You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Leon Rosenberg <ro...@gmail.com> on 2023/03/24 10:29:40 UTC
Can't get RemoteIpValve to work
Hi,
we have following setup
apache 2.4 on a ubuntu host, in front of docker-container with tomcat9 (on
same host).
Connection is via apache mod_http/proxy.
Internal IP of the host is 10.138.0.3 (where httpd and docker are running).
In localhost_access log we see always 10.138.0.3 address. If going through
port 8080 directly, without httpd, we see the correct IP-Address.
We have added RemoteIpValve to server xml.
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="X-Forwarded-For"
protocolHeader="X-Forwarded-Proto"
internalProxies="10\.138\.0\.3"/>
http config also has ProxyAddHeaders on, also I understand that to be
default anyway:
ProxyPass / http://10.138.0.3:8080/
ProxyPassReverse / http://10.138.0.3:8080/
ProxyErrorOverride Off
ProxyAddHeaders On
<Proxy *>
Require all granted
ProxyAddHeaders On
</Proxy>
When we print out all headers in a request, the X-Forwarded-For is missing,
so obviously tomcat does something with it, but doesn't trust the httpd? So
probably the line internalProxies="10\.138\.0\.3" is wrong, bug I can't get
my head around it.
any help would be highly appreciated
kr
Leon
Re: Can't get RemoteIpValve to work
Posted by Leon Rosenberg <ro...@gmail.com>.
Thanks, yes I think my problem never was with the RemoteIpValve, and the
other project I copied configuration from actually didn't work despite me
thinking it did ;)
kr
Leon
On Wed, Mar 29, 2023 at 6:45 AM Mark Thomas <ma...@apache.org> wrote:
> On 28/03/2023 21:08, Leon Rosenberg wrote:
> > Sorry it took a little longer. Turns out that the actual RemoteIpValve
> > works correctly, but the *Access Log Valve *doesn't. We were
> > primarily looking into the localhost_access*logs, hence the confusion:
> >
> > Headers with RemoteIpValue on:
> > header: host; value: api.myhost.com
> > header: user-agent; value: PostmanRuntime/7.29.2
> > header: accept; value: */*
> > header: postman-token; value: 16abea85-a8de-44d2-8885-c92e0eed7d9f
> > header: accept-encoding; value: gzip, deflate, br
> > header: cookie; value: JSESSIONID=5F8CF7FE92569665C1F1BD08FBEC3F22
> > header: x-forwarded-host; value: api.myhost.com
> > header: x-forwarded-server; value: api.myhost.com
> > header: connection; value: Keep-Alive
> >
> > remote host: 77.178.32.184
> > remote ip: 77.178.32.184
> >
> >
> > Headers with RemoteIpValue off:
> > header: host; value: api.myhost.com
> > header: user-agent; value: PostmanRuntime/7.29.2
> > header: accept; value: */*
> > header: postman-token; value: a3e6b8cc-d2e2-45b7-86d7-2f0d4ce16c96
> > header: accept-encoding; value: gzip, deflate, br
> > header: cookie; value: JSESSIONID=A76B5E16C7566DFFF764C43CF34742ED
> > header: x-forwarded-for; value: 77.178.32.184
> > header: x-forwarded-host; value: api.myhost.com
> > header: x-forwarded-server; value: api.myhost.com
> > header: connection; value: Keep-Alive
> > remote host: 10.138.0.3
> > remote ip: 10.138.0.3
> >
> >
> > however, the AccessLogValue, which is configured as:
> >
> > <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
> > prefix="localhost_access_log" suffix=".txt"
> > pattern="%{X-Forwarded-For}i %a %l %u %t "%r"
> %s %b" />
> >
> > Prints the local address as %a. We added %{X-Forwarded-For}i as
> workaround,
> > so it works for now, but I'd expect %a to print the 'real' ip address
> > instead of the local one. Same config works on 8.5 interestingly enough.
>
> I think Konstantin mentioned this earlier in the thread. Look at the
> requestAttributesEnabled attribute for the AccessLogValve
>
> https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Access_Log_Valve
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Can't get RemoteIpValve to work
Posted by Mark Thomas <ma...@apache.org>.
