1

We are injecting the x-forwarded-for header in the load balancer, which sends the request to the Apache web server, which in turn proxies (mod_proxy_balancer) the request to the backend Tomcat server. We are seeing the client IP in the 'x-forwarded-for' header on Apache, but we get '-' in the Tomcat access logs.

We have added the load balancer IP to the internalProxies list on Tomcat.

From https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html it looks like for secure connections (requests coming from internal Proxies) the x-forwarded-for becomes NULL and the client IP is assigned to the remote address. Is that correct? Is there a way to keep the client IP in the x-forwarded-for header on Tomcat when using the internal Proxy setting?

Thanks

akay

1 Answer

-1

AJP is being used in our case between the web servers and Tomcat servers. Update: I found this answer in the Tomcat documentation, https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html, which is what I think is happening. Specifically:

If the incoming request.getRemoteAddr() matches the valve's list of internal proxies:

  • Loop on the comma delimited list of IPs and hostnames passed by the preceding load balancer or proxy in the given request's Http header named $remoteIpHeader (default value x-forwarded-for). Values are processed in right-to-left order. For each ip/host of the list:
      • if it matches the internal proxies list, the ip/host is swallowed
      • if it matches the trusted proxies list, the ip/host is added to the created proxies header
      • otherwise, the ip/host is declared to be the remote ip and looping is stopped.
  • If the request http header named $protocolHeader (e.g. x-forwarded-for) equals to the value of protocolHeaderHttpsValue configuration parameter (default https) then request.isSecure = true, request.scheme = https and request.serverPort = 443. Note that 443 can be overwritten with the $httpsServerPort configuration parameter.

Stephen
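
The right-to-left walk quoted in the answer, as an added example that is not part of either post and is not Tomcat's code. It is a simplified model: the function name, the sample addresses and the use of plain IP sets (the real valve matches regular expressions) are assumptions. It shows why the header can end up empty on Tomcat once the client IP has been promoted to the remote address, and why a value the client put into the header itself is never chosen as the remote address.

```python
# Simplified model of the right-to-left walk described above; not Tomcat source.
# Assumption: proxy lists are plain IP sets (the real valve matches regexes).

def resolve_remote_ip(remote_addr, xff, internal, trusted):
    """Return (remote_addr, proxies_header, x_forwarded_for) after processing."""
    unchanged = (remote_addr, None, xff)
    # The valve only acts when the direct peer is a listed internal proxy.
    if remote_addr not in internal or not xff:
        return unchanged
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    proxies = []
    idx = len(hops) - 1
    while idx >= 0:                   # right-to-left
        hop = hops[idx]
        if hop in internal:
            pass                      # swallowed
        elif hop in trusted:
            proxies.insert(0, hop)    # recorded in the proxies header
        else:
            break                     # first non-proxy hop is the remote ip
        idx -= 1
    if idx < 0:
        return unchanged              # every hop was a proxy: nothing to promote
    remaining = hops[:idx]            # entries left of the chosen remote ip
    return (hops[idx], ", ".join(proxies) or None, ", ".join(remaining) or None)

# Constructed sample addresses (documentation and private ranges).
INTERNAL = {"10.0.0.10", "10.0.0.11"}
TRUSTED = {"192.0.2.20"}

if __name__ == "__main__":
    cases = [
        "203.0.113.7",                            # only the client: header empties
        "198.51.100.99, 203.0.113.7, 10.0.0.11",  # client-supplied value on the left
        "203.0.113.7, 192.0.2.20",                # trusted proxy in the chain
    ]
    for xff in cases:
        print(xff, "->", resolve_remote_ip("10.0.0.10", xff, INTERNAL, TRUSTED))
```
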