Posted to users@tomcat.apache.org by Leon Rosenberg <ro...@gmail.com> on 2021/06/14 16:01:29 UTC

Tomcat doesn't pick up RemoteIp from RemoteIpValve Configuration

hi,
I have a tomcat 8.5.15 behind an apache behind cloudflare. I am trying to
"see" the user's ip in my logs. When I print out the headers I see that I
have headers in the request
CF-Connecting-IP
and
X-Forwarded-For
with real user's ip, say 93.72.251.122. But when I make a request to
request.getRemoteAddr() it returns 162.158.103.188 which is cloudflare's
ip address, not the real one.
I added to the server.xml the RemoteIpValve in different configurations under
"Host", i.e.:
 <Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
protocolHeader="x-forwarded-proto"
/>

 <Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="X-Forwarded-For"
protocolHeader="X-Forwarded-Proto"
/>

or assuming for defaults:
 <Valve className="org.apache.catalina.valves.RemoteIpValve"
/>

or even:
 <Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="CF-Connecting-IP"
/>

but none of them give me the getRemoteAddr properly. Is there a trick to
this configuration?

kr
Leon

Re: Tomcat doesn't pick up RemoteIp from RemoteIpValve Configuration

Posted by Leon Rosenberg <ro...@gmail.com>.
and to add a quick note to that, the log-output when I am using
trustedProxies is "skip" for nearly everything:

15-Jun-2021 00:22:09.543 FINE [ajp-nio-8013-exec-23]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request
/api/v1/loginpixel/B:0BB57BE90B9C750FE773604354BF6E4D1920EF76D5500AE8673BD599D668983223A8666226FED1087E61D0E99A19F6EBEB8E64DB0BEE6BC3A5F20DCDC06FE4C27EFEE1B535C49367BCFB034E176AF8E40EE0A43F54C1D0D4DEFAAE38C9C2426DD6E585F2A7548076C577D291011712E3BDEEE4D8DCBAE7D5B7A144B0B06011E9
with originalRemoteAddr '198.41.242.13'
15-Jun-2021 00:22:09.544 FINE [ajp-nio-8013-exec-7]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /photos/b/EA01F2D2BB616202A4F4A55E650D684D/300/ with
originalRemoteAddr '198.41.242.13'
15-Jun-2021 00:22:09.544 FINE [ajp-nio-8013-exec-9]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /photos/d/1390B1ED751C81B39B21785D818F4570/300/ with
originalRemoteAddr '198.41.242.13'
15-Jun-2021 00:22:09.544 FINE [ajp-nio-8013-exec-18]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-int/js/extRegUpdatePassword.js with originalRemoteAddr
'198.41.242.13'
15-Jun-2021 00:22:09.547 FINE [ajp-nio-8013-exec-15]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-int/js/websocket/websocket.js with originalRemoteAddr
'198.41.242.49'
15-Jun-2021 00:22:09.544 FINE [ajp-nio-8013-exec-16]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /photos/d/531BD3EA43EC8662E9BA9967689AEEBC/300/ with
originalRemoteAddr '198.41.242.13'
15-Jun-2021 00:22:09.548 FINE [ajp-nio-8013-exec-12]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-int/img/avatars/no_avatar_woman_1_lg.png with
originalRemoteAddr '198.41.242.73'
15-Jun-2021 00:22:09.549 FINE [ajp-nio-8013-exec-6]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-int/img/avatars/no_avatar_woman_4_lg.png with
originalRemoteAddr '198.41.242.119'
15-Jun-2021 00:22:09.640 FINE [ajp-nio-8013-exec-24]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-int/img/avatars/no_avatar_woman_5_lg.png with
originalRemoteAddr '198.41.242.153'
15-Jun-2021 00:22:09.651 FINE [ajp-nio-8013-exec-3]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-ext/firebase/firebase-messaging.js.map with
originalRemoteAddr '198.41.242.13'
15-Jun-2021 00:22:09.666 FINE [ajp-nio-8013-exec-8]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-ext/firebase/firebase-app.js.map with originalRemoteAddr
'198.41.242.13'


Re: Tomcat doesn't pick up RemoteIp from RemoteIpValve Configuration

Posted by Leon Rosenberg <ro...@gmail.com>.
ok, quick update: it didn't work with 198\.41\..* or .* at first, but it
worked after I changed attribute name from trustedProxies to
internalProxies.
kr
Leon


Re: Tomcat doesn't pick up RemoteIp from RemoteIpValve Configuration

Posted by Leon Rosenberg <ro...@gmail.com>.
On Mon, Jun 14, 2021 at 10:57 PM Christopher Schultz <
chris@christopherschultz.net> wrote:

> Leon,
>
> On 6/14/21 16:26, Leon Rosenberg wrote:
> > Thanks for the response Mark,
> >
> > quick question, do I have to add all cloudflare ips? They kind of
> > distributed along the world... Can I mark the trustworthiness by a
> header
> > instead?
> > kr
> > Leon
> >
> > On Mon, Jun 14, 2021 at 9:45 PM Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 14/06/2021 17:01, Leon Rosenberg wrote:
> >>> hi,
> >>> I have a tomcat 8.5.15 behind an apache behind cloudflare. I am trying
> to
> >>> "see" the user's ip in my logs. When I print out the headers I see
> that I
> >>> have headers in the request
> >>> CF-Connecting-IP
> >>> and
> >>> X-Forwarded-For
> >>> with real user's ip, say 93.72.251.122. But when I make a request to
> >>> request.getRemoteAddr() it returns 162.158.103.188 which is
> cloudflare's
> >>> ip address, not the real one.
> >>> I added to the server.xml the RemoteIpValve in different configurations
> >>> under "Host", i.e.:
> >>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
> >>> remoteIpHeader="x-forwarded-for"
> >>> protocolHeader="x-forwarded-proto"
> >>> />
> >>>
> >>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
> >>> remoteIpHeader="X-Forwarded-For"
> >>> protocolHeader="X-Forwarded-Proto"
> >>> />
> >>>
> >>> or assuming for defaults:
> >>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
> >>> />
> >>>
> >>> or even:
> >>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
> >>> remoteIpHeader="CF-Connecting-IP"
> >>> />
> >>>
> >>> but none of them give me the getRemoteAddr properly. Is there a trick
> to
> >>> this configuration?
> >>
> >> You need to tell Tomcat that 162.158.103.188 is trusted. Setting
> >> trustedProxies="162\.158\.103\.188" should do the trick.
> >>
> >> There is debug logging in that Valve so you can set
> >>
> >> org.apache.catalina.valves.RemoteIpValve.level=FINE
> >>
> >> in $CATALINA_BASE/conf/logging.properties to get debug logging which
> >> should help you see what is going on.
> >>
> >> Mark
>
> trustedProxies=".*" ??
>
>
Hi Chris,


> What happens if someone connects to your origin server directly? Would
> you trust an X-Forwarded-For header from them?
>

That's an excellent question, Chris! I don't know the answer yet, the only
thing we need the ip for is to have something in case of payment-fraud, and
since you can't get any physical goods on this site I guess it would be ok
to trust it.
kr
leon


>
> -chris

Re: Tomcat doesn't pick up RemoteIp from RemoteIpValve Configuration

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Leon,

On 6/14/21 16:26, Leon Rosenberg wrote:
> Thanks for the response Mark,
> 
> quick question, do I have to add all cloudflare ips? They kind of
> distributed along the world... Can I mark the trustworthiness by a header
> instead?
> kr
> Leon
> 
> On Mon, Jun 14, 2021 at 9:45 PM Mark Thomas <ma...@apache.org> wrote:
> 
>> On 14/06/2021 17:01, Leon Rosenberg wrote:
>>> hi,
>>> I have a tomcat 8.5.15 behind an apache behind cloudflare. I am trying to
>>> "see" the user's ip in my logs. When I print out the headers I see that I
>>> have headers in the request
>>> CF-Connecting-IP
>>> and
>>> X-Forwarded-For
>>> with real user's ip, say 93.72.251.122. But when I make a request to
>>> request.getRemoteAddr() it returns 162.158.103.188 which is cloudflare's
>>> ip address, not the real one.
>>> I added to the server.xml the RemoteIpValve in different configurations
>>> under "Host", i.e.:
>>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
>>> remoteIpHeader="x-forwarded-for"
>>> protocolHeader="x-forwarded-proto"
>>> />
>>>
>>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
>>> remoteIpHeader="X-Forwarded-For"
>>> protocolHeader="X-Forwarded-Proto"
>>> />
>>>
>>> or assuming for defaults:
>>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
>>> />
>>>
>>> or even:
>>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
>>> remoteIpHeader="CF-Connecting-IP"
>>> />
>>>
>>> but none of them give me the getRemoteAddr properly. Is there a trick to
>>> this configuration?
>>
>> You need to tell Tomcat that 162.158.103.188 is trusted. Setting
>> trustedProxies="162\.158\.103\.188" should do the trick.
>>
>> There is debug logging in that Valve so you can set
>>
>> org.apache.catalina.valves.RemoteIpValve.level=FINE
>>
>> in $CATALINA_BASE/conf/logging.properties to get debug logging which
>> should help you see what is going on.
>>
>> Mark

trustedProxies=".*" ??

What happens if someone connects to your origin server directly? Would 
you trust an X-Forwarded-For header from them?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
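
The question in the message above can be made concrete. The following Java program is an added example, not code from this thread or from Tomcat: it models how a valve of this kind chooses the client address from X-Forwarded-For, and compares a `.*` proxy pattern with one limited to the proxy addresses seen in this thread. The single `proxyPattern`, the class and method names, and the addresses 203.0.113.7 and 192.0.2.55 are assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class ForwardedForTrustDemo {

    // Model of a RemoteIpValve-style decision; not Tomcat's source.
    // proxyPattern is a single regex standing in for the valve's proxy attributes (assumption).
    static String resolveClientIp(String peerAddr, String forwardedFor, Pattern proxyPattern) {
        // Connecting peer is not a configured proxy: the header is ignored
        // (the "Skip RemoteIpValve" case in the FINE log).
        if (!proxyPattern.matcher(peerAddr).matches()) {
            return peerAddr;
        }
        if (forwardedFor == null || forwardedFor.trim().isEmpty()) {
            return peerAddr;
        }
        // Walk right to left: rightmost entries were appended by the nearest hops.
        // Stop at the first entry that is not a configured proxy.
        String candidate = peerAddr;
        String[] hops = forwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            candidate = hops[i].trim();
            if (!proxyPattern.matcher(candidate).matches()) {
                break;
            }
        }
        // If every entry matched, the leftmost (client-supplied) entry is returned.
        return candidate;
    }

    static void show(String label, String peer, String xff, Pattern p) {
        System.out.printf("%-34s peer=%-16s XFF=[%s] -> %s%n",
                label, peer, xff, resolveClientIp(peer, xff, p));
    }

    public static void main(String[] args) {
        Pattern wideOpen = Pattern.compile(".*");
        // Covers only the proxy addresses that appear in this thread.
        Pattern restricted = Pattern.compile("162\\.158\\.103\\.188|198\\.41\\.242\\.\\d{1,3}");

        String cf = "162.158.103.188";   // proxy address from the thread
        String user = "93.72.251.122";   // real client address from the thread
        String direct = "203.0.113.7";   // constructed: peer that bypasses the proxy
        String forged = "192.0.2.55";    // constructed: value placed in the header by the client

        for (Pattern p : new Pattern[] {wideOpen, restricted}) {
            String name = p == wideOpen ? ".*" : "restricted";
            show(name + " / via proxy", cf, user, p);
            show(name + " / via proxy, padded header", cf, forged + ", " + user, p);
            show(name + " / direct to origin", direct, forged, p);
        }
    }
}
```

With `.*`, the padded-header and direct cases both resolve to 192.0.2.55, the value the client chose; with the restricted pattern they resolve to 93.72.251.122 and 203.0.113.7 respectively.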


Re: Tomcat doesn't pick up RemoteIp from RemoteIpValve Configuration

Posted by Leon Rosenberg <ro...@gmail.com>.
Thanks for the response Mark,

quick question, do I have to add all cloudflare ips? They kind of
distributed along the world... Can I mark the trustworthiness by a header
instead?
kr
Leon


Re: Tomcat doesn't pick up RemoteIp from RemoteIpValve Configuration

Posted by Mark Thomas <ma...@apache.org>.
On 14/06/2021 17:01, Leon Rosenberg wrote:
> hi,
> I have a tomcat 8.5.15 behind an apache behind cloudflare. I am trying to
> "see" the user's ip in my logs. When I print out the headers I see that I
> have headers in the request
> CF-Connecting-IP
> and
> X-Forwarded-For
> with real user's ip, say 93.72.251.122. But when I make a request to
> request.getRemoteAddr() it returns 162.158.103.188 which is cloudflare's
> ip address, not the real one.
> I added to the server.xml the RemoteIpValve in different configurations under
> "Host", i.e.:
>   <Valve className="org.apache.catalina.valves.RemoteIpValve"
> remoteIpHeader="x-forwarded-for"
> protocolHeader="x-forwarded-proto"
> />
> 
>   <Valve className="org.apache.catalina.valves.RemoteIpValve"
> remoteIpHeader="X-Forwarded-For"
> protocolHeader="X-Forwarded-Proto"
> />
> 
> or assuming for defaults:
>   <Valve className="org.apache.catalina.valves.RemoteIpValve"
> />
> 
> or even:
>   <Valve className="org.apache.catalina.valves.RemoteIpValve"
> remoteIpHeader="CF-Connecting-IP"
> />
> 
> but none of them give me the getRemoteAddr properly. Is there a trick to
> this configuration?

You need to tell Tomcat that 162.158.103.188 is trusted. Setting 
trustedProxies="162\.158\.103\.188" should do the trick.

There is debug logging in that Valve so you can set

org.apache.catalina.valves.RemoteIpValve.level=FINE

in $CATALINA_BASE/conf/logging.properties to get debug logging which 
should help you see what is going on.

Mark
