Thanks Christopher!

> On Apr 4, 2024, at 10:20 PM, Christopher Schultz 
> <ch...@christopherschultz.net> wrote:
> 
> Eric,
> 
>> On 4/4/24 13:43, Eric Fetzer wrote:
>> Hi All,
>> When I originally set up my tomcat instance, I added the following to allow
>> manager access under /opt/tomcat/webapps/manager/META-INF/context.xml:
>> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*" />
>> That worked wonderfully.  Now I'm trying to add another IP range by
>> changing it to:
>> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*|2.4.6.*" />
>> This is not working.  I tried to use 2\.4\.6\.\d+ as well but that didn't
>> work either.  I've verified I can get to port 8080 from the IP locations.
>> Any idea what I'm doing wrong or do you have a means to troubleshoot this?
> 
> I'm glad you are reporting that the issue is elsewhere and not a problem with 
> your use of RemoteAddrValve.
> 
> But I'd like to point out that since these are regular expressions, your 
> specific use of them can lead to unintended consequences. For example:
> 
> 1.3.5.*
> 
> This will allow anyone from 1.3.5.1 or 1.3.5.99 or 1.3.5.254. That's probably 
> fine. But it will also allow anybody from 103.50.99.24 as well. That probably 
> wasn't intended.
> 
> Changing it to the properly-escaped 1\.3\.5 but also trailing \..* (note 
> there are two periods there) really means 1.3.5.whatever.
> 
> Using \d isn't strictly necessary but it does make it clear that you aren't 
> expecting non-digits e.g. hostnames.
> 
> As you mentioned elsewhere in this thread, you thought it was "tomcat 
> language". When it comes to security controls, /please read the 
> documentation/ because knowing that it is a regular expression and not a 
> "tomcat language" can mean the difference between configuring a security 
> control properly or improperly.
> 
> -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
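
The over-matching described in the reply above can be checked offline. This is an added example, not code from the thread or from Tomcat: it uses Python's `re.fullmatch` as a stand-in for the valve's whole-address `java.util.regex` match, and the escaped pattern and the sample addresses are constructed here from the reply's advice.

```python
import re

# Allow list quoted in the thread (unescaped dots in the last two branches).
ORIGINAL = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*|2.4.6.*"
# Constructed variant following the reply's advice: escaped dots, \d for octets.
ESCAPED = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1\.3\.5\.\d+|2\.4\.6\.\d+"

# Constructed samples: (client address, is it inside the ranges the admin meant?)
SAMPLES = [
    ("127.0.0.1", True),
    ("::1", True),
    ("1.3.5.1", True),
    ("1.3.5.254", True),
    ("2.4.6.17", True),
    ("103.50.99.24", False),  # the address named in the reply
    ("1.3.50.7", False),
    ("204.65.1.9", False),
    ("10.0.0.5", False),
]


def allowed(pattern, addr):
    """True if the whole address matches the allow expression."""
    # re.ASCII keeps \d to 0-9, matching java.util.regex's default behaviour.
    return re.fullmatch(pattern, addr, flags=re.ASCII) is not None


def unintended(pattern, samples=SAMPLES):
    """Addresses the expression admits although they are outside the intent."""
    return [a for a, wanted in samples if allowed(pattern, a) and not wanted]


def missed(pattern, samples=SAMPLES):
    """Intended addresses the expression would reject."""
    return [a for a, wanted in samples if wanted and not allowed(pattern, a)]


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("escaped", ESCAPED)):
        print(f"{name}: unintended={unintended(pat)} missed={missed(pat)}")
```

Running the same sample list through any edited `allow` value before deploying it shows both over-matching and accidental lockouts.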

