You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by GitBox <gi...@apache.org> on 2020/12/06 15:20:14 UTC

[GitHub] [tomcat] rainerjung opened a new pull request #385: Add peerAddress to coyote request

rainerjung opened a new pull request #385:
URL: https://github.com/apache/tomcat/pull/385


   It contains the IP address of the direct connection peer.
   If a reverse proxy sits in front of Tomcat and the protocol
   used is AJP or HTTP in combination with the RemoteIp(Valve|Filter),
   the peer address might differ from the remoteAddress.
   The latter then contains the address of the client in front of the
   reverse proxy, not the address of the proxy itself.
   
   Support for the peer address has been added to the
   RemoteAddrValve and RemoteCIDRValve with the new attribute
   "usePeerAddress". This can be used to restrict access
   to Tomcat bsed on the reverse proxy IP address, which is especially
   useful to harden access to AJP connecrtors.
   
   The peer address can also be logged in the access log
   using the new %{peer}a syntax.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] [tomcat] rainerjung merged pull request #385: Add peerAddress to coyote request

Posted by GitBox <gi...@apache.org>.

rainerjung merged pull request #385:
URL: https://github.com/apache/tomcat/pull/385


   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] [tomcat] martin-g commented on a change in pull request #385: Add peerAddress to coyote request

Posted by GitBox <gi...@apache.org>.

martin-g commented on a change in pull request #385:
URL: https://github.com/apache/tomcat/pull/385#discussion_r537343964



##########
File path: webapps/docs/changelog.xml
##########
@@ -117,6 +117,22 @@
         Especially add support for connector specific configuration
         using <code>addConnectorPort</code>. (rjung)
       </add>
+      <add>
+        Add <code>peerAddress</code> to coyote request, which contains
+        the IP address of the direct connection peer. If a reverse proxy
+        sits in front of Tomcat and the protocol used is AJP or HTTP
+        in combination with the <code>RemoteIp(Valve|Filter)</code>,
+        the peer address might differ from the <code>remoteAddress</code>.
+        The latter then contains the address of the client in front of the
+        reverse proxy, not the address of the proxy itself.
+        Support for the peer address has been added to the
+        RemoteAddrValve and RemoteCIDRValve with the new attribute
+        <code>usePeerAddress</code>. This can be used to restrict access
+        to Tomcat bsed on the reverse proxy IP address, which is especially

Review comment:
       s/bsed/based/

##########
File path: java/org/apache/catalina/valves/AbstractAccessLogValve.java
##########
@@ -861,19 +868,50 @@ public void addElement(CharArrayWriter buf, Date date, Request request,
      * write remote IP address - %a
      */
     protected class RemoteAddrElement implements AccessLogElement, CachedElement {
+        /**
+         * Type of address to log
+         */
+        private static final String remoteAddress = "remote";

Review comment:
       s/remoteAddress/REMOTE_ADDRESS/, to follow Java conventions ?! Same for `peerAddress` below.

##########
File path: java/org/apache/coyote/Request.java
##########
@@ -95,6 +95,7 @@ public Request() {
 
     // remote address/host
     private final MessageBytes remoteAddrMB = MessageBytes.newInstance();
+    private final MessageBytes peerAddrMB = MessageBytes.newInstance();

Review comment:
       Do we care that it is either `remote` or `peer`? So one of them wastes memory. Or it is negligible ?

##########
File path: java/org/apache/coyote/Constants.java
##########
@@ -96,4 +96,11 @@
      * the X-Forwarded-For HTTP header.
      */
     public static final String REMOTE_ADDR_ATTRIBUTE = "org.apache.tomcat.remoteAddr";
+
+    /**
+     * The request attribute set by the RemoteIpFilter, RemoteIpValve (and may
+     * be set by other similar components) that identifies for the connector the
+     * conection peer IP address.

