Re: internalProxies regex
Wow that is great as well. What would the procedure be to get CIDR support into tomcat?
I'm back from holiday, so I will have some time now. I guess I can start off with testing the current code.

On 12 January 2018 at 16:36, Mark H. Wood <mw...@iupui.edu> wrote:

> On Fri, Jan 12, 2018 at 12:31:39PM +0100, Harrie Robins wrote:
> > Wow, that will be great. And I think that many people would like this to be implemented!
> > I volunteer to test this!
> >
> > Also, with many people fronting that machines with cloudflare / load balancers, I think demand will increase for this.
> > I could just write a valve to replace the mod_cloudflare module that I used in apache (mod cloudflare is mod_remoteip with settings predefined).
> >
> > Regards,
> >
> > Harrie
> >
> > -----Original Message-----
> > From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> > Sent: 09 January 2018 00:25
> > To: users@tomcat.apache.org
> > Subject: Re: internalProxies regex
> >
> > Harrie,
> >
> > On 1/5/18 3:47 AM, Harrie Robins wrote:
> > > our tomcat application server are fronted by 1. cloudflare, and 2.
> > > amazon load balancer. In apache there is mod_remote IP and I can
> > > simply put in CIDR range: https://www.cloudflare.com/ips/ that will
> > > swallow all those IP and will get the correct IP to tomcat.
> > >
> > > In Tomcat I need
> > > https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
> > >
> > > which does not accept CIDR range however.
> >
> > Have a look at this:
> >
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=51953
> >
> > It was never merged into Tomcat, but if it got some additional interest and testing, perhaps it could be added.
> >
> > -chris
>
> There's also this:
>
> https://github.com/mwoodiupui/tomcat-extras
>
> --
> Mark H. Wood
> Lead Technology Analyst
>
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
Re: internalProxies regex
On Fri, Jan 12, 2018 at 12:31:39PM +0100, Harrie Robins wrote:
> Wow, that will be great. And I think that many people would like this to be implemented!
> I volunteer to test this!
>
> Also, with many people fronting that machines with cloudflare / load balancers, I think demand will increase for this.
> I could just write a valve to replace the mod_cloudflare module that I used in apache (mod cloudflare is mod_remoteip with settings predefined).
>
> Regards,
>
> Harrie
>
> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 09 January 2018 00:25
> To: users@tomcat.apache.org
> Subject: Re: internalProxies regex
>
> Harrie,
>
> On 1/5/18 3:47 AM, Harrie Robins wrote:
> > our tomcat application server are fronted by 1. cloudflare, and 2.
> > amazon load balancer. In apache there is mod_remote IP and I can
> > simply put in CIDR range: https://www.cloudflare.com/ips/ that will
> > swallow all those IP and will get the correct IP to tomcat.
> >
> > In Tomcat I need
> > https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
> >
> > which does not accept CIDR range however.
>
> Have a look at this:
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=51953
>
> It was never merged into Tomcat, but if it got some additional interest and testing, perhaps it could be added.
>
> -chris

There's also this:

https://github.com/mwoodiupui/tomcat-extras

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
RE: internalProxies regex
Wow, that will be great. And I think that many people would like this to be implemented!
I volunteer to test this!

Also, with many people fronting that machines with cloudflare / load balancers, I think demand will increase for this.
I could just write a valve to replace the mod_cloudflare module that I used in apache (mod cloudflare is mod_remoteip with settings predefined).

Regards,

Harrie

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 09 January 2018 00:25
To: users@tomcat.apache.org
Subject: Re: internalProxies regex

Harrie,

On 1/5/18 3:47 AM, Harrie Robins wrote:
> our tomcat application server are fronted by 1. cloudflare, and 2.
> amazon load balancer. In apache there is mod_remote IP and I can
> simply put in CIDR range: https://www.cloudflare.com/ips/ that will
> swallow all those IP and will get the correct IP to tomcat.
>
> In Tomcat I need
> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
> which does not accept CIDR range however.

Have a look at this:

https://bz.apache.org/bugzilla/show_bug.cgi?id=51953

It was never merged into Tomcat, but if it got some additional interest and testing, perhaps it could be added.
-chris
Re: internalProxies regex
Harrie,

On 1/5/18 3:47 AM, Harrie Robins wrote:
> our tomcat application server are fronted by 1. cloudflare, and 2.
> amazon load balancer. In apache there is mod_remote IP and I can
> simply put in CIDR range: https://www.cloudflare.com/ips/ that will
> swallow all those IP and will get the correct IP to tomcat.
>
> In Tomcat I need
> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
> which does not accept CIDR range however.

Have a look at this:

https://bz.apache.org/bugzilla/show_bug.cgi?id=51953

It was never merged into Tomcat, but if it got some additional interest and testing, perhaps it could be added.

-chris
Re: internalProxies regex
On 08.01.2018 at 16:44, Harrie Robins wrote:
> Thanks for the update
>
> I enabled logging for remoteIpFilter like:

I thought you were using the remoteIpValve.

> org.apache.catalina.filters.RemoteIpFilter.level = ALL

For the valve it should be

org.apache.catalina.valves.RemoteIpValve = FINE

Regards,
Felix

> I do get matches when visiting. Is it also possible to print the list of IP’s? I have no clue how to do that.
>
> Regards,
>
> Harrie
>
> On 5 January 2018 at 16:32, Felix Schumacher <felix.schumac...@internetallee.de> wrote:
>> On 05.01.2018 at 15:43, Harrie Robins wrote:
>>> All clear. I apologize, I was in fact not masking the backslashes, I did a wrong copy paste from the pattern I was using in my test
>>>
>>> I tested the following 2 patterns:
>>>
>>> ^103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>>
>>> 103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))
>>
>> The regex can be "simplified" to
>>
>> 103\.21\.24[4-7]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))|103\.22\.20[0-3]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))
>>
>> or even
>>
>> 103\.(21\.24[4-7]|22\.20[0-3])\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))
>>
>> But it looks OK, if you want to match IPs from 103.21.244.x-103.21.247.x and 103.22.200.x-103.22.203.x
>>
>> Have you enabled debug-logs for the RemoteIpValve? It should print out the IP it tries to match.
>>
>> Regards,
>> Felix
>>
>>> Regards,
>>>
>>> Harrie
>>>
>>> On 5 January 2018 at 14:46, Felix Schumacher <felix.schumac...@internetallee.de> wrote:
>>>> On 05.01.2018 at 09:47, Harrie Robins wrote:
>>>>> Hi Mark,
>>>>>
>>>>> our tomcat application server are fronted by 1. cloudflare, and 2. amazon load balancer.
>>>>> In apache there is mod_remote IP and I can simply put in CIDR range: https://www.cloudflare.com/ips/ that will swallow all those IP and will get the correct IP to tomcat.
>>>>>
>>>>> In Tomcat I need
>>>>> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>>>>> which does not accept CIDR range however. I wrote a regex to match all the addresses and it works, it's matching way too many addresses however so I rewrote the pattern. My new pattern is not functioning however, so I tested the pattern in a small application.
>>>>>
>>>>> In my test I made a list of all addresses in this range:
>>>>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>>>
>>>> If you configure the valve through the internalProxies attribute, you are using 'real' strings and don't need to mask the backslashes as you would have to do with java strings.
>>>>
>>>> When you look at the documentation, you will find no double backslashes there.
>>>>
>>>> And regarding the usage of the anchors '^' and '$'. They are not needed, either. Tomcat will use match instead of find and thus they are implicitly added.
>>>>
>>>> Regards,
>>>> Felix
>>>>
>>>>> I matched all these addresses and it works. When I set in tomcat however it does not, I have no understanding why not?
>>>>>
>>>>> Hope you understand what I am trying to do.
>>>>>
>>>>> thanks
>>>>>
>>>>> On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:
>>>>>> On 02/01/18 09:50, Harrie Robins wrote:
>>>>>>> I'm still having problems with matching my pattern.
>>>>>>>
>>>>>>> Right now I'm feeding the following to internalProxies:
>>>>>>>
>>>>>>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>>>>>>
>>>>>>> I created a list of all involved IP addresses and matched those IP addresses:
>>>>>>>
>>>>>>> java.util.regex.Matcher / java.util.regex.Pattern, please see https://pastebin.com/Lija7n9k
>>>>>>>
>>>>>>> All addresses from the list I created are matching, just not in tomcat.
>>>>>>
>>>>>> What is the value of the remote IP address that is failing to match? You might want to look at writing a short custom Valve to log that and insert it into the Pipeline ahead of the RemoteIpValve.
>>>>>>
>>>>>> Another option would be to simply remove the RemoteIpValve and write a simple servlet that logs the remote IP.
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Harrie
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Harrie Robins [mailto:har...@eyequestion.nl]
>>>>>>> Sent: 21 December 2017 09:55
>>>>>>> To: 'Tomcat Users List' <users@tomcat.apache.org>
>>>>>>> Subject: RE: internalProxies regex
>>>>>>>
>>>>>>> This makes perfect sense.
>>>>>>> I tested my regex, just against wrong engine.
>>>>>>>
>>>>>>> Thanks for pointing me in the right direction
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
>>>>>>> Sent: 20 December 2017 15:19
>>>>>>> To: Tomcat Users List <users@tomcat.apache.org>
>>>>>>> O
Re: internalProxies regex
Thanks for the update

I enabled logging for remoteIpFilter like:

org.apache.catalina.filters.RemoteIpFilter.level = ALL

I do get matches when visiting. Is it also possible to print the list of IP’s? I have no clue how to do that.

Regards,

Harrie

On 5 January 2018 at 16:32, Felix Schumacher <felix.schumac...@internetallee.de> wrote:
> On 05.01.2018 at 15:43, Harrie Robins wrote:
>> All clear. I apologize, I was in fact not masking the backslashes, I did a wrong copy paste from the pattern I was using in my test
>>
>> I tested the following 2 patterns:
>>
>> ^103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>
>> 103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))
>
> The regex can be "simplified" to
>
> 103\.21\.24[4-7]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))|103\.22\.20[0-3]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))
>
> or even
>
> 103\.(21\.24[4-7]|22\.20[0-3])\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))
>
> But it looks OK, if you want to match IPs from 103.21.244.x-103.21.247.x and 103.22.200.x-103.22.203.x
>
> Have you enabled debug-logs for the RemoteIpValve? It should print out the IP it tries to match.
>
> Regards,
> Felix
>
>> Regards,
>>
>> Harrie
>>
>> On 5 January 2018 at 14:46, Felix Schumacher <felix.schumac...@internetallee.de> wrote:
>>> On 05.01.2018 at 09:47, Harrie Robins wrote:
>>>> Hi Mark,
>>>>
>>>> our tomcat application server are fronted by 1. cloudflare, and 2. amazon load balancer.
>>>> In apache there is mod_remote IP and I can simply put in CIDR range: https://www.cloudflare.com/ips/ that will swallow all those IP and will get the correct IP to tomcat.
>>>>
>>>> In Tomcat I need
>>>> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>>>> which does not accept CIDR range however. I wrote a regex to match all the addresses and it works, it's matching way too many addresses however so I rewrote the pattern. My new pattern is not functioning however, so I tested the pattern in a small application.
>>>>
>>>> In my test I made a list of all addresses in this range:
>>>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>>
>>> If you configure the valve through the internalProxies attribute, you are using 'real' strings and don't need to mask the backslashes as you would have to do with java strings.
>>>
>>> When you look at the documentation, you will find no double backslashes there.
>>>
>>> And regarding the usage of the anchors '^' and '$'. They are not needed, either. Tomcat will use match instead of find and thus they are implicitly added.
>>>
>>> Regards,
>>> Felix
>>>
>>>> I matched all these addresses and it works. When I set in tomcat however it does not, I have no understanding why not?
>>>>
>>>> Hope you understand what I am trying to do.
>>>>
>>>> thanks
>>>>
>>>> On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:
>>>>> On 02/01/18 09:50, Harrie Robins wrote:
>>>>>> I'm still having problems with matching my pattern.
>>>>>>
>>>>>> Right now I'm feeding the following to internalProxies:
>>>>>>
>>>>>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>>>>>
>>>>>> I created a list of all involved IP addresses and matched those IP addresses:
>>>>>>
>>>>>> java.util.regex.Matcher / java.util.regex.Pattern, please see https://pastebin.com/Lija7n9k
>>>>>>
>>>>>> All addresses from the list I created are matching, just not in tomcat.
>>>>>
>>>>> What is the value of the remote IP address that is failing to match? You might want to look at writing a short custom Valve to log that and insert it into the Pipeline ahead of the RemoteIpValve.
>>>>>
>>>>> Another option would be to simply remove the RemoteIpValve and write a simple servlet that logs the remote IP.
>>>>>
>>>>> Mark
>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Harrie
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Harrie Robins [mailto:har...@eyequestion.nl]
>>>>>> Sent: 21 December 2017 09:55
>>>>>> To: 'Tomcat Users List' <users@tomcat.apache.org>
>>>>>> Subject: RE: internalProxies regex
>>>>>>
>>>>>> This makes perfect sense.
>>>>>> I tested my regex, just against wrong engine.
>>>>>>
>>>>>> Thanks for pointing me in the right direction
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
>>>>>> Sent: 20 December 2017 15:19
>>>>>> To: Tomcat Users List <users@tomcat.apache.org>
>>>>>> Subject: Re: internalProxies regex
>>>>>>
>>>>>> 2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
>>>>>>> Hello everyone,
>>>>>>>
>>>>>>> I have a question about the remoteipvalve in tomcat 8.5
Re: internalProxies regex
On 05.01.2018 at 15:43, Harrie Robins wrote:
> All clear. I apologize, I was in fact not masking the backslashes, I did a wrong copy paste from the pattern I was using in my test
>
> I tested the following 2 patterns:
>
> ^103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>
> 103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))

The regex can be "simplified" to

103\.21\.24[4-7]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))|103\.22\.20[0-3]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))

or even

103\.(21\.24[4-7]|22\.20[0-3])\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))

But it looks OK, if you want to match IPs from 103.21.244.x-103.21.247.x and 103.22.200.x-103.22.203.x

Have you enabled debug-logs for the RemoteIpValve? It should print out the IP it tries to match.

Regards,
Felix

> Regards,
>
> Harrie
>
> On 5 January 2018 at 14:46, Felix Schumacher <felix.schumac...@internetallee.de> wrote:
>> On 05.01.2018 at 09:47, Harrie Robins wrote:
>>> Hi Mark,
>>>
>>> our tomcat application server are fronted by 1. cloudflare, and 2. amazon load balancer.
>>> In apache there is mod_remote IP and I can simply put in CIDR range: https://www.cloudflare.com/ips/ that will swallow all those IP and will get the correct IP to tomcat.
>>>
>>> In Tomcat I need
>>> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>>> which does not accept CIDR range however. I wrote a regex to match all the addresses and it works, it's matching way too many addresses however so I rewrote the pattern. My new pattern is not functioning however, so I tested the pattern in a small application.
>>>
>>> In my test I made a list of all addresses in this range:
>>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>
>> If you configure the valve through the internalProxies attribute, you are using 'real' strings and don't need to mask the backslashes as you would have to do with java strings.
>>
>> When you look at the documentation, you will find no double backslashes there.
>>
>> And regarding the usage of the anchors '^' and '$'. They are not needed, either. Tomcat will use match instead of find and thus they are implicitly added.
>>
>> Regards,
>> Felix
>>
>>> I matched all these addresses and it works. When I set in tomcat however it does not, I have no understanding why not?
>>>
>>> Hope you understand what I am trying to do.
>>>
>>> thanks
>>>
>>> On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:
>>>> On 02/01/18 09:50, Harrie Robins wrote:
>>>>> I'm still having problems with matching my pattern.
>>>>>
>>>>> Right now I'm feeding the following to internalProxies:
>>>>>
>>>>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>>>>
>>>>> I created a list of all involved IP addresses and matched those IP addresses:
>>>>>
>>>>> java.util.regex.Matcher / java.util.regex.Pattern, please see https://pastebin.com/Lija7n9k
>>>>>
>>>>> All addresses from the list I created are matching, just not in tomcat.
>>>>
>>>> What is the value of the remote IP address that is failing to match? You might want to look at writing a short custom Valve to log that and insert it into the Pipeline ahead of the RemoteIpValve.
>>>>
>>>> Another option would be to simply remove the RemoteIpValve and write a simple servlet that logs the remote IP.
>>>>
>>>> Mark
>>>>
>>>>> Regards,
>>>>>
>>>>> Harrie
>>>>>
>>>>> -----Original Message-----
>>>>> From: Harrie Robins [mailto:har...@eyequestion.nl]
>>>>> Sent: 21 December 2017 09:55
>>>>> To: 'Tomcat Users List' <users@tomcat.apache.org>
>>>>> Subject: RE: internalProxies regex
>>>>>
>>>>> This makes perfect sense.
>>>>> I tested my regex, just against wrong engine.
>>>>>
>>>>> Thanks for pointing me in the right direction
>>>>>
>>>>> -----Original Message-----
>>>>> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
>>>>> Sent: 20 December 2017 15:19
>>>>> To: Tomcat Users List <users@tomcat.apache.org>
>>>>> Subject: Re: internalProxies regex
>>>>>
>>>>> 2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
>>>>>> Hello everyone,
>>>>>>
>>>>>> I have a question about the remoteipvalve in tomcat 8.5:
>>>>>> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>>>>>>
>>>>>> internalProxies
>>>>>>
>>>>>> Regular expression that matches the IP addresses of internal proxies. If they appear in the remoteIpHeader value, they will be trusted and will not appear in the proxiesHeader value
>>>>>>
>>>>>> RemoteIPInternalProxy
>>>>>>
>>>>>> Regular expression (in the syntax supported by java.util.regex)
>>>>>>
>>>>>> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
>>>>>> 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
>>>>>> 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
>>>>>> 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
>>>>>> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.
>>>>>>
>>>>>> I n
Re: internalProxies regex
All clear. I apologize, I was in fact not masking the backslashes, I did a wrong copy paste from the pattern I was using in my test

I tested the following 2 patterns:

^103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))

Regards,

Harrie

On 5 January 2018 at 14:46, Felix Schumacher <felix.schumac...@internetallee.de> wrote:

> On 05.01.2018 at 09:47, Harrie Robins wrote:
>> Hi Mark,
>>
>> our tomcat application server are fronted by 1. cloudflare, and 2. amazon load balancer.
>> In apache there is mod_remote IP and I can simply put in CIDR range: https://www.cloudflare.com/ips/ that will swallow all those IP and will get the correct IP to tomcat.
>>
>> In Tomcat I need
>> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>> which does not accept CIDR range however. I wrote a regex to match all the addresses and it works, it's matching way too many addresses however so I rewrote the pattern. My new pattern is not functioning however, so I tested the pattern in a small application.
>>
>> In my test I made a list of all addresses in this range:
>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>
> If you configure the valve through the internalProxies attribute, you are using 'real' strings and don't need to mask the backslashes as you would have to do with java strings.
>
> When you look at the documentation, you will find no double backslashes there.
>
> And regarding the usage of the anchors '^' and '$'. They are not needed, either. Tomcat will use match instead of find and thus they are implicitly added.
>
> Regards,
> Felix
>
>> I matched all these addresses and it works. When I set in tomcat however it does not, I have no understanding why not?
>>
>> Hope you understand what I am trying to do.
>>
>> thanks
>>
>> On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:
>>> On 02/01/18 09:50, Harrie Robins wrote:
>>>> I'm still having problems with matching my pattern.
>>>>
>>>> Right now I'm feeding the following to internalProxies:
>>>>
>>>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>>>
>>>> I created a list of all involved IP addresses and matched those IP addresses:
>>>>
>>>> java.util.regex.Matcher / java.util.regex.Pattern, please see https://pastebin.com/Lija7n9k
>>>>
>>>> All addresses from the list I created are matching, just not in tomcat.
>>>
>>> What is the value of the remote IP address that is failing to match? You might want to look at writing a short custom Valve to log that and insert it into the Pipeline ahead of the RemoteIpValve.
>>>
>>> Another option would be to simply remove the RemoteIpValve and write a simple servlet that logs the remote IP.
>>>
>>> Mark
>>>
>>>> Regards,
>>>>
>>>> Harrie
>>>>
>>>> -----Original Message-----
>>>> From: Harrie Robins [mailto:har...@eyequestion.nl]
>>>> Sent: 21 December 2017 09:55
>>>> To: 'Tomcat Users List' <users@tomcat.apache.org>
>>>> Subject: RE: internalProxies regex
>>>>
>>>> This makes perfect sense.
>>>> I tested my regex, just against wrong engine.
>>>>
>>>> Thanks for pointing me in the right direction
>>>>
>>>> -----Original Message-----
>>>> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
>>>> Sent: 20 December 2017 15:19
>>>> To: Tomcat Users List <users@tomcat.apache.org>
>>>> Subject: Re: internalProxies regex
>>>>
>>>> 2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
>>>>> Hello everyone,
Re: internalProxies regex
On 05.01.2018 at 09:47, Harrie Robins wrote:
> Hi Mark,
>
> our tomcat application server are fronted by 1. cloudflare, and 2. amazon load balancer.
> In apache there is mod_remote IP and I can simply put in CIDR range: https://www.cloudflare.com/ips/ that will swallow all those IP and will get the correct IP to tomcat.
>
> In Tomcat I need
> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
> which does not accept CIDR range however. I wrote a regex to match all the addresses and it works, it's matching way too many addresses however so I rewrote the pattern. My new pattern is not functioning however, so I tested the pattern in a small application.
>
> In my test I made a list of all addresses in this range:
> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

If you configure the valve through the internalProxies attribute, you are using 'real' strings and don't need to mask the backslashes as you would have to do with java strings.

When you look at the documentation, you will find no double backslashes there.

And regarding the usage of the anchors '^' and '$'. They are not needed, either. Tomcat will use match instead of find and thus they are implicitly added.

Regards,
Felix

> I matched all these addresses and it works. When I set in tomcat however it does not, I have no understanding why not?
>
> Hope you understand what I am trying to do.
>
> thanks
>
> On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:
>> On 02/01/18 09:50, Harrie Robins wrote:
>>> I'm still having problems with matching my pattern.
>>>
>>> Right now I'm feeding the following to internalProxies:
>>>
>>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>>
>>> I created a list of all involved IP addresses and matched those IP addresses:
>>>
>>> java.util.regex.Matcher / java.util.regex.Pattern, please see https://pastebin.com/Lija7n9k
>>>
>>> All addresses from the list I created are matching, just not in tomcat.
>>
>> What is the value of the remote IP address that is failing to match? You might want to look at writing a short custom Valve to log that and insert it into the Pipeline ahead of the RemoteIpValve.
>>
>> Another option would be to simply remove the RemoteIpValve and write a simple servlet that logs the remote IP.
>>
>> Mark
>>
>>> Regards,
>>>
>>> Harrie
>>>
>>> -----Original Message-----
>>> From: Harrie Robins [mailto:har...@eyequestion.nl]
>>> Sent: 21 December 2017 09:55
>>> To: 'Tomcat Users List' <users@tomcat.apache.org>
>>> Subject: RE: internalProxies regex
>>>
>>> This makes perfect sense.
>>> I tested my regex, just against wrong engine.
>>>
>>> Thanks for pointing me in the right direction
>>>
>>> -----Original Message-----
>>> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
>>> Sent: 20 December 2017 15:19
>>> To: Tomcat Users List <users@tomcat.apache.org>
>>> Subject: Re: internalProxies regex
>>>
>>> 2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
>>>> Hello everyone,
>>>>
>>>> I have a question about the remoteipvalve in tomcat 8.5:
>>>> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>>>>
>>>> internalProxies
>>>>
>>>> Regular expression that matches the IP addresses of internal proxies. If they appear in the remoteIpHeader value, they will be trusted and will not appear in the proxiesHeader value
>>>>
>>>> RemoteIPInternalProxy
>>>>
>>>> Regular expression (in the syntax supported by java.util.regex)
>>>>
>>>> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
>>>> 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
>>>> 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
>>>> 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
>>>> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.
>>>>
>>>> I need to convert some CIDR ranges to regex:
>>>>
>>>> my concern is that /d{1,3} will match too many (non exist) addresses
>>>>
>>>> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
>>>>
>>>> So I re-wrote using capture groups, below does not function however, and I assume it is due to OR (|) which tomcat will affectively see as a new entry? So I tried escaping, but I cannot get it to work:
>>>>
>>>> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))
>>>
>>> Your assumption that "tomcat will affectively see as a new entry" is wrong. The string is used as whole to initialize a java.util.regex.Pattern(). Tomcat does not split it.
>>>
>>> You may write a simple program / junit test to test how java.util.regex.Pattern() processes your value. Or you may run Tomcat with debugger,
>>>
>>> https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>>> https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario
>>>
>>> AFAIK, '\|' in a regu
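
An added example, not code from the thread or from Tomcat: a standalone Java check for the two points made in the replies above, the doubled backslashes in the `internalProxies` value and the shortened patterns. It runs each candidate with `Matcher.matches()` over the two address ranges named in the thread and the rest of their /16s; the class name, the /22 notation for the ranges and the loose `\d{1,3}` candidate are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;

// Added example: sweep candidate internalProxies patterns against the blocks they should cover.
public class InternalProxiesCheck {

    // extra = addresses the pattern would trust although they lie outside every block
    static final class Report { int covered, missed, extra; String firstMissed = "-", firstExtra = "-"; }

    // len is 16..32 here, see parseCidr
    static long mask(int len) { return (0xFFFFFFFFL << (32 - len)) & 0xFFFFFFFFL; }

    // "a.b.c.d/len" -> { network address, prefix length }
    static long[] parseCidr(String cidr) {
        String[] parts = cidr.split("/");
        String[] octets = parts[0].split("\\.");
        if (parts.length != 2 || octets.length != 4) throw new IllegalArgumentException("not IPv4 CIDR: " + cidr);
        long addr = 0;
        for (String o : octets) {
            int v = Integer.parseInt(o);
            if (v < 0 || v > 255) throw new IllegalArgumentException("bad octet: " + cidr);
            addr = (addr << 8) | v;
        }
        int len = Integer.parseInt(parts[1]);
        if (len < 16 || len > 32) throw new IllegalArgumentException("prefix must be 16..32 for this sweep: " + cidr);
        return new long[] { addr & mask(len), len };
    }

    static String dotted(long a) {
        return ((a >> 24) & 255) + "." + ((a >> 16) & 255) + "." + ((a >> 8) & 255) + "." + (a & 255);
    }

    static boolean inAny(long addr, List<long[]> nets) {
        for (long[] n : nets) {
            if ((addr & mask((int) n[1])) == n[0]) return true;
        }
        return false;
    }

    // Tests every address of each block's enclosing /16, so both gaps inside
    // the blocks and acceptance of neighbouring addresses show up.
    static Report check(String regex, List<String> cidrs) {
        Pattern p = Pattern.compile(regex);
        List<long[]> nets = new ArrayList<>();
        Set<Long> sweeps = new TreeSet<>();
        for (String c : cidrs) {
            long[] n = parseCidr(c);
            nets.add(n);
            sweeps.add(n[0] & 0xFFFF0000L);
        }
        Report r = new Report();
        for (long base : sweeps) {
            for (long a = base; a < base + 65536; a++) {
                String ip = dotted(a);
                boolean trusted = p.matcher(ip).matches();  // whole-string match, so ^ and $ add nothing
                boolean wanted = inAny(a, nets);
                if (wanted && trusted) {
                    r.covered++;
                } else if (wanted) {
                    if (r.missed++ == 0) r.firstMissed = ip;
                } else if (trusted) {
                    if (r.extra++ == 0) r.firstExtra = ip;
                }
            }
        }
        return r;
    }

    public static void main(String[] args) {
        // The ranges named in the thread (103.21.244.x-103.21.247.x and
        // 103.22.200.x-103.22.203.x), written as /22 blocks for this example.
        List<String> cidrs = List.of("103.21.244.0/22", "103.22.200.0/22");

        // Java string literals: "\\." here is the regex \. as it is typed into server.xml.
        String longForm = "103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))"
                + "|103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))";
        String shortForm = "103\\.(21\\.24[4-7]|22\\.20[0-3])\\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))";

        Map<String, String> candidates = new LinkedHashMap<>();
        candidates.put("long form", longForm);
        candidates.put("shortened form", shortForm);
        // What the valve receives when Java-source escaping is pasted into the
        // attribute: every backslash doubled, so the dot is no longer escaped.
        candidates.put("long form, backslashes doubled", longForm.replace("\\", "\\\\"));
        // Constructed loose pattern in the \d{1,3} style, not one from the thread.
        candidates.put("loose \\d{1,3} (constructed)", "103\\.2[12]\\.\\d{1,3}\\.\\d{1,3}");
        for (Map.Entry<String, String> e : candidates.entrySet()) {
            Report r = check(e.getValue(), cidrs);
            System.out.printf("%-32s covered=%d missed=%d (first %s) extra=%d (first %s)%n",
                    e.getKey(), r.covered, r.missed, r.firstMissed, r.extra, r.firstExtra);
        }
    }
}
```

Run on the patterns from this thread, the doubled-backslash form matches no address, and the shortened `1?[1-9]?[0-9]` form leaves out last octets 100 to 109 in each /24. A non-zero `extra` count means hosts outside the listed proxy ranges would have their forwarded-for header trusted.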
Re: internalProxies regex
Hi Mark, our tomcat application server are fronted by 1. cloudflare, and 2. amazon load balancer. In apache there is mod_remote IP and I can simply put in CIDR range: https://www.cloudflare.com/ips/ that will swallow all those IP and will get the correct IP to tomcat. In Tomcat I need https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html which does not accept CIDR range however. I wrote a regex to match all the addresses and it works, it's matching way to many addresses however so I rewrote the pattern. My new pattern is not functioning however, so I tested then pattern in a small application. In my test I made a list of all addresses in this range: ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2( [0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1- 9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ I matched all these addresses and it works. When I set in tomcat however it does not, I have no understanding why not? Hope you understand what I am trying to do. thanks On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote: > On 02/01/18 09:50, Harrie Robins wrote: > > I'm still having problems with matching my pattern. > > > > Right now I'm feeding the following to internalProxies: > > > > ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2( > [0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1- > 9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ > > I created a list of all involved IP addresses and matched those IP > addresses: > > > > java.util.regex.Matcher / java.util.regex.Pattern, please see > https://pastebin.com/Lija7n9k > > > > All addresses from the list I created are matching, just not in tomcat. > > What is the value of the remote IP address that is failing to match? You > might want to look at writing a short custom Valve to log that and > insert it into the Pipeline ahead of the RemoteIpValve. 
>
> Another option would be to simply remove the RemoteIpValve and write a
> simple servlet that logs the remote IP.
>
> Mark
Re: internalProxies regex
On 02/01/18 09:50, Harrie Robins wrote:
> I'm still having problems with matching my pattern.
>
> Right now I'm feeding the following to internalProxies:
>
> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>
> I created a list of all involved IP addresses and matched those IP addresses:
>
> java.util.regex.Matcher / java.util.regex.Pattern, please see
> https://pastebin.com/Lija7n9k
>
> All addresses from the list I created are matching, just not in tomcat.

What is the value of the remote IP address that is failing to match? You might want to look at writing a short custom Valve to log that and insert it into the Pipeline ahead of the RemoteIpValve.

Another option would be to simply remove the RemoteIpValve and write a simple servlet that logs the remote IP.

Mark

> Regards,
>
> Harrie

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: internalProxies regex
I'm still having problems with matching my pattern.

Right now I'm feeding the following to internalProxies:

^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

I created a list of all involved IP addresses and matched those IP addresses:

java.util.regex.Matcher / java.util.regex.Pattern, please see https://pastebin.com/Lija7n9k

All addresses from the list I created are matching, just not in tomcat.

Regards,

Harrie

-Original message-
From: Harrie Robins [mailto:har...@eyequestion.nl]
Sent: 21 December 2017 09:55
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: RE: internalProxies regex

This makes perfect sense.
I tested my regex, just against the wrong engine.

Thanks for pointing me in the right direction
RE: internalProxies regex
This makes perfect sense.
I tested my regex, just against the wrong engine.

Thanks for pointing me in the right direction

-Original message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 20 December 2017 15:19
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: internalProxies regex

2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
> Hello everyone,
>
> I have a question about the remoteipvalve in tomcat 8.5:
> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
> internalProxies
>
> Regular expression that matches the IP addresses of internal proxies.
> If they appear in the remoteIpHeader value, they will be trusted and
> will not appear in the proxiesHeader value
>
> RemoteIPInternalProxy
>
> Regular expression (in the syntax supported by java.util.regex)
>
> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
>
> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.
>
> I need to convert some CIDR ranges to regex:
>
> my concern is that /d{1,3} will match too many (non exist) addresses
>
> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
>
> So I re-wrote using capture groups, below does not function however,
> and I assume it is due to OR (|) which tomcat will effectively see as a new
> entry?
> So I tried escaping, but I cannot get it to work:
>
> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))

Your assumption that "tomcat will effectively see as a new entry" is wrong.
The string is used as a whole to initialize a java.util.regex.Pattern().
Tomcat does not split it.

You may write a simple program / junit test to test how
java.util.regex.Pattern() processes your value. Or you may run Tomcat with a
debugger,

https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario

AFAIK, '\|' in a regular expression will be interpreted as expecting a literal
'|' character in the matched string. No IP address has this character so
none will match.

Best regards,
Konstantin Kolinko
Re: internalProxies regex
2017-12-20 11:37 GMT+03:00 Harrie Robins:
> Hello everyone,
>
> I have a question about the remoteipvalve in tomcat 8.5:
> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
> internalProxies
>
> Regular expression that matches the IP addresses of internal proxies. If
> they appear in the remoteIpHeader value, they will be trusted and will not
> appear in the proxiesHeader value
>
> RemoteIPInternalProxy
>
> Regular expression (in the syntax supported by java.util.regex)
>
> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
>
> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.
>
> I need to convert some CIDR ranges to regex:
>
> my concern is that /d{1,3} will match too many (non exist) addresses
>
> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
>
> So I re-wrote using capture groups, below does not function however, and I
> assume it is due to OR (|) which tomcat will effectively see as a new entry?
> So I tried escaping, but I cannot get it to work:
>
> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))

Your assumption that "tomcat will effectively see as a new entry" is wrong.
The string is used as a whole to initialize a java.util.regex.Pattern().
Tomcat does not split it.

You may write a simple program / junit test to test how
java.util.regex.Pattern() processes your value. Or you may run Tomcat with a
debugger,

https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario

AFAIK, '\|' in a regular expression will be interpreted as expecting a literal
'|' character in the matched string. No IP address has this character so
none will match.

Best regards,
Konstantin Kolinko
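The "simple program" suggested above could look like the following; it is an added example, not code from the thread or from Tomcat. It checks three regex texts against every 103.21.c.d and 103.22.c.d address: the pattern with bare `|`, the first attempt with `\|`, and the same pattern with doubled backslashes in the regex text. Assumptions: the class and constant names are hypothetical, the intended ranges are read from the octet groups in the posted pattern, whole-string matching via `matches()` is assumed, and the doubled-backslash case models Java string-literal escaping being kept in a value that is read verbatim.

```java
import java.util.regex.Pattern;

// Added example (not from the thread): class and constant names are hypothetical.
public class InternalProxiesCheck {
    // One octet, 0-255, with the alternation from the rewritten pattern.
    static final String OCTET =
        "([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))";
    // The same group with every '|' escaped, as in the first attempt.
    static final String ESC_OCTET =
        "([0-9]\\|[1-9][0-9]\\|1([0-9][0-9])\\|2([0-4][0-9]\\|5[0-5]))";

    // Regex text with single backslashes and bare '|'. Java source doubles
    // each backslash; the engine receives 103\.21\.(2(4[4-7]))\. and so on.
    static final String PLAIN =
        "103\\.21\\.(2(4[4-7]))\\." + OCTET + "|103\\.22\\.(2(0[0-3]))\\." + OCTET;

    // First attempt: the engine now expects literal '|' characters.
    static final String ESCAPED_PIPE =
        "103\\.21\\.(2(4[4-7]))\\." + ESC_OCTET + "|103\\.22\\.(2(0[0-3]))\\." + ESC_OCTET;

    // PLAIN with each backslash doubled in the regex text itself, i.e. what the
    // engine receives if Java-literal escaping is kept in a value that is read
    // verbatim (assumption about how the value was entered).
    static final String DOUBLED_BACKSLASH = PLAIN.replace("\\", "\\\\");

    // Compares a pattern with the ranges its octet groups describe
    // (103.21.244-247.x and 103.22.200-203.x) over every 103.21.c.d and
    // 103.22.c.d address. Whole-string matching is an assumption.
    static int mismatches(String regexText) {
        Pattern p = Pattern.compile(regexText);
        int wrong = 0;
        for (int b = 21; b <= 22; b++) {
            for (int c = 0; c < 256; c++) {
                for (int d = 0; d < 256; d++) {
                    boolean want = (b == 21 && c >= 244 && c <= 247)
                                || (b == 22 && c >= 200 && c <= 203);
                    boolean got = p.matcher("103." + b + "." + c + "." + d).matches();
                    if (want != got) wrong++;
                }
            }
        }
        return wrong;
    }

    public static void main(String[] args) {
        String[][] cases = {
            {"plain", PLAIN}, {"escaped pipe", ESCAPED_PIPE},
            {"doubled backslash", DOUBLED_BACKSLASH}};
        for (String[] c : cases) {
            System.out.println(c[0] + ": " + mismatches(c[1])
                + " of 131072 addresses misclassified; regex text = " + c[1]);
        }
    }
}
```

A count of 0 means the regex text accepts exactly the intended addresses. Printing the regex text alongside the count lets it be compared character by character with the value set for internalProxies.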