Zak Mc Kracken wrote:
[...]
Let's try this another way.
You want to allow requests from either www.somewhere.com, or one or more
IP addresses, and block all the rest.
First, filtering requests on the basis of a DNS hostname is "expensive":
it forces Tomcat to do a reverse DNS lookup. That is because when a
request comes in, it does not come in with a DNS name for the client,
but just with an IP address of the client. So Tomcat has to ask the DNS
system for the name (or names) that correspond to IP address a.b.c.d
(the client's address), and then match those names with the rule.
There is also a good chance that some clients have (of course) an IP
address and a DNS name, but their reverse DNS is not set up properly.
In that case, you would be denying clients that maybe you don't want to
deny.
What I'm getting at is that if you want to accept requests from
"www.somewhere.com", you might already know the IP address (or the range
of IP addresses), that correspond to this name.
If so, then you can just use the Remote Address Filter Valve, and forget
about the Remote Host Filter Valve. And it will be much more efficient.
The second part is that for the Remote Address Filter Valve, both the
allow and deny attributes are regular expressions, giving you a lot of
flexibility in which addresses you allow or deny.
As a practical example:
Suppose that you want to allow requests from "www.somewhere.com", and
from any IP address in the range 112.23.90.0-112.23.90.255, and deny all
others.
You would first do a DNS lookup for the hostname "www.somewhere.com", to
get its IP address (nslookup www.somewhere.com).
Suppose this gives you "213.87.32.100".
Then you would configure your Valve as follows:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="213\.87\.32\.100,112\.23\.90\.\d{1,3}" />
Now suppose that, within the range 112.23.90.0-112.23.90.255 (which you
in principle accept), you want nevertheless to deny the subrange
112.23.90.21-112.23.90.30, then you would change the Valve as follows:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="213\.87\.32\.100,112\.23\.90\.\d{1,3}"
deny="112\.23\.90\.(2[1-9]|30)"
/>
If you do not understand the expressions above like
"112\.23\.90\.(2[1-9]|30)", then that is a question of "regular
expressions" which you need to look up, but it's not really something
specific to Tomcat.
Final note: if you accept/deny ranges of IP addresses, it is probably a
good idea to not deny requests from "localhost", if only just for
testing. So add "127\.0\.0\.1" to your accept range.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org