On 28/03/2023 21:08, Leon Rosenberg wrote:
> Sorry it took a little longer. Turns out that the actual RemoteIpValve
> works correctly, but the *Access Log Valve *doesn't. We were
> primarily looking into the localhost_access*logs, hence the confusion:
>
> Headers with RemoteIpValue on:
> header: host; value: api.myhost.com
> header: user-agent; value: PostmanRuntime/7.29.2
> header: accept; value: */*
> header: postman-token; value: 16abea85-a8de-44d2-8885-c92e0eed7d9f
> header: accept-encoding; value: gzip, deflate, br
> header: cookie; value: JSESSIONID=5F8CF7FE92569665C1F1BD08FBEC3F22
> header: x-forwarded-host; value: api.myhost.com
> header: x-forwarded-server; value: api.myhost.com
> header: connection; value: Keep-Alive
>
> remote host: 77.178.32.184
> remote ip: 77.178.32.184
>
>
> Headers with RemoteIpValue off:
> header: host; value: api.myhost.com
> header: user-agent; value: PostmanRuntime/7.29.2
> header: accept; value: */*
> header: postman-token; value: a3e6b8cc-d2e2-45b7-86d7-2f0d4ce16c96
> header: accept-encoding; value: gzip, deflate, br
> header: cookie; value: JSESSIONID=A76B5E16C7566DFFF764C43CF34742ED
> header: x-forwarded-for; value: 77.178.32.184
> header: x-forwarded-host; value: api.myhost.com
> header: x-forwarded-server; value: api.myhost.com
> header: connection; value: Keep-Alive
> remote host: 10.138.0.3
> remote ip: 10.138.0.3
>
>
> however, the AccessLogValue, which is configured as:
>
> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
> prefix="localhost_access_log" suffix=".txt"
> pattern="%{X-Forwarded-For}i %a %l %u %t "%r" %s %b" />
>
> Prints the local address as %a. We added %{X-Forwarded-For}i as workaround,
> so it works for now, but I'd expect %a to print the 'real' ip address
> instead of the local one. Same config works on 8.5 interestingly enough.
I think Konstantin mentioned this earlier in the thread. Look at the
requestAttributesEnabled attribute for the AccessLogValve
https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Access_Log_Valve
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Can't get RemoteIpValve to work
Posted by Leon Rosenberg <ro...@gmail.com>.
Sorry it took a little longer. Turns out that the actual RemoteIpValve
works correctly, but the *Access Log Valve *doesn't. We were
primarily looking into the localhost_access*logs, hence the confusion:
Headers with RemoteIpValue on:
header: host; value: api.myhost.com
header: user-agent; value: PostmanRuntime/7.29.2
header: accept; value: */*
header: postman-token; value: 16abea85-a8de-44d2-8885-c92e0eed7d9f
header: accept-encoding; value: gzip, deflate, br
header: cookie; value: JSESSIONID=5F8CF7FE92569665C1F1BD08FBEC3F22
header: x-forwarded-host; value: api.myhost.com
header: x-forwarded-server; value: api.myhost.com
header: connection; value: Keep-Alive
remote host: 77.178.32.184
remote ip: 77.178.32.184
Headers with RemoteIpValue off:
header: host; value: api.myhost.com
header: user-agent; value: PostmanRuntime/7.29.2
header: accept; value: */*
header: postman-token; value: a3e6b8cc-d2e2-45b7-86d7-2f0d4ce16c96
header: accept-encoding; value: gzip, deflate, br
header: cookie; value: JSESSIONID=A76B5E16C7566DFFF764C43CF34742ED
header: x-forwarded-for; value: 77.178.32.184
header: x-forwarded-host; value: api.myhost.com
header: x-forwarded-server; value: api.myhost.com
header: connection; value: Keep-Alive
remote host: 10.138.0.3
remote ip: 10.138.0.3
however, the AccessLogValue, which is configured as:
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%{X-Forwarded-For}i %a %l %u %t "%r" %s %b" />
Prints the local address as %a. We added %{X-Forwarded-For}i as workaround,
so it works for now, but I'd expect %a to print the 'real' ip address
instead of the local one. Same config works on 8.5 interestingly enough.
Anyway, thanks for the help and sorry for the confusion.
kr
Leon
On Fri, Mar 24, 2023 at 7:54 PM Mark Thomas <ma...@apache.org> wrote:
> And if you dump out the headers and the value of
> ServletRequest.getRemoteAddr() with (and without for completeness) the
> RemoteIpValve ?
