In server.xml, at the Connector I specify proxyPort as 80.

Here's the xinetd service:

service http
{
        socket_type     = stream
        protocol        = tcp
        user            = tomcat6
        wait            = no
        bind            = 0.0.0.0
        port            = 80
        redirect        = 127.0.0.1 8080
        disable         = no
        flags           = REUSE
        log_type        = FILE /var/log/xinetd_http_access.log
        log_on_success  -= PID HOST DURATION EXIT

        per_source      = UNLIMITED
        instances       = UNLIMITED
}

Still, in the access logs of Tomcat I see lines like the following:

127.0.0.1 - - [17/Aug/2012:00:23:23 +0300] "GET / HTTP/1.1" 200 1975
127.0.0.1 - - [17/Aug/2012:00:23:23 +0300] "GET /_static/css/global.css HTTP/1.1" 304 -

Any ideas?

Poni

2 Answers

Can xinetd pass an X-FORWARDED-FOR HTTP header?

If Tomcat is behind a reverse proxy (e.g. nginx) that passes X-FORWARDED-FOR, i.e.:

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Then you can set in your Tomcat server.xml for the AccessLogValve:

pattern="%{X-Forwarded-For}i %l %u %t %r %s %b %{User-Agent}i %{Referer}i"

And you will get the originating IP address of the client in the access log.

Cheers

quanta
HTTP500
  • I guess I wasn't clear: There's xinetd (port 80). It forwards connections to Tomcat (port 8080). That's it. – Poni Aug 16 '12 at 21:53
  • 1
    @Poni, Well if you want more than port redirection then you probably need to run a reverse proxy... – HTTP500 Aug 16 '12 at 21:58
  • Yea, got nginx. Will probably use that, eventually. Was just curious, maybe someone knows better you know. – Poni Aug 16 '12 at 22:01
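One caveat behind that pattern, shown as an added example (not code from the answer, from nginx or from Tomcat): `%{X-Forwarded-For}i` logs the header verbatim, and with `$proxy_add_x_forwarded_for` nginx appends the peer it saw to whatever the client already sent, so the logged value is partly client-supplied. A log consumer should only read the client address out of the chain when the connection came from the trusted proxy (127.0.0.1 here, as in the question) and should walk the chain from the right, skipping its own proxies. The header values below are constructed.

```python
import ipaddress
from typing import Optional

# Proxies we operate. In the question, xinetd/nginx and Tomcat share one host,
# so the only hop Tomcat should ever trust is the loopback address.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def parse_ip(text: str) -> Optional[ipaddress._BaseAddress]:
    """Return the parsed address, or None if the hop is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted(addr: str) -> bool:
    ip = parse_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Address to log as the client for one request.

    peer_addr is the TCP peer Tomcat saw; xff_header is the raw
    X-Forwarded-For value (or None). The header is honoured only when the
    peer is a trusted proxy. The chain is then read right-to-left, because
    the rightmost entry is the one our proxy appended; trusted hops are
    skipped and the first address we did not add ourselves is returned.
    Anything unparsable is client-supplied junk, so we fall back to the peer.
    """
    if not xff_header or not is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if parse_ip(hop) is None:
            return peer_addr
        if not is_trusted(hop):
            return hop
    # Every hop was one of our own proxies: nothing better than the peer.
    return peer_addr


if __name__ == "__main__":
    # Direct client behind the local nginx: header is just the real address.
    print(client_ip("127.0.0.1", "203.0.113.5"))               # 203.0.113.5
    # Client tried to spoof a private address; nginx appended the truth.
    print(client_ip("127.0.0.1", "10.0.0.1, 203.0.113.5"))     # 203.0.113.5
    # Request did not come through our proxy: ignore the header entirely.
    print(client_ip("198.51.100.7", "10.0.0.1"))               # 198.51.100.7
```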
Nope, nothing can be done. You cannot do this with xinetd. It appeared to work for me, but then I realized that most of the IP addresses in the log are still 127.0.0.1.

I finally managed to get Tomcat running as a (mostly) restricted user using jsvc with the --user option. It is also possible with iptables.

h22