From 19fdeec134026a58316421199107be7739d15cde Mon Sep 17 00:00:00 2001
From: kkolinko
Date: Mon, 26 Sep 2011 00:24:20 +0000
Subject: [PATCH] There is a caveat when using RemoteAddrValve with IPv6 addresses - see thread "tomcat 7.0.21: bug in RemoteAddrValve?" of 2011-09-14 on users@ Document it and update configuration examples in manager and host-manager apps. Add usage examples to valve.html, filter.html.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1175633 13f79535-47bb-0310-9956-ffa450edef68
---
 webapps/docs/config/filter.xml | 28 ++++++++++++++++++++++++++++
 webapps/docs/config/valve.xml | 19 +++++++++++++++++++
 webapps/docs/manager-howto.xml | 4 +++-
 webapps/host-manager/META-INF/context.xml | 2 +-
 webapps/manager/META-INF/context.xml | 2 +-
 5 files changed, 52 insertions(+), 3 deletions(-)
diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml
index 49bd27ff5..707c6674a 100644
--- a/webapps/docs/config/filter.xml
+++ b/webapps/docs/config/filter.xml
@@ -531,6 +531,15 @@ FINE: Request "/docs/config/manager.html" with response status "200" content-typ
 package. Please consult the Java documentation for details of the expressions supported.

+

Note: There is a caveat when using this filter with + IPv6 addresses. Format of the IP address that this valve is processing + depends on the API that was used to obtain it. If the address was obtained + from Java socket using Inet6Address class, its format will be + x:x:x:x:x:x:x:x. That is, the IP address for localhost + will be 0:0:0:0:0:0:0:1 instead of the more widely used + ::1. Consult your access logs for the actual value.

+ +

See also: Remote Host Filter.
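Review bot: The second sentence of the added note reads `Format of the IP address that this valve is processing`, but the paragraph is in filter.xml and opens with "this filter". It looks copied from the valve.xml note and should say `this filter is processing`, so that readers of the filter page are not sent looking for a valve. The attribute description this note belongs to starts above the hunk, so I cannot tell whether the same wording recurs there.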

@@ -569,6 +578,24 @@ FINE: Request "/docs/config/manager.html" with response status "200" content-typ + +

To allow access only for the clients connecting from localhost:

+
+    <filter>
+      <filter-name>Remote Address Filter</filter-name>
+      <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
+      <init-param>
+        <param-name>allow</param-name>
+        <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
+      </init-param>
+    </filter>
+    <filter-mapping>
+      <filter-name>Remote Address Filter</filter-name>
+      <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+
+
@@ -586,6 +613,7 @@ FINE: Request "/docs/config/manager.html" with response status "200" content-typ
 package. Please consult the Java documentation for details of the expressions supported.
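Review bot: The localhost example added in the previous hunk (`<param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>`) does not say which address the pattern is compared against. If Tomcat is reached through a reverse proxy or load balancer on the same machine, the connecting peer is presumably the proxy, so forwarded requests could all match the loopback alternatives and pass the filter. I would add one sentence after the example, for instance `This restricts by the address of the direct peer; behind a local reverse proxy, do not rely on it alone.` The valve.xml hunk that adds the matching `<Valve ... allow=.../>` example needs the same sentence.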

+

See also: Remote Address Filter.

diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index 327273387..9572e6a18 100644
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -509,6 +509,16 @@ package. Please consult the Java documentation for details of the expressions supported.

+

Note: There is a caveat when using this valve with + IPv6 addresses. Format of the IP address that this valve is processing + depends on the API that was used to obtain it. If the address was obtained + from Java socket using Inet6Address class, its format will be + x:x:x:x:x:x:x:x. That is, the IP address for localhost + will be 0:0:0:0:0:0:0:1 instead of the more widely used + ::1. Consult your access logs for the actual value.

+ +

See also: Remote Host Filter, + Remote IP Valve.

@@ -544,6 +554,14 @@ + +

To allow access only for the clients connecting from localhost:

+
+    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
+       allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
+
+
+
@@ -565,6 +583,7 @@ package. Please consult the Java documentation for details of the expressions supported.

+

See also: Remote Address Filter.

diff --git a/webapps/docs/manager-howto.xml b/webapps/docs/manager-howto.xml
index 81ae2b016..bcfd7fd61 100644
--- a/webapps/docs/manager-howto.xml
+++ b/webapps/docs/manager-howto.xml
@@ -159,7 +159,9 @@ the role manager-script.

In addition to the password restrictions the Manager web application could be restricted by the remote IP address or host by adding a -RemoteAddrValve or RemoteHostValve. Here is +RemoteAddrValve or RemoteHostValve. +See valves documentation +for details. Here is an example of restricting access to the localhost by IP address:

 <Context privileged="true">
diff --git a/webapps/host-manager/META-INF/context.xml b/webapps/host-manager/META-INF/context.xml
index 1019dc4c7..3390e967c 100644
--- a/webapps/host-manager/META-INF/context.xml
+++ b/webapps/host-manager/META-INF/context.xml
@@ -22,6 +22,6 @@
   -->
   
 
\ No newline at end of file
diff --git a/webapps/manager/META-INF/context.xml b/webapps/manager/META-INF/context.xml
index 99276a257..21d9bac93 100644
--- a/webapps/manager/META-INF/context.xml
+++ b/webapps/manager/META-INF/context.xml
@@ -22,6 +22,6 @@
   -->
   
 
-- 
2.11.0