Tim,

On 3/22/22 05:33, Scott,Tim wrote:
Hi Chris and Mark,

Thank you both for your input.

I arrived at an sru.xml file in conf\Catalina\localhost, containing:

<?xml version="1.0" encoding="UTF-8"?>
<Context>

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
    addConnectorPort="true"
    allow="10\.\d+\.\d+\.\d+;8443|.*;8080"/>

<!-- other configuration here -->

</Context>

This means that private IPs (just those starting with 10.) can connect on port 
8443; any IP on port 8080. It’s there as a reminder that this can be done – my 
first test was limiting to (localhost);8443, similar to the example in the 
documentation, but allowed me to confirm that I can/cannot connect depending 
on which port I use. This gave me confidence in the config.

Now I’m reminded why I wanted it to be configurable – it’s behind a load 
balancer in production and I don’t know what the load balancer is going to 
deliver as I don’t have one in my development environment. I also don’t know 
the network route the calling service will take.

If all requests (even "local" ones) will be going through the load-balancer (or even not, I guess), then you should configure the RemoteIpValve[1]. This will allow the load balancer to send you the original IP of the actual client through HTTP headers, and those will be used in log files, etc.

I *think* it will use those same remote IPs for your RemoteAddrValve, but you must make sure to have the RemoteIpValve configured to run *before* the RemoteAddrValve so that the addresses have a chance to be copied from those headers before they are evaluated for local-ness.

Ask your LB operator to enable the "X-Forwarded-For" header on the LB, which is how that information is typically sent to back-end servers.

Hope that helps,
-chris

[1] https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve
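The valve ordering Chris describes, as an added example that is not from either poster: the RemoteIpValve is declared first so that RemoteAddrValve tests the client address taken from X-Forwarded-For rather than the load balancer's own address. LB_IP_PLACEHOLDER is an assumption standing in for the real load-balancer address, which the thread does not give; the `allow` rule is Tim's from above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Context>

  <!-- 1. Must run first. Replaces request.getRemoteAddr() with the
       client address carried in X-Forwarded-For, but only when the
       immediate peer matches internalProxies. Keep this regex narrow:
       if any peer can match it, any client can forge the header and
       satisfy the RemoteAddrValve rule below. LB_IP_PLACEHOLDER is an
       assumed value (e.g. 10\.0\.0\.5 for a single LB) and, left as is,
       matches nothing, so the header is never trusted by accident. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         remoteIpHeader="X-Forwarded-For"
         internalProxies="LB_IP_PLACEHOLDER"
         protocolHeader="X-Forwarded-Proto"/>

  <!-- 2. Now evaluates the original client address. Note that the
       ";port" part is the Tomcat connector port the request arrived on,
       not the port the client used at the LB, so the LB must forward to
       the 8443 and 8080 connectors separately for the rule to differ. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         addConnectorPort="true"
         allow="10\.\d+\.\d+\.\d+;8443|.*;8080"/>

</Context>
```

With the valves reversed, RemoteAddrValve would see the LB's address on every request and either admit everything or nothing, regardless of the real client.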


Thanks,
Tim

--
Tim Scott
OCLC · Senior Software Engineer / Technical Product Manager