>
> Mark
>
>
> On 24/03/2023 14:09, Leon Rosenberg wrote:
> > Full log output (dumping out headers, without the valve):
> >
> > 6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO
> > n.a.c.extapi.ping.PingResource:38 - key: host; value: api.myhost.net
> > 6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO
> > n.a.c.extapi.ping.PingResource:38 - key: user-agent; value: Wget/1.21.3
> > 6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO
> > n.a.c.extapi.ping.PingResource:38 - key: accept; value: */*
> > 6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO
> > n.a.c.extapi.ping.PingResource:38 - key: accept-encoding; value: identity
> > 6049755 2023-03-24 14:07:59,752 [http-apr-8080-exec-13] INFO
> > n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-for; value:
> > 217.110.113.178
> > 6049756 2023-03-24 14:07:59,753 [http-apr-8080-exec-13] INFO
> > n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-host; value:
> > api.myhost.net
> > 6049757 2023-03-24 14:07:59,754 [http-apr-8080-exec-13] INFO
> > n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-server; value:
> > api.myhost.net
> > 6049758 2023-03-24 14:07:59,755 [http-apr-8080-exec-13] INFO
> > n.a.c.extapi.ping.PingResource:38 - key: connection; value: Keep-Alive
> >
> >
> > 217.110.113.178 is my ip, so the value is correct.
> >
> > On Fri, Mar 24, 2023 at 3:07 PM Leon Rosenberg <rosenberg.leon@gmail.com
> >
> > wrote:
> >
> >> yeah, interestingly enough removing ipvalve and adding access log magic,
> >> puts the X-Forwarded-For in the localhost_access.log ... but strange
> >> nevertheless.
> >>
> >> On Fri, Mar 24, 2023 at 11:44 AM Mark Thomas <ma...@apache.org> wrote:
> >>
> >>> Maybe try commenting out the RemoteIpValve in Tomcat and retest so you
> >>> can see exactly what headers Tomcat is seeing. Alternatively, since
> this
> >>> is over http, Wireshark or similar could help.
> >>>
> >>> Mark
> >>>
> >>>
> >>> On 24/03/2023 10:29, Leon Rosenberg wrote:
> >>>> Hi,
> >>>>
> >>>> we have following setup
> >>>> apache 2.4 on a ubuntu host, in front of docker-container with tomcat9
> >>> (on
> >>>> same host).
> >>>> Connection is via apache mod_http/proxy.
> >>>>
> >>>> Internal IP of the host is 10.138.0.3 (where httpd and docker are
> >>> running).
> >>>> In localhost_access log we see always 10.138.0.3 address. If going
> >>> through
> >>>> port 8080 directly, without httpd, we see the correct IP-Address.
> >>>>
> >>>> We have added RemoteIpValve to server xml.
> >>>> <Valve className="org.apache.catalina.valves.RemoteIpValve"
> >>>> remoteIpHeader="X-Forwarded-For"
> >>>> protocolHeader="X-Forwarded-Proto"
> >>>> internalProxies="10\.138\.0\.3"/>
> >>>>
> >>>> http config also has ProxyAddHeaders on, also I understand that to be
> >>>> default anyway:
> >>>> ProxyPass / http://10.138.0.3:8080/
> >>>> ProxyPassReverse / http://10.138.0.3:8080/
> >>>> ProxyErrorOverride Off
> >>>> ProxyAddHeaders On
> >>>> <Proxy *>
> >>>> Require all granted
> >>>> ProxyAddHeaders On
> >>>> </Proxy>
> >>>>
> >>>> When we print out all headers in a request, the X-Forwarded-For is
> >>> missing,
> >>>> so obviously tomcat does something with it, but doesn't trust the
> >>> httpd? So
> >>>> probably the line internalProxies="10\.138\.0\.3" is wrong, bug I
> can't
> >>> get
> >>>> my head around it.
> >>>>
> >>>> any help would be highly appreciated
> >>>> kr
> >>>> Leon
> >>>>
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>
> >>>
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Can't get RemoteIpValve to work
Posted by Mark Thomas <ma...@apache.org>.
And if you dump out the headers and the value of
ServletRequest.getRemoteAddr() with (and without for completeness) the
RemoteIpValve ?
