Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How to allow only single or selected IPs in urlrewrite.xml in tomcat

sreenivasulu vadde
sreenivasulu vadde October 20, 2021

Hello ,

Due to Security reason , we have blocked rest/api/2/priority endpoint using below  rule

<rule>
<from>(?s)^/rest/api/.*/priority</from>
<set type="status">403</set>
<to>null</to>
</rule>

But these is blocking one of the integration that is using this end point and tried below rule but not working

<rule>
<condition name="%{REMOTE_ADDR}" operator="notequal">XX\.XX\.XX\.XX</condition>
<from>(?s)^/rest/api/.*/priority</from>

<set type="status">403</set>
<to>null</to>
</rule>

 

Any help on this,

 

Thanks,

Sreeni.

Answer
Watch
Like Be the first to like this
777 views

2 answers

1 accepted

0 votes
Answer accepted
Mehmet A _Bloompeak_
Mehmet A _Bloompeak_
Atlassian Partner
October 20, 2021

Hi @sreenivasulu vadde ,

Maybe the below condition format works.

<condition type="remote-addr" operator="notequal">^XX\.XX\.XX\.XX$</condition> 
View More Comments
sreenivasulu vadde
sreenivasulu vadde October 20, 2021

Thanks @Mehmet A _Bloompeak_ , It is working . 

Also can you Please help us to mention IP rage(regex) in the rule Please.

Like
Mehmet A _Bloompeak_
Mehmet A _Bloompeak_
Atlassian Partner
October 20, 2021

It is just regex. For instance if your ip range is from XX.XX.XX.0 to XX.XX.XX.255, then you can use ^XX\.XX\.XX\.[0-9]+$

Like
sreenivasulu vadde
sreenivasulu vadde October 21, 2021

@Mehmet A _Bloompeak_  -  this rule is working fine if we access nodes individual URLs(http://NodeA/rest/api/2/priority   and http://NodeB//rest/api/2/priority)and we are using GCP Load Balancer and accessing via from LB: https://mycompany.com//rest/api/2/priority ,  rule is failing  and blocking the end point. 

DO we need to do any changes in the connector? your help will be appreciated .

Proxy Connector :

<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;" maxHttpHeaderSize="8192" maxThreads="250" minSpareThreads="25" protocol="HTTP/1.1" enableLookups="false" disableUploadTimeout="true" bindOnInit="false" acceptCount="100" secure="true" scheme="https" redirectPort="8443" connectionTimeout="20000" useBodyEncodingForURI="true" proxyName="company.com" proxyPort="443"/>

 

Non Proxy Connector:

 

<Connector port="8081"
maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"
enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
acceptCount="100"
disableUploadTimeout="true"
relaxedPathChars="[]|"
relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"/>

Like
Mehmet A _Bloompeak_
Mehmet A _Bloompeak_
Atlassian Partner
October 22, 2021

Most probably, you see the load balancer ip in "remote-addr". The load balancer must be adding the actual remote address into another header( maybe x-forwarded-for or true-client-ip). Or there might be configuration on load balancer to speciy the name of this header. You can change the urlrewrite.xml condition to check this header instead.

Like
sreenivasulu vadde
sreenivasulu vadde November 2, 2021

Thanks @Mehmet A _Bloompeak_ !

 x-forwarded-for is coming like : <client-ip>,<load-balancer-ip>,<GFE-IP><backend-IP>

Now how to get only client ip(how to split the  IPs chain and compare) in the urlrewrite.xml condition.

Thanks in advance for your help.

Thanks,

Sreeni.

Like
Mehmet A _Bloompeak_
Mehmet A _Bloompeak_
Atlassian Partner
November 2, 2021

Your regex should match <client-ip>,<load-balancer-ip>,<GFE-IP><backend-IP>.

^XX\.XX\.XX\.[0-9]+,.*$

 In the above regex,  "XX\.XX\.XX\.[0-9]+" matches client-ip.
The remaining ",.*" matches ",<load-balancer-ip>,<GFE-IP><backend-IP>".

Like
Reply
0 votes
sreenivasulu vadde
sreenivasulu vadde October 20, 2021

Thanks @Mehmet A _Bloompeak_  for your response !

Still no luck , it is allowing to access other IPs as well.

View More Comments
sreenivasulu vadde
sreenivasulu vadde October 20, 2021

Please ignore this comments , It is working fine.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
DEPLOYMENT TYPE
SERVER
VERSION
8.18.2
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security