Posted to users@tomcat.apache.org by Johan van den Berg <vd...@unisa.ac.za> on 2006/07/17 11:52:20 UTC
Re: Patch to override request.getRemoteAddr if behind a reverse proxy
Except that I have 5 servers, each having 20 different apps, some of
which are 3rd party, so I *really* don't want to modify the app (closed
source).
This is a server infrastructure and configuration issue, none of which
any developer should ever be worried about...
Regards
Johan
On Mon, 2006-07-17 at 11:48 +0200, Ronald Klop wrote:
> On Sat Jul 15 13:38:47 CEST 2006 Tomcat Users List <us...@tomcat.apache.org> wrote:
> > Hi
> >
> > We needed to patch Tomcat for our site that has a Tomcat
> > behind Apache (mod_jk), that sits behind a reverse proxy load balancer.
> > The idea is basically to not use the TCP endpoint of Apache (which will
> > always point to the reverse proxy) to give the caller of
> > request.getRemoteAddr a valid IP, but rather retrieve it from a
> > configurable request header. In our case, we have hacked the Pound
> > loadbalancer to forward a request header called X-Pounded-For with each
> > request, and the value of this header is then used (if available) to
> > return the *real* client IP to the caller of request.getRemoteAddr or
> > request.getRemoteHost.
> >
> > Extract from server.xml:
> >
> > <!-- Define an AJP 1.3 Connector on port 8009 -->
> > <Connector port="8009" proxyRemoteAddrHeader="X-Pounded-For"
> > enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
> >
> >
> > Let me know if it is of any use to anyone else!
> >
> > Regards
> >
> > --
> > Johan van den Berg
> > Technical Webmaster
> > University of South Africa
> >
> > Cel: +27 73 201 3520
> > Tel: +27 12 429 2371
> >
> > Registered Linux user number 390606
> > http://counter.li.org/
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
>
> Hello,
>
> Instead of patching Tomcat, you can also make a util class/method like this.
>
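> import javax.servlet.http.HttpServletRequest;
>
> public final class ServletUtils {
>     // Address Tomcat reports for the trusted front-end proxy.
>     private static final String MY_TRUSTED_PROXY = "127.0.0.1";
>
>     // getHeader() is only defined on HttpServletRequest, not ServletRequest.
>     public static String getRemoteAddr(HttpServletRequest req) {
>         String remoteIp = req.getRemoteAddr();
>         // Only honour the header when the request arrived via the trusted proxy.
>         if (remoteIp.equals(MY_TRUSTED_PROXY)) {
>             String proxyIp = req.getHeader("X-Pounded-For");
>             if (proxyIp != null) {
>                 remoteIp = proxyIp;
>             }
>         }
>         return remoteIp;
>     }
> }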
>
>
> This makes your application know about your setup instead of Tomcat. Much more flexible and far fewer problems when upgrading Tomcat.
> You can also put this in a Filter which wraps the ServletRequest with your own version. This keeps your application clean and it just uses the standard Servlet extendabilities.
>
> Ronald.
>
Re: Patch to override request.getRemoteAddr if behind a reverse proxy
Posted by Johan van den Berg <vd...@unisa.ac.za>.
I'll accept as much, but understand that I just followed the same
approach that was taken with the proxyName and proxyPort parameters that
already solve a similar problem in Tomcat when sitting behind a reverse
proxy.
If that problem was solved with a Filter / Valve, I would have done the
same with my approach...
Regards
Johan
On Mon, 2006-07-17 at 12:08 +0200, Ronald Klop wrote:
> On Mon Jul 17 11:52:20 CEST 2006 Tomcat Users List <us...@tomcat.apache.org> wrote:
> > Except that I have 5 servers, each having 20 different apps, some of
> > which are 3rd party, so I *really* don't want to modify the app (closed
> > source).
> >
> > This is a server infrastructure and configuration issue, none of which
> > any developer should ever be worried about...
> >
> > Regards
> > Johan
>
> A Filter is really good to use in that case and if I remember
> correctly you can add it to conf/web.xml. Or you can create a Valve
> for Tomcat and put the code in there. Tomcat is already extendable
> without using patches.
>
> Ronald.
Re: Patch to override request.getRemoteAddr if behind a reverse proxy
Posted by Ronald Klop <ro...@base.nl>.
On Mon Jul 17 11:52:20 CEST 2006 Tomcat Users List <us...@tomcat.apache.org> wrote:
> Except that I have 5 servers, each having 20 different apps, some of
> which are 3rd party, so I *really* don't want to modify the app (closed
> source).
>
> This is a server infrastructure and configuration issue, none of which
> any developer should ever be worried about...
>
> Regards
> Johan
A Filter is really good to use in that case and if I remember correctly you can add it to conf/web.xml. Or you can create a Valve for Tomcat and put the code in there. Tomcat is already extendable without using patches.
Ronald.
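
The Filter approach suggested in this thread, as an added example that is not code from any of the posters or from Tomcat: it wraps the request so getRemoteAddr and getRemoteHost return the forwarded address, but only when the connection comes from the trusted proxy and the header value looks like an IP literal. The class name ProxyRemoteAddrFilter and the init-params trustedProxy and header are hypothetical, and the javax.servlet API of that era is assumed.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Added example: overrides the remote address only for requests relayed by the trusted proxy. */
public final class ProxyRemoteAddrFilter implements Filter {
    // Accept only characters found in IPv4/IPv6 literals, so arbitrary header
    // text never reaches access logs or IP-based access checks.
    private static final Pattern IP_LITERAL = Pattern.compile("[0-9A-Fa-f:.]{2,45}");

    private String trustedProxy; // address Tomcat reports for the proxy (hypothetical init-param)
    private String header;       // header the proxy sets, e.g. X-Pounded-For (hypothetical init-param)

    public void init(FilterConfig cfg) throws ServletException {
        trustedProxy = cfg.getInitParameter("trustedProxy");
        header = cfg.getInitParameter("header");
        if (trustedProxy == null || header == null) {
            throw new ServletException("trustedProxy and header init-params are required");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            String forwarded = http.getHeader(header);
            // Honour the header only when the peer is the proxy itself:
            // a client that reaches Tomcat by another path can set any header it likes.
            if (trustedProxy.equals(http.getRemoteAddr()) && forwarded != null
                    && IP_LITERAL.matcher(forwarded.trim()).matches()) {
                final String clientIp = forwarded.trim();
                req = new HttpServletRequestWrapper(http) {
                    public String getRemoteAddr() { return clientIp; }
                    public String getRemoteHost() { return clientIp; }
                };
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The proxy must also overwrite any copy of the header that the client sent, otherwise the value passed through is still client-controlled.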