Restrict internet access to tomcat application in azure vm with Load balancer


My setup is: public-facing LB - Linux VM - Apache Tomcat: 2 applications - https://example.com and https://example.com/api/xxx. Now all security groups and rules are in place and I am able to access everything perfectly.

Need: I need to restrict access to the URL https://example.com from the internet. It should only be accessible from the client's internal network.

Done so far: Since the LB doesn't support URL-based restriction, I thought of doing this restriction in Tomcat using RemoteCIDRValve. I provided the below inside the respective context.

<Valve className="org.apache.catalina.valves.RemoteCIDRValve" allow="111.11.111.0/22,222.22.222.0/22, ::1"/>

But it is allowing all the other IP addresses also. It is because when the request comes in, it is coming via the load balancer, so the IP is in allowed CIDR range. My original thought was that the LB will send the client's ip from where the request originates.

Please throw some light on solving this. What needs to be corrected here? Or is there any other way to solve it?

My complete config is below. This is inside HOST:

<Valve className="org.apache.catalina.valves.RemoteIpValve"  />

<Host name="example.com" appBase="xxxapps"
    unpackWARs="true"  autoDeploy="true" deployOnStartup="true">

    <Context name="API" path="/yyy" docBase="yyy.war"></Context>

    <Context name="Portal" path="" docBase="zzz.war">
        <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
        allow="xxx.yyy.zz.d/y, ::1"/>
    </Context>

    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs/xxxlogs"
        prefix="xxx_access_log" suffix=".txt"
        pattern="%h %l %u %t &quot;%r&quot; %s %b %{x-forwarded-for}i %{x-forwarded-by}i"
        requestAttributesEnabled="true" />
</Host>


Piotr P. Karwasz

If the load balancer adds X-Forwarded-For headers (very likely), you just need to add a RemoteIpValve to your engine:

<Engine name="Catalina">
    <Valve className="org.apache.catalina.valves.RemoteIpValve" />
    ...
</Engine>

On recent Tomcat versions all valve attributes have reasonable defaults.

Edit: As you state in your comment, your domain name points additionally to Cloudflare servers. I don't know how they assign IPs to customers, but if the number of IPs is limited (e.g. the 172.70.95.0/24 network) you can use:

<Engine name="Catalina">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           trustedProxies="172\.70\.95\.\d+" />
    ...
</Engine>
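To make the behaviour of the two valves concrete, here is an added Python model (not Tomcat's code and not part of the question or answer) of how RemoteIpValve resolves the client address from X-Forwarded-For and how RemoteCIDRValve then applies its allow list. It approximates Tomcat's default internalProxies regex with CIDR networks, and all addresses (LB 10.0.1.4, office range 203.0.113.0/24, internet client 198.51.100.77, Cloudflare-style hop 172.70.95.10) are constructed sample values. It reproduces the failure in the question (the LB address is what RemoteCIDRValve sees), the fix in the answer, and the trustedProxies case from the edit.

```python
import ipaddress

# Constructed approximation of RemoteIpValve's default internalProxies
# (Tomcat uses a regex; CIDR networks are used here for readability).
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "100.64.0.0/10", "::1/128",
)]


def in_any(addr, networks):
    """True if addr (string) belongs to any of the given ip_network objects."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def resolve_client_ip(peer_addr, x_forwarded_for, trusted_proxies=()):
    """Model of RemoteIpValve: return (effective remote address, hops recorded
    in X-Forwarded-By). X-Forwarded-For is only honoured when the TCP peer is
    an internal proxy; hops are walked right-to-left and internal/trusted hops
    are stripped until the first address that is not a known proxy."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    if not in_any(peer_addr, INTERNAL_PROXIES):
        return peer_addr, []          # peer is not our proxy: header is untrusted
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    forwarded_by = []
    remote = peer_addr
    while hops:
        remote = hops.pop()           # rightmost hop was appended by the nearest proxy
        if in_any(remote, INTERNAL_PROXIES):
            continue                  # internal hop: dropped, not recorded
        if in_any(remote, trusted):
            forwarded_by.insert(0, remote)   # trusted hop: recorded, keep walking
            continue
        break                         # first non-proxy address is the client
    return remote, forwarded_by


def cidr_allowed(remote_addr, allow_cidrs):
    """Model of RemoteCIDRValve's allow check on the (resolved) remote address."""
    return in_any(remote_addr, [ipaddress.ip_network(c) for c in allow_cidrs])


def portal_allowed(peer_addr, x_forwarded_for, allow_cidrs,
                   trusted_proxies=(), remote_ip_valve=True):
    """Combined decision for the Portal context, with or without RemoteIpValve."""
    remote = peer_addr
    if remote_ip_valve:
        remote, _ = resolve_client_ip(peer_addr, x_forwarded_for, trusted_proxies)
    return cidr_allowed(remote, allow_cidrs)


# Constructed sample values: LB inside the VNet, office range 203.0.113.0/24,
# an arbitrary internet client, and a Cloudflare-style hop in 172.70.95.0/24.
LB = "10.0.1.4"
OFFICE = "203.0.113.10"
INTERNET = "198.51.100.77"
CF_HOP = "172.70.95.10"
ALLOW = ("203.0.113.0/24", "10.0.0.0/8")   # as in the question, this covers the LB itself

if __name__ == "__main__":
    print("no RemoteIpValve, internet client:",
          portal_allowed(LB, INTERNET, ALLOW, remote_ip_valve=False))
    print("RemoteIpValve, internet client:  ", portal_allowed(LB, INTERNET, ALLOW))
    print("RemoteIpValve, office client:    ", portal_allowed(LB, OFFICE, ALLOW))
    print("via Cloudflare, untrusted hop:   ",
          portal_allowed(LB, OFFICE + ", " + CF_HOP, ALLOW))
    print("via Cloudflare, trustedProxies:  ",
          portal_allowed(LB, OFFICE + ", " + CF_HOP, ALLOW, ("172.70.95.0/24",)))
    print("spoofed header, peer not a proxy:",
          resolve_client_ip(INTERNET, OFFICE))
```

Two points worth checking in your own logs (the `%{x-forwarded-for}i %{x-forwarded-by}i` pattern in the question shows them): the valve walks the header from the right, so a client-supplied X-Forwarded-For value is never taken as the client address as long as every hop between the client and Tomcat is listed as internal or trusted, and the header is ignored entirely when the TCP peer is not an internal proxy. Also, once RemoteIpValve is in place, keep the LB's own network out of the RemoteCIDRValve allow list; a request arriving without any X-Forwarded-For would otherwise still pass on the LB address.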