> Paul Klinkenberg wrote:
>> Hi Tomcat users!
>>
>> I have been working on an update for a Tomcat valve called mod_cfml. The
>> project aims to provide automatic web context creation in Tomcat, when
>> coming from a frontend webserver.
>> The live code base can be found at https://github.com/utdream/mod_cfml
>>
>> One of the features I wanted to add, is adding an IP restriction in the
>> valve (see github
>> <https://github.com/paulklinkenberg/mod_cfml/commit/dab058b7f38f98a6e7f076323e3d23be476e6de6>).
>> While testing, I noticed that AJP works very well: it hides the IP address
>> of the caller, which is the front-end Apache webserver, and instead returns
>> the IP of the remote client / the client who called the frontend webserver.
>> I have been digging around quite a lot, but have not been able to find the
>> Apache httpd IP address :-(
>>
>> My question is hopefully simple to answer: can I retrieve the IP address
>> which called the AJP connector, from within the valve?
>>
>> My server.xml is:
>>
>> <Server port="8005" shutdown="SHUTDOWN">
>>   <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
>>   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
>>   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
>>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>>   <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
>>   <GlobalNamingResources>
>>     <Resource name="UserDatabase" auth="Container"
>>               type="org.apache.catalina.UserDatabase"
>>               description="User database that can be updated and saved"
>>               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>               pathname="conf/tomcat-users.xml" />
>>   </GlobalNamingResources>
>>   <Service name="Catalina">
>>     <Connector port="8080" protocol="HTTP/1.1"
>>                connectionTimeout="20000"
>>                redirectPort="8443" />
>>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>     <Engine name="Catalina" defaultHost="localhost">
>>       <Realm className="org.apache.catalina.realm.LockOutRealm">
>>         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>                resourceName="UserDatabase"/>
>>       </Realm>
>>       <Host name="localhost" appBase="webapps" unpackWARs="true"
>>             autoDeploy="true">
>>         <Valve className="mod_cfml.core"
>>                loggingEnabled="true"
>>                waitForContext="10"
>>                maxContexts="9999"
>>                timeBetweenContexts="0"
>>                scanClassPaths="false"
>>                allowedIPs="127.0.0.1,192.168.1.52" />
>>       </Host>
>>     </Engine>
>>   </Service>
>> </Server>
>>
>> Thanks in advance for your time!
>>
>> Kind regards,
>>
>> Paul Klinkenberg
>> The Netherlands
>>
>> p.s. I asked this question, in other wording, on StackOverflow.com as well.
>> I hope I have better luck here ;-)
>> http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp
>
> Hi.
> With Apache httpd and mod_jk as front-end, you have (at least) 2 options :
> - set an additional HTTP request header at the Apache httpd level, before the
> request is proxied to the back-end Tomcat
> - set a "JkEnvVar" value at the Apache httpd level, before the request
> is proxied to Tomcat
> You can then retrieve these set values at the Tomcat level, either by parsing
> the request headers, or by retrieving a "request attribute" corresponding to
> the JkEnvVar.
> The JkEnvVar/attribute method is probably more efficient in a mod_jk context;
> the HTTP header solution is more portable, since it does not depend on
> specifically mod_jk being used as a connector.
>
> Presumably, when at the Apache httpd level you decide to proxy a request to a
> back-end Tomcat, you know through which interface you'll do it, and what its
> IP address is, and you can put it into one of the things above.
>
> Is that enough info to get you started ?
>
> Caveat : one part I am not quite sure of, is what things you do have easy
> access to, at the level of a Valve. The above is what you'd do at a webapp
> level, I hope it is also accessible at your Valve level.
>
Hi André,

Thanks for the response, much appreciated.

The reason I want to add the IP restriction in the valve, is to make 100% sure
that the request (for creating a new Tomcat context) is indeed coming from the
frontend webserver. This valve is a setup not just for me, where I could tweak
server settings and such, but for anyone who uses the mod_cfml connector. It is
installed by default by the Railo/Lucee installers (getrailo.org
<http://getrailo.org/> / lucee.org <http://lucee.org/>).
Therefore, I cannot rely on an incoming header, as it could originate from
anywhere. Also, a remote system could call the AJP endpoint on the Tomcat
server, with this JkEnvVar set to a spoofed value (if the port is not
firewalled, of course).
So the problem with both options is that they cannot be fully trusted.

If I am able to find out where the AJP request came from, then I can validate
the caller. Maybe you know which path to follow to get to the AJP request data?

Thanks,
Paul Klinkenberg

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
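The two options André describes (an extra request header, or a JkEnvVar that arrives as a request attribute) and Paul's objection that both can be forged by anything that reaches port 8009 both come down to what an AJP forward request carries. The following Python is an added example, not code from the thread, from mod_cfml or from Tomcat: it encodes an AJP13 forward request the way an AJP client such as mod_jk sends it to the connector and parses it back, so you can see that remote_addr, the request headers and the request attributes are all supplied by the AJP client. The hostnames, addresses, the header name X-Proxy-Addr and the attribute name PROXY_IP are constructed for the example.

```python
"""AJP13 forward-request packets, encoded and decoded offline (added example,
not code from the thread or from mod_cfml). Shows which fields the AJP client
(normally mod_jk in httpd, but anything that can reach port 8009) chooses:
remote_addr, every request header and every request attribute; mod_jk sends
JkEnvVar values as 0x0A req_attribute entries. Hostnames, IPs and the
attribute name PROXY_IP used below are constructed for the example."""
import struct

MAGIC = b"\x12\x34"          # web server -> container packets start with 0x1234
FORWARD_REQUEST = 0x02
METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6}
COMMON_HEADERS = {           # well-known headers travel as a 2-byte code, not a name
    "accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003,
    "accept-language": 0xA004, "authorization": 0xA005, "connection": 0xA006,
    "content-type": 0xA007, "content-length": 0xA008, "cookie": 0xA009,
    "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C, "referer": 0xA00D,
    "user-agent": 0xA00E}
CODE_TO_HEADER = {v: k for k, v in COMMON_HEADERS.items()}
REQ_ATTRIBUTE, TERMINATOR = 0x0A, 0xFF
MAX_PACKET = 8192            # AJP13 packets never exceed 8 KiB


def enc_string(s):
    """AJP string: 2-byte length, bytes, NUL; None is encoded as 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data + b"\x00"


def build_forward_request(method, uri, remote_addr, server_name, server_port=80,
                          headers=None, attributes=None, remote_host=None, is_ssl=False):
    """Encode a forward request; every value here is picked by the AJP client."""
    body = bytes([FORWARD_REQUEST, METHODS[method.upper()]])
    body += enc_string("HTTP/1.1") + enc_string(uri)
    body += enc_string(remote_addr) + enc_string(remote_host)  # what getRemoteAddr() returns
    body += enc_string(server_name) + struct.pack(">H", server_port)
    body += b"\x01" if is_ssl else b"\x00"
    body += struct.pack(">H", len(headers or {}))
    for name, value in (headers or {}).items():
        code = COMMON_HEADERS.get(name.lower())
        body += struct.pack(">H", code) if code else enc_string(name)
        body += enc_string(value)
    for name, value in (attributes or {}).items():           # a JkEnvVar arrives like this
        body += bytes([REQ_ATTRIBUTE]) + enc_string(name) + enc_string(value)
    body += bytes([TERMINATOR])
    packet = MAGIC + struct.pack(">H", len(body)) + body
    if len(packet) > MAX_PACKET:
        raise ValueError("AJP packet exceeds 8 KiB")
    return packet


class _Reader:
    """Cursor over the packet payload."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def u16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]

    def string(self, n=None):
        n = self.u16() if n is None else n
        if n == 0xFFFF:
            return None
        s = self.data[self.pos:self.pos + n].decode("utf-8")
        self.pos += n + 1                                    # skip the NUL terminator
        return s


def parse_forward_request(packet):
    """Decode a packet the way the container does and return what Tomcat sees."""
    if packet[:2] != MAGIC:
        raise ValueError("not a web-server-to-container AJP13 packet")
    length = struct.unpack_from(">H", packet, 2)[0]
    r = _Reader(packet[4:4 + length])
    if r.byte() != FORWARD_REQUEST:
        raise ValueError("not a forward request")
    code = r.byte()
    method = next(m for m, c in METHODS.items() if c == code)
    req = {"method": method, "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(),
           "server_name": r.string(), "server_port": r.u16(),
           "is_ssl": r.byte() == 1, "headers": {}, "attributes": {}}
    for _ in range(r.u16()):
        code = r.u16()
        if (code & 0xFF00) == 0xA000:
            name = CODE_TO_HEADER[code]                      # canonical lower-case name
        else:
            name = r.string(n=code)                          # literal name; code is its length
        req["headers"][name] = r.string()
    while True:
        code = r.byte()
        if code == TERMINATOR:
            break
        if code != REQ_ATTRIBUTE:
            raise ValueError("attribute code 0x%02x not handled here" % code)
        name = r.string()
        req["attributes"][name] = r.string()
    return req


def spoofed_request_as_seen_by_tomcat():
    """Constructed: a client talking AJP directly claims to be the trusted proxy."""
    packet = build_forward_request(
        "GET", "/", remote_addr="192.168.1.52", server_name="newsite.example",
        headers={"Host": "newsite.example", "X-Proxy-Addr": "192.168.1.52"},
        attributes={"PROXY_IP": "192.168.1.52"})
    return parse_forward_request(packet)
```

Everything `parse_forward_request` returns, including `remote_addr` (which is what `request.getRemoteAddr()` reports behind AJP), the `X-Proxy-Addr` header and the `PROXY_IP` attribute, was chosen by whoever wrote the bytes to port 8009. The one input the AJP client does not choose is the TCP peer address of the connection, which is what Paul is after. Whatever the valve ends up checking, the usual control is to make the connector unreachable to anyone but the front end: set `address="127.0.0.1"` (or the interface the web server uses) on the AJP `<Connector>` and firewall port 8009. Tomcat's AJP connector also supports a shared secret (the `requiredSecret`, later `secret`, connector attribute, matched by the mod_jk worker `secret` property), which mod_jk sends as its own AJP attribute that this parser does not handle.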