You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by GitBox <gi...@apache.org> on 2020/12/06 15:20:14 UTC
[GitHub] [tomcat] rainerjung opened a new pull request #385: Add peerAddress to coyote request
rainerjung opened a new pull request #385:
URL: https://github.com/apache/tomcat/pull/385
It contains the IP address of the direct connection peer.
If a reverse proxy sits in front of Tomcat and the protocol
used is AJP or HTTP in combination with the RemoteIp(Valve|Filter),
the peer address might differ from the remoteAddress.
The latter then contains the address of the client in front of the
reverse proxy, not the address of the proxy itself.
Support for the peer address has been added to the
RemoteAddrValve and RemoteCIDRValve with the new attribute
"usePeerAddress". This can be used to restrict access
to Tomcat bsed on the reverse proxy IP address, which is especially
useful to harden access to AJP connecrtors.
The peer address can also be logged in the access log
using the new %{peer}a syntax.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[GitHub] [tomcat] rainerjung merged pull request #385: Add peerAddress to coyote request
Posted by GitBox <gi...@apache.org>.
rainerjung merged pull request #385:
URL: https://github.com/apache/tomcat/pull/385
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[GitHub] [tomcat] martin-g commented on a change in pull request #385: Add peerAddress to coyote request
Posted by GitBox <gi...@apache.org>.
martin-g commented on a change in pull request #385:
URL: https://github.com/apache/tomcat/pull/385#discussion_r537343964
##########
File path: webapps/docs/changelog.xml
##########
@@ -117,6 +117,22 @@
Especially add support for connector specific configuration
using <code>addConnectorPort</code>. (rjung)
</add>
+ <add>
+ Add <code>peerAddress</code> to coyote request, which contains
+ the IP address of the direct connection peer. If a reverse proxy
+ sits in front of Tomcat and the protocol used is AJP or HTTP
+ in combination with the <code>RemoteIp(Valve|Filter)</code>,
+ the peer address might differ from the <code>remoteAddress</code>.
+ The latter then contains the address of the client in front of the
+ reverse proxy, not the address of the proxy itself.
+ Support for the peer address has been added to the
+ RemoteAddrValve and RemoteCIDRValve with the new attribute
+ <code>usePeerAddress</code>. This can be used to restrict access
+ to Tomcat bsed on the reverse proxy IP address, which is especially
Review comment:
s/bsed/based/
##########
File path: java/org/apache/catalina/valves/AbstractAccessLogValve.java
##########
@@ -861,19 +868,50 @@ public void addElement(CharArrayWriter buf, Date date, Request request,
* write remote IP address - %a
*/
protected class RemoteAddrElement implements AccessLogElement, CachedElement {
+ /**
+ * Type of address to log
+ */
+ private static final String remoteAddress = "remote";
Review comment:
s/remoteAddress/REMOTE_ADDRESS/, to follow Java conventions ?! Same for `peerAddress` below.
##########
File path: java/org/apache/coyote/Request.java
##########
@@ -95,6 +95,7 @@ public Request() {
// remote address/host
private final MessageBytes remoteAddrMB = MessageBytes.newInstance();
+ private final MessageBytes peerAddrMB = MessageBytes.newInstance();
Review comment:
Do we care that it is either `remote` or `peer`? So one of them wastes memory. Or it is negligible ?
##########
File path: java/org/apache/coyote/Constants.java
##########
@@ -96,4 +96,11 @@
* the X-Forwarded-For HTTP header.
*/
public static final String REMOTE_ADDR_ATTRIBUTE = "org.apache.tomcat.remoteAddr";
+
+ /**
+ * The request attribute set by the RemoteIpFilter, RemoteIpValve (and may
+ * be set by other similar components) that identifies for the connector the
+ * conection peer IP address.
