Re: Finding the Apache httpd IP address when AJP is used

2015-05-01 Thread Paul Klinkenberg
Hi André,
> Paul Klinkenberg wrote:
>> Hi André,
>>> Paul Klinkenberg wrote:
>>>> Hi André,
>>>>> Paul Klinkenberg wrote:
>>>>>> Hi Christopher,
>>>>>> Thanks for taking the time to respond; again much appreciated.
>>>>>> Your point, and André's, is understood. Security should not be done 
>>>>>> based on incoming IP address.
>>>>>> With this current project, we of course want to deliver software which 
>>>>>> is secure by default. Now, if someone would install Tomcat, then add the 
>>>>>> mod_cfml valve, and then doesn't lock port 8080 or 8009, the server 
>>>>>> would become vulnerable in the same way as if the /host-manager would 
>>>>>> not have password-protection.
>>>>>> Currently, I am discussing with the main mod_cfml developers Jordan 
>>>>>> Michaels and Bilal Soylu how to implement security, since I now won't be 
>>>>>> implementing IP restriction. We'll probably go with using the "secret" 
>>>>>> configuration parameter for ajp like you suggested. Or maybe using a 
>>>>>> shared "secret" key between the frontend server and the Tomcat valve. In 
>>>>>> this last case, we would also have tackled security when remote 
>>>>>> attackers try to contact Tomcat on http-8080 directly, instead of using 
>>>>>> the ajp connector.
>>>>>> I never knew the remote_addr could not be trusted, but I believe you at 
>>>>>> once when you say so.
>>>>>> I thought it was taken from the actual socket connection. With the 
>>>>>> exception of ajp by the way, where it is programmatically changed to 
>>>>>> reflect the remote client while handling the http call. Out of 
>>>>>> curiosity, could you shed some light as to why the remote_addr is not to 
>>>>>> be trusted in a regular http request?
>>>>>> Thanks again for your time and effort!
>>>>>> Kind regards,
>>>>>> Paul Klinkenberg
>>>>> On Tomcat, you can set the AJP Connector to only listen on the local IP 
>>>>> address of the Tomcat server host.  That means that only "local LAN" 
>>>>> clients (including the httpd front-end, presumably) can connect to that 
>>>>> .
>>>>> So this already stops any external client (be it workstation or server) 
>>>>> from even connecting to Tomcat using AJP.
>>>>> It also, presumably, ensures that only your internal httpd front-ends can 
>>>>> potentially connect to Tomcat via AJP.
>>>>> 
>>>>> Now if you do not even trust your internal servers/clients, /then/ you 
>>>>> need additional measures. But in such a case, whether you use a "secret" 
>>>>> which the front-end must provide, or whether you use an additional header 
>>>>> or Jk variable, is only a choice; but any of those requires some setup on 
>>>>> the front-ends.
>>>>> 
>>>>> The same is for the other Connectors, like HTTP/HTTPS.  If you do not 
>>>>> want people to connect through these, disable them or have them also only 
>>>>> listen on a local IP address.
>>>> Thanks for these tips. I see there are quite a few options to secure the 
>>>> AJP connector, which is great.
>>>> For the project I am currently working on, I have to take into 
>>>> consideration that the user might already have Tomcat installed, and then 
>>>> probably with the default configuration. That would mean the AJP connector 
>>>> is available, and http connector as well. When someone now wants to add 
>>>> the mod_cfml valve to their setup, I will warn them in the install/config 
>>>> notes to lock down their tomcat server, if they haven't done so already. 
>>>> Next to this, I would like to be able to make the valve "secure by 
>>>> default", without having to rely on external settings.
>>>> For this "secure by default", a required shared secret key seems like a 
>>>> solution to me.
>>> Note : to check. I am not sure if the HTTP/HTTPS Connectors provide this 
>>> "shared secret" thing. This may well be an AJP Connector feature only.
>>> 
>>> Remote users accessing either the http connector or ajp connector (only 
>>> possible if th

Re: Finding the Apache httpd IP address when AJP is used

2015-04-30 Thread Paul Klinkenberg
Hi André,

> Paul Klinkenberg wrote:
>> Hi André,
>>> Paul Klinkenberg wrote:
>>>> Hi Christopher,
>>>> Thanks for taking the time to respond; again much appreciated.
>>>> Your point, and André's, is understood. Security should not be done based 
>>>> on incoming IP address.
>>>> With this current project, we of course want to deliver software which is 
>>>> secure by default. Now, if someone would install Tomcat, then add the 
>>>> mod_cfml valve, and then doesn't lock port 8080 or 8009, the server would 
>>>> become vulnerable in the same way as if the /host-manager would not have 
>>>> password-protection.
>>>> Currently, I am discussing with the main mod_cfml developers Jordan 
>>>> Michaels and Bilal Soylu how to implement security, since I now won't be 
>>>> implementing IP restriction. We'll probably go with using the "secret" 
>>>> configuration parameter for ajp like you suggested. Or maybe using a 
>>>> shared "secret" key between the frontend server and the Tomcat valve. In 
>>>> this last case, we would also have tackled security when remote attackers 
>>>> try to contact Tomcat on http-8080 directly, instead of using the ajp 
>>>> connector.
>>>> I never knew the remote_addr could not be trusted, but I believe you at 
>>>> once when you say so.
>>>> I thought it was taken from the actual socket connection. With the 
>>>> exception of ajp by the way, where it is programmatically changed to 
>>>> reflect the remote client while handling the http call. Out of curiosity, 
>>>> could you shed some light as to why the remote_addr is not to be trusted 
>>>> in a regular http request?
>>>> Thanks again for your time and effort!
>>>> Kind regards,
>>>> Paul Klinkenberg
>>> On Tomcat, you can set the AJP Connector to only listen on the local IP 
>>> address of the Tomcat server host.  That means that only "local LAN" 
>>> clients (including the httpd front-end, presumably) can connect to that 
>>> .
>>> So this already stops any external client (be it workstation or server) 
>>> from even connecting to Tomcat using AJP.
>>> It also, presumably, ensures that only your internal httpd front-ends can 
>>> potentially connect to Tomcat via AJP.
>>> 
>>> Now if you do not even trust your internal servers/clients, /then/ you need 
>>> additional measures. But in such a case, whether you use a "secret" which 
>>> the front-end must provide, or whether you use an additional header or Jk 
>>> variable, is only a choice; but any of those requires some setup on the 
>>> front-ends.
>>> 
>>> The same is for the other Connectors, like HTTP/HTTPS.  If you do not want 
>>> people to connect through these, disable them or have them also only listen 
>>> on a local IP address.
>> Thanks for these tips. I see there are quite a few options to secure the AJP 
>> connector, which is great.
>> For the project I am currently working on, I have to take into consideration 
>> that the user might already have Tomcat installed, and then probably with 
>> the default configuration. That would mean the AJP connector is available, 
>> and http connector as well. When someone now wants to add the mod_cfml valve 
>> to their setup, I will warn them in the install/config notes to lock down 
>> their tomcat server, if they haven't done so already. Next to this, I would 
>> like to be able to make the valve "secure by default", without having to 
>> rely on external settings.
>> For this "secure by default", a required shared secret key seems like a 
>> solution to me.
> 
> Note : to check. I am not sure if the HTTP/HTTPS Connectors provide this 
> "shared secret" thing. This may well be an AJP Connector feature only.
> 
> Remote users accessing either the http connector or ajp connector (only 
> possible if the server is not firewalled), would need to have that key in 
> order to get the valve to create a new context.
>> I _do_ trust the internal servers/clients, I just want to make sure that if 
>> a mod_cfml user was too lame to secure its server, then mod_cfml isn't the 
>> weakest link to be able to hack the server. I hope that makes sense?
> 
> Ok, so at this point, you only want to know, by intellectual curiosity, *how 
> you could* theoretically, in your Valve, obtain the IP address and port of 
> the front-e

Re: Finding the Apache httpd IP address when AJP is used

2015-04-30 Thread Paul Klinkenberg
Hi André,

> Paul Klinkenberg wrote:
>> Hi Christopher,
>> Thanks for taking the time to respond; again much appreciated.
>> Your point, and André's, is understood. Security should not be done based on 
>> incoming IP address.
>> With this current project, we of course want to deliver software which is 
>> secure by default. Now, if someone would install Tomcat, then add the 
>> mod_cfml valve, and then doesn't lock port 8080 or 8009, the server would 
>> become vulnerable in the same way as if the /host-manager would not have 
>> password-protection.
>> Currently, I am discussing with the main mod_cfml developers Jordan Michaels 
>> and Bilal Soylu how to implement security, since I now won't be implementing 
>> IP restriction. We'll probably go with using the "secret" configuration 
>> parameter for ajp like you suggested. Or maybe using a shared "secret" key 
>> between the frontend server and the Tomcat valve. In this last case, we 
>> would also have tackled security when remote attackers try to contact Tomcat 
>> on http-8080 directly, instead of using the ajp connector.
>> I never knew the remote_addr could not be trusted, but I believe you at once 
>> when you say so.
>> I thought it was taken from the actual socket connection. With the exception 
>> of ajp by the way, where it is programmatically changed to reflect the 
>> remote client while handling the http call. Out of curiosity, could you shed 
>> some light as to why the remote_addr is not to be trusted in a regular http 
>> request?
>> Thanks again for your time and effort!
>> Kind regards,
>> Paul Klinkenberg
> 
> On Tomcat, you can set the AJP Connector to only listen on the local IP 
> address of the Tomcat server host.  That means that only "local LAN" clients 
> (including the httpd front-end, presumably) can connect to that .
> So this already stops any external client (be it workstation or server) from 
> even connecting to Tomcat using AJP.
> It also, presumably, ensures that only your internal httpd front-ends can 
> potentially connect to Tomcat via AJP.
> 
> Now if you do not even trust your internal servers/clients, /then/ you need 
> additional measures. But in such a case, whether you use a "secret" which the 
> front-end must provide, or whether you use an additional header or Jk 
> variable, is only a choice; but any of those requires some setup on the 
> front-ends.
> 
> The same is for the other Connectors, like HTTP/HTTPS.  If you do not want 
> people to connect through these, disable them or have them also only listen 
> on a local IP address.

Thanks for these tips. I see there are quite a few options to secure the AJP 
connector, which is great.

For the project I am currently working on, I have to take into consideration 
that the user might already have Tomcat installed, and then probably with the 
default configuration. That would mean the AJP connector is available, and http 
connector as well. When someone now wants to add the mod_cfml valve to their 
setup, I will warn them in the install/config notes to lock down their tomcat 
server, if they haven't done so already. Next to this, I would like to be able 
to make the valve "secure by default", without having to rely on external 
settings.
For this "secure by default", a required shared secret key seems like a 
solution to me. Remote users accessing either the http connector or ajp 
connector (only possible if the server is not firewalled), would need to have 
that key in order to get the valve to create a new context.

I _do_ trust the internal servers/clients, I just want to make sure that if a 
mod_cfml user was too lame to secure its server, then mod_cfml isn't the 
weakest link to be able to hack the server. 
I hope that makes sense?

Kind regards,

Paul Klinkenberg





>> On 29 Apr 2015, at 17:48, Christopher Schultz 
>>  wrote:
>> 
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>> 
>> Paul,
>> 
>> On 4/29/15 11:17 AM, Paul Klinkenberg wrote:
>>> The reason I want to add the IP restriction in the valve, is to
>>> make 100% sure that the request (for creating a new Tomcat context)
>>> is indeed coming from the frontend webserver.
>> I think there are better ways to do this. Among them:
>> 
>> 1. Firewall rule that only allows access to the AJP port from a
>> certain IP address/range.
>> 
>> 2. Use of the "secret" configuration parameter for mod_jk/AJP connector
>> 
>> In production, we tunnel AJP from our web servers to our application
>> servers using stunnel, and s

Re: Finding the Apache httpd IP address when AJP is used

2015-04-30 Thread Paul Klinkenberg
Hi Christopher,

> Paul,
> 
> On 4/29/15 10:18 PM, l...@bsoft.com.cn wrote:
>> p.s. I asked this question, in other wording, on SackOverflow.com
>> <http://sackoverflow.com/> as well. I hope I have better luck here
>> ;-) 
>> http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp
>> <http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp>
> 
> It's more clear from this post that you just want to make sure that
> the HTTP (or AJP) request is coming from localhost.
> 
> If that's all you want, then change the  configuration so
> that it's only listening on localhost, like this:
> 
>  ...
> />
> 
> This will prevent any incoming connections from the outside world.
> 
> Does that solve your problem?
> 
> - -chris

On stackOverflow, I indeed said I (just) wanted to check for 
127.0.0.1/localhost. That was a simplification of the case, to keep the focus 
on getting the AJP request's source IP address.
In real life, there will also be setups where the source IP will be different. 
Sorry for any confusion this may have caused.

All in all, the SO question isn't really important anymore, since I now know 
that IP restriction wouldn't be the best way to accomplish the security I am 
looking for.
Personally, I'd still like to know the answer, but that's only because I have 
spent multiple hours trying to find that IP address from inside the valve ;)

Kind regards,

Paul Klinkenberg


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Finding the Apache httpd IP address when AJP is used

2015-04-30 Thread Paul Klinkenberg
Hi Christopher,

Thanks for taking the time to respond; again much appreciated.

Your point, and André's, is understood. Security should not be done based on 
incoming IP address.
With this current project, we of course want to deliver software which is 
secure by default. Now, if someone would install Tomcat, then add the mod_cfml 
valve, and then doesn't lock port 8080 or 8009, the server would become 
vulnerable in the same way as if the /host-manager would not have 
password-protection.

Currently, I am discussing with the main mod_cfml developers Jordan Michaels 
and Bilal Soylu how to implement security, since I now won't be implementing IP 
restriction. We'll probably go with using the "secret" configuration parameter 
for ajp like you suggested. 
Or maybe using a shared "secret" key between the frontend server and the Tomcat 
valve. In this last case, we would also have tackled security when remote 
attackers try to contact Tomcat on http-8080 directly, instead of using the ajp 
connector.

I never knew the remote_addr could not be trusted, but I believe you at once 
when you say so.
I thought it was taken from the actual socket connection. With the exception of 
ajp by the way, where it is programmatically changed to reflect the remote 
client while handling the http call. Out of curiosity, could you shed some 
light as to why the remote_addr is not to be trusted in a regular http request?

Thanks again for your time and effort!

Kind regards,

Paul Klinkenberg



> On 29 Apr 2015, at 17:48, Christopher Schultz 
>  wrote:
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Paul,
> 
> On 4/29/15 11:17 AM, Paul Klinkenberg wrote:
>> The reason I want to add the IP restriction in the valve, is to
>> make 100% sure that the request (for creating a new Tomcat context)
>> is indeed coming from the frontend webserver.
> 
> I think there are better ways to do this. Among them:
> 
> 1. Firewall rule that only allows access to the AJP port from a
> certain IP address/range.
> 
> 2. Use of the "secret" configuration parameter for mod_jk/AJP connector
> 
> In production, we tunnel AJP from our web servers to our application
> servers using stunnel, and stunnel connections are only allowed from
> the range of IPs used by our web servers. Then, we actually have the
> AJP connector listen on ::1 so nobody from the outside can connect to
> us, except through such a tunnel.
> 
>> This valve is a setup not just for me, where I could tweak server 
>> settings and such, but for anyone who uses the mod_cfml connector.
>> It is installed by default by the Railo/Lucee installers
>> (getrailo.org <http://getrailo.org/> / lucee.org
>> <http://lucee.org/>)
> 
> It seems a little fragile, because it requires configuration beyond
> what an installer can auto-configure for you (i.e. it has no idea what
> the IP address of the web server(s) is(are)).
> 
>> Therefore, I cannot rely on an incoming header, as it could
>> originate from anywhere. Also, a remote system could call the AJP
>> endpoint on the Tomcat server, with this JkEnvVar set to a spoofed
>> value. (if the port is not firewalled off course) So the problem
>> with both options is, that they cannot be fully trusted.
> 
> If you are that paranoid, you also can't trust the source IP address
> in the IP header, so you are back to square 1: you can't trust
> anything, so don't build your security around this lack-of-trust.
> 
>> If I am able to find out where the AJP request came from, then I
>> can validate the caller.
> 
> The only way to check the caller would be to get ahold of the Socket
> that Tomcat is using to communicate. That's not easily done, since
> Tomcat wants to protect its sockets from code messing-around with the
> state of those Sockets.
> 
> If you don't trust mod_jk to send you the right values, then you also
> can't trust the REMOTE_ADDR value that is pointing to the "real"
> client. Basically, it comes down to this: you either trust mod_jk or
> not. If you don't, then all bets are off.
> 
> If you *can* trust mod_jk, then just forward an environment variable
> using JkEnvVar: that technique can't be modified by the client
> injecting an HTTP header or anything like that. But of course, you
> still have to trust mod_jk and the connection the request came from.
> This is what the firewall should be used for, IMO.
> 
> - -chris
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2
> Comment: GPGTools - http://gpgtools.org
> 
> iQIcBAEBCAAGBQJVQP1VAAoJEBzwKT+lPKRYkcwQAKEJ4L4xqd7h2TRoA0TaAZYk
> MsnpJy9fKSOB+18jAgN8d1vcctV9+zabgRqT+BhK6rArc3RcaO4puLgNe2k3Id

Re: Finding the Apache httpd IP address when AJP is used

2015-04-29 Thread Paul Klinkenberg
> Paul Klinkenberg wrote:
>> Hi Tomcat users!
>> I have been working on an update for a Tomcat valve called mod_cfml. The 
>> project aims to provide automatic web context creation in Tomcat, when 
>> coming from a frontend webserver.
>> The live code base can be found at https://github.com/utdream/mod_cfml 
>> <https://github.com/utdream/mod_cfml>
>> One of the features I wanted to add, is adding an IP restriction in the 
>> valve (see github 
>> <https://github.com/paulklinkenberg/mod_cfml/commit/dab058b7f38f98a6e7f076323e3d23be476e6de6>).
>>  While testing, I noticed that AJP works very well: it hides the IP address 
>> of the caller, which is the front-end Apache webserver, and instead returns 
>> the IP of the remote client / the client who called the frontend webserver.
>> I have been digging around quite a lot, but have not been able to find the 
>> Apache httpd IP address :-(
>> My question is hopefully simple to answer: can I retrieve the IP address 
>> which called the AJP connector, from within the valve?
>> My server.xml is:
>> 
>>  
>>  > SSLEngine="on" />
>>  > className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
>>  > className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>>  > className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
>>  
>>>  type="org.apache.catalina.UserDatabase"
>>  description="User database that can be updated and saved"
>>  factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>  pathname="conf/tomcat-users.xml" />
>>  
>>  
>>>   connectionTimeout="2"
>>   redirectPort="8443" />
>>
>>
>>  
>>>   resourceName="UserDatabase"/>
>>  
>>  > autoDeploy="true">
>>>className="mod_cfml.core"
>>loggingEnabled="true"
>>waitForContext="10"
>>maxContexts=""
>>timeBetweenContexts="0"
>>scanClassPaths="false"
>>allowedIPs="127.0.0.1,192.168.1.52" />
>>  
>>
>>  
>> 
>> Thanks in advance for your time!
>> Kind regards,
>> Paul Klinkenberg
>> The Netherlands
>> p.s. I asked this question, in other wording, on SackOverflow.com 
>> <http://sackoverflow.com/> as well. I hope I have better luck here ;-)
>> http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp
>>  
>> <http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp>
> Hi.
> With Apache httpd and mod_jk as front-end, you have (at least) 2 options :
> - set an additional HTTP request header at the Apache httpd level, before the 
> request is proxied to the back-end Tomcat
> - set a "JkEnvVar" value at the at the Apache httpd level, before the request 
> is proxied to Tomcat
> You can then retrieve these set values at the Tomcat level, either by parsing 
> the request headers, or by retrieving a "request attribute" corresponding to 
> the JkEnvVar.
> The JkEnvVar/attribute method is probably more efficient in a mod_jk context; 
> the HTTP header solution is more portable, since it does not depend on 
> specifically mod_jk being used as a connector.
> 
> Presumably, when at the Apache httpd level you decide to proxy a request to a 
> back-end Tomcat, you know through which interface you'll do it, and what its 
> IP address is, and you can put it into one of the things above.
> 
> Is that enough info to get you started ?
> 
> Caveat : one part I am not quite sure of, is what things you do have easy 
> access to, at the level of a Valve.  The above is what you'd do at a webapp 
> level, I hope it is also accessible at your Valve level.
> 

Hi André,

Thanks for the response, much appreciated.
The reason I want to add the IP restriction in the valve, is to make 100% sure 
that the request (for creating a new Tomcat context) is indeed coming from the 
frontend webserver. This valve is a setup not just for me, where I could tweak 
server settings and such, but for anyone who uses the mod_cfml connector. It is 
installed by default by the Railo/Lucee installers (getrailo.org 

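Bringing together André's JkEnvVar/request-attribute suggestion above and the shared-secret plan discussed earlier in the thread, here is an added example of how a Valve could enforce such a secret. It is example code written for this page, not the mod_cfml project's own valve. It assumes Tomcat 8's javax.servlet API, a hypothetical attribute name MOD_CFML_SECRET forwarded by mod_jk via JkEnvVar (assumed, per André's caveat, to be readable through request.getAttribute() at Valve level), a hypothetical fallback header X-Mod-CFML-Secret for front-ends that are not mod_jk, and a hypothetical sharedSecret attribute on the Valve element in server.xml. For brevity it gates every request that reaches it; a real valve would apply the check only on the path that creates a new context.

```java
package mod_cfml_example; // hypothetical package name for this example

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Example Valve (not mod_cfml's code): a request only passes when it carries
 * the secret shared with the front-end. The secret arrives either as a mod_jk
 * request attribute (set by httpd via JkEnvVar, which the remote client cannot
 * forge) or, for other front-ends, as an HTTP header the front-end overwrites.
 */
public class SharedSecretValve extends ValveBase {

    // All three names are assumptions for this example; they map to
    // sharedSecret="...", attributeName="..." and headerName="..." on the
    // <Valve> element in server.xml through Tomcat's setter-based configuration.
    private String sharedSecret;                       // no default: off by default
    private String attributeName = "MOD_CFML_SECRET";  // JkEnvVar MOD_CFML_SECRET
    private String headerName = "X-Mod-CFML-Secret";   // header fallback

    public void setSharedSecret(String value) { this.sharedSecret = value; }
    public void setAttributeName(String value) { this.attributeName = value; }
    public void setHeaderName(String value) { this.headerName = value; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Secure by default: with no secret configured, refuse rather than allow.
        if (sharedSecret == null || sharedSecret.isEmpty()) {
            containerLog.error("mod_cfml example: no sharedSecret configured, refusing request");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Prefer the mod_jk attribute: httpd sets it, the client cannot.
        Object attribute = request.getAttribute(attributeName);
        String presented = (attribute instanceof String)
                ? (String) attribute
                : request.getHeader(headerName);

        if (presented == null || !constantTimeEquals(sharedSecret, presented)) {
            // Remote address is logged for diagnostics only; it is not used
            // for the decision, for the reasons given in the thread.
            containerLog.warn("mod_cfml example: missing or wrong shared secret from "
                    + request.getRemoteAddr() + " for host " + request.getServerName());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Secret verified: continue down the pipeline (where a real valve would
        // create the missing Host/Context for request.getServerName()).
        getNext().invoke(request, response);
    }

    // Length-independent comparison so the secret cannot be guessed byte by
    // byte from response timing.
    private static boolean constantTimeEquals(String expected, String actual) {
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8));
    }
}
```

On the httpd side, with mod_jk, setting the value with SetEnv and forwarding it with `JkEnvVar MOD_CFML_SECRET` delivers it as an AJP request attribute that the remote client cannot supply (Chris's point above), whereas the header variant must be forced with mod_headers' `RequestHeader set X-Mod-CFML-Secret ...` so that any client-supplied copy is overwritten. The valve check is a second line of defence, not a replacement for binding the AJP Connector to a local address and using the connector-level secret (mod_jk's `worker.<name>.secret` together with the `requiredSecret` attribute on Tomcat's AJP Connector, renamed `secret` in later releases); it only ensures that a Tomcat left listening on 8009 or 8080 does not create contexts for anyone who can reach it.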
Finding the Apache httpd IP address when AJP is used

2015-04-29 Thread Paul Klinkenberg
Hi Tomcat users!

I have been working on an update for a Tomcat valve called mod_cfml. The 
project aims to provide automatic web context creation in Tomcat, when coming 
from a frontend webserver.
The live code base can be found at https://github.com/utdream/mod_cfml 
<https://github.com/utdream/mod_cfml>

One of the features I wanted to add, is adding an IP restriction in the valve 
(see github 
<https://github.com/paulklinkenberg/mod_cfml/commit/dab058b7f38f98a6e7f076323e3d23be476e6de6>).
 
While testing, I noticed that AJP works very well: it hides the IP address of 
the caller, which is the front-end Apache webserver, and instead returns the IP 
of the remote client / the client who called the frontend webserver.
I have been digging around quite a lot, but have not been able to find the 
Apache httpd IP address :-(

My question is hopefully simple to answer: can I retrieve the IP address which 
called the AJP connector, from within the valve?

My server.xml is:

[server.xml listing not preserved: the XML elements were stripped during extraction]

Thanks in advance for your time!

Kind regards,

Paul Klinkenberg
The Netherlands

p.s. I asked this question, in other wording, on SackOverflow.com 
<http://sackoverflow.com/> as well. I hope I have better luck here ;-)
http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp
 
<http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp>