On 02/01/18 09:50, Harrie Robins wrote:
> I'm still having problems with matching my pattern.
> 
> Right now I'm feeding the following to internalProxies:
> 
> ^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
> 
> I created a list of all involved IP addresses and matched those IP addresses:
> 
> java.util.regex.Matcher / java.util.regex.Pattern, please see 
> https://pastebin.com/Lija7n9k 
> 
> All addresses from the list I created are matching, just not in tomcat.

What is the value of the remote IP address that is failing to match? You
might want to look at writing a short custom Valve to log that and
insert it into the Pipeline ahead of the RemoteIpValve.

Another option would be to simply remove the RemoteIpValve and write a
simple servlet that logs the remote IP.

Mark

> 
> Regards,
> 
> Harrie
> 
> -----Original message-----
> From: Harrie Robins [mailto:har...@eyequestion.nl] 
> Sent: 21 December 2017 09:55
> To: 'Tomcat Users List' <users@tomcat.apache.org>
> Subject: RE: internalProxies regex
> 
> This makes perfect sense.
> I tested my regex, just against the wrong engine.
> 
> Thanks for pointing me in the right direction.
> 
> -----Original message-----
> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
> Sent: 20 December 2017 15:19
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: internalProxies regex
> 
> 2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
>> Hello everyone,
>>
>>
>>
>> I have a question about the remoteipvalve in tomcat 8.5:
>> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>>
>>
>>
>>
>> internalProxies
>>
>> Regular expression that matches the IP addresses of internal proxies. 
>> If they appear in the remoteIpHeader value, they will be trusted and 
>> will not appear in the proxiesHeader value
>>
>> RemoteIPInternalProxy
>>
>> Regular expression (in the syntax supported by java.util.regex)
>>
>> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
>> 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
>> 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
>> 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
>> By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.
>>
>>
>>
>> I need to convert some CIDR ranges to regex:
>>
>>
>> My concern is that /d{1,3} will match too many (non-existent) addresses:
>>
>> 103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
>>
>>
>>
>> So I rewrote it using capture groups. The version below does not function, however, 
>> and I assume it is due to the OR (|), which tomcat will effectively see as a new 
>> entry?
>> So I tried escaping, but I cannot get it to work:
>>
>> 103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))
> 
> Your assumption that "tomcat will effectively see as a new entry" is wrong.
> The string is used as a whole to initialize a java.util.regex.Pattern().
> Tomcat does not split it.
> 
> You may write a simple program / junit test to test how
> java.util.regex.Pattern() processes your value.  Or you may run Tomcat with a 
> debugger:
> 
> https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
> https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario
> 
> AFAIK, '\|' in a regular expression will be interpreted as expecting literal 
> '|' character in the matched string.  No IP address has this character so 
> none will match.
> 
> 
> 
> Best regards,
> Konstantin Kolinko
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
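
The kind of standalone test suggested in this thread, as an added example that is not code from any of the posters or from Tomcat: it compiles three spellings of the pattern discussed above with java.util.regex.Pattern and lists which sample addresses each one accepts. The class name and the sample addresses are constructed for illustration, and it assumes the attribute text reaches Pattern unchanged and that the whole address must match.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class InternalProxiesCheck {
    // Constructed sample addresses: the first four lie inside 103.21.244.0/22 or
    // 103.22.200.0/22, the last three lie just outside or are not valid IPv4.
    static final String[] SAMPLES = {
        "103.21.244.0", "103.21.247.255", "103.22.200.9", "103.22.203.17",
        "103.21.243.255", "103.22.204.0", "103.21.244.256"
    };

    // Compile the text exactly as given and list the samples it accepts.
    // Assumption: the whole address has to match, so matches() is used.
    static String accepted(String attributeValue) {
        Pattern p = Pattern.compile(attributeValue);
        StringBuilder sb = new StringBuilder();
        for (String ip : SAMPLES) {
            if (p.matcher(ip).matches()) sb.append(ip).append(' ');
        }
        return sb.length() == 0 ? "(none)" : sb.toString().trim();
    }

    public static void main(String[] args) {
        // A Java string literal needs "\\" to put ONE backslash into the regex text.
        String octet = "([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))";
        String a = "103\\.21\\.(2(4[4-7]))\\." + octet;
        String b = "103\\.22\\.(2(0[0-3]))\\." + octet;

        Map<String, String> variants = new LinkedHashMap<>();
        // Single backslashes in the regex text: \. is a literal dot.
        variants.put("single backslash", a + "|" + b);
        // Doubled backslashes in the regex text: \\ is a literal backslash,
        // and the following . then stands for any character.
        variants.put("doubled backslash",
                ("^" + a + "$|^" + b + "$").replace("\\", "\\\\"));
        // \| inside the octet group: each \| demands a literal '|' in the input.
        variants.put("escaped pipe",
                (a + "|" + b).replace(octet, octet.replace("|", "\\|")));

        for (Map.Entry<String, String> v : variants.entrySet()) {
            System.out.println(v.getKey() + ":\n  regex text: " + v.getValue()
                    + "\n  accepted:   " + accepted(v.getValue()));
        }
    }
}
```

The printed "regex text" line is what to compare character by character against the value in the valve configuration, since a pattern copied out of Java source carries an extra level of backslash escaping.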