  ...
</Host>

HTH,
Martin 



> Date: Sat, 22 Sep 2012 23:36:33 -0700
> From: jaikit.savla@yahoo.com
> Subject: Re: Authenticate requests from localhost using tomcat RemoteAddrFilter
> To: users@tomcat.apache.org
> 
> I have not yet tried playing with firewall. 
> I was thinking in the lines of adding capability in filter to find if the request originated from localhost. Right now it just does string comparison. 
> 
> Jaikit
> 
> 
> ----- Original Message -----
> From: Ralph Plawetzki <ra...@purejava.org>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Cc: 
> Sent: Saturday, September 22, 2012 10:41 PM
> Subject: Re: Authenticate requests from localhost using tomcat RemoteAddrFilter
> 
> Jaikit,
> 
> Am 23.09.2012 00:04, schrieb Jaikit Savla:
> > Hello Users,
> > 
> > I have some admin api's which I want to have restricted access - such that only if the request originates from localhost - it will execute.
> > For that I am using tomcat's RemoteAddrfilter
> what exactly do you mean with admin api's?
> 
> > <filter>
> >       <filter-name>Remote Address Filter</filter-name>
> >       <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
> >       <init-param>
> >         <param-name>allow</param-name>
> >         <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
> >       </init-param>
> >     </filter>
> >     <filter-mapping>
> >       <filter-name>Remote Address Filter</filter-name>
> >       <url-pattern>/*</url-pattern>
> >     </filter-mapping>
> > </filter>
> see http://www.oracle.com/technetwork/java/filters-137243.html
> „A filter dynamically intercepts requests and responses to transform or
> use the information contained in the requests or responses.” So this is
> something that is part of a web application which is running on tomcat.
> 
> > Now when I execute the request from localhost - request fails with 403. Reason being "REMOTE_ADDR" is set with actual ip of the machine and filter does string comparison of ip. Hence it fails.
> > Any clue on how to resolve this use case ?
> > 
> > 
> > 
> > 
> > -bash-4.1$ curl -v http://localhost/ws/local/info
> > * About to connect() to localhost port 80 (#0)
> > *   Trying 127.0.0.1... connected
> > * Connected to localhost (127.0.0.1) port 80 (#0)
> >> GET /ws/local/vip/info HTTP/1.1
> >> User-Agent: curl/7.21.7 (x86_64-unknown-linux-gnu) libcurl/7.21.7 OpenSSL/0.9.8o zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> >> Host: localhost
> >> Accept: */*
> >>  
> > < HTTP/1.1 403 Forbidden
> 
> I am guessing here: if you want to restrict access to your tomcat server
> to certain clients, you could solve this by configuring your firewall
> accordingly.
> 
> Ralph
> 

Re: Authenticate requests from localhost using tomcat RemoteAddrFilter

Posted by Jaikit Savla <ja...@yahoo.com>.
I have not yet tried playing with firewall. 
I was thinking in the lines of adding capability in filter to find if the request originated from localhost. Right now it just does string comparison. 

Jaikit


----- Original Message -----
From: Ralph Plawetzki <ra...@purejava.org>
To: Tomcat Users List <us...@tomcat.apache.org>
Cc: 
Sent: Saturday, September 22, 2012 10:41 PM
Subject: Re: Authenticate requests from localhost using tomcat RemoteAddrFilter

Jaikit,

Am 23.09.2012 00:04, schrieb Jaikit Savla:
> Hello Users,
> 
> I have some admin api's which I want to have restricted access - such that only if the request originates from localhost - it will execute.
> For that I am using tomcat's RemoteAddrfilter
what exactly do you mean with admin api's?

