Eric,

On 4/4/24 13:43, Eric Fetzer wrote:
Hi All,

When I originally set up my tomcat instance, I added the following to allow
manager access under /opt/tomcat/webapps/manager/META-INF/context.xml:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*" />

That worked wonderfully.  Now I'm trying to add another IP range by
changing it to:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*|2.4.6.*" />

This is not working.  I tried to use 2\.4\.6\.\d+ as well but that didn't
work either.  I've verified I can get to port 8080 from the IP locations.
Any idea what I'm doing wrong or do you have a means to troubleshoot this?

I'm glad you are reporting that the issue is elsewhere and not a problem with your use of RemoteAddrValve.

But I'd like to point out that since these are regular expressions, your specific use of them can lead to unintended consequences. For example:

1.3.5.*

This will allow anyone from 1.3.5.1 or 1.3.5.99 or 1.3.5.254. That's probably fine. But it will also allow anybody from 103.50.99.24 as well. That probably wasn't intended.

Changing it to the properly escaped 1\.3\.5 with a trailing \..* (note there are two periods there) really means 1.3.5.whatever.

Using \d isn't strictly necessary but it does make it clear that you aren't expecting non-digits e.g. hostnames.

As you mentioned elsewhere in this thread, you thought it was "tomcat language". When it comes to security controls, /please read the documentation/ because knowing that it is a regular expression and not a "tomcat language" can mean the difference between configuring a security control properly or improperly.

-chris
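The point Chris makes above can be checked without touching a Tomcat instance. RemoteAddrValve requires the allow regex to match the complete remote address (java.util.regex Matcher.matches()), and Python's re.fullmatch has the same whole-string semantics, so it can stand in for the valve. The script below is an added example, not code from the thread or from Tomcat; the sample addresses are constructed, and the prefix-builder helper is an assumption about how one might generate the pattern rather than anything Tomcat provides.

```python
import re

# Constructed sample addresses, not taken from the original thread.
SAMPLE_ADDRS = [
    "127.0.0.1", "::1", "0:0:0:0:0:0:0:1",   # localhost forms from the config
    "1.3.5.1", "1.3.5.99", "1.3.5.254",     # the intended 1.3.5.x range
    "103.50.99.24",                          # the unintended match described above
    "1.3.5",                                 # prefix with no fourth octet
    "21.3.5.7",                              # prefix not at the start
    "2.4.6.10",                              # the second range being added
    "1x3y5z7",                               # non-digit separators
]

# Addresses the administrator actually meant to admit.
INTENDED = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1",
            "1.3.5.1", "1.3.5.99", "1.3.5.254"}

# The pattern from the original context.xml: '.' is "any character".
LOOSE_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*"
# The corrected form: dots escaped, fourth octet restricted to digits.
STRICT_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1\.3\.5\.\d+"

LOCALHOST_ALTS = [r"127\.\d+\.\d+\.\d+", "::1", "0:0:0:0:0:0:0:1"]


def valve_allows(allow_pattern: str, remote_addr: str) -> bool:
    """Mirror RemoteAddrValve: the allow regex must match the whole address.

    Java's Matcher.matches() anchors at both ends; re.fullmatch does the same.
    """
    return re.fullmatch(allow_pattern, remote_addr) is not None


def unintended_matches(allow_pattern: str, addrs, intended) -> list:
    """Return the addresses the pattern admits that were not meant to be admitted."""
    return [a for a in addrs
            if valve_allows(allow_pattern, a) and a not in intended]


def allow_pattern_for_prefixes(prefixes) -> str:
    """Build an allow regex for localhost plus a list of dotted /24 prefixes.

    Hypothetical helper (not part of Tomcat): re.escape turns '1.3.5' into
    '1\\.3\\.5' so the dots are literal, and '\\.\\d+' requires a numeric
    fourth octet. The result is pasted into the Valve's allow attribute.
    """
    ranges = [re.escape(p) + r"\.\d+" for p in prefixes]
    return "|".join(LOCALHOST_ALTS + ranges)


if __name__ == "__main__":
    for label, pattern in (("loose", LOOSE_ALLOW), ("strict", STRICT_ALLOW)):
        print(f"{label:>6}: allow=\"{pattern}\"")
        for addr in SAMPLE_ADDRS:
            print(f"        {addr:<18} {'ALLOW' if valve_allows(pattern, addr) else 'deny'}")
        print(f"        unintended: {unintended_matches(pattern, SAMPLE_ADDRS, INTENDED)}")
    both = allow_pattern_for_prefixes(["1.3.5", "2.4.6"])
    print(f"two ranges: allow=\"{both}\"")
    print(f"        2.4.6.10 -> {valve_allows(both, '2.4.6.10')}")
```

Running it shows the loose pattern admitting 103.50.99.24, the bare prefix 1.3.5, and even 1x3y5z7, while the escaped pattern admits only the six intended addresses. One caveat on the strict form: \d+ also accepts a non-address such as 1.3.5.999, which is harmless here because the valve compares against the address reported for the actual connection rather than arbitrary client input.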
