dotCMS · wezell · May 22, 2026 · May 22, 2026 · May 22, 2026 · May 22, 2026
diff --git a/dotCMS/src/main/resources/container/tomcat9/bin/setenv.sh b/dotCMS/src/main/resources/container/tomcat9/bin/setenv.sh
@@ -99,7 +99,7 @@ export CMS_ACCESSLOG_ROTATABLE=${CMS_ACCESSLOG_ROTATABLE:-"true"}
 
 # Remote IP Valve settings
 export CMS_REMOTEIP_REMOTEIPHEADER=${CMS_REMOTEIP_REMOTEIPHEADER:-"x-forwarded-for"}
-export CMS_REMOTEIP_INTERNALPROXIES=${CMS_REMOTEIP_INTERNALPROXIES:-"10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|0:0:0:0:0:0:0:1"}
+export CMS_REMOTEIP_INTERNALPROXIES=${CMS_REMOTEIP_INTERNALPROXIES:-"(10|127)\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1"}
 # Cookie settings
 export DOT_SAMESITE_COOKIES=${DOT_SAMESITE_COOKIES:-"lax"}
 

diff --git a/dotCMS/src/main/resources/container/tomcat9/conf/server.xml b/dotCMS/src/main/resources/container/tomcat9/conf/server.xml
@@ -163,12 +163,13 @@
       <!-- The remote IP valve picks up the X-FORWARDED-FOR header (by default) and uses it as the source ip
            remoteIpHeader and internalProxies may need to change when behind some WAF or proxy servers
            Also handles port forwarding for Docker scenarios via X-Forwarded-Port
+           internalProxies regex uses \d\d?\d? instead of \d{1,3} — bare braces clash with IntrospectionUtils ${...} resolver
       -->
         <Valve
             className="org.apache.catalina.valves.RemoteIpValve"
             remoteIpHeader="${CMS_REMOTEIP_REMOTEIPHEADER:-x-forwarded-for}"
             remoteIpPortHeader="${CMS_REMOTEIP_PORTHEADER:-x-forwarded-port}"
-            internalProxies="${CMS_REMOTEIP_INTERNALPROXIES:-10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1}"
+            internalProxies="${CMS_REMOTEIP_INTERNALPROXIES:-(10|127)\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?|192\.168\.\d\d?\d?\.\d\d?\d?|169\.254\.\d\d?\d?\.\d\d?\d?|172\.(1[6-9]|2\d|3[01])\.\d\d?\d?\.\d\d?\d?|100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.\d\d?\d?\.\d\d?\d?|0:0:0:0:0:0:0:1|::1}"
         />
 
         <!-- Do not show server details up on BadRequest -->