On 27.02.2018 09:29, Vasantharaju Trichy wrote:
> Tomcat version 7.0.82 | Windows
>
> We have a requirement such that admins (Tomcat users) need to log in remotely to the machine where Tomcat is hosted and access the Tomcat webapp to perform certain actions or see certain pages. These pages or actions are not permitted if users log in remotely.
>
> Initially I thought *request.getRemoteAddr* could be used to determine whether the actual client IP is local or not, but it looks like, based on the *X-Forwarded-For* header, it is easy to spoof *request.getRemoteAddr*. The spoofing is possible even from trusted internal proxies.
There are two aspects that I don't understand in this paragraph:

* "Spoofing is possible even from trusted internal proxies". Well, you trust them, do you? Then they probably have a point in spoofing
* What's your problem with getRemoteAddr?

getRemoteAddr will give you the address that this request originates from. If you have a proxy running on the same machine, using http or https to proxy your traffic: *That's* your originator, by definition. Using http/https in forwards indeed requires you to utilize X-Forwarded-For.

And your proxy should drop any such header that it receives from outside, replacing it by its own. If you don't trust your proxy: Why are you running all traffic through it? Stop using it. Add firewall rules, so that only your proxy can connect to Tomcat.
> So I thought *request.getServerName* was more reliable than *request.getRemoteAddr*. But the *HOST* header can be spoofed, and it is reflected in *request.getServerName*. Strangely, Tomcat honors the HOST header to update *request.getServerName*.
Tomcat needs to. You can connect to an arbitrary address and let it know, in the HOST header, which virtual host you're actually aiming at. This greatly extended the lifetime of IPv4. HOST and getServerName are meant for virtual host resolution, not for implementing what you intend to.
> I strongly feel this is a Tomcat issue. Or let us know how we can reliably determine whether the request originated locally, or whether this is something that is not possible.
Nope, it's not. Your options are:
* Run your proxy on another machine, and have your admins directly
connect to Tomcat
* Stop using your proxy, as you don't trust it
* Change the communication between proxy and tomcat to AJP (which will
forward the originating remoteAddr)
I might have missed one or more other options, but I'm sure that others
will happily add them here.
Olaf
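The point made above, that the authorization decision has to rest on the socket peer (getRemoteAddr) and never on client-supplied headers such as X-Forwarded-For or Host, as an added example that is not part of the thread. It assumes a servlet filter mapped in web.xml to the admin URLs (say `/admin/*`); the class name `LocalOnlyAdminFilter` and the list of local peers are assumptions for illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not from the thread): denies the mapped URLs unless the
 * TCP peer of the connection is the Tomcat host itself.
 *
 * The decision looks only at getRemoteAddr(), i.e. the socket peer. It reads
 * X-Forwarded-For and Host purely for logging, never for the decision: both are
 * ordinary request headers chosen by whoever sent the request, so they are only
 * as trustworthy as the proxy that is supposed to have rewritten them.
 */
public class LocalOnlyAdminFilter implements Filter {

    // Peers that count as "local" (constructed list; adjust to the deployment).
    private static final Set<String> LOCAL_PEERS = new HashSet<String>(
            Arrays.asList("127.0.0.1", "::1", "0:0:0:0:0:0:0:1"));

    @Override
    public void init(FilterConfig config) throws ServletException {
        // nothing to configure in this example
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isLocalPeer(request.getRemoteAddr())) {
            // Headers are logged for forensics only; they played no part in the decision.
            request.getServletContext().log("admin page denied: peer=" + request.getRemoteAddr()
                    + " xff=" + request.getHeader("X-Forwarded-For")
                    + " host=" + request.getHeader("Host"));
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * True only when the address is a loopback address or one of LOCAL_PEERS.
     * If a reverse proxy runs on this same machine, every proxied request has a
     * loopback peer and this test cannot tell an admin from the internet; that is
     * exactly the situation described in the reply, and it is fixed by moving the
     * proxy, firewalling Tomcat, or forwarding the peer address via AJP, not by
     * reading headers here.
     */
    static boolean isLocalPeer(String peer) {
        if (peer == null) {
            return false;
        }
        if (LOCAL_PEERS.contains(peer)) {
            return true;
        }
        try {
            // getRemoteAddr() returns an IP literal, so no DNS lookup happens here.
            return InetAddress.getByName(peer).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;   // not a parseable literal address: treat as remote
        }
    }
}
```

One caveat worth keeping in mind when deploying this: if Tomcat's RemoteIpValve or RemoteIpFilter is enabled, getRemoteAddr() is already rewritten from X-Forwarded-For for peers listed in its internalProxies, so the check then trusts whatever those proxies forward. That matches the reply's condition: the header is only usable if the proxy strips any copy arriving from outside and nothing but the proxy can reach Tomcat.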