> <filter>
>       <filter-name>Remote Address Filter</filter-name>
>       <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
>       <init-param>
>         <param-name>allow</param-name>
>         <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
>       </init-param>
>     </filter>
>     <filter-mapping>
>       <filter-name>Remote Address Filter</filter-name>
>       <url-pattern>/*</url-pattern>
>     </filter-mapping>
> </filter>
see http://www.oracle.com/technetwork/java/filters-137243.html
„A filter dynamically intercepts requests and responses to transform or
use the information contained in the requests or responses.” So this is
something that is part of a web application which is running on tomcat.

> Now when I execute the request from localhost - request fails with 403. Reason being "REMOTE_ADDR" is set with actual ip of the machine and filter does string comparison of ip. Hence it fails.
> Any clue on how to resolve this use case ?
> 
> 
> 
> 
> -bash-4.1$ curl -v http://localhost/ws/local/info
> * About to connect() to localhost port 80 (#0)
> *   Trying 127.0.0.1... connected
> * Connected to localhost (127.0.0.1) port 80 (#0)
>> GET /ws/local/vip/info HTTP/1.1
>> User-Agent: curl/7.21.7 (x86_64-unknown-linux-gnu) libcurl/7.21.7 OpenSSL/0.9.8o zlib/1.2.3 libidn/1.18 libssh2/1.2.2
>> Host: localhost
>> Accept: */*
>>  
> < HTTP/1.1 403 Forbidden

I am guessing here: if you want to restrict access to your tomcat server
to certain clients, you could solve this by configuring your firewall
accordingly.

Ralph



Re: Authenticate requests from localhost using tomcat RemoteAddrFilter

Posted by Ralph Plawetzki <ra...@purejava.org>.
Jaikit,

Am 23.09.2012 00:04, schrieb Jaikit Savla:
> Hello Users,
> 
> I have some admin api's which I want to have restricted access - such that only if the request originates from localhost - it will execute.
> For that I am using tomcat's RemoteAddrfilter
what exactly do you mean with admin api's?

> <filter>
>       <filter-name>Remote Address Filter</filter-name>
>       <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
>       <init-param>
>         <param-name>allow</param-name>
>         <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
>       </init-param>
>     </filter>
>     <filter-mapping>
>       <filter-name>Remote Address Filter</filter-name>
>       <url-pattern>/*</url-pattern>
>     </filter-mapping>
> </filter>
see http://www.oracle.com/technetwork/java/filters-137243.html
„A filter dynamically intercepts requests and responses to transform or
use the information contained in the requests or responses.” So this is
something that is part of a web application which is running on tomcat.

> Now when I execute the request from localhost - request fails with 403. Reason being "REMOTE_ADDR" is set with actual ip of the machine and filter does string comparison of ip. Hence it fails.
> Any clue on how to resolve this use case ?
> 
> 
> 
> 
> -bash-4.1$ curl -v http://localhost/ws/local/info
> * About to connect() to localhost port 80 (#0)
> *   Trying 127.0.0.1... connected
> * Connected to localhost (127.0.0.1) port 80 (#0)
>> GET /ws/local/vip/info HTTP/1.1
>> User-Agent: curl/7.21.7 (x86_64-unknown-linux-gnu) libcurl/7.21.7 OpenSSL/0.9.8o zlib/1.2.3 libidn/1.18 libssh2/1.2.2
>> Host: localhost
>> Accept: */*
>>  
> < HTTP/1.1 403 Forbidden

I am guessing here: if you want to restrict access to your tomcat server
to certain clients, you could solve this by configuring your firewall
accordingly.

Ralph



Re: Authenticate requests from localhost using tomcat RemoteAddrFilter

Posted by jaikit <ja...@yahoo.com>.
One of the platform team's filter was overriding the remote address with 
actual ip :(  I removed their filter and verified.
Apologies and thanks everyone for their time.

