Jaikit Savla wrote:
Hi,
You are right it does regrex matching. I wanted to say that it does not do any kind of dnslookup in filter.
@configuration: I do not have any particular configuration or firewall set up. I have mentioned below output from tcpdump (listening on loopback interface) and as you can see it get ip address from eth1 interface. Since I have my hosts where this code will be deployed - adding ip to filter will be lot of work.
===============================
tcpdump -i lo
No. Time Source Destination Protocol Length
Info
46 0.822296 108.13.226.208 108.13.226.208 HTTP 270 GET /ws/local/vip/info HTTP/1.1
Frame 46: 270 bytes on wire (2160 bits), 270 bytes captured (2160 bits)
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00
(00:00:00:00:00:00)
Internet Protocol Version 4, Src: 108.13.226.208 (108.13.226.208), Dst:
108.13.226.208 (108.13.226.208)
Transmission Control Protocol, Src Port: 16217 (16217), Dst Port: http (80),
Seq: 1, Ack: 1, Len: 204
Hypertext Transfer Protocol
=================================
-bash-4.1$ ifconfig
eth1 Link encap:Ethernet HWaddr xx
inet addr:108.13.226.208 Bcast:108.13.226.208 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:xx errors:0 dropped:91 overruns:0 frame:379
TX packets:xx errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:5000
RX bytes:xx (8.5 GiB) TX bytes:xx (6.2 GiB)
Interrupt:17
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:xx errors:0 dropped:0 overruns:0 frame:0
TX packets:xx errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:xx (102.4 GiB) TX bytes:xx (102.4 GiB)
There is something which I do not get, in all this.
On one of my own Linux hosts (which has the following interfaces :
eth0 Link encap:Ethernet HWaddr 00:19:66:c1:0c:c4
inet addr:192.168.245.20 Bcast:192.168.245.255 Mask:255.255.255.0
inet6 addr: fe80::219:66ff:fec1:cc4/64 Scope:Link
...
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
...
)
I am issuing various curl commands, and looking at the access log of *Apache httpd*
(because I have configured it to log the client's IP, and it is convenient).
The results I get are these :
1) curl http://localhost/something
Result in log :
::1 - - [24/Sep/2012:09:22:51 +0200] "GET /something HTTP/1.1" 404 282 "-" "curl/7.21.0
(i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6"
2) curl http://127.0.0.1/something
Result in log :
127.0.0.1 - - [24/Sep/2012:09:24:30 +0200] "GET /something HTTP/1.1" 404 282 "-"
"curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15
libssh2/1.2.6"
3) curl http://192.168.245.20/something
Result in log :
192.168.245.20 - - [24/Sep/2012:09:27:35 +0200] "GET /something HTTP/1.1" 404 287 "-"
"curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15
libssh2/1.2.6"
In other words, the client IP address as seen from the Apache httpd server looks totally
consistent with how the request was issued.
- if the request was issue to "localhost", then curl (through the OS) first resolves that
name to the IPv6 address "::1", and the request "goes out" through the corresponding
interface (lo), thus with the source address "::1", and that is also how it is seen by the
server.
- if the request was issued to "127.0.0.1", then there is no name resolving, the request
"goes out" through the IPv4 channel of the lo interface, thus with a aource address of
127.0.0.1, and that is also how it is seen by the server.
- if the request was to "192.168.245.20" (the IP address of the eth0 interface), then it
goes out through the eth0 interface, with a source address of "192.168.245.20", and that
is also how it is seen by the server.
etc..
Yet, you seem to experience different results with Tomcat.
So something else is amiss. If, from the same host, you issue a request to "localhost",
Tomcat should see this request as coming from either the IPv4 address "127.0.0.1" or the
IPv6 address "::1". If Tomcat does not see it that way, then something is wrong.
-----
Separately, and without taking anything away from the above :
Your technique of using the Remote Address Filter seems correct to me, and your settings
also. What I suspect however, is that there is something peculiar with your /etc/hosts
file (or your requests), that makes the requests "go out" through an interface other than
the one you expect.
You can configure Tomcat's access log so that it will trace which client IP it thinks the
request is coming from.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
