Re: internalProxies regex

2018-01-18 Thread Harrie Robins
Wow that is great as well.

What would the procedure be to get CIDR support into tomcat?
I'm back from holiday, so I will have some time now. I guess I can start off
with testing the current code.

On 12 January 2018 at 16:36, Mark H. Wood <mw...@iupui.edu> wrote:

> On Fri, Jan 12, 2018 at 12:31:39PM +0100, Harrie Robins wrote:
> > Wow, that will be great. And I think that many people would like this to
> > be implemented!
> > I volunteer to test this!
> >
> > Also, with many people fronting their machines with cloudflare / load
> > balancers, I think demand will increase for this.
> > I could just write a valve to replace the mod_cloudflare module that I
> > used in apache (mod cloudflare is mod_remoteip with settings predefined).
> >
> > Regards,
> >
> > Harrie
> >
> > -Original message-
> > From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> > Sent: 09 January 2018 00:25
> > To: users@tomcat.apache.org
> > Subject: Re: internalProxies regex
> >
> > Harrie,
> >
> > On 1/5/18 3:47 AM, Harrie Robins wrote:
> > > our tomcat application servers are fronted by 1. cloudflare, and 2.
> > > amazon load balancer. In apache there is mod_remoteip and I can
> > > simply put in CIDR range: https://www.cloudflare.com/ips/ that will
> > > swallow all those IPs and will get the correct IP to tomcat.
> > >
> > > In Tomcat I need
> > > https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
> > > which does not accept CIDR range however.
> >
> > Have a look at this:
> >
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=51953
> >
> > It was never merged into Tomcat, but if it got some additional interest
> > and testing, perhaps it could be added.
> >
> > -chris
>
> There's also this:
>
> https://github.com/mwoodiupui/tomcat-extras
>
> --
> Mark H. Wood
> Lead Technology Analyst
>
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
>


Re: internalProxies regex

2018-01-12 Thread Mark H. Wood
On Fri, Jan 12, 2018 at 12:31:39PM +0100, Harrie Robins wrote:
> Wow, that will be great. And I think that many people would like this to be 
> implemented!
> I volunteer to test this!
> 
> Also, with many people fronting their machines with cloudflare / load
> balancers, I think demand will increase for this.
> I could just write a valve to replace the mod_cloudflare module that I used 
> in apache (mod cloudflare is mod_remoteip with settings predefined).
> 
> Regards,
> 
> Harrie
> 
> -Original message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 09 January 2018 00:25
> To: users@tomcat.apache.org
> Subject: Re: internalProxies regex
>
> Harrie,
> 
> On 1/5/18 3:47 AM, Harrie Robins wrote:
> > our tomcat application servers are fronted by 1. cloudflare, and 2.
> > amazon load balancer. In apache there is mod_remoteip and I can
> > simply put in CIDR range: https://www.cloudflare.com/ips/ that will
> > swallow all those IPs and will get the correct IP to tomcat.
> >
> > In Tomcat I need
> > https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
> > which does not accept CIDR range however.
> 
> Have a look at this:
> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=51953
> 
> It was never merged into Tomcat, but if it got some additional interest and 
> testing, perhaps it could be added.
> 
> -chris

There's also this:

https://github.com/mwoodiupui/tomcat-extras

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu




RE: internalProxies regex

2018-01-12 Thread Harrie Robins
Wow, that will be great. And I think that many people would like this to be 
implemented!
I volunteer to test this!

Also, with many people fronting their machines with cloudflare / load balancers,
I think demand will increase for this.
I could just write a valve to replace the mod_cloudflare module that I used in 
apache (mod cloudflare is mod_remoteip with settings predefined).

Regards,

Harrie

-Original message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 09 January 2018 00:25
To: users@tomcat.apache.org
Subject: Re: internalProxies regex

Harrie,

On 1/5/18 3:47 AM, Harrie Robins wrote:
> our tomcat application servers are fronted by 1. cloudflare, and 2.
> amazon load balancer. In apache there is mod_remoteip and I can
> simply put in CIDR range: https://www.cloudflare.com/ips/ that will
> swallow all those IPs and will get the correct IP to tomcat.
>
> In Tomcat I need
> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
> which does not accept CIDR range however.

Have a look at this:

https://bz.apache.org/bugzilla/show_bug.cgi?id=51953

It was never merged into Tomcat, but if it got some additional interest and 
testing, perhaps it could be added.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






Re: internalProxies regex

2018-01-08 Thread Christopher Schultz

Harrie,

On 1/5/18 3:47 AM, Harrie Robins wrote:
> our tomcat application servers are fronted by 1. cloudflare, and 2.
> amazon load balancer. In apache there is mod_remoteip and I can
> simply put in CIDR range: https://www.cloudflare.com/ips/ that will
> swallow all those IPs and will get the correct IP to tomcat.
>
> In Tomcat I need
> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
> which does not accept CIDR range however.

Have a look at this:

https://bz.apache.org/bugzilla/show_bug.cgi?id=51953

It was never merged into Tomcat, but if it got some additional
interest and testing, perhaps it could be added.

-chris




Re: internalProxies regex

2018-01-08 Thread Felix Schumacher

On 08.01.2018 at 16:44, Harrie Robins wrote:

> Thanks for the update
>
> I enabled logging for remoteIpFilter like:

I thought you were using the remoteIpValve.

> org.apache.catalina.filters.RemoteIpFilter.level = ALL

For the valve it should be

org.apache.catalina.valves.RemoteIpValve.level = FINE

Regards,
 Felix

> I do get matches when visiting. Is it also possible to print the list of IPs?
> I have no clue how to do that.
>
> Regards,
>
> Harrie

  


On 5 January 2018 at 16:32, Felix Schumacher <felix.schumac...@internetallee.de> wrote:

On 05.01.2018 at 15:43, Harrie Robins wrote:

All clear.
I apologize, I was in fact not masking the backslashes, I did a wrong copy
paste from the pattern I was using in my test

I tested the following 2 patterns:

^103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))


The regex can be "simplified" to

103\.21\.24[4-7]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))|103\.22\.20[0-3]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))

or even

103\.(21\.24[4-7]|22\.20[0-3])\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))

But it looks OK, if you want to match IPs from 103.21.244.x-103.21.247.x and 
103.22.200.x-103.22.203.x

Have you enabled debug-logs for the RemoteIpValve? It should print out the IP 
it tries to match.

Regards,
  Felix

  



Regards,

Harrie



On 5 January 2018 at 14:46, Felix Schumacher <felix.schumac...@internetallee.de> wrote:

On 05.01.2018 at 09:47, Harrie Robins wrote:

Hi Mark,

our tomcat application servers are fronted by 1. cloudflare, and 2. amazon
load balancer.
In apache there is mod_remoteip and I can simply put in CIDR range:
https://www.cloudflare.com/ips/ that will swallow all those IPs and will get
the correct IP to tomcat.

In Tomcat I need
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
which does not accept CIDR range however. I wrote a regex to match all the
addresses and it works, it's matching way too many addresses however so I
rewrote the pattern. My new pattern is not functioning however, so I tested
the pattern in a small application.

In my test I made a list of all addresses in this range:
^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

If you configure the valve through the internalProxies attribute, you are
using 'real' strings and don't need to mask the backslashes as you would
have to do with Java strings.

When you look at the documentation, you will find no double backslashes
there.

And regarding the usage of the anchors '^' and '$'. They are not needed,
either. Tomcat will use match instead of find and thus they are implicitly
added.

Regards,
   Felix

I matched all these addresses and it works. When I set in tomcat however it
does not, I have no understanding why not?

Hope you understand what I am trying to do.

thanks





On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:

On 02/01/18 09:50, Harrie Robins wrote:

I'm still having problems with matching my pattern.

Right now I'm feeding the following to internalProxies:

^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

I created a list of all involved IP addresses and matched those IP addresses:

java.util.regex.Matcher / java.util.regex.Pattern, please see
https://pastebin.com/Lija7n9k

All addresses from the list I created are matching, just not in tomcat.

What is the value of the remote IP address that is failing to match? You
might want to look at writing a short custom Valve to log that and
insert it into the Pipeline ahead of the RemoteIpValve.

Another option would be to simply remove the RemoteIpValve and write a
simple servlet that logs the remote IP.

Mark

Regards,

Harrie

-Original message-
From: Harrie Robins [mailto:har...@eyequestion.nl]
Sent: 21 December 2017 09:55
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: RE: internalProxies regex

This makes perfect sense.
I tested my regex, just against the wrong engine.

Thanks for pointing me in the right direction

-Original message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 20 December 2017 15:19
To: Tomcat Users List <users@tomcat.apache.org>
O

Re: internalProxies regex

2018-01-08 Thread Harrie Robins
Thanks for the update

 

I enabled logging for remoteIpFilter like:

 

org.apache.catalina.filters.RemoteIpFilter.level = ALL

 

I do get matches when visiting. Is it also possible to print the list of IPs?
I have no clue how to do that.

 

Regards,

Harrie

 

On 5 January 2018 at 16:32, Felix Schumacher <felix.schumac...@internetallee.de> wrote:

On 05.01.2018 at 15:43, Harrie Robins wrote:

All clear.
I apologize, I was in fact not masking the backslashes, I did a wrong copy
paste from the pattern I was using in my test

I tested the following 2 patterns:

^103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))


The regex can be "simplified" to

103\.21\.24[4-7]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))|103\.22\.20[0-3]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))

or even

103\.(21\.24[4-7]|22\.20[0-3])\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))

But it looks OK, if you want to match IPs from 103.21.244.x-103.21.247.x and 
103.22.200.x-103.22.203.x

Have you enabled debug-logs for the RemoteIpValve? It should print out the IP 
it tries to match.

Regards,
 Felix

 


Regards,

Harrie



On 5 January 2018 at 14:46, Felix Schumacher <felix.schumac...@internetallee.de> wrote:

On 05.01.2018 at 09:47, Harrie Robins wrote:

Hi Mark,

our tomcat application servers are fronted by 1. cloudflare, and 2. amazon
load balancer.
In apache there is mod_remoteip and I can simply put in CIDR range:
https://www.cloudflare.com/ips/ that will swallow all those IPs and will get
the correct IP to tomcat.

In Tomcat I need
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
which does not accept CIDR range however. I wrote a regex to match all the
addresses and it works, it's matching way too many addresses however so I
rewrote the pattern. My new pattern is not functioning however, so I tested
the pattern in a small application.

In my test I made a list of all addresses in this range:
^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

If you configure the valve through the internalProxies attribute, you are
using 'real' strings and don't need to mask the backslashes as you would
have to do with Java strings.

When you look at the documentation, you will find no double backslashes
there.

And regarding the usage of the anchors '^' and '$'. They are not needed,
either. Tomcat will use match instead of find and thus they are implicitly
added.

Regards,
  Felix

I matched all these addresses and it works. When I set in tomcat however it
does not, I have no understanding why not?

Hope you understand what I am trying to do.

thanks





On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:

On 02/01/18 09:50, Harrie Robins wrote:

I'm still having problems with matching my pattern.

Right now I'm feeding the following to internalProxies:

^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

I created a list of all involved IP addresses and matched those IP addresses:

java.util.regex.Matcher / java.util.regex.Pattern, please see
https://pastebin.com/Lija7n9k

All addresses from the list I created are matching, just not in tomcat.

What is the value of the remote IP address that is failing to match? You
might want to look at writing a short custom Valve to log that and
insert it into the Pipeline ahead of the RemoteIpValve.

Another option would be to simply remove the RemoteIpValve and write a
simple servlet that logs the remote IP.

Mark

Regards,

Harrie

-Original message-
From: Harrie Robins [mailto:har...@eyequestion.nl]
Sent: 21 December 2017 09:55
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: RE: internalProxies regex

This makes perfect sense.
I tested my regex, just against the wrong engine.

Thanks for pointing me in the right direction

-Original message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 20 December 2017 15:19
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: internalProxies regex

2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:

Hello everyone,



I have a question about the remoteipvalve in tomcat 8.5

Re: internalProxies regex

2018-01-05 Thread Felix Schumacher

On 05.01.2018 at 15:43, Harrie Robins wrote:

All clear.
I apologize, I was in fact not masking the backslashes, I did a wrong copy
paste from the pattern I was using in my test

I tested the following 2 patterns:

^103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))


The regex can be "simplified" to

103\.21\.24[4-7]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))|103\.22\.20[0-3]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))

or even

103\.(21\.24[4-7]|22\.20[0-3])\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))

But it looks OK, if you want to match IPs from 103.21.244.x-103.21.247.x 
and 103.22.200.x-103.22.203.x


Have you enabled debug-logs for the RemoteIpValve? It should print out 
the IP it tries to match.


Regards,
 Felix



Regards,

Harrie



On 5 January 2018 at 14:46, Felix Schumacher <felix.schumac...@internetallee.de> wrote:

On 05.01.2018 at 09:47, Harrie Robins wrote:


Hi Mark,

our tomcat application servers are fronted by 1. cloudflare, and 2. amazon
load balancer.
In apache there is mod_remoteip and I can simply put in CIDR range:
https://www.cloudflare.com/ips/ that will swallow all those IPs and will get
the correct IP to tomcat.

In Tomcat I need
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
which does not accept CIDR range however. I wrote a regex to match all the
addresses and it works, it's matching way too many addresses however so I
rewrote the pattern. My new pattern is not functioning however, so I tested
the pattern in a small application.

In my test I made a list of all addresses in this range:
^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$


If you configure the valve through the internalProxies attribute, you are
using 'real' strings and don't need to mask the backslashes as you would
have to do with Java strings.

When you look at the documentation, you will find no double backslashes
there.

And regarding the usage of the anchors '^' and '$'. They are not needed,
either. Tomcat will use match instead of find and thus they are implicitly
added.

Regards,
  Felix

I matched all these addresses and it works. When I set in tomcat however it
does not, I have no understanding why not?

Hope you understand what I am trying to do.

thanks





On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:

On 02/01/18 09:50, Harrie Robins wrote:

I'm still having problems with matching my pattern.

Right now I'm feeding the following to internalProxies:

^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

I created a list of all involved IP addresses and matched those IP addresses:

java.util.regex.Matcher / java.util.regex.Pattern, please see
https://pastebin.com/Lija7n9k


All addresses from the list I created are matching, just not in tomcat.


What is the value of the remote IP address that is failing to match? You
might want to look at writing a short custom Valve to log that and
insert it into the Pipeline ahead of the RemoteIpValve.

Another option would be to simply remove the RemoteIpValve and write a
simple servlet that logs the remote IP.

Mark

Regards,

Harrie

-Original message-
From: Harrie Robins [mailto:har...@eyequestion.nl]
Sent: 21 December 2017 09:55
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: RE: internalProxies regex

This makes perfect sense.
I tested my regex, just against the wrong engine.

Thanks for pointing me in the right direction

-Original message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 20 December 2017 15:19
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: internalProxies regex

2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:


Hello everyone,



I have a question about the remoteipvalve in tomcat 8.5:
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html




internalProxies

Regular expression that matches the IP addresses of internal proxies.
If they appear in the remoteIpHeader value, they will be trusted and
will not appear in the proxiesHeader value

RemoteIPInternalProxy

Regular expression (in the syntax supported by java.util.regex)

10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}

By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.

I n

Re: internalProxies regex

2018-01-05 Thread Harrie Robins
All clear.
I apologize, I was in fact not masking the backslashes, I did a wrong copy
paste from the pattern I was using in my test

I tested the following 2 patterns:

^103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))

Regards,

Harrie



On 5 January 2018 at 14:46, Felix Schumacher <felix.schumac...@internetallee.de> wrote:

> On 05.01.2018 at 09:47, Harrie Robins wrote:
>
>> Hi Mark,
>>
>> our tomcat application servers are fronted by 1. cloudflare, and 2. amazon
>> load balancer.
>> In apache there is mod_remoteip and I can simply put in CIDR range:
>> https://www.cloudflare.com/ips/ that will swallow all those IPs and will get
>> the correct IP to tomcat.
>>
>> In Tomcat I need
>> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>> which does not accept CIDR range however. I wrote a regex to match all the
>> addresses and it works, it's matching way too many addresses however so I
>> rewrote the pattern. My new pattern is not functioning however, so I tested
>> the pattern in a small application.
>>
>> In my test I made a list of all addresses in this range:
>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>
>
> If you configure the valve through the internalProxies attribute, you are
> using 'real' strings and don't need to mask the backslashes as you would
> have to do with Java strings.
>
> When you look at the documentation, you will find no double backslashes
> there.
>
> And regarding the usage of the anchors '^' and '$'. They are not needed,
> either. Tomcat will use match instead of find and thus they are implicitly
> added.
>
> Regards,
>  Felix
>
>> I matched all these addresses and it works. When I set in tomcat however it
>> does not, I have no understanding why not?
>>
>> Hope you understand what I am trying to do.
>>
>> thanks
>>
>>
>>
>>
>>
>> On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:
>>
>> On 02/01/18 09:50, Harrie Robins wrote:
>>>
>>>> I'm still having problems with matching my pattern.
>>>>
>>>> Right now I'm feeding the following to internalProxies:
>>>>
>>>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>>>
>>>> I created a list of all involved IP addresses and matched those IP
>>>> addresses:
>>>>
>>>> java.util.regex.Matcher / java.util.regex.Pattern, please see
>>>> https://pastebin.com/Lija7n9k
>>>>
>>>> All addresses from the list I created are matching, just not in tomcat.
>>>>
>>> What is the value of the remote IP address that is failing to match? You
>>> might want to look at writing a short custom Valve to log that and
>>> insert it into the Pipeline ahead of the RemoteIpValve.
>>>
>>> Another option would be to simply remove the RemoteIpValve and write a
>>> simple servlet that logs the remote IP.
>>>
>>> Mark
>>>
>>>> Regards,
>>>>
>>>> Harrie
>>>>
>>>> -Original message-
>>>> From: Harrie Robins [mailto:har...@eyequestion.nl]
>>>> Sent: 21 December 2017 09:55
>>>> To: 'Tomcat Users List' <users@tomcat.apache.org>
>>>> Subject: RE: internalProxies regex
>>>>
>>>> This makes perfect sense.
>>>> I tested my regex, just against the wrong engine.
>>>>
>>>> Thanks for pointing me in the right direction
>>>>
>>>> -Original message-
>>>> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
>>>> Sent: 20 December 2017 15:19
>>>> To: Tomcat Users List <users@tomcat.apache.org>
>>>> Subject: Re: internalProxies regex
>>>>
>>>> 2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
>>>>
>>>>> Hello everyone,
>>>>>
>>&g

Re: internalProxies regex

2018-01-05 Thread Felix Schumacher

On 05.01.2018 at 09:47, Harrie Robins wrote:

Hi Mark,

our tomcat application servers are fronted by 1. cloudflare, and 2. amazon
load balancer.
In apache there is mod_remoteip and I can simply put in CIDR range:
https://www.cloudflare.com/ips/ that will swallow all those IPs and will get
the correct IP to tomcat.

In Tomcat I need
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
which does not accept CIDR range however. I wrote a regex to match all the
addresses and it works, it's matching way too many addresses however so I
rewrote the pattern. My new pattern is not functioning however, so I tested
the pattern in a small application.

In my test I made a list of all addresses in this range:
^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$


If you configure the valve through the internalProxies attribute, you
are using 'real' strings and don't need to mask the backslashes as you
would have to do with Java strings.

When you look at the documentation, you will find no double backslashes
there.

And regarding the usage of the anchors '^' and '$'. They are not
needed, either. Tomcat will use match instead of find and thus they are
implicitly added.

Regards,
 Felix

I matched all these addresses and it works. When I set in tomcat however it
does not, I have no understanding why not?

Hope you understand what I am trying to do.

thanks





On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:


On 02/01/18 09:50, Harrie Robins wrote:

I'm still having problems with matching my pattern.

Right now I'm feeding the following to internalProxies:

^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

I created a list of all involved IP addresses and matched those IP addresses:

java.util.regex.Matcher / java.util.regex.Pattern, please see
https://pastebin.com/Lija7n9k

All addresses from the list I created are matching, just not in tomcat.

What is the value of the remote IP address that is failing to match? You
might want to look at writing a short custom Valve to log that and
insert it into the Pipeline ahead of the RemoteIpValve.

Another option would be to simply remove the RemoteIpValve and write a
simple servlet that logs the remote IP.

Mark


Regards,

Harrie

-Original message-
From: Harrie Robins [mailto:har...@eyequestion.nl]
Sent: 21 December 2017 09:55
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: RE: internalProxies regex

This makes perfect sense.
I tested my regex, just against the wrong engine.

Thanks for pointing me in the right direction

-Original message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 20 December 2017 15:19
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: internalProxies regex

2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:

Hello everyone,



I have a question about the remoteipvalve in tomcat 8.5:
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html




internalProxies

Regular expression that matches the IP addresses of internal proxies.
If they appear in the remoteIpHeader value, they will be trusted and
will not appear in the proxiesHeader value

RemoteIPInternalProxy

Regular expression (in the syntax supported by java.util.regex)

10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}

By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.



I need to convert some CIDR ranges to regex:


my concern is that /d{1,3} will match too many (non-existent) addresses

103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}



So I re-wrote using capture groups, below does not function however,
and I assume it is due to OR (|) which tomcat will effectively see as a
new entry?

So I tried escaping, but I cannot get it to work:

103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))

Your assumption that "tomcat will effectively see as a new entry" is wrong.

The string is used as a whole to initialize a java.util.regex.Pattern().
Tomcat does not split it.

You may write a simple program / junit test to test how
java.util.regex.Pattern() processes your value.  Or you may run Tomcat
with debugger,

https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario

AFAIK, '\|' in a regu
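
Added example, not part of any message in this thread: a small Java program of the kind suggested above ("write a simple program / junit test") that applies candidate internalProxies values as a full match with java.util.regex, which is how the thread says Tomcat uses them. It walks every address in the two ranges named in the thread plus their neighbours and lists addresses a pattern misses or wrongly accepts; the class name, the MARGIN value and writing the two ranges as /22 blocks are choices made for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not code from the thread: compares candidate internalProxies
// patterns with the address ranges they are supposed to trust.
public class InternalProxiesCheck {

    // The two ranges named in the thread (103.21.244.x-103.21.247.x and
    // 103.22.200.x-103.22.203.x), written as CIDR blocks.
    static final String[] TRUSTED = { "103.21.244.0/22", "103.22.200.0/22" };

    // Neighbouring addresses probed on each side of a block (example value).
    static final int MARGIN = 512;

    static final class Result {
        final List<String> missed = new ArrayList<>(); // in a trusted block, pattern rejects it
        final List<String> extra = new ArrayList<>();  // outside every block, pattern accepts it
    }

    static long toLong(String ip) {
        long value = 0;
        for (String octet : ip.split("\\.")) {
            value = (value << 8) | Integer.parseInt(octet);
        }
        return value;
    }

    static String toIp(long v) {
        return ((v >> 24) & 255) + "." + ((v >> 16) & 255) + "."
                + ((v >> 8) & 255) + "." + (v & 255);
    }

    // First and last address of a CIDR block.
    static long[] bounds(String cidr) {
        String[] parts = cidr.split("/");
        long size = 1L << (32 - Integer.parseInt(parts[1]));
        long first = toLong(parts[0]) & ~(size - 1);
        return new long[] { first, first + size - 1 };
    }

    static boolean isTrusted(long addr) {
        for (String cidr : TRUSTED) {
            long[] b = bounds(cidr);
            if (addr >= b[0] && addr <= b[1]) {
                return true;
            }
        }
        return false;
    }

    // Applies the pattern with matches(), i.e. against the whole address string,
    // which is how the thread describes Tomcat using internalProxies.
    static Result check(String regex) {
        Pattern pattern = Pattern.compile(regex);
        Result result = new Result();
        for (String cidr : TRUSTED) {
            long[] b = bounds(cidr);
            for (long addr = b[0] - MARGIN; addr <= b[1] + MARGIN; addr++) {
                String ip = toIp(addr);
                boolean accepted = pattern.matcher(ip).matches();
                if (isTrusted(addr) && !accepted) {
                    result.missed.add(ip);
                } else if (!isTrusted(addr) && accepted) {
                    result.extra.add(ip);
                }
            }
        }
        return result;
    }

    static void report(String label, String regex) {
        Result r = check(regex);
        System.out.printf("%-20s missed=%d extra=%d%n", label, r.missed.size(), r.extra.size());
        r.missed.stream().limit(3).forEach(ip -> System.out.println("  missed: " + ip));
        r.extra.stream().limit(3).forEach(ip -> System.out.println("  extra:  " + ip));
    }

    public static void main(String[] args) {
        // Java source needs "\\" for one regex backslash; the strings built here
        // are the values as they would be typed into the internalProxies attribute.
        String octet = "([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))";
        String first = "103\\.21\\.(2(4[4-7]))\\." + octet;
        String second = "103\\.22\\.(2(0[0-3]))\\." + octet;
        String anchored = "^" + first + "$|^" + second + "$";
        // Every backslash doubled, as in the pattern first posted to the list.
        String doubled = anchored.replace("\\", "\\\\");
        String simplified =
                "103\\.(21\\.24[4-7]|22\\.20[0-3])\\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))";

        report("doubled backslashes", doubled);
        report("anchored", anchored);
        report("unanchored", first + "|" + second);
        report("simplified", simplified);
    }
}
```

An address in the "extra" list is one that would be treated as a trusted proxy in the remoteIpHeader value although it is outside the listed ranges, so that list should be empty before a pattern is deployed. The "missed" list is where a shortened octet sub-pattern shows its gaps: 1?[1-9]?[0-9] does not accept a last octet of 100 to 109.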

Re: internalProxies regex

2018-01-05 Thread Harrie Robins
Hi Mark,

our tomcat application servers are fronted by 1. cloudflare, and 2. amazon
load balancer.
In apache there is mod_remoteip and I can simply put in CIDR range:
https://www.cloudflare.com/ips/ that will swallow all those IPs and will get
the correct IP to tomcat.

In Tomcat I need
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
which does not accept CIDR range however. I wrote a regex to match all the
addresses and it works, it's matching way too many addresses however so I
rewrote the pattern. My new pattern is not functioning however, so I tested
the pattern in a small application.

In my test I made a list of all addresses in this range:
^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
I matched all these addresses and it works. When I set in tomcat however it
does not, I have no understanding why not?

Hope you understand what I am trying to do.

thanks





On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:

> On 02/01/18 09:50, Harrie Robins wrote:
> > I'm still having problems with matching my pattern.
> >
> > Right now I'm feeding the following to internalProxies:
> >
> > ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
> > I created a list of all involved IP addresses and matched those IP addresses:
> >
> > java.util.regex.Matcher / java.util.regex.Pattern, please see
> > https://pastebin.com/Lija7n9k
> >
> > All addresses from the list I created are matching, just not in tomcat.
>
> What is the value of the remote IP address that is failing to match? You
> might want to look at writing a short custom Valve to log that and
> insert it into the Pipeline ahead of the RemoteIpValve.
>
> Another option would be to simply remove the RemoteIpValve and write a
> simple servlet that logs the remote IP.
>
> Mark
>
> >
> > Regards,
> >
> > Harrie
> >
> > -Original Message-
> > From: Harrie Robins [mailto:har...@eyequestion.nl]
> > Sent: 21 December 2017 09:55
> > To: 'Tomcat Users List' <users@tomcat.apache.org>
> > Subject: RE: internalProxies regex
> >
> > This makes perfect sense.
> > I tested my regex, just against wrong engine.
> >
> > Thanks for pointing me in the right direction
> >
> > -Original Message-
> > From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
> > Sent: 20 December 2017 15:19
> > To: Tomcat Users List <users@tomcat.apache.org>
> > Subject: Re: internalProxies regex
> >
> > 2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
> >> Hello everyone,
> >>
> >>
> >>
> >> I have a question about the remoteipvalve in tomcat 8.5:
> >> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
> >>
> >>
> >>
> >>
> >> internalProxies
> >>
> >> Regular expression that matches the IP addresses of internal proxies.
> >> If they appear in the remoteIpHeader value, they will be trusted and
> >> will not appear in the proxiesHeader value
> >>
> >> RemoteIPInternalProxy
> >>
> >> Regular expression (in the syntax supported by java.util.regex)
> >>
> >> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
> >> 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
> >> 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
> >> 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
> >> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.
> >>
> >>
> >>
> >> I need to convert some CIDR ranges to regex:
> >>
> >>
> >> my concern is that /d{1,3} will match too many (non exist) addresses
> >>
> >> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|
> >> 103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
> >>
> >>
> >>
> >> So I re-wrote using capture groups, below does not function however,
> >> and I assume it is due to OR (|) which tomcat will effectively see as a new entry?
> >> So I tried escaping, but I cannot get it to work:
> >>
> >> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0

Re: internalProxies regex

2018-01-02 Thread Mark Thomas
On 02/01/18 09:50, Harrie Robins wrote:
> I'm still having problems with matching my pattern.
> 
> Right now I'm feeding the following to internalProxies:
>  
> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
> I created a list of all involved IP addresses and matched those IP addresses:
> 
> java.util.regex.Matcher / java.util.regex.Pattern, please see 
> https://pastebin.com/Lija7n9k 
> 
> All addresses from the list I created are matching, just not in tomcat.

What is the value of the remote IP address that is failing to match? You
might want to look at writing a short custom Valve to log that and
insert it into the Pipeline ahead of the RemoteIpValve.

Another option would be to simply remove the RemoteIpValve and write a
simple servlet that logs the remote IP.

Mark

> 
> Regards,
> 
> Harrie
> 
> -Original Message-
> From: Harrie Robins [mailto:har...@eyequestion.nl]
> Sent: 21 December 2017 09:55
> To: 'Tomcat Users List' <users@tomcat.apache.org>
> Subject: RE: internalProxies regex
> 
> This makes perfect sense.
> I tested my regex, just against wrong engine.
> 
> Thanks for pointing me in the right direction
> 
> -Original Message-
> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
> Sent: 20 December 2017 15:19
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: internalProxies regex
> 
> 2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
>> Hello everyone,
>>
>>
>>
>> I have a question about the remoteipvalve in tomcat 8.5:
>> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>>
>>
>>
>>
>> internalProxies
>>
>> Regular expression that matches the IP addresses of internal proxies. 
>> If they appear in the remoteIpHeader value, they will be trusted and 
>> will not appear in the proxiesHeader value
>>
>> RemoteIPInternalProxy
>>
>> Regular expression (in the syntax supported by java.util.regex)
>>
>> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
>> 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
>> 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
>> 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
>> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.
>>
>>
>>
>> I need to convert some CIDR ranges to regex:
>>
>>
>> my concern is that /d{1,3} will match too many (non exist) addresses
>>
>> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|
>> 103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
>>
>>
>>
>> So I re-wrote using capture groups, below does not function however,
>> and I assume it is due to OR (|) which tomcat will effectively see as a new
>> entry?
>> So I tried escaping, but I cannot get it to work:
>>
>> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))
>
> Your assumption that "tomcat will effectively see as a new entry" is wrong.
> The string is used as whole to initialize a java.util.regex.Pattern().
> Tomcat does not split it.
> 
> You may write a simple program / junit test to test how
> java.util.regex.Pattern() processes your value.  Or you may run Tomcat with 
> debugger,
> 
> https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
> https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario
> 
> AFAIK, '\|' in a regular expression will be interpreted as expecting literal 
> '|' character in the matched string.  No IP address has this character so 
> none will match.
> 
> 
> 
> Best regards,
> Konstantin Kolinko
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> 
> 
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
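
One way to write the short logging Valve suggested in this message, added here as an example and not code from the thread or from Tomcat. The package, class name and log format are hypothetical, and X-Forwarded-For is assumed as the remoteIpHeader.

```java
package example; // hypothetical package

import java.io.IOException;
import javax.servlet.ServletException; // Tomcat 8.5/9; Tomcat 10+ uses jakarta.servlet
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/*
 * Hypothetical diagnostic valve. In server.xml, declare it before the RemoteIpValve
 * so that it sees the connection's address before that valve rewrites it:
 *
 *   <Valve className="example.RemoteAddrLoggingValve" />
 *   <Valve className="org.apache.catalina.valves.RemoteIpValve"
 *          internalProxies="..." />
 */
public class RemoteAddrLoggingValve extends ValveBase {
    private static final Log log = LogFactory.getLog(RemoteAddrLoggingValve.class);

    public RemoteAddrLoggingValve() {
        super(true); // safe for async requests: the valve only reads and logs
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // getRemoteAddr() is the peer of the TCP connection (the load balancer
        // when one sits in front), which is the address the pattern has to match.
        log.info("peer=" + clean(request.getRemoteAddr())
            + " X-Forwarded-For=" + clean(request.getHeader("X-Forwarded-For")));
        getNext().invoke(request, response);
    }

    // The header is client-controlled: keep only characters that can occur in an
    // address list, so a crafted value cannot forge or break log lines.
    static String clean(String value) {
        if (value == null) {
            return "-";
        }
        String trimmed = value.length() > 256 ? value.substring(0, 256) : value;
        return trimmed.replaceAll("[^0-9A-Fa-f:., ]", "?");
    }
}
```

Remove the valve once the failing address is known, since it logs every request.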



RE: internalProxies regex

2018-01-02 Thread Harrie Robins
I'm still having problems with matching my pattern.

Right now I'm feeding the following to internalProxies:
 
^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
I created a list of all involved IP addresses and matched those IP addresses:

java.util.regex.Matcher / java.util.regex.Pattern, please see 
https://pastebin.com/Lija7n9k 

All addresses from the list I created are matching, just not in tomcat.

Regards,

Harrie

-Original Message-
From: Harrie Robins [mailto:har...@eyequestion.nl]
Sent: 21 December 2017 09:55
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: RE: internalProxies regex

This makes perfect sense.
I tested my regex, just against wrong engine.

Thanks for pointing me in the right direction

-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 20 December 2017 15:19
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: internalProxies regex

2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
> Hello everyone,
>
>
>
> I have a question about the remoteipvalve in tomcat 8.5:
> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
>
>
>
> internalProxies
>
> Regular expression that matches the IP addresses of internal proxies. 
> If they appear in the remoteIpHeader value, they will be trusted and 
> will not appear in the proxiesHeader value
>
> RemoteIPInternalProxy
>
> Regular expression (in the syntax supported by java.util.regex)
>
> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
> 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
> 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
> 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.
>
>
>
> I need to convert some CIDR ranges to regex:
>
>
> my concern is that /d{1,3} will match too many (non exist) addresses
>
> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|
> 103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
>
>
>
> So I re-wrote using capture groups, below does not function however,
> and I assume it is due to OR (|) which tomcat will effectively see as a new
> entry?
> So I tried escaping, but I cannot get it to work:
>
> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))

Your assumption that "tomcat will effectively see as a new entry" is wrong.
The string is used as whole to initialize a java.util.regex.Pattern().
Tomcat does not split it.

You may write a simple program / junit test to test how
java.util.regex.Pattern() processes your value.  Or you may run Tomcat with 
debugger,

https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario

AFAIK, '\|' in a regular expression will be interpreted as expecting literal 
'|' character in the matched string.  No IP address has this character so none 
will match.



Best regards,
Konstantin Kolinko




RE: internalProxies regex

2017-12-21 Thread Harrie Robins
This makes perfect sense.
I tested my regex, just against wrong engine.

Thanks for pointing me in the right direction

-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 20 December 2017 15:19
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: internalProxies regex

2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
> Hello everyone,
>
>
>
> I have a question about the remoteipvalve in tomcat 8.5:
> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
>
>
>
> internalProxies
>
> Regular expression that matches the IP addresses of internal proxies. 
> If they appear in the remoteIpHeader value, they will be trusted and 
> will not appear in the proxiesHeader value
>
> RemoteIPInternalProxy
>
> Regular expression (in the syntax supported by java.util.regex)
>
> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
> 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
> 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
> 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.
>
>
>
> I need to convert some CIDR ranges to regex:
>
>
> my concern is that /d{1,3} will match too many (non exist) addresses
>
> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|
> 103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
>
>
>
> So I re-wrote using capture groups, below does not function however,
> and I assume it is due to OR (|) which tomcat will effectively see as a new
> entry?
> So I tried escaping, but I cannot get it to work:
>
> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))

Your assumption that "tomcat will effectively see as a new entry" is wrong.
The string is used as whole to initialize a java.util.regex.Pattern().
Tomcat does not split it.

You may write a simple program / junit test to test how
java.util.regex.Pattern() processes your value.  Or you may run Tomcat with 
debugger,

https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario

AFAIK, '\|' in a regular expression will be interpreted as expecting literal 
'|' character in the matched string.  No IP address has this character so none 
will match.



Best regards,
Konstantin Kolinko




Re: internalProxies regex

2017-12-20 Thread Konstantin Kolinko
2017-12-20 11:37 GMT+03:00 Harrie Robins :
> Hello everyone,
>
>
>
> I have a question about the remoteipvalve in tomcat 8.5:
> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
>
>
>
> internalProxies
>
> Regular expression that matches the IP addresses of internal proxies. If
> they appear in the remoteIpHeader value, they will be trusted and will not
> appear in the proxiesHeader value
>
> RemoteIPInternalProxy
>
> Regular expression (in the syntax supported by java.util.regex)
>
> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
> 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
> 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
> 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.
>
>
>
> I need to convert some CIDR ranges to regex:
>
>
> my concern is that /d{1,3} will match too many (non exist) addresses
>
> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
>
>
>
> So I re-wrote using capture groups, below does not function however, and I
> assume it is due to OR (|) which tomcat will effectively see as a new entry?
> So I tried escaping, but I cannot get it to work:
>
> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))

Your assumption that "tomcat will effectively see as a new entry" is wrong.
The string is used as whole to initialize a java.util.regex.Pattern().
Tomcat does not split it.

You may write a simple program / junit test to test how
java.util.regex.Pattern() processes your value.  Or you may run Tomcat
with debugger,

https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario

AFAIK, '\|' in a regular expression will be interpreted as expecting
literal '|' character in the matched string.  No IP address has this
character so none will match.



Best regards,
Konstantin Kolinko
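
The kind of simple program suggested in this reply, added here as an example and not code from the thread or from Tomcat: it hands three spellings of the thread's 103.21.244.0/22 alternative to java.util.regex.Pattern and prints which inputs each one accepts. It is narrowed to that one range; the class name, the constructed inputs and the full-match assumption belong to this example.

```java
import java.util.regex.Pattern;

public class InternalProxiesCheck {
    // Last-octet group (0-255) as written in the thread's pattern.
    static final String OCTET = "([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))";

    // Each constant holds the attribute text Tomcat would receive; it is written as a
    // Java literal here, so every backslash of that text appears doubled in the source.

    // Text: 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|...)   ('|' escaped)
    static final String ESCAPED_PIPES = "103\\.21\\.(2(4[4-7]))\\."
        + "([0-9]\\|[1-9][0-9]\\|1([0-9][0-9])\\|2([0-4][0-9]\\|5[0-5]))";

    // Text: ^103\\.21\\.(2(4[4-7]))\\.(...)$   (Java-source escaping kept in the value)
    static final String DOUBLE_BACKSLASH = "^103\\\\.21\\\\.(2(4[4-7]))\\\\." + OCTET + "$";

    // Text: 103\.21\.(2(4[4-7]))\.(...)   (single backslashes, plain alternation)
    static final String PLAIN = "103\\.21\\.(2(4[4-7]))\\." + OCTET;

    // Assumption: the valve tests the whole address against the one compiled Pattern.
    static boolean trusted(String patternText, String ip) {
        return Pattern.compile(patternText).matcher(ip).matches();
    }

    public static void main(String[] args) {
        String[][] candidates = {
            {"escaped pipes", ESCAPED_PIPES},
            {"double backslash", DOUBLE_BACKSLASH},
            {"plain", PLAIN},
        };
        // Constructed inputs: two addresses inside 103.21.244.0/22, three outside it,
        // then the only kinds of string the two broken forms can accept:
        // '\|' demands literal pipes, and '\\.' demands a backslash plus any one character.
        String[] inputs = {
            "103.21.244.0", "103.21.247.255",
            "103.21.248.1", "103.21.244.256", "203.0.113.7",
            "103.21.244.0|10|100|200|50",
            "103\\a21\\a244\\a7",
        };
        for (String[] c : candidates) {
            System.out.println(c[0] + "  " + c[1]);
            for (String in : inputs) {
                System.out.printf("  %-28s %b%n", in, trusted(c[1], in));
            }
        }
    }
}
```

Only the single-backslash form with unescaped | accepts the two in-range addresses and rejects everything else; 103.21.244.256 is rejected because the last-octet group stops at 255.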
