Bug 66470 - Tomcat missing ip range for internalProxies
Summary: Tomcat missing ip range for internalProxies
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 11
Classification: Unclassified
Component: Catalina
Version: unspecified
Hardware: PC Linux
Importance: P2 critical
Target Milestone: -------
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
Reported: 2023-02-08 10:41 UTC by sgloxhuber
Modified: 2023-02-15 14:58 UTC

Description sgloxhuber 2023-02-08 10:41:23 UTC
SETUP:

We implemented a solution in Spring Boot to allow additional origins for requests to handle CORS correctly.
Because of that we override a bean in the security config:

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        // 'origin' is the additional origin to allow, taken from the application's configuration
        config.addAllowedOrigin(origin);

        List<String> header = List.of("*");
        config.setAllowedHeaders(header);
        config.setAllowedMethods(header);
        source.registerCorsConfiguration("/**", config);
        return source;
    }
```

The Spring Boot application runs in a Kubernetes cluster at different providers.

On many cluster providers we have no problems with the implementation, but on the provider Scaleway we get for requests an HTTP code 403 Forbidden and the message "Invalid CORS Request" as response.

PROBLEM:

The problem is Spring Boot's internal Tomcat. It is using the configuration option server.tomcat.remoteip.internal-proxies in the application properties. The default is the RFC 1918 IP range of private networks, which is used for localhost (IPv4 and IPv6). But the RFC 6598 shared address space is not included in the list.

--> The area 100.64.0.0/10, which is defined as shared address space, is not included in the list.

However, Scaleway (and almost certainly many other providers) use this area internally in the cluster, as the area cannot be routed by definition and thus provides at least as much security as the private IP address areas.

The result is that Tomcat blocks the request by this IP.

https://www.rfc-editor.org/rfc/rfc1918
https://www.rfc-editor.org/rfc/rfc6598

SOLUTION:

We fixed the problem temporarily by changing the default behaviour of Tomcat and added the IP range:

https://docs.spring.io/spring-boot/docs/current/reference/html/howto.html#howto.webserver.use-behind-a-proxy-server.tomcat

```yaml
server:
  tomcat:
    basedir: /tmp
    max-swallow-size: -1
    remoteip:
      internal-proxies: "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.[7-9]{1}[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.1[0-1]{1}[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|0:0:0:0:0:0:0:1|::1"
```
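As an added example (not code from the report, from Spring Boot or from Tomcat), the following Python mirrors the RemoteIpValve internalProxies check with the default regex quoted above and with the 100.64.0.0/10 alternatives appended, and cross-checks those alternatives against the CIDR block with the standard `ipaddress` module; the patterns are written with single backslashes, which is what Tomcat sees after the YAML string is unescaped. The `resolve_client_ip` helper is a simplified model of the valve's X-Forwarded-For handling (trustedProxies are not modelled) and the sample addresses are constructed for the demonstration.

```python
import ipaddress
import re

# Tomcat's default internalProxies regex, as quoted in the report (RFC 1918,
# loopback and link-local), in the single-backslash form Tomcat sees at runtime.
DEFAULT_INTERNAL_PROXIES = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|"
    r"172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1"
)

# The RFC 6598 shared address space 100.64.0.0/10 in the same regex style.
SHARED_ADDRESS_SPACE = (
    r"100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}[0-9]{1}\.\d{1,3}\.\d{1,3}|"
    r"100\.1[0-1]{1}[0-9]{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}"
)

EXTENDED_INTERNAL_PROXIES = DEFAULT_INTERNAL_PROXIES + "|" + SHARED_ADDRESS_SPACE


def is_internal_proxy(remote_addr: str, pattern: str) -> bool:
    """Mirror RemoteIpValve: the whole remote address must match the regex."""
    return re.fullmatch(pattern, remote_addr) is not None


def regex_agrees_with_cidr(pattern: str, cidr: str, samples) -> bool:
    """For each (syntactically valid) sample IP, regex membership must equal
    CIDR membership; the regex itself does not validate octet values."""
    net = ipaddress.ip_network(cidr)
    return all(
        is_internal_proxy(ip, pattern) == (ipaddress.ip_address(ip) in net)
        for ip in samples
    )


def resolve_client_ip(remote_addr: str, x_forwarded_for: str, pattern: str) -> str:
    """Simplified model of the valve (trustedProxies not modelled): only when the
    connecting peer is an internal proxy is X-Forwarded-For consulted, walked
    right-to-left; the first hop that is not an internal proxy is the client."""
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    if not hops or not is_internal_proxy(remote_addr, pattern):
        return remote_addr
    for hop in reversed(hops):
        if not is_internal_proxy(hop, pattern):
            return hop
    return hops[0]  # every hop was internal: the valve keeps the leftmost one
```

With the default pattern a request arriving from a 100.64.x.x node keeps that node's address as the remote address, so the application never sees the real client; the extended pattern resolves it from X-Forwarded-For.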
Comment 1 sgloxhuber 2023-02-08 10:45:00 UTC
https://github.com/apache/tomcat/blob/11.0.0-M2/java/org/apache/catalina/valves/RemoteIpValve.java

The definition of the IP range is in line 399.
Comment 2 Mark Thomas 2023-02-15 14:58:42 UTC
Fixed in:
- 11.0.x for 11.0.0-M3 onwards
- 10.1.x for 10.1.6 onwards
- 9.0.x for 9.0.72 onwards
- 8.5.x for 8.5.86 onwards

Both Valve and Filter were updated