https://bz.apache.org/bugzilla/show_bug.cgi?id=62334
Bug ID: 62334
Summary: Filter by remote IP address of request for status worker of ISAPI redirector
Product: Tomcat Connectors
Version: 1.2.42
Hardware: PC
Status: NEW
Severity: enhancement
Priority: P2
Component: isapi
Assignee: dev@tomcat.apache.org
Reporter: abra...@gmail.com
Target Milestone: ---

Created attachment 35896
--> https://bz.apache.org/bugzilla/attachment.cgi?id=35896&action=edit
Adds support of filter by remote IP address into status worker

ISAPI redirector has a status worker which provides a management console I use in my project. This management console can be configured as read only. It can even be protected by authentication (and the list of allowed users can be configured). Unfortunately, it's not sufficient for my customer - he requires adding one more level of "protection": the management console (status worker of ISAPI redirector) should be accessible only for requests coming from particular hosts (IP addresses). For example, in some environments the management console should be accessible just from the same host where IIS works. I understand it looks like naive "protection" (especially if there is already authentication configured and required), but it's a customer / regulatory authority requirement I have to implement and follow.

I use a workaround with the Microsoft URL Rewrite Module for IIS (https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/using-url-rewrite-module-20) at the moment. I'm not satisfied with it because:

1. It increases complexity (deployment and maintenance).
2. It decreases performance by adding one more layer of filtering.
3. It doesn't work on some environments I have to maintain.

I found that the remote IP address is passed with each request into ISAPI redirector workers. I found that filtering by remote IP address can be implemented very similarly to filtering by user name, which is already implemented in ISAPI redirector.

So, I extended ISAPI redirector 1.2.43 with filtering by remote address - refer to the attached "status_worker_ip_addr_limit.diff" (the patch works for both trunk@1826346 and the 1.2.43 version). The patch I suggest does the following:

1. Adds one more optional property to the status worker - "remote_address".
2. This property is parsed using the same rules as are used for the "user" property, i.e. there can be multiple IP addresses separated by commas.
3. These addresses are treated as strings, i.e. no validation (valid IPv4 or valid IPv6 address) is performed and no conversion is done when comparing them with the remote IP address of the request to the status worker.
4. Filtering by IP address (if a non-empty list of allowed IP addresses is specified) is performed before filtering by authenticated user name.
5. If validation of the remote IP address of the request fails, it is handled exactly the same way as failed validation of the user name (except for the text which is logged at debug level).

I would appreciate it if my changes (or a new feature providing a similar function) could be taken into the next version of ISAPI redirector. It's always simpler to use official binaries than to build a custom version.

I cloned Tomcat Connectors into a git repository at GitHub. That repository can be found at https://github.com/mabrarov/tomcat-connectors. It contains:

1. CMake project for ISAPI redirector (https://github.com/mabrarov/tomcat-connectors/pull/2).
2. Filtering by remote IP address for status worker (https://github.com/mabrarov/tomcat-connectors/pull/1) - the same as in the attached "status_worker_ip_addr_limit.diff".
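The matching rules the report lists (comma-separated list, plain string comparison with no address normalization, address check before user check), written out as an added C example; this is not the attached patch or Tomcat Connectors code. The function names, the trimming of blanks around list entries and the "empty list means no filtering" behaviour are assumptions of this example, and it also shows the consequence of textual matching: the IPv4-mapped IPv6 spelling of an allowed address is rejected unless it is listed too.

```c
/* Added example, not the attached patch nor Tomcat Connectors code. It
 * implements the semantics the report lists: a comma-separated allow list
 * compared as plain strings, checked before the user list. Blank trimming
 * and "empty list = no filtering" are assumptions of this example. */
#include <stdio.h>
#include <string.h>
/* 1 if `value` exactly equals one comma-separated entry of `list`.
 * No address parsing or normalization: "::ffff:10.0.0.5" != "10.0.0.5". */
int list_allows(const char *list, const char *value)
{
    if (list == NULL || value == NULL)
        return 0;
    size_t vlen = strlen(value);
    for (const char *p = list; *p; ) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        while (len > 0 && (*p == ' ' || *p == '\t')) { p++; len--; }   /* trim */
        while (len > 0 && (p[len - 1] == ' ' || p[len - 1] == '\t')) len--;
        if (len == vlen && memcmp(p, value, len) == 0)
            return 1;
        if (comma == NULL)
            break;
        p = comma + 1;
    }
    return 0;
}
/* Access decision in the report's order: remote address (only when a
 * non-empty list is configured), then authenticated user. 1 = allow. */
int status_access_check(const char *allow_addrs, const char *remote_addr,
                        const char *allow_users, const char *user)
{
    if (allow_addrs && *allow_addrs && !list_allows(allow_addrs, remote_addr))
        return 0;               /* rejected before the user list is consulted */
    if (allow_users && *allow_users && !list_allows(allow_users, user))
        return 0;
    return 1;
}

int main(void)
{
    const char *addrs = "127.0.0.1, ::1";    /* constructed sample config */
    /* The IPv4-mapped spelling of an allowed address is rejected because the
     * comparison is textual; every expected spelling must be listed. */
    printf("%d %d %d\n",                      /* prints "1 0 0" */
           status_access_check(addrs, "127.0.0.1", "admin", "admin"),
           status_access_check(addrs, "::ffff:127.0.0.1", "admin", "admin"),
           status_access_check(addrs, "127.0.0.1", "admin", "guest"));
    return 0;
}
```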