Re: Strangest thing I've ever seen: Manager doesn't like its allow clause.

Wed, 12 Nov 2025 07:18:32 -0800 

Chuck,

On 11/11/25 9:20 PM, Chuck Caldarale wrote:



On 2025 Nov 11, at 19:05, James H. H. Lampert 
<[email protected]> wrote:

I've updated a customer box from 9.0.106 to 9.0.111, and I'm getting a weird 
error that's keeping Manager from coming up.


11-Nov-2025 18:44:59.637 SEVERE [main] 
org.apache.catalina.valves.RemoteCIDRValve.setAllow 
127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|65.76.160.206|68.4.199.145: The address 
[127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|65.76.160.206|68.4.199.145] is not valid


The address string in the allow clause of the RemoteCIDRValve in 
manager/META-INF/context.xml is exactly the same as what it was in their 106 
server, and very nearly identical to one in a working 111 environment, and yet 
it's getting rejected.

Any ideas of what could be the matter?



AFAICT from a brief perusal of the code, the RemoteCIDRValve only supports 
regex for the optional port numbers; IP addresses must use just comma-separated 
CIDR notation. (The RemoteAddrValve does use regex for IP addresses, but it has 
been deprecated in favor of the CIDR one.) The documentation is not terribly 
clear about this.



Agreed: the port-matching uses regular expressions and is totally 
undocumented.


The CIRD format is normal except for the totally-weird port matching:

127.0.0.1/32;^1*


This would match any connection coming from localhost with a port number 
starting with a 1. I'm not sure why port-matching requires regular 
expressions, because you could just use multiple CIDR "patterns" each 
with a separate port number. I guess maybe for just numbers of explicit 
ports?



I think your allow expression should be something like 
“127.0.0.0/8,::1,0:0:0:0:0:0:0:1,65.76.160.206,68.4.199.145”. (The two IPv6 
entries appear to be functionally identical, so one could likely be removed.)



Correct. Assuming you don't care about port numbers, just use a 
comma-separated list of CIDR addresses. Since you are using specific 
IPs, the /32 for IPv4 is implied and you can leave it out. If you want 
to make it SUPER CLEAR that the items are CIDR expressions, maybe you 
want to add the /32 (or /128) at the end.


-chris


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]























					Reply via email to