Posted to users@tomcat.apache.org by Jörg Schaible <jo...@bpm-inspire.com> on 2019/08/28 09:17:50 UTC

Access denied (403) for external requests

Hi,

we've set up a Tomcat instance to answer on HTTP and port 8080 to requests from 
the intranet and HTTPS with port 8445 to external requests. When we use HTTPS 
and port 8445 from the intranet, our firewall will redirect the request, but 
without changing protocol or port. Tomcat answers to every request from the 
intranet using either HTTP/8080 or HTTPS/8445, but every external request is 
denied with 403 and we have no clue why.

The server.xml is just modified by adding an additional connector for HTTPS and 
a valve to restrict the access to 8445 for external addresses:

 ...
 <Service name="Catalina">
   <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
   <Connector port="8445"
     protocol="org.apache.coyote.http11.Http11Nio2Protocol"
     maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
     <SSLHostConfig>
       <Certificate certificateKeystoreFile="conf/cert-with-chain.p12"
         certificateKeystoreType="pkcs12"
         certificateKeystorePassword="password" />
     </SSLHostConfig>
   </Connector>
   <Connector port="8009" protocol="AJP/1.3" redirectPort="8445" />
   <Engine name="Catalina" defaultHost="localhost">
     <Realm className="org.apache.catalina.realm.LockOutRealm">
       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
     </Realm>
     <Host name="localhost"  appBase="webapps"
       unpackWARs="true" autoDeploy="true">
       <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="localhost_access_log" suffix=".txt"
         pattern="%h:%{local}p %{Host}i %l %u %t &quot;%r&quot; %s %b %S" />
       <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         addConnectorPort="true"
         allow=".*;8445|127\.\d+\.\d+\.\d+;80\d\d|192\.168\.\d+\.\d+;80\d\d"/>
     </Host>
   </Engine>
 </Service>
...

We get the following 3 entries in our access log:

============ %< ========
192.168.10.31:8080 sub.intranet.local:8080 - - [28/Aug/2019:10:54:11 +0200] "GET /app/ping HTTP/1.1" 200 1525 -
192.168.10.1:8445 sub.domain.demo:8445 - - [28/Aug/2019:10:53:57 +0200] "GET /app/ping HTTP/1.1" 200 1537 -
111.222.333.444:8445 sub.domain.demo:8445 - - [28/Aug/2019:10:53:26 +0200] "GET /app/ping HTTP/1.1" 403 983 -
============ %< ========

The first two requests were from within the intranet:
 http://sub.intranet.local:8080/app/ping
 https://sub.domain.demo:8445/app/ping

However, if we make the latter request externally, we're denied although 
the regex of the RemoteAddrValve matches.

We have now searched for hours in the Tomcat documentation, FAQ and Google, but we 
found neither an explanation for the behavior nor how we can enable further 
diagnostics for this denial.

Regards,
Jörg





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Access denied (403) for external requests

Posted by Jörg Schaible <jo...@bpm-inspire.com>.
Ouch.

You're definitely right, I should have posted my environment. While looking at it 
I detected Tomcat 9.0.10 ... quite old. So I did an update to 9.0.24. 
Finalizing the update I recognized that someone had modified the global 
context.xml and looking at the diff I found an additional Valve:

 <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
   allow="127.0.0.1,192.168.10.0/24" />

So, no wonder we got only responses for requests from the intranet ... :-/

On Wednesday, 28 August 2019, 12:17:35 CEST, André Warnier (tomcat) wrote:
> Hi.
> (While not saying yet that this is the problem in your case)
> It would help a lot if you specified the version of Tomcat, the JVM, and the
> platform on which you are running this.
> (Such as maybe a bug in a past version of RemoteAddrValve which would
> explain this).

[snip]

Cheers,
Jörg



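The interplay described in the two posts above can be checked offline. The following Python script is an added example and is not code from the thread or from Tomcat itself: it replays the three access-log entries through a small model of the two valves (the RemoteAddrValve with addConnectorPort="true" at Host level in server.xml, followed by the RemoteCIDRValve found in the global context.xml at Context level) and reports which valve would issue the 403. The decision logic follows Tomcat's documented rules for these valves (deny is tested first, then allow, and the regex must match the whole "ip;port" string); the function names, the Request class and the log parser are mine, and the external address 203.0.113.7 is a constructed stand-in for the obfuscated 111.222.333.444, which is not a parseable IPv4 address.

```python
"""Replay access-log entries through a model of RemoteAddrValve + RemoteCIDRValve.

Added example, not part of the mailing-list thread or of Tomcat.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the three log lines from the thread, with the obfuscated
# external address 111.222.333.444 replaced by the documentation address
# 203.0.113.7 (octets above 255 do not form a valid IPv4 address).
ACCESS_LOG = """\
192.168.10.31:8080 sub.intranet.local:8080 - - [28/Aug/2019:10:54:11 +0200] "GET /app/ping HTTP/1.1" 200 1525 -
192.168.10.1:8445 sub.domain.demo:8445 - - [28/Aug/2019:10:53:57 +0200] "GET /app/ping HTTP/1.1" 200 1537 -
203.0.113.7:8445 sub.domain.demo:8445 - - [28/Aug/2019:10:53:26 +0200] "GET /app/ping HTTP/1.1" 403 983 -
"""

# Field layout of the thread's AccessLogValve pattern:
#   %h:%{local}p %{Host}i %l %u %t "%r" %s %b %S
LOG_RE = re.compile(
    r'^(?P<remote>[^:\s]+):(?P<port>\d+) (?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) (?P<session>\S+)$'
)

# Valve settings exactly as posted in the thread.
HOST_ALLOW_REGEX = r".*;8445|127\.\d+\.\d+\.\d+;80\d\d|192\.168\.\d+\.\d+;80\d\d"
CONTEXT_ALLOW_CIDR = "127.0.0.1,192.168.10.0/24"


@dataclass
class Request:
    remote_addr: str
    local_port: int
    logged_status: int


def parse_access_log(text: str) -> List[Request]:
    """Turn access-log lines into (remote address, local port, logged status) records."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"line does not match the access-log pattern: {line!r}")
        requests.append(Request(m["remote"], int(m["port"]), int(m["status"])))
    return requests


def remote_addr_valve_allows(req: Request, allow: Optional[str], deny: Optional[str] = None,
                             add_connector_port: bool = False) -> bool:
    """Model of RemoteAddrValve's decision logic.

    Tomcat matches the whole string (Matcher.matches()), so the regex is effectively
    anchored at both ends, and with addConnectorPort="true" the tested string is
    "<remote-ip>;<local-port>" rather than the bare address.
    """
    subject = req.remote_addr
    if add_connector_port:
        subject = f"{subject};{req.local_port}"
    if deny is not None and re.fullmatch(deny, subject):
        return False
    if allow is not None and re.fullmatch(allow, subject):
        return True
    # deny-only configuration: anything not explicitly denied passes
    return deny is not None and allow is None


def remote_cidr_valve_allows(req: Request, allow: str, deny: str = "") -> bool:
    """Model of RemoteCIDRValve: comma-separated CIDR list; a bare address means /32."""
    def networks(spec: str):
        return [ipaddress.ip_network(s.strip(), strict=False)
                for s in spec.split(",") if s.strip()]
    addr = ipaddress.ip_address(req.remote_addr)
    deny_nets, allow_nets = networks(deny), networks(allow)
    if any(addr in n for n in deny_nets):
        return False
    if any(addr in n for n in allow_nets):
        return True
    return bool(deny_nets) and not allow_nets


def denying_valve(req: Request) -> Optional[str]:
    """Host-level valves run before Context-level valves; the first valve that denies
    answers with denyStatus (403 by default) and the request never reaches the webapp.
    Returns the name of the denying valve, or None if the request passes both."""
    if not remote_addr_valve_allows(req, HOST_ALLOW_REGEX, add_connector_port=True):
        return "RemoteAddrValve (Host, server.xml)"
    if not remote_cidr_valve_allows(req, CONTEXT_ALLOW_CIDR):
        return "RemoteCIDRValve (Context, conf/context.xml)"
    return None


def diagnose(log_text: str = ACCESS_LOG) -> List[Tuple[str, int, int, Optional[str]]]:
    """Replay every logged request through the valve chain; each result pairs the
    logged status with the valve the model says denied it (None = passed)."""
    return [(r.remote_addr, r.local_port, r.logged_status, denying_valve(r))
            for r in parse_access_log(log_text)]


if __name__ == "__main__":
    for remote, port, status, valve in diagnose():
        verdict = f"denied by {valve}" if valve else "passed both valves"
        print(f"{remote}:{port} logged {status}: {verdict}")
```

Running it shows that the `.*;8445` alternative of the Host-level regex admits the external request, exactly as the original poster expected, and that it is the Context-level CIDR list that rejects it. Calling remote_addr_valve_allows without add_connector_port denies all three requests, because every alternative in that regex expects a `;port` suffix; that is the other common way such a setup fails silently, since the access log only records the 403, not which valve produced it.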


Re: Access denied (403) for external requests

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
Hi.
(While not saying yet that this is the problem in your case)
It would help a lot if you specified the version of Tomcat, the JVM, and the platform on 
which you are running this.
(Such as maybe a bug in a past version of RemoteAddrValve which would explain this).

On 28.08.2019 11:17, Jörg Schaible wrote:
> Hi,
>
> we've set up a Tomcat instance to answer on HTTP and port 8080 to requests from
> the intranet and HTTPS with port 8445 to external requests. When we use HTTPS
> and port 8445 from the intranet, our firewall will redirect the request, but
> without changing protocol or port. Tomcat answers to every request from the
> intranet using either HTTP/8080 or HTTPS/8445, but every external request is
> denied with 403 and we have no clue why.
>
> The server.xml is just modified by adding an additional connector for HTTPS and
> a valve to restrict the access to 8445 for external addresses:
>
>   ...
>   <Service name="Catalina">
>     <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
>     <Connector port="8445"
>       protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>       maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
>       <SSLHostConfig>
>         <Certificate certificateKeystoreFile="conf/cert-with-chain.p12"
>           certificateKeystoreType="pkcs12"
>           certificateKeystorePassword="password" />
>         </SSLHostConfig>
>     </Connector>
>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8445" />
>     <Engine name="Catalina" defaultHost="localhost">
>       <Realm className="org.apache.catalina.realm.LockOutRealm">
>         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>           resourceName="UserDatabase"/>
>       </Realm>
>       <Host name="localhost"  appBase="webapps"
>         unpackWARs="true" autoDeploy="true">
>         <Valve className="org.apache.catalina.valves.AccessLogValve"
>           directory="logs" prefix="localhost_access_log" suffix=".txt"
>           pattern="%h:%{local}p %{Host}i %l %u %t &quot;%r&quot; %s %b %S" />
>         <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>           addConnectorPort="true"
>           allow=".*;8445|127\.\d+\.\d+\.\d+;80\d\d|192\.168\.\d+\.\d+;80\d\d"/>
>       </Host>
>     </Engine>
>   </Service>
> ...
>
> We get the following 3 entries in our access log:
>
> ============ %< ========
> 192.168.10.31:8080 sub.intranet.local:8080 - - [28/Aug/2019:10:54:11 +0200] "GET /app/ping HTTP/1.1" 200 1525 -
> 192.168.10.1:8445 sub.domain.demo:8445 - - [28/Aug/2019:10:53:57 +0200] "GET /app/ping HTTP/1.1" 200 1537 -
> 111.222.333.444:8445 sub.domain.demo:8445 - - [28/Aug/2019:10:53:26 +0200] "GET /app/ping HTTP/1.1" 403 983 -
> ============ %< ========
>
> The first two requests were from within the intranet:
>   http://sub.intranet.local:8080/app/ping
>   https://sub.domain.demo:8445/app/ping
>
> However, if we make the latter request externally, we're denied although
> the regex of the RemoteAddrValve matches.
>
> We have now searched for hours in the Tomcat documentation, FAQ and Google, but we
> found neither an explanation for the behavior nor how we can enable further
> diagnostics for this denial.
>
> Regards,
> Jörg