Thanks

On 9/24/12 11:58 AM, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jaikit,
>
> On 9/22/12 6:04 PM, Jaikit Savla wrote:
>> I have some admin api's which I want to have restricted access
> I think you mean APIs. "admin api's which" is a possessive even a
> native English speaker can't figure out.
>
>> - such that only if the request originates from localhost - it will
>> execute. For that I am using tomcat's RemoteAddrfilter
>>
>> <filter> <filter-name>Remote Address Filter</filter-name> ...
>> <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
>> ... </filter>
>>
>> Now when I execute the request from localhost - request fails with
>> 403. Reason being "REMOTE_ADDR" is set with actual ip of the
>> machine and filter does string comparison of ip. Hence it fails.
> How do you do the request? If it's like this:
>
>> -bash-4.1$ curl -v http://localhost/ws/local/info * About to
>> connect() to localhost port 80 (#0) *   Trying 127.0.0.1...
>> connected * Connected to localhost (127.0.0.1) port 80 (#0)
>>> GET /ws/local/vip/info HTTP/1.1 User-Agent: curl/7.21.7
>>> (x86_64-unknown-linux-gnu) libcurl/7.21.7 OpenSSL/0.9.8o
>>> zlib/1.2.3 libidn/1.18 libssh2/1.2.2 Host: localhost Accept: */*
>>>
>> < HTTP/1.1 403 Forbidden
> ...then I don't understand why you aren't getting 127.0.0.1 as the
> REMOTE_ADDR. Do you have anything weird in /etc/hosts like 'localhost
> 108.13.226.208' or any foolishness with the routing table which makes
> localhost take the long route through ethX?
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iEYEARECAAYFAlBgrU4ACgkQ9CaO5/Lv0PALmgCgwlIRgtaGRhsM03gvfDguTGJ8
> VpEAoKNpwD+zNmvBBsIqxv2/IngmAt1T
> =ExFV
> -----END PGP SIGNATURE-----
>




Re: Authenticate requests from localhost using tomcat RemoteAddrFilter

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jaikit,

On 9/22/12 6:04 PM, Jaikit Savla wrote:
> I have some admin api's which I want to have restricted access

I think you mean APIs. "admin api's which" is a possessive even a
native English speaker can't figure out.

> - such that only if the request originates from localhost - it will
> execute. For that I am using tomcat's RemoteAddrfilter
> 
> <filter> <filter-name>Remote Address Filter</filter-name> ... 
> <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value> 
> ... </filter>
> 
> Now when I execute the request from localhost - request fails with
> 403. Reason being "REMOTE_ADDR" is set with actual ip of the
> machine and filter does string comparison of ip. Hence it fails.

How do you do the request? If it's like this:

> -bash-4.1$ curl -v http://localhost/ws/local/info * About to
> connect() to localhost port 80 (#0) *   Trying 127.0.0.1...
> connected * Connected to localhost (127.0.0.1) port 80 (#0)
>> GET /ws/local/vip/info HTTP/1.1 User-Agent: curl/7.21.7
>> (x86_64-unknown-linux-gnu) libcurl/7.21.7 OpenSSL/0.9.8o
>> zlib/1.2.3 libidn/1.18 libssh2/1.2.2 Host: localhost Accept: */*
>> 
> < HTTP/1.1 403 Forbidden

...then I don't understand why you aren't getting 127.0.0.1 as the
REMOTE_ADDR. Do you have anything weird in /etc/hosts like 'localhost
108.13.226.208' or any foolishness with the routing table which makes
localhost take the long route through ethX?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBgrU4ACgkQ9CaO5/Lv0PALmgCgwlIRgtaGRhsM03gvfDguTGJ8
VpEAoKNpwD+zNmvBBsIqxv2/IngmAt1T
=ExFV
-----END PGP SIGNATURE-----



Re: Authenticate requests from localhost using tomcat RemoteAddrFilter

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

André,

On 9/24/12 3:58 AM, André Warnier wrote:
> 1) curl http://localhost/something
> 
> Result in log :
> 
> ::1 - - [24/Sep/2012:09:22:51 +0200] "GET /something HTTP/1.1" 404
> 282 "-" "curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0
> OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6"

Ooh, I hadn't thought of IPv6, though the tcpdump info clearly shows
the use of IPv4 and, for some reason, requests to a non-localhost IP
address being routed through the loopback (that's 'lo' in Linux-speak)
device.

