we've setup a Tomcat instance to answer on HTTP and port 8080 to requests from 
the intranet and HTTPS with port 8445 to external requests. When we use HTTPS 
and port 8445 from the intranet, our firewall will redirect the request, but 
without changing protocol or port. Tomcat answers to every request from the 
intranet using either HTTP/8080 or HTTPS/8445, but every external request is 
denied with 403 and we have no clue why.

The server.xml is just modified by adding an additional connector for HTTPS and 
an a valve to restrict the access to 8445 for external addresses:

 <Service name="Catalina">
   <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
   <Connector port="8445"
     maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
       <Certificate certificateKeystoreFile="conf/cert-with-chain.p12"
         certificateKeystorePassword="password" />
   <Connector port="8009" protocol="AJP/1.3" redirectPort="8445" />
   <Engine name="Catalina" defaultHost="localhost">
     <Realm className="org.apache.catalina.realm.LockOutRealm">
       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
     <Host name="localhost"  appBase="webapps"
       unpackWARs="true" autoDeploy="true">
       <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="localhost_access_log" suffix=".txt"
         pattern="%h:%{local}p %{Host}i %l %u %t &quot;%r&quot; %s %b %S" />
       <Valve className="org.apache.catalina.valves.RemoteAddrValve"

We get the following 3 entries in our access log:

============ %< ======== sub.intranet.local:8080 - - [28/Aug/2019:10:54:11 +0200] 
"GET /app/ping HTTP/1.1" 200 1525 - sub.domain.demo:8445 - - [28/Aug/2019:10:53:57 +0200] "GET /
app/ping HTTP/1.1" 200 1537 -
111.222.333.444:8445 sub.domain.demo:8445 - - [28/Aug/2019:10:53:26 +0200] 
"GET /app/ping HTTP/1.1" 403 983 -
============ %< ========

First two requests were from within the intranet:

However, if we make the latter request from external, we're denied although 
the regex of the RemoteAddrValve matches.

We searched now for hours in the Tomcat documentation, FAQ and Google, but we 
found neither an explanation for the behavior nor how we can enable further 
diagnostics for this denial.


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to