« December 2009 | Main | February 2010 »

11 posts from January 2010

01/28/2010

Tomcat 6: First Impression of the New Remote IP Valve

First introduced for production use in the recently released 6.0.24 version, the Remote IP Valve provides tomcat with built-in support for pulling the client IP from the X-Forwarded-For header field and making that IP address available to applications.  Prior to this, if you wanted to grab the client IP address from the X-Forwarded-For header, you needed to hard-code it into your applications yourself.  If you weren't too careful, you could wind up with cases where you were getting the IP address only *most* of the time.

Setting up this valve is very straightforward.  Edit your server.xml file and insert the following lines, (which can reside within the context, host, or engine levels):

 <Valve className="org.apache.catalina.valves.RemoteIpValve"
   />

If you place the valve higher than the Access Log Valve within server.xml, you won't need to utilize a custom log file pattern to log the client ip address but I did notice some unexpected behavior with access logs when combining the Remote IP Valve with the Remote Address filter. I don't know if it is necessarily a bug, a configuration error, or if it is a lack of understanding of the behavior of the Remote Address filter on my part. In my test container, which is a non-custom, straight-from-a-mirror binary download running on Snow Leopard, I modified server.xml to include the following:

        <Valve className="org.apache.catalina.valves.RemoteIpValve"
          />

        <Valve className="org.apache.catalina.valves.RemoteAddrValve" 
          allow="10.11.12.13" deny="127.0.0.1"/>

        <Valve className="org.apache.catalina.valves.AccessLogValve" 
          directory="logs"  
          prefix="localhost_access_log." suffix=".txt" 
          pattern="combined" resolveHosts="false"/>

      </Host>
    </Engine>
  </Service>

My test script is a basic HTTP Get written in Groovy, which I'm running from within groovyConsole so that I can enable and disable the custom request header at will:

def url = new URL("https://localhost:8080/docs/introduction.html")
def connection = url.openConnection()
  connection.setRequestProperty("X-Forwarded-For","10.11.12.13")
  connection.setRequestProperty("User-Agent","benevolent-bot/blog.techstacks.com")
 
if(connection.responseCode == 200){
 println "Connection successful"
 }
else{
 println "Ouchy! Error! ${connection.responseCode}"
 }

When tailing the tomcat access log and executing the test with the X-Forwarded-For property enabled, everything works as expected. I see my successful request in the logs using the ip address 10.11.12.13. However, when disabling this property and re-sending the request along, I do see the 403 status code returned from tomcat, which is expected, but nothing gets logged in the access log, which was not expected. I was expecting to see a request logged in the access log from ip address 127.0.0.1 for /introduction.html with a 403 status code. Logging request attempts from forbidden remote IP's seems like it should be useful.

Logging issues aside, (which, again could be my fault), the new Remote IP Valve is a useful addition to apache tomcat and I encourage everyone to start making use of it. Even if you don't have a reverse proxy device sitting in front of your tomcat servers, chances are very good that your customers do go through one to get to you and the Remote IP Valve will give you the actual customer IP address, without the need for custom coding within your servlets.

01/25/2010

Security-Related Info on Apache Tomcat 6.0.24 Release

As I noted in the release announcement pointer from a couple of days ago, Apache Tomcat 6.0.24 incorporates changes from unreleased versions 6.0.21, 6.0.22, and 6.0.23.  Three of those changes are security related and they are rated as low severity, so assess soon instead of assess "right now".  Below are links to the mailing list that provide more detail on these items:

These vulnerabilities exist in tomcat 5.5.X as well but release 5.5.29, which fixes them, has not been released yet.

01/22/2010

Update: Microsoft 40% Off Coupon Offer

This offer expired. Please visit Techstacks Promos for the latest promotions and events
I am reposting this primarily because there seems to have been a lot of interest. Microsoft has updated the checkout coupon to use to qualify for 40% off on selected systems.  Use MSStore2-PC-40% at checkout if you plan on purchasing any of the following systems by January 25th, 2010.