Posted to users@tomcat.apache.org by Miklos Espak <es...@gmail.com> on 2013/05/28 15:17:01 UTC

allow domains *and* ip range

Hi,

is it possible to allow access to Tomcat for hosts in a certain domain or
IP range?

The RemoteHostValve and RemoteAddrValve work well as long as I have only one of
them, but if I have a domain name filter and an IP filter together, every
request is refused.

Is there a way to combine these valves by OR?

Thank you,

Miklos

Re: allow domains *and* ip range

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Miklos,

On 5/28/13 7:19 PM, Miklos Espak wrote:
>> Note that the "allow" and "deny" attributes are regular
>> expressions, so you can get as creative as possible. There was a
>> request a while back for a filter/valve that would operate on
>> CIDR ranges... I don't think that ever got committed. A quick BZ
>> search didn't find anything. It must have been on the mailing
>> list.
>> 
> 
> The CIDR format would be more natural for the address filtering,
> but I could express the range with a regex, so this is not the
> problem.

Yeah, regexps will work of course, but CIDR is certainly much more
standard.

>> Combining the valves using OR is not really possible as you
>> describe it. Tomcat doesn't have anything like Apache httpd's
>> "RequireAny". You could easily write a new Valve that extends one
>> or the other valve and implements its own OR semantics.
>> 
> 
> Do I have to modify the tomcat sources for this, or could I keep my
> code in a separate library? I would like to avoid maintaining a
> patch for this and rebuilding tomcat after an upgrade. I do not
> know the tomcat API.

You could keep this in a separate library -- just make sure that you
put it into Tomcat's lib/ directory. You will not have to modify
Tomcat sources per se, but you'll be stealing some source from Tomcat
and then maintaining it yourself. It's honestly not that much code.

It might be fun to create some combinations of these "allow"-type
filters that more closely match some of the stuff that httpd can do.

> Maybe it would be easier to install an apache httpd that directs
> the http/https ports to tomcat and configure this in the httpd
> config?

It will certainly be easier in that you will only have to configure
things and not have to write any software. But adding another service
component adds a layer of complexity you may not want to add.

Another option would be to use the url-rewrite filter[1] with
appropriate rules to whitelist your hostnames and/or IPs and reject
everything else.

> I tried to configure this in iptables as well, but that does not
> support domains as I saw.

iptables works strictly on IP addresses and won't work on hostnames.

- -chris

[1] http://tuckey.org/urlrewrite/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: allow domains *and* ip range

Posted by Miklos Espak <es...@gmail.com>.
Hi Chris,


> Note that the "allow" and "deny" attributes are regular expressions,
> so you can get as creative as possible. There was a request a while
> back for a filter/valve that would operate on CIDR ranges... I don't
> think that ever got committed. A quick BZ search didn't find anything.
> It must have been on the mailing list.
>

The CIDR format would be more natural for the address filtering, but I
could express the range with a regex, so this is not the problem.

> Combining the valves using OR is not really possible as you describe
> it. Tomcat doesn't have anything like Apache httpd's "RequireAny". You
> could easily write a new Valve that extends one or the other valve and
> implements its own OR semantics.
>

Do I have to modify the tomcat sources for this, or could I keep my code in
a separate library? I would like to avoid maintaining a patch for this and
rebuilding tomcat after an upgrade. I do not know the tomcat API.

Maybe it would be easier to install an apache httpd that directs the
http/https ports to tomcat and configure this in the httpd config?

I tried to configure this in iptables as well, but that does not support
domains as I saw.

Thanks,
Miklos

Re: allow domains *and* ip range

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Miklos,

On 5/28/13 9:17 AM, Miklos Espak wrote:
> is it possible to allow access to Tomcat for hosts in a certain
> domain or IP range?
> 
> The RemoteHostValve and RemoteAddrValve work well as long as I have
> only one of them, but if I have a domain name filter and an IP
> filter together, every request is refused.
> 
> Is there a way to combine these valves by OR?

Note that the "allow" and "deny" attributes are regular expressions,
so you can get as creative as possible. There was a request a while
back for a filter/valve that would operate on CIDR ranges... I don't
think that ever got committed. A quick BZ search didn't find anything.
It must have been on the mailing list.

Combining the valves using OR is not really possible as you describe
it. Tomcat doesn't have anything like Apache httpd's "RequireAny". You
could easily write a new Valve that extends one or the other valve and
implements its own OR semantics.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJRpOA4AAoJEBzwKT+lPKRYDnsP/0590X/pRZKrmhjFDfM18YUK
fbC/tFlqHMSZ3cBMnDqFnTlqoi7aAstZCVIqdHczxTScmEGfwuCQofp1WwXfX8+t
wbnTL9xZGm8E1BoIdfyS58cUgcMOTHnhJ8zoSc0IXOKe8eJK8yI+DA8Wm00qzymh
x1tz5XVAJrbNTSDDuSbGztRLqcJ8uRS8cfdcVBX19w6laX6RnDwmbTX4ffis2rAF
WpjKfCtFInbeFTR/8Kr2fnvk6VI3GcnHztDMhrJfEjmAEeCFP8Xu60FfZBZzfluO
aqJkZw97SRJOM4V6bY4F66ePVwfmakhJebqdKGmkP3WKWBqjhmh15N4cMgdXGx1y
HENI8VTumT0MZze2vaibgPDuk5eizbGGsBcHEYDtnpHgTXqbYrETlZtDPyxCJy1O
S6dnHLMkxjSqbNgMpEvz9Yp5I09aRoeYUhaSMRTWeHToqPwq/5QCAvq8pMDHnjsM
sQSYfQEwf98VpLWEEMoy2HXvlqMwFgMVi5tqBbgope6fX68nD1WqBjvN3VvH4QF8
T75kkBPNPH7+mFivb8VoA/MNAAxtvFwJPX5/Ycn+3UzhLIzs2Minq2mp8Pp9yMt4
Pf5i2KyGpQXxdGyKK4G5+N5Nxeu0DHz1PtOulcjIGqTZ2sT13jAZYMm/TE7z5mNH
eICwwC/OfAFwCzM8HYDR
=khcQ
-----END PGP SIGNATURE-----

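The custom Valve that Chris sketches above (extend one of the stock valves, keep the class in Tomcat's lib/, implement your own OR semantics), written out as an added example that is not part of this thread or of Tomcat itself. It also covers the earlier point that the stock "allow" attribute is a regex and that a CIDR-aware valve never got committed: here the IP side takes CIDR ranges and the host side takes an anchored regex, and a request passes if either rule matches. The class name com.example.valves.AllowAnyValve, the attribute names allowHost and allowCidr, and the sample ranges in the server.xml comment are all assumptions chosen for the example. Two caveats that a stock-valve setup has as well: the host rule only sees a real host name if the Connector has enableLookups="true" (otherwise getRemoteHost() returns the IP string), and it trusts the PTR record of the client's address, i.e. whoever controls that reverse zone; and if Tomcat sits behind a reverse proxy, this valve must be placed after RemoteIpValve or it will only ever see the proxy's address.

```java
package com.example.valves; // hypothetical package; any name works

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Allows a request if EITHER the client's reverse-resolved host name matches
 * the allowHost regex OR its IP address lies inside one of the allowCidr
 * ranges; everything else gets a 403. Drop the compiled jar into Tomcat's
 * lib/ and reference it from server.xml at Engine, Host or Context level:
 *
 *   <Valve className="com.example.valves.AllowAnyValve"
 *          allowHost=".*\.example\.org"
 *          allowCidr="10.20.0.0/22,192.0.2.0/24" />
 *
 * (Assumed ranges and domain; substitute your own.)
 */
public class AllowAnyValve extends ValveBase {

    private Pattern allowHost;            // null: no host rule configured
    private Cidr[] allowCidr = new Cidr[0];

    // Tomcat's digester calls these setters for the attributes in server.xml.
    public void setAllowHost(String regex) { allowHost = Pattern.compile(regex); }
    public String getAllowHost() { return allowHost == null ? null : allowHost.pattern(); }

    public void setAllowCidr(String list) {
        String[] parts = list.trim().split("\\s*,\\s*");
        Cidr[] out = new Cidr[parts.length];
        for (int i = 0; i < parts.length; i++) out[i] = Cidr.parse(parts[i]);
        allowCidr = out; // parse failures throw at startup, not per request
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        if (isAllowed(request.getRemoteAddr(), request.getRemoteHost())) {
            getNext().invoke(request, response);
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /** OR semantics: any CIDR hit, or a full (anchored) host-name match. */
    boolean isAllowed(String addr, String host) {
        for (Cidr c : allowCidr) {
            if (c.contains(addr)) return true;
        }
        // matches() anchors the pattern: ".*\.example\.org" will not accept
        // "x.example.org.attacker.net", which find() would.
        return allowHost != null && host != null && allowHost.matcher(host).matches();
    }

    /** Minimal IPv4/IPv6 CIDR matcher; compares raw address bytes. */
    static final class Cidr {
        private final byte[] net;
        private final int bits;

        private Cidr(byte[] net, int bits) { this.net = net; this.bits = bits; }

        static Cidr parse(String s) {
            int slash = s.indexOf('/');
            String ip = slash < 0 ? s : s.substring(0, slash);
            try {
                // getByName on a literal address does no DNS lookup
                byte[] net = InetAddress.getByName(ip).getAddress();
                int bits = slash < 0 ? net.length * 8 : Integer.parseInt(s.substring(slash + 1));
                if (bits < 0 || bits > net.length * 8) {
                    throw new IllegalArgumentException("bad prefix length in " + s);
                }
                return new Cidr(net, bits);
            } catch (UnknownHostException e) {
                throw new IllegalArgumentException("bad CIDR " + s, e);
            }
        }

        boolean contains(String addr) {
            byte[] a;
            try {
                a = InetAddress.getByName(addr).getAddress(); // literal from getRemoteAddr()
            } catch (UnknownHostException e) {
                return false;
            }
            if (a.length != net.length) return false;      // v4 rule vs v6 client or vice versa
            int full = bits / 8, rem = bits % 8;
            for (int i = 0; i < full; i++) {
                if (a[i] != net[i]) return false;
            }
            if (rem == 0) return true;
            int mask = (0xFF << (8 - rem)) & 0xFF;           // leading bits of the last partial byte
            return (a[full] & mask) == (net[full] & mask);
        }
    }
}
```

Compile against the Tomcat version you run (tomcat-catalina.jar and the servlet API jar from its lib/ directory); nothing here uses Tomcat-internal code beyond ValveBase, Request and Response, so an upgrade only requires a recompile, not a patch. With two stock valves in the same container the rules are ANDed because each valve independently rejects what it does not allow; this single valve is what gives the OR the original question asks for.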