All clear. I apologize, I was in fact not masking the backslashes, I did a wrong copy paste from the pattern I was using in my test.

I tested the following 2 patterns:

^103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))

Regards,
Harrie

On 5 January 2018 at 14:46, Felix Schumacher <felix.schumac...@internetallee.de> wrote:

> On 05.01.2018 at 09:47, Harrie Robins wrote:
>
>> Hi Mark,
>>
>> Our tomcat application servers are fronted by 1. cloudflare, and 2. amazon
>> load balancer.
>> In apache there is mod_remoteip and I can simply put in CIDR range:
>> https://www.cloudflare.com/ips/ that will swallow all those IPs and will
>> get the correct IP to tomcat.
>>
>> In Tomcat I need
>> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>> which does not accept CIDR range however. I wrote a regex to match all the
>> addresses and it works, it's matching way too many addresses however so I
>> rewrote the pattern. My new pattern is not functioning however, so I
>> tested the pattern in a small application.
>>
>> In my test I made a list of all addresses in this range:
>>
>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>
> If you configure the valve through the internalProxies attribute, you are
> using 'real' strings and don't need to mask the backslashes as you would
> have to do with java strings.
>
> When you look at the documentation, you will find no double backslashes
> there.
>
> And regarding the usage of the anchors '^' and '$'. They are not needed,
> either. Tomcat will use match instead of find and thus they are implicitly
> added.
>
> Regards,
> Felix
>
>> I matched all these addresses and it works.
>> When I set in tomcat however it does not, I have no understanding why not?
>>
>> Hope you understand what I am trying to do.
>>
>> thanks
>>
>> On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:
>>
>>> On 02/01/18 09:50, Harrie Robins wrote:
>>>
>>>> I'm still having problems with matching my pattern.
>>>>
>>>> Right now I'm feeding the following to internalProxies:
>>>>
>>>> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>>>
>>>> I created a list of all involved IP addresses and matched those IP
>>>> addresses:
>>>>
>>>> java.util.regex.Matcher / java.util.regex.Pattern, please see
>>>> https://pastebin.com/Lija7n9k
>>>>
>>>> All addresses from the list I created are matching, just not in tomcat.
>>>
>>> What is the value of the remote IP address that is failing to match? You
>>> might want to look at writing a short custom Valve to log that and
>>> insert it into the Pipeline ahead of the RemoteIpValve.
>>>
>>> Another option would be to simply remove the RemoteIpValve and write a
>>> simple servlet that logs the remote IP.
>>>
>>> Mark
>>>
>>>> Regards,
>>>>
>>>> Harrie
>>>>
>>>> -----Original Message-----
>>>> From: Harrie Robins [mailto:har...@eyequestion.nl]
>>>> Sent: 21 December 2017 09:55
>>>> To: 'Tomcat Users List' <users@tomcat.apache.org>
>>>> Subject: RE: internalProxies regex
>>>>
>>>> This makes perfect sense.
>>>> I tested my regex, just against wrong engine.
>>>>
>>>> Thanks for pointing me in the right direction
>>>>
>>>> -----Original Message-----
>>>> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
>>>> Sent: 20 December 2017 15:19
>>>> To: Tomcat Users List <users@tomcat.apache.org>
>>>> Subject: Re: internalProxies regex
>>>>
>>>> 2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
>>>>
>>>>> Hello everyone,
>>>>>
>>>>> I have a question about the remoteipvalve in tomcat 8.5:
>>>>> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>>>>>
>>>>> internalProxies
>>>>>
>>>>> Regular expression that matches the IP addresses of internal proxies.
>>>>> If they appear in the remoteIpHeader value, they will be trusted and
>>>>> will not appear in the proxiesHeader value
>>>>>
>>>>> RemoteIPInternalProxy
>>>>>
>>>>> Regular expression (in the syntax supported by java.util.regex)
>>>>>
>>>>> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
>>>>>
>>>>> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are
>>>>> allowed.
>>>>>
>>>>> I need to convert some CIDR ranges to regex:
>>>>>
>>>>> my concern is that /d{1,3} will match too many (non-existent) addresses
>>>>>
>>>>> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
>>>>>
>>>>> So I re-wrote using capture groups, below does not function however,
>>>>> and I assume it is due to OR (|) which tomcat will effectively see as a
>>>>> new entry?
>>>>> So I tried escaping, but I cannot get it to work:
>>>>>
>>>>> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))
>>>>
>>>> Your assumption that "tomcat will effectively see as a new entry" is
>>>> wrong.
>>>>
>>>> The string is used as a whole to initialize a java.util.regex.Pattern().
>>>> Tomcat does not split it.
>>>>
>>>> You may write a simple program / junit test to test how
>>>> java.util.regex.Pattern() processes your value. Or you may run Tomcat
>>>> with debugger,
>>>>
>>>> https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>>>> https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario
>>>>
>>>> AFAIK, '\|' in a regular expression will be interpreted as expecting
>>>> literal '|' character in the matched string. No IP address has this
>>>> character so none will match.
>>>>
>>>> Best regards,
>>>> Konstantin Kolinko
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
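
The points raised in this thread (single backslashes in the attribute value, anchors being redundant under a whole-string match, and `\|` meaning a literal pipe) can be checked directly against java.util.regex. This is an added example, not code from the thread or from Tomcat; the class name InternalProxiesCheck, the helper countMatches and the constructed test addresses are assumptions.

```java
import java.util.regex.Pattern;

public class InternalProxiesCheck {
    // Patterns from the thread. In Java source each regex backslash is doubled;
    // the internalProxies attribute in server.xml takes the single-backslash text.
    static final String OCTET = "([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))";
    static final String A = "103\\.21\\.(2(4[4-7]))\\.";
    static final String B = "103\\.22\\.(2(0[0-3]))\\.";

    // Count the addresses in 103.21.0.0/16 and 103.22.0.0/16 (constructed test set)
    // that the regex accepts with matches(), i.e. a whole-string match.
    static int countMatches(String regex) {
        Pattern p = Pattern.compile(regex);
        int hits = 0;
        for (int second = 21; second <= 22; second++)
            for (int third = 0; third <= 255; third++)
                for (int fourth = 0; fourth <= 255; fourth++)
                    if (p.matcher("103." + second + "." + third + "." + fourth).matches())
                        hits++;
        return hits;
    }

    public static void main(String[] args) {
        String plain = A + OCTET + "|" + B + OCTET;                   // no anchors
        String anchored = "^" + A + OCTET + "$|^" + B + OCTET + "$";  // explicit ^...$
        String doubled = plain.replace("\\", "\\\\");                 // \\. reaches the regex engine
        String escOctet = OCTET.replace("|", "\\|");                  // inner | written as \|
        String escapedPipe = A + escOctet + "|" + B + escOctet;

        int expected = 2 * 4 * 256; // two /22 blocks: 103.21.244-247.x and 103.22.200-203.x
        System.out.println("addresses in both blocks: " + expected);
        System.out.println("plain:        " + countMatches(plain));
        System.out.println("anchored:     " + countMatches(anchored));
        System.out.println("doubled \\\\:   " + countMatches(doubled));
        System.out.println("escaped \\|:   " + countMatches(escapedPipe));

        // matches() vs find() on a constructed string with extra characters around an address
        Pattern p = Pattern.compile(plain);
        String padded = "x103.21.244.1x";
        System.out.println("find:    " + p.matcher(padded).find());
        System.out.println("matches: " + p.matcher(padded).matches());
    }
}
```

The plain and anchored forms accept exactly the addresses of the two blocks, while the doubled-backslash and `\|` forms accept none, because both require a character (a backslash or a pipe) that no IP address contains.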