On 02/01/18 09:50, Harrie Robins wrote:
I'm still having problems with matching my pattern.
Right now I'm feeding the following to internalProxies:
^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
I created a list of all involved IP addresses and matched those IP
addresses:
java.util.regex.Matcher / java.util.regex.Pattern, please see
https://pastebin.com/Lija7n9k
All addresses from the list I created are matching, just not in tomcat.
What is the value of the remote IP address that is failing to match? You
might want to look at writing a short custom Valve to log that and
insert it into the Pipeline ahead of the RemoteIpValve.
Another option would be to simply remove the RemoteIpValve and write a
simple servlet that logs the remote IP.
Mark
Regards,
Harrie
-----Original message-----
From: Harrie Robins [mailto:har...@eyequestion.nl]
Sent: 21 December 2017 09:55
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: RE: internalProxies regex
This makes perfect sense.
I tested my regex, just against the wrong engine.
Thanks for pointing me in the right direction.
-----Original message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 20 December 2017 15:19
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: internalProxies regex
2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:
Hello everyone,
I have a question about the remoteipvalve in tomcat 8.5:
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
internalProxies
Regular expression that matches the IP addresses of internal proxies.
If they appear in the remoteIpHeader value, they will be trusted and
will not appear in the proxiesHeader value
RemoteIPInternalProxy
Regular expression (in the syntax supported by java.util.regex)
10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are
allowed.
I need to convert some CIDR ranges to regex:
my concern is that /d{1,3} will match too many (non-existent) addresses
103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}
So I re-wrote using capture groups, below does not function however,
and I assume it is due to OR (|) which tomcat will effectively see as a
new entry?
So I tried escaping, but I cannot get it to work:
103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))
Your assumption that "tomcat will effectively see as a new entry" is
wrong.
The string is used as a whole to initialize a java.util.regex.Pattern().
Tomcat does not split it.
You may write a simple program / junit test to test how
java.util.regex.Pattern() processes your value. Or you may run Tomcat
with debugger,
https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario
AFAIK, '\|' in a regular expression will be interpreted as expecting
literal '|' character in the matched string. No IP address has this
character so none will match.
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
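
The "simple program" suggested in the thread, sketched here as an added example (not code from the thread or from Tomcat). It assumes the valve applies the attribute value as Pattern.compile(value).matcher(ip).matches(); the class name, the raw and ranges helpers and the sample addresses are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class InternalProxiesCheck {
    // '/' stands in for '\' so each literal below reads exactly as it would be
    // typed into the attribute, with no Java string-escaping layered on top.
    static String raw(String s) { return s.replace('/', '\\'); }

    // The two ranges from the thread (103.21.244-247.x and 103.22.200-203.x),
    // with the last-octet sub-pattern supplied by the caller.
    static String ranges(String octet) {
        return raw("103/.21/.24[4-7]/." + octet + "|103/.22/.20[0-3]/." + octet);
    }

    // Assumption: the valve compiles the whole value once and needs a full match.
    static boolean trusted(String value, String ip) {
        return Pattern.compile(value).matcher(ip).matches();
    }

    public static void main(String[] args) {
        String octet = "(25[0-5]|2[0-4]/d|1/d/d|[1-9]?/d)"; // 0-255 only
        Map<String, String> candidates = new LinkedHashMap<>();
        candidates.put("plain alternation", ranges(octet));
        // Inner '|' written as '\|': the regex now expects a literal pipe.
        candidates.put("escaped pipes", ranges(octet.replace("|", "/|")));
        // Every '\' doubled: '\\.' is a literal backslash followed by any character.
        candidates.put("doubled backslashes", ranges(octet).replace("\\", "\\\\"));
        // Shorter, but the last octet also accepts 256-999.
        candidates.put("loose last octet", ranges("/d{1,3}"));

        // Constructed sample addresses: two inside the ranges, one outside,
        // and one that is not a valid IPv4 address at all.
        String[] ips = {"103.21.244.1", "103.22.203.255", "103.21.248.1", "103.21.244.256"};

        for (Map.Entry<String, String> c : candidates.entrySet()) {
            System.out.println(c.getKey() + ": " + c.getValue());
            for (String ip : ips) {
                System.out.printf("  %-16s %s%n", ip, trusted(c.getValue(), ip));
            }
        }
    }
}
```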