Review comment:
       con`n`ection

##########
File path: webapps/docs/changelog.xml
##########
@@ -117,6 +117,22 @@
         Especially add support for connector specific configuration
         using <code>addConnectorPort</code>. (rjung)
       </add>
+      <add>
+        Add <code>peerAddress</code> to coyote request, which contains
+        the IP address of the direct connection peer. If a reverse proxy
+        sits in front of Tomcat and the protocol used is AJP or HTTP
+        in combination with the <code>RemoteIp(Valve|Filter)</code>,
+        the peer address might differ from the <code>remoteAddress</code>.
+        The latter then contains the address of the client in front of the
+        reverse proxy, not the address of the proxy itself.
+        Support for the peer address has been added to the
+        RemoteAddrValve and RemoteCIDRValve with the new attribute
+        <code>usePeerAddress</code>. This can be used to restrict access
+        to Tomcat bsed on the reverse proxy IP address, which is especially
+        useful to harden access to AJP connecrtors. The peer address can also

Review comment:
       s/connecrtors/connectors/




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] [tomcat] rainerjung commented on a change in pull request #385: Add peerAddress to coyote request

Posted by GitBox <gi...@apache.org>.

rainerjung commented on a change in pull request #385:
URL: https://github.com/apache/tomcat/pull/385#discussion_r537434611



##########
File path: java/org/apache/coyote/Constants.java
##########
@@ -96,4 +96,11 @@
      * the X-Forwarded-For HTTP header.
      */
     public static final String REMOTE_ADDR_ATTRIBUTE = "org.apache.tomcat.remoteAddr";
+
+    /**
+     * The request attribute set by the RemoteIpFilter, RemoteIpValve (and may
+     * be set by other similar components) that identifies for the connector the
+     * conection peer IP address.

Review comment:
       Thanks.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] [tomcat] rainerjung commented on a change in pull request #385: Add peerAddress to coyote request

Posted by GitBox <gi...@apache.org>.

rainerjung commented on a change in pull request #385:
URL: https://github.com/apache/tomcat/pull/385#discussion_r537434443



##########
File path: java/org/apache/catalina/valves/AbstractAccessLogValve.java
##########
@@ -861,19 +868,50 @@ public void addElement(CharArrayWriter buf, Date date, Request request,
      * write remote IP address - %a
      */
     protected class RemoteAddrElement implements AccessLogElement, CachedElement {
+        /**
+         * Type of address to log
+         */
+        private static final String remoteAddress = "remote";

Review comment:
       AbstractAccessLogValve consistently uses camel case for static Strings. I sticked to the local concentions in ther file. I would prefer to change the static string nameing conventions in an independent commit.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: [GitHub] [tomcat] rainerjung opened a new pull request #385: Add peerAddress to coyote request

Posted by Rainer Jung <ra...@kippdata.de>.

Hi all,

I plan to integrate this PR. I adressed the comments of Martin except 
for the constants name casing, which I wanted to keep conskistent in the 
file for now.

If anyone needs more time to review, please let me know. Any feedback 
highly welcome.

Since IMHO it is useful for all branches, I would also backport it.

Thanks and regards,

Rainer

Am 06.12.2020 um 16:20 schrieb GitBox:
> 
> rainerjung opened a new pull request #385:
> URL: https://github.com/apache/tomcat/pull/385
> 
> 
>     It contains the IP address of the direct connection peer.
>     If a reverse proxy sits in front of Tomcat and the protocol
>     used is AJP or HTTP in combination with the RemoteIp(Valve|Filter),
>     the peer address might differ from the remoteAddress.
>     The latter then contains the address of the client in front of the
>     reverse proxy, not the address of the proxy itself.
>     
>     Support for the peer address has been added to the
>     RemoteAddrValve and RemoteCIDRValve with the new attribute
>     "usePeerAddress". This can be used to restrict access
>     to Tomcat bsed on the reverse proxy IP address, which is especially
>     useful to harden access to AJP connecrtors.
>     
>     The peer address can also be logged in the access log
>     using the new %{peer}a syntax.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org