It looks like something is wildly misconfigured somewhere.

> Yet, you seem to experience different results with Tomcat.
> 
> So something else is amiss.  If, from the same host, you issue a
> request to "localhost", Tomcat should see this request as coming
> from either the IPv4 address "127.0.0.1" or the IPv6 address "::1".
> If Tomcat does not see it that way, then something is wrong.

(I know this isn't IPv6, but it occurs to me that Tomcat always uses
the long form of the IPv6 address while Apache httpd is a bit smarter
about it (e.g. httpd reports ::1 while Tomcat would report either
0000:0000:0000:0000:0000:0000:0000:0001 or 0:0:0:0:0:0:0:1). Be aware
of that when setting up regular expressions to handle IPv6 localhost)

> Separately, and without taking anything away from the above : Your
> technique of using the Remote Address Filter seems correct to me, 
> and your settings also.  What I suspect however, is that there is 
> something peculiar with your /etc/hosts file (or your requests),
> that makes the requests "go out" through an interface other than
> the one you expect.

+1

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBgrosACgkQ9CaO5/Lv0PCs5QCgmxZlB3ATAe7ckdlaqZLmK7Au
aBYAnReA6qVVjl0wxIc8WybnOk9uj+2y
=HFhd
-----END PGP SIGNATURE-----



Re: Authenticate requests from localhost using tomcat RemoteAddrFilter

Posted by André Warnier <aw...@ice-sa.com>.
Jaikit Savla wrote:
> Hi,
> 
> You are right it does regex matching. I wanted to say that it does not do any kind of DNS lookup in the filter. 
> @configuration: I do not have any particular configuration or firewall set up. I have mentioned below output from tcpdump (listening on loopback interface) and as you can see it gets the IP address from the eth1 interface. Since I have my hosts where this code will be deployed - adding the IP to the filter will be a lot of work.
> 
> 
> ===============================
> 
> tcpdump -i lo
> 
> 
> No.     Time        Source                Destination           Protocol Length Info
>      46 0.822296    108.13.226.208        108.13.226.208        HTTP     270    GET /ws/local/vip/info HTTP/1.1 
> 
> Frame 46: 270 bytes on wire (2160 bits), 270 bytes captured (2160 bits)
> Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
> Internet Protocol Version 4, Src: 108.13.226.208 (108.13.226.208), Dst: 108.13.226.208 (108.13.226.208)
> Transmission Control Protocol, Src Port: 16217 (16217), Dst Port: http (80), Seq: 1, Ack: 1, Len: 204
> Hypertext Transfer Protocol
> 
> =================================
> 
> -bash-4.1$ ifconfig
> eth1      Link encap:Ethernet  HWaddr xx  
>           inet addr:108.13.226.208 Bcast:108.13.226.208  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:xx errors:0 dropped:91 overruns:0 frame:379
>           TX packets:xx errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:5000 
>           RX bytes:xx (8.5 GiB)  TX bytes:xx (6.2 GiB)
>           Interrupt:17 
> 
> lo        Link encap:Local Loopback  
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:xx errors:0 dropped:0 overruns:0 frame:0
>           TX packets:xx errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0 
>           RX bytes:xx (102.4 GiB)  TX bytes:xx (102.4 GiB)
> 


There is something which I do not get, in all this.
On one of my own Linux hosts (which has the following interfaces :

eth0      Link encap:Ethernet  HWaddr 00:19:66:c1:0c:c4
           inet addr:192.168.245.20  Bcast:192.168.245.255  Mask:255.255.255.0
           inet6 addr: fe80::219:66ff:fec1:cc4/64 Scope:Link
...
lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
...
)

