
I'm trying to block all traffic within Tomcat except two IPs. I found out that I can do that within the server.xml file, so I have this:

  <Host name="localhost"  appBase="webapps"
        unpackWARs="true" autoDeploy="true">

    <!-- SingleSignOn valve, share authentication between web applications
         Documentation at: /docs/config/valve.html -->
    <!--
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
    -->

    <!-- Access log processes all example.
         Documentation at: /docs/config/valve.html
         Note: The pattern used is equivalent to using pattern="common" -->
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log" suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.2" />
  </Host>

This is working, but now I want two IPs to be allowed, so I tried the following two options that I found on the internet:

    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.2,192.168.1.22" />

and

    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192\.168\.1\.\2|192\.168\.1\.22" />

But neither is working; what am I doing wrong here?

I'm using Tomcat version 8.5.46.0 on Red Hat.

fabje
  • Because of the \2, the first IP won't work. Remove the backslash; keep it only before a dot. This error invalidates the whole string and both IPs don't work. – Kir Kanos Nov 03 '22 at 12:16

1 Answer

Try the following; it should work:

    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.2|192.168.1.22" deny=""/>

Since Tomcat 7 the IPs should not be separated by commas; instead you should use a pipe | and no backslashes.

Ioannis Barakos
  • Thanks that works! No clue why I couldn't find this on the internet and only found the ones with separated commas etc. – fabje Nov 20 '19 at 14:29
  • Where does "no backslashes" come from? The value is expected to be a regular expression, that's why the pipe makes sense instead of a comma and in those cases backslashes to escape `.` is best. https://confluence.atlassian.com/confkb/how-to-allow-or-deny-certain-hosts-to-have-access-to-confluence-963645026.html https://github.com/WQLSHELL/Tomcat-8.0.39-Source/blob/6f4e3406f7c78a6c8391b1cd5dbd2ee32795c026/src/org/apache/catalina/valves/RequestFilterValve.java#L35 – Thorsten Schöning Oct 20 '22 at 14:52
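A quick way to sanity-check a candidate `allow` value before putting it in server.xml, as an added example that is not part of the question or the answer: Python's `re.fullmatch` stands in for the whole-address regex match that RemoteAddrValve performs (for patterns of this shape the two regex engines agree), and the sample addresses are constructed for the check.

```python
import re

# Constructed sample addresses (not from the page): the two hosts that should
# get in, and a few that must stay out, including one that only differs in the
# characters between the octets.
INTENDED = ["192.168.1.2", "192.168.1.22"]
UNWANTED = ["192.168.1.23", "192.168.1.222", "10.0.0.1", "192x168x1x22"]


def compiles(allow_pattern):
    """True if the allow value is a valid regex; the question's '\\2' variant is not."""
    try:
        re.compile(allow_pattern)
        return True
    except re.error:
        return False


def is_allowed(allow_pattern, remote_addr):
    """Mimic RemoteAddrValve: the whole remote address must match the allow regex,
    so a comma-separated list matches nothing and a partial match is not enough."""
    return re.fullmatch(allow_pattern, remote_addr) is not None


def audit(allow_pattern, intended=INTENDED, unwanted=UNWANTED):
    """Return (wrongly_denied, wrongly_allowed) for a candidate allow value."""
    wrongly_denied = [a for a in intended if not is_allowed(allow_pattern, a)]
    wrongly_allowed = [a for a in unwanted if is_allowed(allow_pattern, a)]
    return wrongly_denied, wrongly_allowed


if __name__ == "__main__":
    for label, pattern in [
        ("comma list (question)", "192.168.1.2,192.168.1.22"),
        ("stray \\2 (question)", r"192\.168\.1\.\2|192\.168\.1\.22"),
        ("pipe, unescaped dots (answer)", "192.168.1.2|192.168.1.22"),
        ("pipe, escaped dots", r"192\.168\.1\.2|192\.168\.1\.22"),
    ]:
        if not compiles(pattern):
            print(f"{label}: invalid regex, rule unusable")
            continue
        denied, allowed = audit(pattern)
        print(f"{label}: wrongly denied={denied} wrongly allowed={allowed}")
```

The unescaped answer pattern lets the two intended hosts in but also accepts `192x168x1x22`, because an unescaped `.` matches any character; escaping the dots closes that gap.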