will still add the IP of the spoofer in the
> beginning of the list.
>
> This may not be the general case for proxies, it is only for this case.
>
> E
>
> -----Original Message-----
> From: Cyrille Le Clerc [mailto:clecl...@xebia.fr]
> Sent: Thursday, October 08, 2009 1:04 AM
ng of the list.
>
> This may not be the general case for proxies, it is only for this case.
>
> E
>
> -Original Message-
> From: Cyrille Le Clerc [mailto:clecl...@xebia.fr]
> Sent: Thursday, October 08, 2009 1:04 AM
> To: Tomcat Users List
> Subject: Re: Cannot set remote
list.
This may not be the general case for proxies, it is only for this case.
E
-Original Message-
From: Cyrille Le Clerc [mailto:clecl...@xebia.fr]
Sent: Thursday, October 08, 2009 1:04 AM
To: Tomcat Users List
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
Hello Elli
Hello,
I updated issue 47330 " proposal : port of mod_remoteip in Tomcat
as RemoteIpValve" to link to a Servlet Filter implementation of
mod_remoteip called XForwardedFilter. As detailed in the comment,
XForwardedFilter.java copyright may not fit the Apache Software
Foundation requirements a
Hello Christopher,
> > An idea to mitigate this risk is to ask the network team to remove
> > some http headers at the entry of the platform (x-forwarded-for,
> > x-forwarded-proto, x-forwarded-... )
>
> This makes a lot of sense, except that there might be some legitimate
> proxies in the path t
Cyrille,
On 10/9/2009 9:16 AM, Cyrille Le Clerc wrote:
> An idea to mitigate this risk is to ask the network team to remove
> some http headers at the entry of the platform (x-forwarded-for,
> x-forwarded-proto, x-forwarded-... )
This makes a lot of
Hello Christopher,
> > I am afraid there may be a flaw in the algorithm looking for the
> > first IP of the comma delimited x-forwarded-for header without
> > ensuring that this first IP has been set by a trusted proxy and not by
> > the requester ( getFirstIP(xforwardedForHeaderValue) ). Su
Cyrille,
On 10/8/2009 4:03 AM, Cyrille Le Clerc wrote:
> I am afraid there may be a flaw in the algorithm looking for the
> first IP of the comma delimited x-forwarded-for header without
> ensuring that this first IP has been set by a trusted proxy
Hello Elli,
I am afraid there may be a flaw in the algorithm looking for the
first IP of the comma delimited x-forwarded-for header without
ensuring that this first IP has been set by a trusted proxy and not by
the requester ( getFirstIP(xforwardedForHeaderValue) ). Such spoofing
can easily
I know I'm late in this discussion. Besides the very good mentioning of
mod_remoteip, RemoteIpValve and XForwardedFilter I guess there's a way
of doing it in case you are using mod_jk.
mod_jk (and mod_proxy_ajp) use the AJP protocol between the web server
and the backend, e.g. Tomcat. This protoco
Hi,
We can add the header to the custom valves, but then in addition we have to
change a few log file configurations, create a servlet filter and maybe
something else I can't think of now. Basically doing the same thing a few
times and keeping track of all the places that depend on the header. Idea
ltz
> To: Tomcat Users List
> Sent: Fri, 2 Oct 2009 07:32:06 -0700 (PDT)
> Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
>
>
> >> 2. There are other valves like request filters that cannot work without the
> >> correct IP, as well as custom login val
the spec as an
interface.
E
- Original Message -
From: Tim Funk
To: Tomcat Users List
Sent: Fri, 2 Oct 2009 07:46:14 -0700 (PDT)
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
Context filters are executed before webapp filters. I believe (but not
confirmed) that valves
- Original Message -
From: Christopher Schultz
To: Tomcat Users List
Sent: Fri, 2 Oct 2009 07:32:06 -0700 (PDT)
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
>> 2. There are other valves like request filters that cannot work without the
>> correct IP, as we
Christopher Schultz wrote:
> Mark,
>
> On 10/2/2009 10:45 AM, Mark Thomas wrote:
>> Christopher Schultz wrote:
>
> 2. There are other valves like request filters that cannot work without
> the
> correct IP, as well as custom login valve.