Review comment:
con`n`ection
##########
File path: webapps/docs/changelog.xml
##########
@@ -117,6 +117,22 @@
Especially add support for connector specific configuration
using <code>addConnectorPort</code>. (rjung)
</add>
+ <add>
+ Add <code>peerAddress</code> to coyote request, which contains
+ the IP address of the direct connection peer. If a reverse proxy
+ sits in front of Tomcat and the protocol used is AJP or HTTP
+ in combination with the <code>RemoteIp(Valve|Filter)</code>,
+ the peer address might differ from the <code>remoteAddress</code>.
+ The latter then contains the address of the client in front of the
+ reverse proxy, not the address of the proxy itself.
+ Support for the peer address has been added to the
+ RemoteAddrValve and RemoteCIDRValve with the new attribute
+ <code>usePeerAddress</code>. This can be used to restrict access
+ to Tomcat bsed on the reverse proxy IP address, which is especially
+ useful to harden access to AJP connecrtors. The peer address can also
Review comment:
s/connecrtors/connectors/
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[GitHub] [tomcat] rainerjung commented on a change in pull request #385: Add peerAddress to coyote request
Posted by GitBox <gi...@apache.org>.
rainerjung commented on a change in pull request #385:
URL: https://github.com/apache/tomcat/pull/385#discussion_r537434611
##########
File path: java/org/apache/coyote/Constants.java
##########
@@ -96,4 +96,11 @@
* the X-Forwarded-For HTTP header.
*/
public static final String REMOTE_ADDR_ATTRIBUTE = "org.apache.tomcat.remoteAddr";
+
+ /**
+ * The request attribute set by the RemoteIpFilter, RemoteIpValve (and may
+ * be set by other similar components) that identifies for the connector the
+ * conection peer IP address.
Review comment:
Thanks.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[GitHub] [tomcat] rainerjung commented on a change in pull request #385: Add peerAddress to coyote request
Posted by GitBox <gi...@apache.org>.
rainerjung commented on a change in pull request #385:
URL: https://github.com/apache/tomcat/pull/385#discussion_r537434443
##########
File path: java/org/apache/catalina/valves/AbstractAccessLogValve.java
##########
@@ -861,19 +868,50 @@ public void addElement(CharArrayWriter buf, Date date, Request request,
* write remote IP address - %a
*/
protected class RemoteAddrElement implements AccessLogElement, CachedElement {
+ /**
+ * Type of address to log
+ */
+ private static final String remoteAddress = "remote";
Review comment:
AbstractAccessLogValve consistently uses camel case for static Strings. I sticked to the local concentions in ther file. I would prefer to change the static string nameing conventions in an independent commit.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: [GitHub] [tomcat] rainerjung opened a new pull request #385: Add
peerAddress to coyote request
Posted by Rainer Jung <ra...@kippdata.de>.
Hi all,
I plan to integrate this PR. I adressed the comments of Martin except
for the constants name casing, which I wanted to keep conskistent in the
file for now.
If anyone needs more time to review, please let me know. Any feedback
highly welcome.
Since IMHO it is useful for all branches, I would also backport it.
Thanks and regards,
Rainer
Am 06.12.2020 um 16:20 schrieb GitBox:
>
> rainerjung opened a new pull request #385:
> URL: https://github.com/apache/tomcat/pull/385
>
>
> It contains the IP address of the direct connection peer.
> If a reverse proxy sits in front of Tomcat and the protocol
> used is AJP or HTTP in combination with the RemoteIp(Valve|Filter),
> the peer address might differ from the remoteAddress.
> The latter then contains the address of the client in front of the
> reverse proxy, not the address of the proxy itself.
>
> Support for the peer address has been added to the
> RemoteAddrValve and RemoteCIDRValve with the new attribute
> "usePeerAddress". This can be used to restrict access
> to Tomcat bsed on the reverse proxy IP address, which is especially
> useful to harden access to AJP connecrtors.
>
> The peer address can also be logged in the access log
> using the new %{peer}a syntax.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org