Miklos,

On 5/28/13 7:19 PM, Miklos Espak wrote:
>> Note that the "allow" and "deny" attributes are regular
>> expressions, so you can get as creative as possible. There was a
>> request a while back for a filter/valve that would operate on
>> CIDR ranges... I don't think that ever got committed. A quick BZ
>> search didn't find anything. It must have been on the mailing
>> list.
>>
>
> The CIDR format would be more natural for the address filtering,
> but I could express the range with a regex, so this is not the
> problem.

Yeah, regexps will work of course, but CIDR is certainly much more
standard.

>> Combining the valves using OR is not really possible as you
>> describe it. Tomcat doesn't have anything like Apache httpd's
>> "RequireAny". You could easily write a new Valve that extends one
>> or the other valve and implements its own OR semantics.
>>
>
> Do I have to modify the tomcat sources for this, or could I keep my
> code in a separate library? I would like to avoid maintaining a
> patch for this and rebuilding tomcat after an upgrade. I do not
> know the tomcat API.

You could keep this in a separate library -- just make sure that you
put it into Tomcat's lib/ directory. You will not have to modify
Tomcat sources per se, but you'll be stealing some source from Tomcat
and then maintaining it yourself. It's honestly not that much code.

It might be fun to create some combinations of these "allow"-type
filters that more closely match some of the stuff that httpd can do.

> Maybe it would be easier to install an apache httpd that directs
> the http/https ports to tomcat and configure this in the httpd
> config?

It will certainly be easier in that you will only have to configure
things and not have to write any software. But adding another service
component adds a layer of complexity you may not want to add.

Another option would be to use the url-rewrite filter[1] with
appropriate rules to whitelist your hostnames and/or IPs and reject
everything else.

> I tried to configure this in iptables as well, but that does not
> support domains as I saw.

iptables works strictly on IP addresses and won't work on hostnames.

-chris

[1] http://tuckey.org/urlrewrite/
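
The OR rule discussed in this thread (address in a CIDR range, or host name matching a regular expression), as an added example that is not part of the original message and is not Tomcat code. The class name `AddrOrHostPolicy` and the sample values are assumptions; a custom Valve kept in Tomcat's lib/ directory would call `allows(request.getRemoteAddr(), request.getRemoteHost())` from its `invoke` method and reject the request when it returns false.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

/** Hypothetical helper, not Tomcat code: allow if the address is in a CIDR block OR the host name matches. */
public class AddrOrHostPolicy {
    private final byte[] network;      // address bytes of the allowed CIDR block
    private final int prefixLen;       // number of leading bits that must match
    private final Pattern allowedHost; // applied to the whole host name
    public AddrOrHostPolicy(String cidr, String hostRegex) throws UnknownHostException {
        String[] parts = cidr.split("/");
        if (parts.length != 2) throw new IllegalArgumentException("expected address/prefix: " + cidr);
        // Give an IP literal here: getByName() then only parses it, with no DNS lookup.
        network = InetAddress.getByName(parts[0]).getAddress();
        prefixLen = Integer.parseInt(parts[1]);
        if (prefixLen < 0 || prefixLen > network.length * 8) throw new IllegalArgumentException("bad prefix: " + cidr);
        allowedHost = Pattern.compile(hostRegex, Pattern.CASE_INSENSITIVE);
    }

    boolean addressAllowed(String remoteAddr) {
        if (remoteAddr == null || remoteAddr.isEmpty()) return false; // "" would parse as loopback
        byte[] addr;
        try {
            addr = InetAddress.getByName(remoteAddr).getAddress();
        } catch (UnknownHostException e) {
            return false; // unparseable address: fail closed
        }
        if (addr.length != network.length) return false; // IPv4 rule vs IPv6 client, or the reverse
        for (int bit = 0; bit < prefixLen; bit++) {
            int mask = 0x80 >> (bit % 8);
            if ((addr[bit / 8] & mask) != (network[bit / 8] & mask)) return false;
        }
        return true;
    }

    /** OR semantics: passing either check is enough. matches() anchors the regex at both ends. */
    public boolean allows(String remoteAddr, String remoteHost) {
        return addressAllowed(remoteAddr)
            || (remoteHost != null && allowedHost.matcher(remoteHost).matches());
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample values: documentation address ranges and example.* names.
        AddrOrHostPolicy p = new AddrOrHostPolicy("192.0.2.0/24", "(.+\\.)?trusted\\.example\\.org");
        System.out.println(p.allows("192.0.2.77", "other.example.net"));                 // address in range
        System.out.println(p.allows("198.51.100.9", "build.trusted.example.org"));       // host name matches
        System.out.println(p.allows("198.51.100.9", "trusted.example.org.example.net")); // neither matches
    }
}
```

The host-name branch only sees a name when reverse lookups are enabled on the Connector (`enableLookups`); otherwise `getRemoteHost()` returns the IP address. That name comes from reverse DNS, which is controlled by whoever owns the address, so the CIDR rule is the stronger of the two checks.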