Filters should be OK providing they are d
Mark,
On 10/2/2009 10:45 AM, Mark Thomas wrote:
> Christopher Schultz wrote:
>
2. There are other valves like request filters that cannot work without the
correct IP, as well as custom login valve.
>>> Filters should be OK providing they ar
My bad - by context filter I meant to say the web.xml as found in
$CATALINA_HOME/conf/web.xml
There is nothing contexty about it
-Tim
Caldarale, Charles R wrote:
From: Tim Funk [mailto:funk...@apache.org]
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
Context filters are
> From: Tim Funk [mailto:funk...@apache.org]
> Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
>
> Context filters are executed before webapp filters.
I'll bite: what's the difference between a "context filter" and a "webapp
filter"?
Context filters are executed before webapp filters. I believe (but not
confirmed) that valves execute before the filters.
-Tim
Christopher Schultz wrote:
Mark,
On 10/2/2009 5:55 AM, Mark Thomas wrote:
Elli Albek wrote:
A few reasons why not to
Christopher Schultz wrote:
> Mark,
>
> On 10/2/2009 5:55 AM, Mark Thomas wrote:
>> Elli Albek wrote:
>>> A few reasons why not to do this as a servlet filter:
>>>
>>> 1. There are many web apps on the server and I don't want to include the
>>> filter in each.
>> You don't have to. Configure it in
Mark,
On 10/2/2009 5:55 AM, Mark Thomas wrote:
> Elli Albek wrote:
>> A few reasons why not to do this as a servlet filter:
>>
>> 1. There are many web apps on the server and I don't want to include the
>> filter in each.
>
> You don't have to. Config
Elli,
On 10/2/2009 4:41 AM, Elli Albek wrote:
> Yes, the remoteAddress member is protected. So you can only access it if you
> put your class in the same package.
>
> I thought of doing it like a filter (wrapping) but it does not look like a
> workab
Elli Albek wrote:
> A few reasons why not to do this as a servlet filter:
>
> 1. There are many web apps on the server and I don't want to include the
> filter in each.
You don't have to. Configure it in the global web.xml.
> 2. There are other valves like request filters that cannot work without
A few reasons why not to do this as a servlet filter:
1. There are many web apps on the server and I don't want to include the
filter in each.
2. There are other valves like request filters that cannot work without the
correct IP, as well as custom login valve.
3. We have a few environments and I
Cannot set remote address in valve (Tomcat 5.5)
Elli,
On 9/27/2009 12:19 AM, Elli Albek wrote:
> public void setRemoteAddr(String remoteAddr) {
> // Not used
> }
>
> The variable is protected so I cannot access it dir
Elli,
On 9/27/2009 12:19 AM, Elli Albek wrote:
> public void setRemoteAddr(String remoteAddr) {
> // Not used
> }
>
> The variable is protected so I cannot access it directly from my code.
What variable? The remoteAddress member?
>
Elli Albek wrote:
> Hi,
> We have Tomcat behind a load balancer. The servlet API and tomcat libraries
> see the load balancer IP as the client IP.
>
> I tried to write a simple valve which will extract the IP from HTTP header
> X-Forwarded-For
> and continue the valve chain using this IP as the cl
homas
To: Tomcat Users List
Sent: Sun, 27 Sep 2009 02:13:49 -0700 (PDT)
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
https://issues.apache.org/bugzilla/show_bug.cgi?id=47330 is on the todo
list but my current plan is to implement it as a Filter rather than a valve.
What is the
Elli Albek wrote:
> Hi,
> We have Tomcat behind a load balancer. The servlet API and tomcat libraries
> see the load balancer IP as the client IP.
>
> I tried to write a simple valve which will extract the IP from HTTP header
> X-Forwarded-For
> and continue the valve chain using this IP as the c
29 matches