You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2014/01/24 00:14:58 UTC

[Bug 56058] New: AccessLogValve Local IP/port inconsistent

https://issues.apache.org/bugzilla/show_bug.cgi?id=56058

            Bug ID: 56058
           Summary: AccessLogValve Local IP/port inconsistent
           Product: Tomcat 6
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: andilist@gmx.de

Hi,
i think the logging of 
%A - Local IP address
%p - Local port on which this request was received
is inconsisstent if an ajp-connector is used.

%A logs the ip of the tomcat Server
%p logs the port of the Apache webserver

There should be a possibility to log:
1) the ip-address of the tomcat Server on which the request was recieved
2) the port of the tomcat Server on which the request was recieved

3) the ip-address of the webserver on which the request was recieved
4) the port of the webserver on which the request was recieved

Even 
%h - Remote host name (or IP address if resolveHosts is false) (and %a)
is not clear in case of an ajp-request.

There should be a possibility to log
5) the remote host of the ajp-request (= webserver)
6) the remote host of the webserver-request (= browser)

Use case:
i want to log, who is connecting to my tomcat Server. In case of ajp i can only
see the endusers ip (with %h).

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 56058] AccessLogValve Local IP/port inconsistent

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=56058

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
I've been looking at the source and doing some testing.

For the AJP protocol:
- %a and %h always refer to the client as seen by the reverse proxy
- %v is the host header received by the reverse proxy or the reverse proxy's
host name for HTTP/1.0 or HTTP/0.9 requests
- %A is always InetAddress.getLocalHost().getHostAddress() (or 127.0.0.1 if
that fails)
- %p is the port that the reverse proxy received the connection on

The IP address that the reverse proxy received the connection on is not
available in the AJP protocol. You could make this available by setting a
custom HTTP header in the reverse proxy and then displaying the value of that
header in the AccessLogValve.

Because of the way AJP is implemented, it is probably easiest to expose the
connector port the same way (since the reverse proxy must know what port it is
sending the request to).

It is highly unlikely that there is going to be any functional changes to
Tomcat 6 this area.

You do get much more control if you:
- upgrade to Tomcat 7.0.x or Tomcat 8.0.x
- switch to using HTTP rather than AJP for your reverse proxy
- use the RemoteIpValve or RemoteIpFilter
- configure the RemoteIpValve or RemoteIpFilter with
requestAttributesEnabled=true
- configure the AccessLogValve with requestAttributesEnabled=false

With this configuration the standard access log valve elements will record the
values as seen by Tomcat. The values as seen by the proxy will be available as
request attributes that can be included in the access log via the %{xxx}r
pattern.

I'm not going to resolve this just yet as I think the documentation (for all
Tomcat versions) could be improved to make clear exactly what gets logged
and/or when what gets logged varies.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 56058] AccessLogValve Local IP/port inconsistent

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=56058

--- Comment #2 from Rainer Jung <ra...@kippdata.de> ---
Some related info is contained in

http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html

It also contains the names of the Apache variables one can set if one wants to
override the data automatically forwarded via AJP by mod_jk (not
mod_proxy_ajp).

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org