tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: RemoteAddrValve and RemoteHostValve
Date Sat, 28 Feb 2009 15:04:35 GMT
Zak Mc Kracken wrote:
[...]

Let's try this another way.

You want to allow requests from either www.somewhere.com, or one or more 
IP addresses, and block all the rest.

First, filtering requests on the basis of a DNS hostname is "expensive": 
it forces Tomcat to do a reverse DNS lookup.  That is because when a 
request comes in, it does not come in with a DNS name for the client, 
but just with an IP address of the client.  So Tomcat has to ask the DNS 
system for the name (or names) that correspond to IP address a.b.c.d 
(the client's address), and then match those names with the rule.
There is also a good chance that some clients have (of course) an IP 
address and a DNS name, but their reverse DNS is not set up properly. 
In that case, you would be denying clients that maybe you don't want to 
deny.

What I'm getting at is that if you want to accept requests from 
"www.somewhere.com", you might already know the IP address (or the range 
of IP addresses) that corresponds to this name.
If so, then you can just use the Remote Address Filter Valve, and forget 
about the Remote Host Filter Valve. And it will be much more efficient.

The second part is that for the Remote Address Filter Valve, both the 
allow and deny attributes are regular expressions, giving you a lot of 
flexibility in which addresses you allow or deny.

As a practical example:
Suppose that you want to allow requests from "www.somewhere.com", and 
from any IP address in the range 112.23.90.0-112.23.90.255, and deny all 
others.
You would first do a DNS lookup for the hostname "www.somewhere.com", to 
get its IP address (nslookup www.somewhere.com).
Suppose this gives you "213.87.32.100".

Then you would configure your Valve as follows:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
     allow="213\.87\.32\.100,112\.23\.90\.\d{1,3}" />

Now suppose that, within the range 112.23.90.0-112.23.90.255 (which you 
in principle accept), you want nevertheless to deny the subrange 
112.23.90.21-112.23.90.30, then you would change the Valve as follows:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
     allow="213\.87\.32\.100,112\.23\.90\.\d{1,3}"
     deny="112\.23\.90\.(2[1-9]|30)"
  />

If you do not understand the expressions above like 
"112\.23\.90\.(2[1-9]|30)", then that is a question of "regular 
expressions" which you need to look up, but it's not really something 
specific to Tomcat.


Final note: if you accept/deny ranges of IP addresses, it is probably a 
good idea to not deny requests from "localhost", if only just for 
testing.  So add "127\.0\.0\.1" to your accept range.



