Tomcat 8 RemoteHostValve无法正常工作

Question

The access to my server should be limited to some Remote hosts, and I want to allow Uptimerobot to monitor my server.

Currently uptimerobot gets always a 403 Forbidden.

I added Server.xml looks like this:

<Server .........>
  <Service name="Catalina">
      <Engine>
        <Value className="org.apache.catalina.valves.RemoteHostValve" allow=".*\.uptimerobot\.com" />
      </Engine>
  </Service>

To match all hosts in this list UptimeRobot Whitelist

But after restarting server nothing changed, still 403.

I also tried to use a domain-name without wildcards like this:

allow="engine19\.uptimerobot\.com"
allow="engine19.uptimerobot.com"

But still 403,

I tried to enable hostnamelookups with adding

enableLookups="true"

to the <Connector tag, but again no effect.

But in my logs I see that the access is resolved to "engine19.uptimerobot.com" wich matches my RemoteHost-Pattern.

Any Ideas, why it is still forbidden ?

EDIT:

Access via IP with

 <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="63\.143\.42\.244"/>

is working. But I dont want to add the whole list of ips there. Is it possible that RemoteAddrValve and RemoteHostValve are disturbing eachother ?

Answer 1

I have tried this and this worked for me

set useIPVHosts to true in connector (Inside server.xml).

I am using HTTP connector and it looks as follow

<Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="8443"
    enableLookups="true"
    useIPVHosts="true" />

Details of attributes can be found here

Answer 2

Check tomcat/logs/local_access_log... to see what host name used for 403.

I found that our company DNS reports some names in all uppercase and others in all lowercase. Use (?i) to have regex be case insensitive:

allow="(?i)engine19\.uptimerobot\.com"

If you have both RemoteHostValve and RemoteAddValve, both must allow an incoming host. If either does not allow then 403 will be returned.