
I have a load balancer in front of an Apache httpd server, which in turn is in front of a server running Tomcat6. We're using Tomcat to run Shibboleth's IdP. The flow looks like this:

Client -> Load Balancer -> Apache httpd server (mod_proxy_ajp) -> Tomcat server

I'm looking to pass the client's IP to the Tomcat server. The LB passes the variable ClientIP to the httpd server, which I can parse in httpd's LogFormat as "%{ClientIP}i", but this obviously does not make it to the Tomcat server; instead, Tomcat logs the IP of the LB.

I've tried using Tomcat's RemoteIpValve as (in server.xml inside <Engine>):

```xml
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https" />
```

hoping that the use of mod_proxy would pass the IP in X-Forwarded-For, without success. I've seen posts on mod_rpaf, but I'm hoping to do this without additional Apache httpd mods.

I think I'm a couple of pieces away from tying all this together, but stuck in a rut. Any ideas?

KM.

1 Answer

If the load balancer is inserting the client IP address in a header called ClientIP, mod_proxy should pass that on to the Tomcat server without any special configuration. Try configuring the Tomcat RemoteIpValve to look for ClientIP instead of X-Forwarded-For. e.g.

```xml
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="ClientIP"
       protocolHeaderHttpsValue="https" />
```

Vortura
  • Thanks Vortura. I got the `ClientIP` logged into Tomcat's access logs by adjusting the `pattern` field, but I can't seem to get the `ClientIP` passed to the Shibboleth's IdP. Perhaps that is a separate question (-; but you wouldn't happen to know Shibboleth's IdP, would you? (-: – KM. Jun 15 '13 at 22:27
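
An added example, not part of the original posts: a simplified Python model of how a valve such as RemoteIpValve decides whether to honour the header named in `remoteIpHeader`. It shows why the valve's `internalProxies` pattern has to match the address Tomcat currently logs (the load balancer), and why a header arriving from any other peer is ignored. The function name and all addresses are constructed for illustration, and a single regex stands in for the proxy list.

```python
import re

# Assumption: the load balancer's address as Tomcat sees it (constructed value).
INTERNAL_PROXIES = re.compile(r"10\.0\.0\.5")


def resolve_client_ip(peer_addr, header_value, internal=INTERNAL_PROXIES):
    """Simplified model of the valve's client-address resolution.

    peer_addr    -- what request.getRemoteAddr() returns before the valve runs
    header_value -- raw value of the header named by remoteIpHeader, or None
    """
    # The header is only honoured when the direct peer is a known proxy;
    # otherwise any client could claim an arbitrary address.
    if header_value is None or not internal.fullmatch(peer_addr):
        return peer_addr

    hops = [h.strip() for h in header_value.split(",") if h.strip()]

    # Walk right to left: the rightmost entries were appended by the proxies
    # closest to Tomcat. Skip known proxies, stop at the first other address.
    for hop in reversed(hops):
        if not internal.fullmatch(hop):
            return hop

    # Every hop was a known proxy: keep the peer address.
    return peer_addr


if __name__ == "__main__":
    # Constructed requests: (peer address, ClientIP header value)
    samples = [
        ("10.0.0.5", "203.0.113.7"),              # via the load balancer
        ("198.51.100.9", "203.0.113.7"),          # header sent by an unknown peer
        ("10.0.0.5", "192.0.2.66, 203.0.113.7"),  # client-supplied value, LB appended
        ("10.0.0.5", None),                       # header missing
    ]
    for peer, header in samples:
        print(peer, repr(header), "->", resolve_client_ip(peer, header))
```

If the address the valve resolves is still the load balancer's, check that the pattern matches the peer address exactly and that the load balancer overwrites or appends to the header rather than passing a client-supplied value through unchanged.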