I am issuing various curl commands, and looking at the access log of *Apache httpd* 
(because I have configured it to log the client's IP, and it is convenient).
The results I get are these :

1) curl http://localhost/something

Result in log :

::1 - - [24/Sep/2012:09:22:51 +0200] "GET /something HTTP/1.1" 404 282 "-" "curl/7.21.0 
(i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6"

2) curl http://127.0.0.1/something

Result in log :

127.0.0.1 - - [24/Sep/2012:09:24:30 +0200] "GET /something HTTP/1.1" 404 282 "-" 
"curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 
libssh2/1.2.6"

3) curl http://192.168.245.20/something

Result in log :

192.168.245.20 - - [24/Sep/2012:09:27:35 +0200] "GET /something HTTP/1.1" 404 287 "-" 
"curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 
libssh2/1.2.6"

In other words, the client IP address as seen from the Apache httpd server looks totally 
consistent with how the request was issued.
- if the request was issued to "localhost", then curl (through the OS) first resolves that 
name to the IPv6 address "::1", and the request "goes out" through the corresponding 
interface (lo), thus with the source address "::1", and that is also how it is seen by the 
server.
- if the request was issued to "127.0.0.1", then there is no name resolving, the request 
"goes out" through the IPv4 channel of the lo interface, thus with a source address of 
127.0.0.1, and that is also how it is seen by the server.
- if the request was to "192.168.245.20" (the IP address of the eth0 interface), then it 
goes out through the eth0 interface, with a source address of "192.168.245.20", and that 
is also how it is seen by the server.
etc.

Yet, you seem to experience different results with Tomcat.

So something else is amiss.  If, from the same host, you issue a request to "localhost", 
Tomcat should see this request as coming from either the IPv4 address "127.0.0.1" or the 
IPv6 address "::1".  If Tomcat does not see it that way, then something is wrong.

-----

Separately, and without taking anything away from the above :
Your technique of using the Remote Address Filter seems correct to me, and your settings 
also.  What I suspect however, is that there is something peculiar with your /etc/hosts 
file (or your requests), that makes the requests "go out" through an interface other than 
the one you expect.

You can configure Tomcat's access log so that it will trace which client IP it thinks the 
request is coming from.




Re: Authenticate requests from localhost using tomcat RemoteAddrFilter

Posted by Jaikit Savla <ja...@yahoo.com>.
Hi,

You are right it does regex matching. I wanted to say that it does not do any kind of DNS lookup in the filter. 
@configuration: I do not have any particular configuration or firewall set up. I have mentioned below output from tcpdump (listening on loopback interface) and as you can see it gets the IP address from the eth1 interface. Since I have my hosts where this code will be deployed - adding the IP to the filter will be a lot of work.


===============================

tcpdump -i lo


No.     Time        Source                Destination           Protocol Length Info
     46 0.822296    108.13.226.208        108.13.226.208        HTTP     270    GET /ws/local/vip/info HTTP/1.1 

Frame 46: 270 bytes on wire (2160 bits), 270 bytes captured (2160 bits)
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 108.13.226.208 (108.13.226.208), Dst: 108.13.226.208 (108.13.226.208)
Transmission Control Protocol, Src Port: 16217 (16217), Dst Port: http (80), Seq: 1, Ack: 1, Len: 204
Hypertext Transfer Protocol

=================================

-bash-4.1$ ifconfig
eth1      Link encap:Ethernet  HWaddr xx  
          inet addr:108.13.226.208 Bcast:108.13.226.208  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:xx errors:0 dropped:91 overruns:0 frame:379
          TX packets:xx errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:5000 
          RX bytes:xx (8.5 GiB)  TX bytes:xx (6.2 GiB)
          Interrupt:17 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:xx errors:0 dropped:0 overruns:0 frame:0
          TX packets:xx errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:xx (102.4 GiB)  TX bytes:xx (102.4 GiB)

