Re: org.apache.catalina.valves.RemoteAddrValve
Thanks Christopher! Sent from my iPhone > On Apr 4, 2024, at 10:20 PM, Christopher Schultz > wrote: > > Eric, > >> On 4/4/24 13:43, Eric Fetzer wrote: >> Hi All, >> When I originally set up my tomcat instance, I added the following to allow >> manager access under /opt/tomcat/webapps/manager/META-INF/context.xml: >> > allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*" /> >> That worked wonderfully. Now I'm trying to add another IP range by >> changing it to: >> > allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*|2.4.6.*" /> >> This is not working. I tried to use 2\.4\.6\.\d+ as well but that didn't >> work either. I've verified I can get to port 8080 from the IP locations. >> Any idea what I'm doing wrong or do you have a means to troubleshoot this? > > I'm glad you are reporting that the issue is elsewhere and not a problem with > your use of RemoteAddrValve. > > But I'd like to point out that since these are regular expressions, your > specific use of them can lead to unintended consequences. For example: > > 1.3.5.* > > This will allow anyone from 1.3.5.1 or 1.3.5.99 or 1.3.5.254. That's probably > fine. But it will also allow anybody from 103.50.99.24 as well. That probably > wasn't intended. > > Changing it to the properly-escaped 1\.3\.5 but also trailing \..* (note > there are two periods there) really means 1.3.5.whatever. > > Using \d isn't strictly necessary but it does make it clear that you aren't > expecting non-digits e.g. hostnames. > > As you mentioned elsewhere in this thread, you thought it was "tomcat > language". When it comes to security controls, /please read the > documentation/ because knowing that it is a regular expression and not a > "tomcat language" can mean the difference between configuring a security > control properly or improperly. > > -chris > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [External] org.apache.catalina.valves.RemoteAddrValve
LOL, I'm decent at regex Robert. I got the \d+ from what ships in the context.xml: 127\.\d+\.\d+\.\d+ It looks like an attempt at saying localhost can get in as long as the localhost IP starts with 127. I assumed it wasn't actually regex but some "tomcat language"... Thanks for the education! I'll jump back on here if things don't work on the other side of the firewall... On Thu, Apr 4, 2024 at 12:11 PM Robert Egan wrote: > You need to read up on "regular expressions" (or "regex"). > > In a regular expression, a lowercase "d" is a single decimal digit. A "+" > means one or more of them. A period means ANY character (which is why you > have to escape it when you mean "period"). A backward slash means to treat > the character immediately after it normally and not as a special character. > So "\d" would mean the literal letter "d". > > There's more rules, but they're well documented all over the internet, so I > won't elaborate. > > Robert Egan > > > On Thu, Apr 4, 2024 at 2:01 PM Eric Fetzer wrote: > > > Thanks for the quick response Robert! So I tried escaping the periods > and > > putting the \d+ for the * but it didn't work. Is the \d+ incorrect in > > substitution for *? > > > > On Thu, Apr 4, 2024 at 11:53 AM Robert Egan > > wrote: > > > > > It looks like you need to escape your periods, like you did for 127\. > > > etc... > > > 1\.3\.5 > > > Robert Egan > > > > > > On Thu, Apr 4, 2024 at 1:44 PM Eric Fetzer > > wrote: > > > > > > > Hi All, > > > > > > > > When I originally set up my tomcat instance, I added the following to > > > allow > > > > manager access under > /opt/tomcat/webapps/manager/META-INF/context.xml: > > > > > > > > > > > allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*" /> > > > > > > > > That worked wonderfully. Now I'm trying to add another IP range by > > > > changing it to: > > > > > > > > > > > > allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*|2.4.6.*" > > > /> > > > > > > > > This is not working. I tried to use 2\.4\.6\.\d+ as well but that > > didn't > > > > work either. I've verified I can get to port 8080 from the IP > > locations. > > > > Any idea what I'm doing wrong or do you have a means to troubleshoot > > > this? > > > > > > > > Thanks, > > > > Eric > > > > > > > > > >
Re: [External] org.apache.catalina.valves.RemoteAddrValve
Sorry folks (Robert), but upon further testing, it looks like port 8080 isn't open on these IP's. I was mistaking the attempt to connect from my curl command with a response. I withdrawal my question for now. I'll reply to this thread if it doesn't work once the hole in the firewall is carved properly. Thanks! On Thu, Apr 4, 2024 at 11:58 AM Eric Fetzer wrote: > Thanks for the quick response Robert! So I tried escaping the periods and > putting the \d+ for the * but it didn't work. Is the \d+ incorrect in > substitution for *? > > On Thu, Apr 4, 2024 at 11:53 AM Robert Egan > wrote: > >> It looks like you need to escape your periods, like you did for 127\. >> etc... >> 1\.3\.5 >> Robert Egan >> >> On Thu, Apr 4, 2024 at 1:44 PM Eric Fetzer wrote: >> >> > Hi All, >> > >> > When I originally set up my tomcat instance, I added the following to >> allow >> > manager access under /opt/tomcat/webapps/manager/META-INF/context.xml: >> > >> > > > allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*" /> >> > >> > That worked wonderfully. Now I'm trying to add another IP range by >> > changing it to: >> > >> > > > allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*|2.4.6.*" >> /> >> > >> > This is not working. I tried to use 2\.4\.6\.\d+ as well but that >> didn't >> > work either. I've verified I can get to port 8080 from the IP >> locations. >> > Any idea what I'm doing wrong or do you have a means to troubleshoot >> this? >> > >> > Thanks, >> > Eric >> > >> >
Re: [External] org.apache.catalina.valves.RemoteAddrValve
Thanks for the quick response Robert! So I tried escaping the periods and putting the \d+ for the * but it didn't work. Is the \d+ incorrect in substitution for *? On Thu, Apr 4, 2024 at 11:53 AM Robert Egan wrote: > It looks like you need to escape your periods, like you did for 127\. > etc... > 1\.3\.5 > Robert Egan > > On Thu, Apr 4, 2024 at 1:44 PM Eric Fetzer wrote: > > > Hi All, > > > > When I originally set up my tomcat instance, I added the following to > allow > > manager access under /opt/tomcat/webapps/manager/META-INF/context.xml: > > > > > allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*" /> > > > > That worked wonderfully. Now I'm trying to add another IP range by > > changing it to: > > > > > allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|1.3.5.*|2.4.6.*" > /> > > > > This is not working. I tried to use 2\.4\.6\.\d+ as well but that didn't > > work either. I've verified I can get to port 8080 from the IP locations. > > Any idea what I'm doing wrong or do you have a means to troubleshoot > this? > > > > Thanks, > > Eric > > >
org.apache.catalina.valves.RemoteAddrValve
Hi All, When I originally set up my tomcat instance, I added the following to allow manager access under /opt/tomcat/webapps/manager/META-INF/context.xml: That worked wonderfully. Now I'm trying to add another IP range by changing it to: This is not working. I tried to use 2\.4\.6\.\d+ as well but that didn't work either. I've verified I can get to port 8080 from the IP locations. Any idea what I'm doing wrong or do you have a means to troubleshoot this? Thanks, Eric
