Posted to dev@tomcat.apache.org by Johan van den Berg <vd...@unisa.ac.za> on 2006/07/14 22:21:38 UTC

Patch to override request.getRemoteAddr if behind a reverse proxy

Hi

I'm totally new to hacking Tomcat, so excuse if I'm not following the
proper procedure, but needed to do this for our site that has a Tomcat
behind Apache (mod_jk), that sits behind a reverse proxy load balancer.
The idea is basically to not use the TCP endpoint of Apache (which will
always point to the reverse proxy) to give the caller of
request.getRemoteAddr a valid IP, but rather retrieve it from a
configurable request header. In our case, we have hacked the Pound
loadbalancer to forward a request header called X-Pounded-For with each
request, and the value of this header is then used (if available) to
return the *real client IP to the caller of request.getRemoteAddr or
request.getRemoteHost.

Extract from server.xml:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" proxyRemoteAddrHeader="X-Pounded-For"
enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />


Let me know if it is of any use to anyone else!

Regards

-- 
Johan van den Berg
Technical Webmaster
University of South Africa

Cel: +27 73 201 3520
Tel: +27 12 429 2371

Registered Linux user number 390606
http://counter.li.org/

Re: Patch to override request.getRemoteAddr if behind a reverse proxy

Posted by Mladen Turk <mt...@apache.org>.
Filip Hanik - Dev Lists wrote:
> This is a question for the user list, it might be better for you to take 
> the inquiries there, and you shouldn't need to hack tomcat for something 
> like this.
> Simply create a filter, that wraps your HttpServletRequest in a 
> HttpServletRequestWrapper,
> 
> worst case you could create Valve that does it for you, either way, you 
> can avoid changing tomcat code.
>

That's one solution.
The other would be to check the Apache directives,
and try to rewrite the headers.

Regards,
Mladen.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
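
The filter approach suggested in the quoted reply above, sketched as an added example (not code from this thread or from Tomcat). The class name `ProxyRemoteAddrFilter` and the init-param names `header` and `trustedProxies` are assumptions; it uses the `javax.servlet` API and honours the header only when the request's peer address is a configured proxy and the value is an IP literal.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter: trust the proxy's client-address header only from known proxy peers. */
public class ProxyRemoteAddrFilter implements Filter {
    private static final Pattern IPV4 = Pattern.compile(
        "(25[0-5]|2[0-4]\\d|1?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|1?\\d?\\d)){3}");
    private static final Pattern IPV6_CHARS = Pattern.compile("[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*");
    private String header;                            // e.g. X-Pounded-For
    private final Set<String> trustedProxies = new HashSet<String>();

    public void init(FilterConfig cfg) {
        header = cfg.getInitParameter("header");      // assumed init-param names
        String proxies = cfg.getInitParameter("trustedProxies");
        if (proxies != null) trustedProxies.addAll(Arrays.asList(proxies.trim().split("\\s*,\\s*")));
    }

    /** Accepts IP literals only, so a header value never triggers a DNS lookup. */
    static boolean isIpLiteral(String s) {
        if (s == null) return false;
        if (IPV4.matcher(s).matches()) return true;
        if (!IPV6_CHARS.matcher(s).matches()) return false;
        try { InetAddress.getByName(s); return true; } catch (UnknownHostException e) { return false; }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String value = header == null ? null : http.getHeader(header);
        final String client = value == null ? null : value.trim();
        // Honour the header only when the TCP peer is a configured proxy and the value is an IP.
        if (trustedProxies.contains(http.getRemoteAddr()) && isIpLiteral(client)) {
            req = new HttpServletRequestWrapper(http) {
                @Override public String getRemoteAddr() { return client; }
                @Override public String getRemoteHost() { return client; }
            };
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```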


Re: Patch to override request.getRemoteAddr if behind a reverse proxy

Posted by Johan van den Berg <vd...@unisa.ac.za>.
Then why was proxyPort and proxyName not done in a Valve or Filter? I
assumed that I should be following the same route that other, similar
requirements followed.

With regards to a Filter, what if I have 30 webapps, and each one needs
the correct request.getRemoteAddr? Could one map a filter globally over
all webapps in the same Tomcat?

Regards
Johan

On Fri, 2006-07-14 at 15:45 -0500, Filip Hanik - Dev Lists wrote:
> This is a question for the user list, it might be better for you to take 
> the inquiries there, and you shouldn't need to hack tomcat for something 
> like this.
> Simply create a filter, that wraps your HttpServletRequest in a 
> HttpServletRequestWrapper,
> 
> worst case you could create Valve that does it for you, either way, you 
> can avoid changing tomcat code.
> 
> Filip
> 
> Johan van den Berg wrote:
> > Hi
> >
> > I'm totally new to hacking Tomcat, so excuse if I'm not following the
> > proper procedure, but needed to do this for our site that has a Tomcat
> > behind Apache (mod_jk), that sits behind a reverse proxy load balancer.
> > The idea is basically to not use the TCP endpoint of Apache (which will
> > always point to the reverse proxy) to give the caller of
> > request.getRemoteAddr a valid IP, but rather retrieve it from a
> > configurable request header. In our case, we have hacked the Pound
> > loadbalancer to forward a request header called X-Pounded-For with each
> > request, and the value of this header is then used (if available) to
> > return the *real client IP to the caller of request.getRemoteAddr or
> > request.getRemoteHost.
> >
> > Extract from server.xml:
> >
> > <!-- Define an AJP 1.3 Connector on port 8009 -->
> > <Connector port="8009" proxyRemoteAddrHeader="X-Pounded-For"
> > enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
> >
> >
> > Let me know if it is of any use to anyone else!
> >
> > Regards
> >
> >   
> > ------------------------------------------------------------------------
> >
> > Index: container/catalina/src/share/org/apache/catalina/connector/CoyoteAdapter.java
> > ===================================================================
> > --- container/catalina/src/share/org/apache/catalina/connector/CoyoteAdapter.java	(revision 421580)
> > +++ container/catalina/src/share/org/apache/catalina/connector/CoyoteAdapter.java	(working copy)
> > @@ -198,12 +198,23 @@
> >          // Override if the proxyPort/proxyHost are set 
> >          String proxyName = connector.getProxyName();
> >          int proxyPort = connector.getProxyPort();
> > +        String proxyRemoteAddrHeader = connector.getProxyRemoteAddrHeader();
> > +        
> >          if (proxyPort != 0) {
> >              req.setServerPort(proxyPort);
> >          }
> >          if (proxyName != null) {
> >              req.serverName().setString(proxyName);
> >          }
> > +        if (proxyRemoteAddrHeader != null) {
> > +        	String remoteAddr = req.getHeader(proxyRemoteAddrHeader);
> > +        	if (remoteAddr != null) {
> > +                req.remoteAddr().setString(remoteAddr);
> > +                req.remoteHost().setString(remoteAddr);
> > +                request.setRemoteAddr(remoteAddr);
> > +                request.setRemoteHost(remoteAddr);        		
> > +        	}
> > +        }
> >  
> >          // URI decoding
> >          MessageBytes decodedURI = req.decodedURI();
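Review bot: In the added `if (proxyRemoteAddrHeader != null)` block, the value from `req.getHeader(proxyRemoteAddrHeader)` is written to remoteAddr and remoteHost without checking where the request came from or what the value looks like, so whatever arrives in that header becomes the answer to getRemoteAddr(), including for any access rules and logs that rely on it. Suggest applying the override only when the original `req.remoteAddr()` matches a configured list of proxy addresses, and ignoring values that are not a single IP literal (empty, or a comma-separated list). The block is also indented with tabs where the surrounding lines use spaces.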
> > Index: container/catalina/src/share/org/apache/catalina/connector/Connector.java
> > ===================================================================
> > --- container/catalina/src/share/org/apache/catalina/connector/Connector.java	(revision 421580)
> > +++ container/catalina/src/share/org/apache/catalina/connector/Connector.java	(working copy)
> > @@ -155,6 +155,14 @@
> >       * the port number specified by the <code>port</code> property is used.
> >       */
> >      protected int proxyPort = 0;
> > +    
> > +    
> > +    /**
> > +     * The request header that should be use to populate the request object's
> > +     * remoteAddr field. This is commonly used behind reverse proxy's that pass
> > +     * the real client IP via a request header, such as <code>X-Pounded-For</code>.
> > +     */
> > +    protected String proxyRemoteAddrHeader = null;
> >  
> >  
> >      /**
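Review bot: The Javadoc on `proxyRemoteAddrHeader` does not say that the header value is used as-is, which is the one thing an administrator setting this attribute needs to know: the proxy has to set or overwrite the header on every request. Worth stating that here, and fixing "should be use" to "should be used" and "reverse proxy's" to "reverse proxies".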
> > @@ -732,6 +740,27 @@
> >          setProperty("proxyPort", String.valueOf(proxyPort));
> >  
> >      }
> > +    
> > +    /**
> > +     * Return the proxy remote address header value for this Connector.
> > +     */
> > +    public String getProxyRemoteAddrHeader() {
> > +    	
> > +    	return (this.proxyRemoteAddrHeader);
> > +    	
> > +    }
> > +    
> > +    /**
> > +     * Set the proxy remote address header value for this Connector.
> > +     * 
> > +     * @param proxyRemoteAddrHeader The new proxy remote address header value
> > +     */
> > +    public void setProxyRemoteAddrHeader(String proxyRemoteAddrHeader) {
> > +    	
> > +    	this.proxyRemoteAddrHeader = proxyRemoteAddrHeader;
> > +    	setProperty("proxyRemoteAddrHeader", proxyRemoteAddrHeader);
> > +    	
> > +    }
> >  
> >  
> >      /**
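Review bot: `setProxyRemoteAddrHeader` stores any string, so an attribute set to an empty value is non-null, still passes the `proxyRemoteAddrHeader != null` test in CoyoteAdapter, and leads to a lookup of a header with an empty name. Suggest normalising empty or whitespace-only values to null in the setter. Both new methods are indented with tabs, unlike the space-indented context around them.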
> >


Re: Patch to override request.getRemoteAddr if behind a reverse proxy

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
This is a question for the user list, it might be better for you to take 
the inquiries there, and you shouldn't need to hack tomcat for something 
like this.
Simply create a filter, that wraps your HttpServletRequest in a 
HttpServletRequestWrapper,

worst case you could create Valve that does it for you, either way, you 
can avoid changing tomcat code.

Filip
