tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: Authenticate requests from localhost using tomcat RemoteAddrFilter
Date Mon, 24 Sep 2012 07:58:21 GMT
Jaikit Savla wrote:
> Hi,
> 
> You are right it does regrex matching. I wanted to say that it does not do any kind of
dnslookup in filter. 
> @configuration: I do not have any particular configuration or firewall set up. I have
mentioned below output from tcpdump (listening on loopback interface) and as you can see it
get ip address from eth1 interface. Since I have my hosts where this code will be deployed
- adding ip to filter will be lot of work.
> 
> 
> ===============================
> 
> tcpdump -i lo
> 
> 
> No.     Time        Source                Destination           Protocol Length Info
>      46 0.822296    108.13.226.208        108.13.226.208        HTTP     270    GET /ws/local/vip/info
HTTP/1.1 
> 
> Frame 46: 270 bytes on wire (2160 bits), 270 bytes captured (2160 bits)
> Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
> Internet Protocol Version 4, Src: 108.13.226.208 (108.13.226.208), Dst: 108.13.226.208
(108.13.226.208)
> Transmission Control Protocol, Src Port: 16217 (16217), Dst Port: http (80), Seq: 1,
Ack: 1, Len: 204
> Hypertext Transfer Protocol
> 
> =================================
> 
> -bash-4.1$ ifconfig
> eth1      Link encap:Ethernet  HWaddr xx  
>           inet addr:108.13.226.208 Bcast:108.13.226.208  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:xx errors:0 dropped:91 overruns:0 frame:379
>           TX packets:xx errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:5000 
>           RX bytes:xx (8.5 GiB)  TX bytes:xx (6.2 GiB)
>           Interrupt:17 
> 
> lo        Link encap:Local Loopback  
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:xx errors:0 dropped:0 overruns:0 frame:0
>           TX packets:xx errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0 
>           RX bytes:xx (102.4 GiB)  TX bytes:xx (102.4 GiB)
> 


There is something which I do not get, in all this.
On one of my own Linux hosts (which has the following interfaces :

eth0      Link encap:Ethernet  HWaddr 00:19:66:c1:0c:c4
           inet addr:192.168.245.20  Bcast:192.168.245.255  Mask:255.255.255.0
           inet6 addr: fe80::219:66ff:fec1:cc4/64 Scope:Link
...
lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
...
)

I am issuing various curl commands, and looking at the access log of *Apache httpd* 
(because I have configured it to log the client's IP, and it is convenient).
The results I get are these :

1) curl http://localhost/something

Result in log :

::1 - - [24/Sep/2012:09:22:51 +0200] "GET /something HTTP/1.1" 404 282 "-" "curl/7.21.0 
(i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6"

2) curl http://127.0.0.1/something

Result in log :

127.0.0.1 - - [24/Sep/2012:09:24:30 +0200] "GET /something HTTP/1.1" 404 282 "-" 
"curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 
libssh2/1.2.6"

3) curl http://192.168.245.20/something

Result in log :

192.168.245.20 - - [24/Sep/2012:09:27:35 +0200] "GET /something HTTP/1.1" 404 287 "-" 
"curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 
libssh2/1.2.6"

In other words, the client IP address as seen from the Apache httpd server looks totally 
consistent with how the request was issued.
- if the request was issue to "localhost", then curl (through the OS) first resolves that

name to the IPv6 address "::1", and the request "goes out" through the corresponding 
interface (lo), thus with the source address "::1", and that is also how it is seen by the

server.
- if the request was issued to "127.0.0.1", then there is no name resolving, the request 
"goes out" through the IPv4 channel of the lo interface, thus with a aource address of 
127.0.0.1, and that is also how it is seen by the server.
- if the request was to "192.168.245.20" (the IP address of the eth0 interface), then it 
goes out through the eth0 interface, with a source address of "192.168.245.20", and that 
is also how it is seen by the server.
etc..

Yet, you seem to experience different results with Tomcat.

So something else is amiss.  If, from the same host, you issue a request to "localhost", 
Tomcat should see this request as coming from either the IPv4 address "127.0.0.1" or the 
IPv6 address "::1".  If Tomcat does not see it that way, then something is wrong.

-----

Separately, and without taking anything away from the above :
Your technique of using the Remote Address Filter seems correct to me, and your settings 
also.  What I suspect however, is that there is something peculiar with your /etc/hosts 
file (or your requests), that makes the requests "go out" through an interface other than

the one you expect.

You can configure Tomcat's access log so that it will trace which client IP it thinks the

request is coming from.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message