tomcat-users mailing list archives

From Harrie Robins <har...@eyequestion.nl>
Subject Re: internalProxies regex
Date Fri, 05 Jan 2018 14:43:56 GMT
All clear.
I apologize, I was in fact not masking the backslashes; I did a wrong copy
and paste from the pattern I was using in my test.

I tested the following 2 patterns:

^103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))

Regards,

Harrie



On 5 January 2018 at 14:46, Felix Schumacher <felix.schumacher@internetallee.de> wrote:

> On 05.01.2018 at 09:47, Harrie Robins wrote:
>
>> Hi Mark,
>>
>> our tomcat application servers are fronted by 1. cloudflare, and 2. amazon
>> load balancer.
>> In apache there is mod_remoteip and I can simply put in the CIDR ranges from
>> https://www.cloudflare.com/ips/; that will swallow all those IPs and will get
>> the correct IP to tomcat.
>>
>> In Tomcat I need
>> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>> which does not accept CIDR ranges however. I wrote a regex to match all the
>> addresses and it works, but it matches way too many addresses, so I
>> rewrote the pattern. My new pattern is not functioning however, so I
>> tested the pattern in a small application.
>>
>> In my test I made a list of all addresses in this range:
>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>
>
> If you configure the valve through the internalProxies attribute, you are
> using 'real' strings and don't need to mask the backslashes as you would
> have to do with java strings.
>
> When you look at the documentation, you will find no double backslashes
> there.
>
> And regarding the usage of the anchors '^' and '$': they are not needed,
> either. Tomcat will use match instead of find and thus they are implicitly
> added.
>
> Regards,
>  Felix
>
>> I matched all these addresses and it works. When I set it in tomcat however,
>> it does not; I have no understanding why not.
>>
>> Hope you understand what I am trying to do.
>>
>> thanks
>>
>>
>>
>>
>>
>> On 2 January 2018 at 19:33, Mark Thomas <markt@apache.org> wrote:
>>
>>> On 02/01/18 09:50, Harrie Robins wrote:
>>>
>>>> I'm still having problems with matching my pattern.
>>>>
>>>> Right now I'm feeding the following to internalProxies:
>>>>
>>>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>>>
>>>
>>>> I created a list of all involved IP addresses and matched those IP
>>>> addresses with java.util.regex.Matcher / java.util.regex.Pattern, please see
>>>> https://pastebin.com/Lija7n9k
>>>>
>>>> All addresses from the list I created are matching, just not in tomcat.
>>>>
>>> What is the value of the remote IP address that is failing to match? You
>>> might want to look at writing a short custom Valve to log that and
>>> insert it into the Pipeline ahead of the RemoteIpValve.
>>>
>>> Another option would be to simply remove the RemoteIpValve and write a
>>> simple servlet that logs the remote IP.
>>>
>>> Mark
>>>
>>>> Regards,
>>>>
>>>> Harrie
>>>>
>>>> -----Original message-----
>>>> From: Harrie Robins [mailto:harrie@eyequestion.nl]
>>>> Sent: 21 December 2017 09:55
>>>> To: 'Tomcat Users List' <users@tomcat.apache.org>
>>>> Subject: RE: internalProxies regex
>>>>
>>>> This makes perfect sense.
>>>> I tested my regex, just against the wrong engine.
>>>>
>>>> Thanks for pointing me in the right direction
>>>>
>>>> -----Original message-----
>>>> From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com]
>>>> Sent: 20 December 2017 15:19
>>>> To: Tomcat Users List <users@tomcat.apache.org>
>>>> Subject: Re: internalProxies regex
>>>>
>>>> 2017-12-20 11:37 GMT+03:00 Harrie Robins <harrie@eyequestion.nl>:
>>>>
>>>>> Hello everyone,
>>>>>
>>>>>
>>>>>
>>>>> I have a question about the remoteipvalve in tomcat 8.5:
>>>>> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>>>>>
>>>>> internalProxies
>>>>>
>>>>> Regular expression that matches the IP addresses of internal proxies.
>>>>> If they appear in the remoteIpHeader value, they will be trusted and
>>>>> will not appear in the proxiesHeader value
>>>>>
>>>>> RemoteIPInternalProxy
>>>>>
>>>>> Regular expression (in the syntax supported by java.util.regex)
>>>>>
>>>>> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
>>>>> 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
>>>>> 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
>>>>> 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
>>>>> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are
>>>>> allowed.
>>>>>
>>>>> I need to convert some CIDR ranges to regex:
>>>>>
>>>>>
>>>>> my concern is that \d{1,3} will match too many (non-existent) addresses
>>>>>
>>>>> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
>>>>>
>>>>>
>>>>>
>>>>> So I re-wrote using capture groups, below does not function however,
>>>>> and I assume it is due to OR (|) which tomcat will effectively see as a
>>>>> new entry?
>>>>>
>>>>> So I tried escaping, but I cannot get it to work:
>>>>>
>>>>> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))
>>>>>
>>>>>
>>>> Your assumption that "tomcat will effectively see as a new entry" is
>>>> wrong.
>>>>
>>>> The string is used as a whole to initialize a java.util.regex.Pattern().
>>>> Tomcat does not split it.
>>>>
>>>> You may write a simple program / junit test to test how
>>>> java.util.regex.Pattern() processes your value.  Or you may run Tomcat
>>>> with a debugger,
>>>> https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>>>> https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario
>>>>
>>>> AFAIK, '\|' in a regular expression will be interpreted as expecting a
>>>> literal '|' character in the matched string.  No IP address has this
>>>> character so none will match.
>>>
>>>>
>>>>
>>>> Best regards,
>>>> Konstantin Kolinko
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>
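The thread's advice (test the value with java.util.regex.Pattern, no doubled backslashes in server.xml, no anchors because the valve uses match rather than find, and tight octet ranges instead of \d{1,3}) can be checked in one small program. The following is an added example, not code from this thread or from Tomcat; it generalizes Harrie's hand-written octet alternations into a CIDR-to-regex conversion and verifies the result the way RemoteIpValve evaluates it, with Matcher.matches() on the whole remote address. The class and method names are this example's own, and the two blocks 103.21.244.0/22 and 103.22.200.0/22 are the ranges the thread's patterns describe.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not code from this thread or from Tomcat: derive an internalProxies
// value from CIDR blocks and check it as the valve does, with matches() on the whole
// remote address. Class and method names are this example's own.
public class InternalProxiesRegexCheck {

    // One digit or a digit class, e.g. "4" or "[4-7]".
    private static String digitClass(int lo, int hi) {
        return lo == hi ? Integer.toString(lo) : "[" + lo + "-" + hi + "]";
    }
    // Non-capturing group, added only when an alternation needs it.
    private static String group(String re) {
        return re.contains("|") ? "(?:" + re + ")" : re;
    }
    // Regex for every integer in [lo, hi], where lo and hi have the same digit count.
    private static String sameLength(int lo, int hi) {
        if (lo < 10) return digitClass(lo, hi);
        int loPrefix = lo / 10, hiPrefix = hi / 10, loDigit = lo % 10, hiDigit = hi % 10;
        if (loPrefix == hiPrefix) return loPrefix + digitClass(loDigit, hiDigit);   // 244-247 -> 24[4-7]
        List<String> parts = new ArrayList<>();
        if (loDigit != 0) {                   // leading partial ten, e.g. 244-255 -> 24[4-9]|25[0-5]
            parts.add(loPrefix + digitClass(loDigit, 9));
            loPrefix++;
        }
        String tail = null;
        if (hiDigit != 9) {                   // trailing partial ten, e.g. 250-255 -> 25[0-5]
            tail = hiPrefix + digitClass(0, hiDigit);
            hiPrefix--;
        }
        if (loPrefix <= hiPrefix) {           // whole tens in between, e.g. (?:1[0-9]|2[0-4])[0-9]
            parts.add(group(sameLength(loPrefix, hiPrefix)) + "[0-9]");
        }
        if (tail != null) parts.add(tail);
        return String.join("|", parts);
    }
    // Regex for an octet in [lo, hi]; 0-255 gives [0-9]|[1-9][0-9]|(?:1[0-9]|2[0-4])[0-9]|25[0-5].
    static String octetRange(int lo, int hi) {
        List<String> parts = new ArrayList<>();
        for (int[] band : new int[][] { {0, 9}, {10, 99}, {100, 255} }) {   // split by digit count
            int a = Math.max(lo, band[0]), b = Math.min(hi, band[1]);
            if (a <= b) parts.add(sameLength(a, b));
        }
        return String.join("|", parts);
    }
    static long ipToLong(String ip) {
        long v = 0;
        for (String octet : ip.split("\\.")) v = (v << 8) | Integer.parseInt(octet);
        return v;
    }
    static String longToIp(long v) {
        return ((v >> 24) & 0xFF) + "." + ((v >> 16) & 0xFF) + "." + ((v >> 8) & 0xFF) + "." + (v & 0xFF);
    }
    // First and last address of a block such as 103.21.244.0/22.
    static long[] blockBounds(String cidr) {
        String[] split = cidr.split("/");
        long mask = (0xFFFFFFFFL << (32 - Integer.parseInt(split[1]))) & 0xFFFFFFFFL;
        long start = ipToLong(split[0]) & mask;
        return new long[] { start, start | (~mask & 0xFFFFFFFFL) };
    }
    // Regex matching exactly one block. An aligned block is the cross product of its per-octet
    // ranges, so each octet is converted on its own. "\\." here is the single '\.' of server.xml.
    static String cidrToRegex(String cidr) {
        long[] b = blockBounds(cidr);
        StringBuilder sb = new StringBuilder();
        for (int shift = 24; shift >= 0; shift -= 8) {
            if (shift != 24) sb.append("\\.");
            sb.append(group(octetRange((int) ((b[0] >> shift) & 0xFF), (int) ((b[1] >> shift) & 0xFF))));
        }
        return sb.toString();
    }
    // True if every address of the block matches and the two addresses just outside it do not.
    static boolean coversExactly(Pattern p, String cidr) {
        long[] b = blockBounds(cidr);
        for (long a = b[0]; a <= b[1]; a++) {
            if (!p.matcher(longToIp(a)).matches()) return false;
        }
        return (b[0] == 0 || !p.matcher(longToIp(b[0] - 1)).matches())
            && (b[1] == 0xFFFFFFFFL || !p.matcher(longToIp(b[1] + 1)).matches());
    }

    public static void main(String[] args) {
        // The two blocks from the thread; alternatives are joined with '|' and need no anchors.
        String value = cidrToRegex("103.21.244.0/22") + "|" + cidrToRegex("103.22.200.0/22");
        System.out.println("internalProxies=\"" + value + "\"");
        Pattern p = Pattern.compile(value);   // the valve compiles the attribute as one Pattern
        System.out.println("103.21.244.0/22 covered exactly: " + coversExactly(p, "103.21.244.0/22"));
        System.out.println("103.22.200.0/22 covered exactly: " + coversExactly(p, "103.22.200.0/22"));
        // matches() needs the whole string, so ^ and $ add nothing; find() would accept a prefix.
        System.out.println("matches() on 1103.21.244.1: " + p.matcher("1103.21.244.1").matches());
        System.out.println("find() on 1103.21.244.1:    " + p.matcher("1103.21.244.1").find());
        // A loose octet such as \d{1,3} trusts addresses outside the block, e.g. 103.21.248.1.
        Pattern loose = Pattern.compile("103\\.21\\.24\\d\\.\\d{1,3}");
        System.out.println("loose pattern trusts 103.21.248.1: " + loose.matcher("103.21.248.1").matches());
    }
}
```

Compile and run with `javac InternalProxiesRegexCheck.java && java InternalProxiesRegexCheck`. The first line printed is the string to paste into the internalProxies attribute as-is (single backslashes, no ^ or $). Both blocks report as covered exactly, the address with an extra leading digit is rejected by matches() but accepted by find(), and the loose \d-based pattern accepts 103.21.248.1, which lies outside the block; an over-broad internalProxies value is what lets a host that is not your proxy be trusted for its X-Forwarded-For header, so the coversExactly check is the one worth keeping in a unit test whenever the proxy ranges change.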
