My setup is: public-facing LB - Linux VM - Apache Tomcat: 2 applications - https://example.com and https://example.com/api/xxx. Now all security groups and rules are in place and I am able to access everything perfectly.

Need: I need to restrict access to the URL https://example.com from the internet. It should only be accessible from the client's internal network.

Done so far: since the LB doesn't support URL-based restriction, I thought of doing this restriction in Tomcat using RemoteCIDRValve. I provided the below inside the respective context.

<Valve className="org.apache.catalina.valves.RemoteCIDRValve" allow="111.11.111.0/22,222.22.222.0/22, ::1"/>

But it is allowing all the other IP addresses too. This is because when the request comes in, it comes via the load balancer, so the IP is in the allowed CIDR range. My original thought was that the LB would send the client's IP from where the request originates.

Please throw some light on solving this. What needs to be corrected? Or is there any other way to solve it...

My complete config is below. This is inside HOST:

<Valve className="org.apache.catalina.valves.RemoteIpValve"  />

<Host name="example.com" appBase="xxxapps"
    unpackWARs="true"  autoDeploy="true" deployOnStartup="true">

    <Context name="API" path="/yyy" docBase="yyy.war"></Context>

    <Context name="Portal" path="" docBase="zzz.war">
        <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
               allow="xxx.yyy.zz.d/y, ::1"/>
    </Context>

    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs/xxxlogs"
        prefix="xxx_access_log" suffix=".txt"
        pattern="%h %l %u %t &quot;%r&quot; %s %b %{x-forwarded-for}i %{x-forwarded-by}i"
        requestAttributesEnabled="true" />
</Host>
    An unrelated remark: since your WAR files are in the `appBase` folder **and** you define their contexts in the `server.xml` double-deployment will most certainly ensue, i.e. the "Portal" application will be deployed under `https://example.com/` and `https://example.com/zzz/` (the latter without any valve). You should disable `autoDeploy` and `deployOnStartup` in this case or move the war files out of the `appBase` folder. – Piotr P. Karwasz Jul 07 '21 at 14:12

1 Answer


If the load balancer adds X-Forwarded-For headers (very likely), you just need to add a RemoteIpValve to your engine:

<Engine name="Catalina">
    <Valve className="org.apache.catalina.valves.RemoteIpValve" />
    ...
</Engine>

On recent Tomcat versions all valve attributes have reasonable defaults.

Edit: As you state in your comment, your domain name additionally points to Cloudflare servers. I don't know how they assign IPs to customers, but if the number of IPs is limited (e.g. the 172.70.95.0/24 network) you can use:

<Engine name="Catalina">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           trustedProxies="172\.70\.95\.\d+" />
    ...
</Engine>
  • Thanks for your reply. I have added this in my engine. But still access is not restricted. Also, in the access log, I could see an IP which is neither my machine's public IP nor my LB's IP. That IP comes under my allowed CIDR range. What is the IP that I am seeing? Where is it coming from? – Anitha.R Jul 07 '21 at 08:01
  • Microsoft might use multiple reverse proxies besides your load balancer. Add `%{x-forwarded-for}i` and `%{x-forwarded-by}i` to your access log data to see how many proxies are between you and your server. Modify the `trustedProxies` (or `internalProxies`) attribute accordingly. You might add the IP you just noticed to the question: it might help other people using Azure. – Piotr P. Karwasz Jul 07 '21 at 08:21
  • I did so. Edited the original question with complete config. Also, mentioned the log that I am getting.. `172.70.95.150 - - [07/Jul/2021:05:53:04 -0400] "GET / HTTP/1.1" 304 - -` Here I don't know what is the IP in the beginning. – Anitha.R Jul 07 '21 at 10:03
  • That IP belongs to Cloudflare (cf. [IP list](https://www.cloudflare.com/ips/)), a global CDN network. Probably your domain name points to Cloudflare servers, which forward the requests to your load balancer. – Piotr P. Karwasz Jul 07 '21 at 11:59
  • Correct. My domain points to cloudflare and it forwards the request to LB. So now what should I do to achieve my restriction – Anitha.R Jul 07 '21 at 13:16
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/234625/discussion-between-anitha-r-and-piotr-p-karwasz). – Anitha.R Jul 07 '21 at 14:17
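The following is an added illustration (not code from the question, the answer, or Tomcat itself) of why the answer's `trustedProxies` setting matters. It models the right-to-left walk RemoteIpValve performs over `X-Forwarded-For` and the allow check RemoteCIDRValve performs afterwards, for the request path discussed in the comments (client -> Cloudflare -> load balancer -> Tomcat). The LB address `10.0.1.5`, the client address `111.11.111.7` and the attacker address `203.0.113.9` are constructed sample values; the Cloudflare address and the regex are the ones from the thread.

```python
import ipaddress
import re
from typing import Optional

# Tomcat's default internalProxies (private/loopback ranges), written here as
# networks instead of the valve's regex; both mean "a proxy we operate".
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8",
    "100.64.0.0/10", "172.16.0.0/12", "::1/128")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_PROXIES)

def resolve_remote_addr(remote_addr: str, xff: Optional[str],
                        trusted_proxies: str = "") -> str:
    """Mimic RemoteIpValve: if the TCP peer is an internal proxy, walk
    X-Forwarded-For right to left, skipping internal and trusted proxies;
    the first other hop is reported as the client address."""
    if not is_internal(remote_addr) or not xff:
        return remote_addr  # peer is not a proxy we trust: XFF is ignored
    trusted = re.compile(trusted_proxies) if trusted_proxies else None
    remote_ip = remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        remote_ip = hop
        if is_internal(hop) or (trusted and trusted.fullmatch(hop)):
            continue
        break
    return remote_ip

def cidr_allows(ip: str, allow: str) -> bool:
    """Mimic RemoteCIDRValve's allow list (strict=False tolerates host bits)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in allow.split(","))

ALLOW = "111.11.111.0/22, ::1"          # allow list from the question
LB_IP, CLOUDFLARE_IP, CLIENT_IP = "10.0.1.5", "172.70.95.150", "111.11.111.7"
XFF = f"{CLIENT_IP}, {CLOUDFLARE_IP}"   # Cloudflare adds client, LB adds Cloudflare

def default_config() -> str:            # what the question's log showed
    return resolve_remote_addr(LB_IP, XFF)

def with_trusted_cloudflare() -> str:   # the answer's trustedProxies fix
    return resolve_remote_addr(LB_IP, XFF, trusted_proxies=r"172\.70\.95\.\d+")

def direct_hit_with_forged_xff() -> str:
    # A request that reaches Tomcat without passing an internal proxy:
    # its X-Forwarded-For is ignored, so a forged header cannot pass the check.
    return resolve_remote_addr("203.0.113.9", XFF)
```

With the default configuration the Cloudflare edge address is what RemoteCIDRValve sees, which is why the allow list did not behave as expected; once the Cloudflare range is trusted, the original client address is recovered and checked instead.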