[mailto:clecl...@xebia.fr]
Sent: Thursday, October 08, 2009 1:04 AM
To: Tomcat Users List
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
Hello Elli,
I am afraid there may be a flaw in the algorithm looking for the
first IP of the comma-delimited x-forwarded-for header without
, October 08, 2009 1:04 AM
To: Tomcat Users List
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
Hello Elli,
I am afraid there may be a flaw in the algorithm looking for the
first IP of the comma-delimited x-forwarded-for header without
ensuring that this first IP has been set
of the list.
This may not be the general case for proxies, it is only for this case.
E
-Original Message-
From: Cyrille Le Clerc [mailto:clecl...@xebia.fr]
Sent: Thursday, October 08, 2009 1:04 AM
To: Tomcat Users List
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
Hello Elli
Hello,
I updated issue 47330 proposal: port of mod_remoteip in Tomcat
as RemoteIpValve to link to a Servlet Filter implementation of
mod_remoteip called XForwardedFilter. As detailed in the comment,
XForwardedFilter.java copyright may not fit the Apache Software
Foundation requirements as
Hello Christopher,
I am afraid there may be a flaw in the algorithm looking for the
first IP of the comma-delimited x-forwarded-for header without
ensuring that this first IP has been set by a trusted proxy and not by
the requester ( getFirstIP(xforwardedForHeaderValue) ). Such
Cyrille,
On 10/9/2009 9:16 AM, Cyrille Le Clerc wrote:
An idea to mitigate this risk is to ask the network team to remove
some http headers at the entry of the platform (x-forwarded-for,
x-forwarded-proto, x-forwarded-... )
This makes a lot of
Hello Christopher,
An idea to mitigate this risk is to ask the network team to remove
some http headers at the entry of the platform (x-forwarded-for,
x-forwarded-proto, x-forwarded-... )
This makes a lot of sense, except that there might be some legitimate
proxies in the path that
Hello Elli,
I am afraid there may be a flaw in the algorithm looking for the
first IP of the comma-delimited x-forwarded-for header without
ensuring that this first IP has been set by a trusted proxy and not by
the requester ( getFirstIP(xforwardedForHeaderValue) ). Such spoofing
can easily
Cyrille,
On 10/8/2009 4:03 AM, Cyrille Le Clerc wrote:
I am afraid there may be a flaw in the algorithm looking for the
first IP of the comma-delimited x-forwarded-for header without
ensuring that this first IP has been set by a trusted proxy
I know I'm late in this discussion. Besides the very good mentioning of
mod_remoteip, RemoteIpValve and XForwardedFilter I guess there's a way
of doing it in case you are using mod_jk.
mod_jk (and mod_proxy_ajp) use the AJP protocol between the web server
and the backend, e.g. Tomcat. This
- Original Message -
From: Christopher Schultz ch...@christopherschultz.net
To: Tomcat Users List users@tomcat.apache.org
Sent: Fri, 2 Oct 2009 07:32:06 -0700 (PDT)
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
2. There are other valves like request filters that cannot
by the spec as an
interface.
E
- Original Message -
From: Tim Funk funk...@apache.org
To: Tomcat Users List users@tomcat.apache.org
Sent: Fri, 2 Oct 2009 07:46:14 -0700 (PDT)
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
Context filters are executed before webapp filters. I
: Christopher Schultz ch...@christopherschultz.net
To: Tomcat Users List users@tomcat.apache.org
Sent: Fri, 2 Oct 2009 07:32:06 -0700 (PDT)
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
2. There are other valves like request filters that cannot work without the
correct IP, as well
Hi,
We can add the header to the custom valves, but then in addition we have to
change a few log file configurations, create a servlet filter and maybe
something else I can't think of now. Basically doing the same thing a few
times and keeping track of all the places that depend on the header.
remote address in valve (Tomcat 5.5)
Elli,
On 9/27/2009 12:19 AM, Elli Albek wrote:
public void setRemoteAddr(String remoteAddr) {
// Not used
}
The variable is protected so I cannot access it directly from my code.
What
A few reasons why not to do this as a servlet filter:
1. There are many web apps on the server and I don't want to include the
filter in each.
2. There are other valves like request filters that cannot work without the
correct IP, as well as custom login valve.
3. We have a few environments and I
Elli Albek wrote:
A few reasons why not to do this as a servlet filter:
1. There are many web apps on the server and I don't want to include the
filter in each.
You don't have to. Configure it in the global web.xml.
2. There are other valves like request filters that cannot work without the
Elli,
On 10/2/2009 4:41 AM, Elli Albek wrote:
Yes, the remoteAddress member is protected. So you can only access it if you
put your class in the same package.
I thought of doing it like a filter (wrapping) but it does not look like a
workable
Mark,
On 10/2/2009 5:55 AM, Mark Thomas wrote:
Elli Albek wrote:
A few reasons why not to do this as a servlet filter:
1. There are many web apps on the server and I don't want to include the
filter in each.
You don't have to. Configure it in
Christopher Schultz wrote:
Mark,
On 10/2/2009 5:55 AM, Mark Thomas wrote:
Elli Albek wrote:
A few reasons why not to do this as a servlet filter:
1. There are many web apps on the server and I don't want to include the
filter in each.
You don't have to. Configure it in the global
Context filters are executed before webapp filters. I believe (but not
confirmed) that valves execute before the filters.
-Tim
Christopher Schultz wrote:
Mark,
On 10/2/2009 5:55 AM, Mark Thomas wrote:
Elli Albek wrote:
A few reasons why not to
From: Tim Funk [mailto:funk...@apache.org]
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
Context filters are executed before webapp filters.
I'll bite: what's the difference between a context filter and a webapp
filter? Aren't all filters configured in some web.xml
My bad - by context filter I meant to say the web.xml as found in
$CATALINA_HOME/conf/web.xml
There is nothing contexty about it
-Tim
Caldarale, Charles R wrote:
From: Tim Funk [mailto:funk...@apache.org]
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
Context filters
Mark,
On 10/2/2009 10:45 AM, Mark Thomas wrote:
Christopher Schultz wrote:
2. There are other valves like request filters that cannot work without the
correct IP, as well as custom login valve.
Filters should be OK providing they are defined in
Christopher Schultz wrote:
Mark,
On 10/2/2009 10:45 AM, Mark Thomas wrote:
Christopher Schultz wrote:
2. There are other valves like request filters that cannot work without
the
correct IP, as well as custom login valve.
Filters should be OK providing they are defined in the right
Elli,
On 9/27/2009 12:19 AM, Elli Albek wrote:
public void setRemoteAddr(String remoteAddr) {
// Not used
}
The variable is protected so I cannot access it directly from my code.
What variable? The remoteAddress member?
Is
Elli Albek wrote:
Hi,
We have Tomcat behind a load balancer. The servlet API and Tomcat libraries
see the load balancer IP as the client IP.
I tried to write a simple valve which will extract the IP from HTTP header
X-Forwarded-For
and continue the valve chain using this IP as the client
ma...@apache.org
To: Tomcat Users List users@tomcat.apache.org
Sent: Sun, 27 Sep 2009 02:13:49 -0700 (PDT)
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
https://issues.apache.org/bugzilla/show_bug.cgi?id=47330 is on the todo
list but my current plan is to implement it as a Filter
Elli Albek wrote:
Hi,
We have Tomcat behind a load balancer. The servlet API and Tomcat libraries
see the load balancer IP as the client IP.
I tried to write a simple valve which will extract the IP from HTTP header
X-Forwarded-For
and continue the valve chain using this IP as the client