You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Kasa, Nubli" <mm...@iu.edu> on 2016/08/01 17:39:52 UTC
RE: Tomcat 8 RemoteIpValve Issues
Chris,
This doesn't seem to be the case with a fresh new install on Tomcat 8 on Ubuntu. Our sysadmin also did a fresh install on Redhat with the same result.
-Nubli
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Sunday, July 31, 2016 8:43 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Tomcat 8 RemoteIpValve Issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Nubli,
On 7/28/16 3:30 PM, Kasa, Nubli wrote:
> It seems that requestAttributesEnabled="true" is required in order to
> make the valve work.
Note that requestAttributesEnabled="true" is the default. Did you change that default?
- -chris
> -----Original Message----- From: abhijitd@apple.com
> [mailto:abhijitd@apple.com] On Behalf Of Abhijit Das Sent:
> Thursday, July 28, 2016 12:37 PM To: Tomcat Users List
> <us...@tomcat.apache.org> Subject: Re: Tomcat 8 RemoteIpValve Issues
>
> This is how it works for me in Tomcat 8.x (I have hashed out some
> internal values) (some of my pattern may be redundant)
>
> 1.2.3.4 will be your LB IP, the IP that is used to talk to the server.
> typically the MIP or the SNIP.
>
> <Valve className="org.apache.catalina.valves.RemoteIpValve"
> internalProxies="1\.2\.3\.4" trustedProxies="1\.2\.3\.4"
> remoteIpHeader="X-Forwarded-For" proxiesHeader="x-forwarded-by"
> requestAttributesEnabled="true"/>
>
> <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="/var/xxx/yyy/zzz/logs" prefix=“application_access"
> suffix=".log" pattern="%t %h %{X-AUSERNAME}o %{Referer}i %l %S
> %{User-Agent}i %U %s %r %q %A %v %p %b %I %D"
> requestAttributesEnabled="true" resolveHosts="false"/>
>
> And, this is my access log :
>
> [28/Jul/2016:09:33:57 -0700] <client_IP> <userid> <url_accessed> -
> <session_id> Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5)
> AppleWebKit/601.6.16 (KHTML, like Gecko) Version/9.1.1
> Safari/601.6.16 <context> 200 POST <context> HTTP/1.1 <server
> instance IP> <Server base URL/FQDN> 443 181 http-nio-8443-exec-13
> 9
>
> On Jul 28, 2016, at 9:23 AM, Kasa, Nubli <mm...@iu.edu> wrote:
>
> Hi,
>
> We have been using RemoteIpValve in Tomcat 7 but it stopped working
> for us in Tomcat 8. Our load balancer will set a header named
> "X-Cluster-Client-Ip" with the client's IP as its value. We expect the
> client's IP value would be overwritten as the "remoteAddr" but it is
> not. It is working for us currently on Tomcat 7 but not on the server
> with Tomcat 8.
>
> I even created a fresh VM and install fresh apache-tomcat-8.0.36 on
> Ubuntu and added the following settings as a test:
>
> <Engine> . . .
>
> <Host name="localhost" appBase="webapps" unpackWARs="true"
> autoDeploy="true">
>
> <!-- SingleSignOn valve, share authentication between web applications
> Documentation at: /docs/config/valve.html --> <!-- <Valve
> className="org.apache.catalina.authenticator.SingleSignOn"
> /> -->
>
>
> <Valve className="org.apache.catalina.valves.RemoteIpValve"
> internalProxies="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\"
> remoteIpHeader="X-Cluster-Client-Ip" />
>
>
> <!-- Access log processes all example. Documentation at:
> /docs/config/valve.html Note: The pattern used is equivalent to using
> pattern="common" --> <Valve
> className="org.apache.catalina.valves.AccessLogValve"
> directory="logs" prefix="localhost_access_log" suffix=".txt"
> pattern="%h %{X-Cluster-Client-Ip}i %a %A %l %H %u %t "%r"
> %s %b" />
>
> </Host> </Engine>
>
> I then use a browser plugin to set X-Cluster-Client-Ip header with
> value "156.56.0.1" and GET the page /Home/Status on the same machine
> that is hosting Tomcat. I got the following results from
> AccessLogValve:
>
> 192.168.56.10 156.56.0.1 192.168.56.10 127.0.1.1 - HTTP/1.1 -
> [27/Jul/2016:16:59:11 -0400] "GET /Home/Status HTTP/1.1" 200 12274
>
> %h is still showing my browser IP - 192.168.56.10
> %{X-Cluster-Client-Ip}i correctly picks up the header value -
> 156.56.0.1 %a picks up my browser "Remote IP address" -
> 192.168.56.10 %A just picks up local IP - 127.0.1.1
>
> I have other people verified this issue and we can't seem to figure
> out if we are missing a configuration or if there is a bigger problem.
> We would appreciate any aid you can give us.
>
> Thank you, Nubli
>
>
>
>
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAled8lkACgkQ9CaO5/Lv0PC2BgCgpUKmD7kMQS2FyKI2YOBCboG1
aTkAoIV6pvffdipdhjI9p0q1EiCUeTMN
=BfdC
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Tomcat 8 RemoteIpValve Issues
Posted by "Kasa, Nubli" <mm...@iu.edu>.
Hi Chuck,
I downloaded the following package: http://www-us.apache.org/dist/tomcat/tomcat-8/v8.0.36/bin/apache-tomcat-8.0.36.tar.gz
Simply unpackaged it and started it with /bin/catalina.sh. Nothing was done except setting up localhost context and added the RemoteIpValve section in server.xml
This is done on a fresh install Ubuntu 16.04 LTS.
It is working now since we added requestAttributesEnabled="true". I understand that this is supposed to be the default but it doesn't seem to be the case.
-Nubli
-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
Sent: Monday, August 1, 2016 2:23 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: RE: Tomcat 8 RemoteIpValve Issues
> From: Kasa, Nubli [mailto:mmohdkas@iu.edu]
> Subject: RE: Tomcat 8 RemoteIpValve Issues
> This doesn't seem to be the case with a fresh new install on Tomcat 8
> on Ubuntu. Our sysadmin also did a fresh install on Redhat with the same result.
Install of what? A real Tomcat from tomcat.apache.org, or a 3rd-party repackaged (and reconfigured) version? For the latter, you may need to consult with the 3rd party, since they've been known to change the defaults somewhat arbitrarily.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Tomcat 8 RemoteIpValve Issues
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Kasa, Nubli [mailto:mmohdkas@iu.edu]
> Subject: RE: Tomcat 8 RemoteIpValve Issues
> This doesn't seem to be the case with a fresh new install on Tomcat 8 on Ubuntu. Our sysadmin
> also did a fresh install on Redhat with the same result.
Install of what? A real Tomcat from tomcat.apache.org, or a 3rd-party repackaged (and reconfigured) version? For the latter, you may need to consult with the 3rd party, since they've been known to change the defaults somewhat arbitrarily.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org