Thanks

________________________________
 From: Konstantin Kolinko <kn...@gmail.com>
To: Tomcat Users List <us...@tomcat.apache.org> 
Sent: Sunday, September 23, 2012 6:52 AM
Subject: Re: Authenticate requests from localhost using tomcat RemoteAddrFilter
 
2012/9/23 Jaikit Savla <ja...@yahoo.com>:
> Hello Users,
>
> I have some admin api's which I want to have restricted access - such that only if the request originates from localhost - it will execute.
> For that I am using tomcat's RemoteAddrfilter
>
> <filter>
>       <filter-name>Remote Address Filter</filter-name>
>       <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
>       <init-param>
>         <param-name>allow</param-name>
>         <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
>       </init-param>
>     </filter>
>     <filter-mapping>
>       <filter-name>Remote Address Filter</filter-name>
>       <url-pattern>/*</url-pattern>
>     </filter-mapping>
> </filter>
>
> Now when I execute the request from localhost - request fails with 403. Reason being "REMOTE_ADDR" is set with actual ip of the machine and filter does string comparison of ip. Hence it fails.
> Any clue on how to resolve this use case ?
>

1. There must be some reason why "REMOTE_ADDR"  has that value in your
configuration.  Your description is lacking. What is your
configuration?

2. The filter does not do string comparison, but does regexp matching.

Nothing prevents you from adding that additional value to the regular
expression.


>
>
>
> -bash-4.1$ curl -v http://localhost/ws/local/info
> * About to connect() to localhost port 80 (#0)
> *   Trying 127.0.0.1... connected
> * Connected to localhost (127.0.0.1) port 80 (#0)
>> GET /ws/local/vip/info HTTP/1.1
>> User-Agent: curl/7.21.7 (x86_64-unknown-linux-gnu) libcurl/7.21.7 OpenSSL/0.9.8o zlib/1.2.3 libidn/1.18 libssh2/1.2.2
>> Host: localhost
>> Accept: */*
>>
> < HTTP/1.1 403 Forbidden
>
> Appreciate any help.
>
> Thanks


Re: Authenticate requests from localhost using tomcat RemoteAddrFilter

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/9/23 Jaikit Savla <ja...@yahoo.com>:
> Hello Users,
>
> I have some admin api's which I want to have restricted access - such that only if the request originates from localhost - it will execute.
> For that I am using tomcat's RemoteAddrfilter
>
> <filter>
>       <filter-name>Remote Address Filter</filter-name>
>       <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
>       <init-param>
>         <param-name>allow</param-name>
>         <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
>       </init-param>
>     </filter>
>     <filter-mapping>
>       <filter-name>Remote Address Filter</filter-name>
>       <url-pattern>/*</url-pattern>
>     </filter-mapping>
> </filter>
>
> Now when I execute the request from localhost - request fails with 403. Reason being "REMOTE_ADDR" is set with actual ip of the machine and filter does string comparison of ip. Hence it fails.
> Any clue on how to resolve this use case ?
>

1. There must be some reason why "REMOTE_ADDR"  has that value in your
configuration.  Your description is lacking. What is your
configuration?

2. The filter does not do string comparison, but does regexp matching.

Nothing prevents you from adding that additional value to the regular
expression.


>
>
>
> -bash-4.1$ curl -v http://localhost/ws/local/info
> * About to connect() to localhost port 80 (#0)
> *   Trying 127.0.0.1... connected
> * Connected to localhost (127.0.0.1) port 80 (#0)
>> GET /ws/local/vip/info HTTP/1.1
>> User-Agent: curl/7.21.7 (x86_64-unknown-linux-gnu) libcurl/7.21.7 OpenSSL/0.9.8o zlib/1.2.3 libidn/1.18 libssh2/1.2.2
>> Host: localhost
>> Accept: */*
>>
> < HTTP/1.1 403 Forbidden
>
> Appreciate any help.
>
> Thanks
