Hi Mark,

our Tomcat application servers are fronted by 1. Cloudflare, and 2. an Amazon
load balancer.
In Apache there is mod_remoteip and I can simply put in the CIDR ranges from
https://www.cloudflare.com/ips/; that will swallow all those IPs and will get
the correct IP to Tomcat.

In Tomcat I need
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
which does not accept CIDR ranges, however. I wrote a regex to match all the
addresses and it works; it matches way too many addresses, however, so I
rewrote the pattern. My new pattern is not functioning, however, so I tested
the pattern in a small application.

In my test I made a list of all addresses in this range:
^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
I matched all these addresses and it works. When I set it in Tomcat, however, it
does not, and I have no understanding why not.

Hope you understand what I am trying to do.

thanks





On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:

> On 02/01/18 09:50, Harrie Robins wrote:
> > I'm still having problems with matching my pattern.
> >
> > Right now I'm feeding the following to internalProxies:
> >
> > ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
> > I created a list of all involved IP addresses and matched those IP addresses:
> >
> > java.util.regex.Matcher / java.util.regex.Pattern, please see
> > https://pastebin.com/Lija7n9k
> >
> > All addresses from the list I created are matching, just not in Tomcat.
>
> What is the value of the remote IP address that is failing to match? You
> might want to look at writing a short custom Valve to log that and
> insert it into the Pipeline ahead of the RemoteIpValve.
>
> Another option would be to simply remove the RemoteIpValve and write a
> simple servlet that logs the remote IP.
>
> Mark
>
> >
> > Regards,
> >
> > Harrie
> >
> > -----Original message-----
> > From: Harrie Robins [mailto:har...@eyequestion.nl]
> > Sent: 21 December 2017 09:55
> > To: 'Tomcat Users List' <users@tomcat.apache.org>
> > Subject: RE: internalProxies regex
> >
> > This makes perfect sense.
> > I tested my regex, just against wrong engine.
> >
> > Thanks for pointing me in the right direction
> >
> > -----Original message-----
> > From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
> > Sent: 20 December 2017 15:19
> > To: Tomcat Users List <users@tomcat.apache.org>
> > Subject: Re: internalProxies regex
> >
> > 2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
> >> Hello everyone,
> >>
> >>
> >>
> >> I have a question about the RemoteIpValve in Tomcat 8.5:
> >> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
> >>
> >>
> >>
> >>
> >> internalProxies
> >>
> >> Regular expression that matches the IP addresses of internal proxies.
> >> If they appear in the remoteIpHeader value, they will be trusted and
> >> will not appear in the proxiesHeader value
> >>
> >> RemoteIPInternalProxy
> >>
> >> Regular expression (in the syntax supported by java.util.regex)
> >>
> >> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
> >> 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
> >> 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
> >> 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
> >> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.
> >>
> >>
> >>
> >> I need to convert some CIDR ranges to regex:
> >>
> >>
> >> My concern is that \d{1,3} will match too many (non-existent) addresses:
> >>
> >> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
> >>
> >>
> >>
> >> So I re-wrote it using capture groups. The pattern below does not function, however,
> >> and I assume it is due to the OR (|), which Tomcat will effectively see as a new entry?
> >> So I tried escaping, but I cannot get it to work:
> >>
> >> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))
> >
> > Your assumption that "Tomcat will effectively see as a new entry" is wrong.
> > The string is used as whole to initialize a java.util.regex.Pattern().
> > Tomcat does not split it.
> >
> > You may write a simple program / junit test to test how
> > java.util.regex.Pattern() processes your value.  Or you may run Tomcat with debugger,
> >
> > https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
> > https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario
> >
> > AFAIK, '\|' in a regular expression will be interpreted as expecting a
> > literal '|' character in the matched string.  No IP address has this
> > character so none will match.
> >
> >
> >
> > Best regards,
> > Konstantin Kolinko
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
> >
> >
> >
>
>
>
>
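A way to build an exact internalProxies pattern from the CIDR blocks and to test it the way Konstantin suggested, added here as an example; it is not code from the thread or from Tomcat, the helper names `cidr_to_regex`, `internal_proxies_value`, `verify` and `pitfall_matches` are assumed, and the two blocks used are the ones the regex above encodes. Python's `re` and java.util.regex agree on the syntax used here (escaped dots, character classes, non-capturing groups, alternation), and `fullmatch` does what `Matcher.matches()` does in Java; the doubled-backslash check is one possible cause of "works in my test, not in Tomcat" that the thread does not confirm.

```python
import ipaddress
import re

# Exact pattern for one octet 0..255 without leading zeros (replaces \d{1,3},
# which also accepts 256..999 and so would trust X-Forwarded-For from hosts
# outside the proxy ranges).
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"


def cidr_to_regex(cidr):
    """Regex matching exactly the addresses of an IPv4 CIDR block (assumed helper)."""
    net = ipaddress.ip_network(cidr, strict=True)
    lo_octets = net.network_address.packed
    hi_octets = net.broadcast_address.packed
    parts = []
    for lo, hi in zip(lo_octets, hi_octets):
        if lo == hi:                      # fixed octet
            parts.append(str(lo))
        elif (lo, hi) == (0, 255):        # fully variable octet
            parts.append(OCTET)
        else:                             # partially variable octet: list its values
            parts.append("(?:" + "|".join(str(v) for v in range(lo, hi + 1)) + ")")
    return r"\.".join(parts)


def internal_proxies_value(cidrs):
    """One alternation suitable for the internalProxies attribute."""
    return "|".join(cidr_to_regex(c) for c in cidrs)


def verify(cidrs):
    """Return (every_in_range_address_matched, false_positives) using
    full-string matching, the equivalent of java.util.regex.Matcher.matches()."""
    pat = re.compile(internal_proxies_value(cidrs))
    wanted = [str(a) for c in cidrs for a in ipaddress.ip_network(c)]
    all_matched = all(pat.fullmatch(a) for a in wanted)
    probes = ["103.21.244.999", "103.21.2440.1"]   # constructed out-of-range inputs
    for c in cidrs:
        net = ipaddress.ip_network(c)
        probes += [str(net.network_address - 1), str(net.broadcast_address + 1)]
    return all_matched, [p for p in probes if pat.fullmatch(p)]


def pitfall_matches(addr="103.21.244.1"):
    """Two patterns from the thread's attempts that match nothing, for comparison."""
    # '\|' is a literal bar, so the address would have to contain '|'.
    escaped_bar = re.compile(r"103\.21\.24[4-7]\.\d{1,3}\|103\.22\.20[0-3]\.\d{1,3}")
    # '\\.' typed verbatim into a server.xml attribute is a literal backslash
    # followed by any character; it is the regex \. only inside a Java string literal.
    doubled = re.compile(r"103\\.21\\.24[4-7]\\.\d{1,3}")
    return {"escaped_bar": bool(escaped_bar.fullmatch(addr)),
            "doubled_backslash": bool(doubled.fullmatch(addr))}
```

`verify(["103.21.244.0/22", "103.22.200.0/22"])` returns `(True, [])`, and `pitfall_matches()` returns `False` for both patterns.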
