
We have the following set-up: several subdomains lead to the same server, which is running nginx as a proxy to each of them. All subdomains are currently used for testing features in development, so their content is more or less identical.

This is more or less what each nginx site configuration file looks like:

server {
    listen       80;
    server_name  full.web.address;

    location / {
        proxy_pass              http://devhost:8080;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        Host $http_host;

        proxy_cache global;
        proxy_cache_valid  200 302  600m;
        proxy_cache_valid  404      1m;
    }

    location /robots.txt {
        alias   /var/www/default/robots.txt;
    }
}

server {
    listen       443;
    server_name  full.web.address;

    location / {
        proxy_pass              http://devhost:8080/;

        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        Host $http_host;
        proxy_set_header        X-Forwarded-Proto https;

        proxy_cache global;
        proxy_cache_valid  200 302  600m;
        proxy_cache_valid  404      1m;
    }

    location /robots.txt {
        alias   /var/www/default/robots.txt;
    }

    ssl                  on;
    ssl_certificate      /etc/nginx/combined.crt;
    ssl_certificate_key  /etc/nginx/cert.key;
    ssl_session_timeout  5m;
    ssl_protocols  SSLv2 SSLv3 TLSv1;
}

devhost, or whichever host name it happens to be, is set in /etc/hosts by a script on reboot. We have three Tomcat 7 servers running right now, and in all of their web.xml files we have the following:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Confidential resources</web-resource-name>
        <url-pattern>/manager/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>
            CONFIDENTIAL
        </transport-guarantee>
    </user-data-constraint>
</security-constraint>

Every server.xml has the same:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8" />

<Engine name="Catalina" defaultHost="full.web.address">


  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>

  <Host name="full.web.address"  appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="x-forwarded-for"
       remoteIpProxiesHeader="x-forwarded-by"
       protocolHeader="x-forwarded-proto"
    />
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />

  </Host>
</Engine>

They also use the same WAR file. I actually copied everything and just changed the names and IP addresses. The problem is that on one of them https://full.web.address/manager/ loads without a problem, while on the others it goes into an infinite redirect loop to itself. The settings and content are identical.


2 Answers


New day, new ideas. I checked Tomcat's Valve documentation, and https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html provided the answer under internalProxies:

By default, 10/8, 192.168/16, 169.254/16 and 127/8 are allowed; 172.16/12 has not been enabled by default because it is complex to describe with regular expressions

The server that wasn't working was in the 172.16/12 subgroup, because it's in a Docker container. Since it's inaccessible from outside, with its port not being forwarded, it was safe to set internalProxies=".*".


The sentence "172.16/12 has not been enabled by default because it is complex to describe with regular expressions" made me cringe when I read it for the first time. Anyway, you can just copy-paste the regexp from the Tomcat 8 documentation for RemoteIpValve. Here is a complete example:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}"
       protocolHeader="X-Forwarded-Proto" />

Maybe you could incorporate it into your answer?
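The following is an added example, written for this page and not code posted by either answerer or taken from Tomcat. It models the part of RemoteIpValve that both answers turn on: the X-Forwarded-Proto header is only honoured when the immediate peer address matches internalProxies, and a CONFIDENTIAL constraint on a request Tomcat still sees as plain http answers with a redirect to the same https URL, which nginx forwards back over http. The Tomcat 7 default pattern is reconstructed from the "10/8, 192.168/16, 169.254/16 and 127/8" wording in its documentation; the Tomcat 8 pattern is the one quoted above with the stray spaces removed. The peer address 172.17.0.2 (a Docker bridge address), the client address and the header values are constructed sample data. Java's Matcher.matches() requires the whole string to match, so re.fullmatch is used as its equivalent.

```python
import re

# Tomcat 7's documented default for RemoteIpValve internalProxies:
# 10/8, 192.168/16, 169.254/16 and 127/8. 172.16/12 is absent.
# (Reconstructed from the documentation wording; an assumption of this example.)
TOMCAT7_DEFAULT_INTERNAL_PROXIES = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
)

# The Tomcat 8 default quoted in the answer above, with the stray spaces after
# '|' removed: a space inside an alternative becomes part of the pattern, and
# that alternative would then never match an IP address.
TOMCAT8_DEFAULT_INTERNAL_PROXIES = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|"
    r"172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}"
)


def is_internal_proxy(peer_addr, internal_proxies):
    """Does the connecting peer count as an internal proxy?

    RemoteIpValve uses java.util.regex Matcher.matches(), which must consume
    the whole string; re.fullmatch is the Python equivalent.
    """
    return re.fullmatch(internal_proxies, peer_addr) is not None


def effective_scheme(peer_addr, headers, internal_proxies,
                     protocol_header="x-forwarded-proto"):
    """Scheme the servlet sees after the valve has run.

    The valve honours protocolHeader only when the immediate peer (here the
    nginx box) matches internalProxies. Otherwise the connector's own scheme,
    plain http on port 8080, stands and the header is ignored.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    if is_internal_proxy(peer_addr, internal_proxies):
        if lowered.get(protocol_header, "").lower() == "https":
            return "https"
    return "http"


def simulate_manager_request(peer_addr, internal_proxies, max_hops=5):
    """Follow a browser request for https://full.web.address/manager/ through
    the 443 server block to Tomcat and apply the CONFIDENTIAL constraint.

    Returns "served" once Tomcat regards the request as secure, or
    "redirect-loop" after max_hops identical redirects in a row.
    """
    # Constructed request, as the 443 server block in the question forwards it.
    headers = {
        "Host": "full.web.address",
        "X-Forwarded-For": "198.51.100.23",  # constructed client address
        "X-Forwarded-Proto": "https",
    }
    hops = 0
    while hops < max_hops:
        if effective_scheme(peer_addr, headers, internal_proxies) == "https":
            return "served"
        # CONFIDENTIAL not met: Tomcat answers with a redirect to the https URL,
        # the browser follows it, and nginx forwards exactly the same request.
        hops += 1
    return "redirect-loop"


if __name__ == "__main__":
    docker_peer = "172.17.0.2"  # constructed: nginx reaching Tomcat over a Docker bridge
    for label, pattern in (("Tomcat 7 default", TOMCAT7_DEFAULT_INTERNAL_PROXIES),
                           ("Tomcat 8 default", TOMCAT8_DEFAULT_INTERNAL_PROXIES),
                           ('".*"', ".*")):
        print(f"{label:>16}: {simulate_manager_request(docker_peer, pattern)}")
```

Running it shows the symptom in the question: with the Tomcat 7 default the 172.17.0.2 peer never matches, so the valve ignores X-Forwarded-Proto and every request to /manager/ is redirected to itself, while the Tomcat 8 pattern (or a 10/8 peer) is served on the first pass. The `.*` setting from the accepted answer also resolves the loop, but `is_internal_proxy` returns True for it on any peer address at all, which is why it is only reasonable when, as that answer says, nothing but the proxy can reach the Tomcat port.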