Mark
On 24/03/2023 14:09, Leon Rosenberg wrote:
> Full log output (dumping out headers, without the valve):
>
> 6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO
> n.a.c.extapi.ping.PingResource:38 - key: host; value: api.myhost.net
> 6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO
> n.a.c.extapi.ping.PingResource:38 - key: user-agent; value: Wget/1.21.3
> 6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO
> n.a.c.extapi.ping.PingResource:38 - key: accept; value: */*
> 6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO
> n.a.c.extapi.ping.PingResource:38 - key: accept-encoding; value: identity
> 6049755 2023-03-24 14:07:59,752 [http-apr-8080-exec-13] INFO
> n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-for; value:
> 217.110.113.178
> 6049756 2023-03-24 14:07:59,753 [http-apr-8080-exec-13] INFO
> n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-host; value:
> api.myhost.net
> 6049757 2023-03-24 14:07:59,754 [http-apr-8080-exec-13] INFO
> n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-server; value:
> api.myhost.net
> 6049758 2023-03-24 14:07:59,755 [http-apr-8080-exec-13] INFO
> n.a.c.extapi.ping.PingResource:38 - key: connection; value: Keep-Alive
>
>
> 217.110.113.178 is my ip, so the value is correct.
>
> On Fri, Mar 24, 2023 at 3:07 PM Leon Rosenberg <ro...@gmail.com>
> wrote:
>
>> yeah, interestingly enough removing ipvalve and adding access log magic,
>> puts the X-Forwarded-For in the localhost_access.log ... but strange
>> nevertheless.
>>
>> On Fri, Mar 24, 2023 at 11:44 AM Mark Thomas <ma...@apache.org> wrote:
>>
>>> Maybe try commenting out the RemoteIpValve in Tomcat and retest so you
>>> can see exactly what headers Tomcat is seeing. Alternatively, since this
>>> is over http, Wireshark or similar could help.
>>>
>>> Mark
>>>
>>>
>>> On 24/03/2023 10:29, Leon Rosenberg wrote:
>>>> Hi,
>>>>
>>>> we have following setup
>>>> apache 2.4 on a ubuntu host, in front of docker-container with tomcat9
>>> (on
>>>> same host).
>>>> Connection is via apache mod_http/proxy.
>>>>
>>>> Internal IP of the host is 10.138.0.3 (where httpd and docker are
>>> running).
>>>> In localhost_access log we see always 10.138.0.3 address. If going
>>> through
>>>> port 8080 directly, without httpd, we see the correct IP-Address.
>>>>
>>>> We have added RemoteIpValve to server xml.
>>>> <Valve className="org.apache.catalina.valves.RemoteIpValve"
>>>> remoteIpHeader="X-Forwarded-For"
>>>> protocolHeader="X-Forwarded-Proto"
>>>> internalProxies="10\.138\.0\.3"/>
>>>>
>>>> http config also has ProxyAddHeaders on, also I understand that to be
>>>> default anyway:
>>>> ProxyPass / http://10.138.0.3:8080/
>>>> ProxyPassReverse / http://10.138.0.3:8080/
>>>> ProxyErrorOverride Off
>>>> ProxyAddHeaders On
>>>> <Proxy *>
>>>> Require all granted
>>>> ProxyAddHeaders On
>>>> </Proxy>
>>>>
>>>> When we print out all headers in a request, the X-Forwarded-For is
>>> missing,
>>>> so obviously tomcat does something with it, but doesn't trust the
>>> httpd? So
>>>> probably the line internalProxies="10\.138\.0\.3" is wrong, bug I can't
>>> get
>>>> my head around it.
>>>>
>>>> any help would be highly appreciated
>>>> kr
>>>> Leon
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Can't get RemoteIpValve to work
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Leon,
On 3/24/23 10:09, Leon Rosenberg wrote:
> Full log output (dumping out headers, without the valve):
>
> 6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO
> n.a.c.extapi.ping.PingResource:38 - key: host; value: api.myhost.net
> 6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO
> n.a.c.extapi.ping.PingResource:38 - key: user-agent; value: Wget/1.21.3
> 6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO
> n.a.c.extapi.ping.PingResource:38 - key: accept; value: */*
> 6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO
> n.a.c.extapi.ping.PingResource:38 - key: accept-encoding; value: identity
> 6049755 2023-03-24 14:07:59,752 [http-apr-8080-exec-13] INFO
> n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-for; value:
> 217.110.113.178
> 6049756 2023-03-24 14:07:59,753 [http-apr-8080-exec-13] INFO
> n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-host; value:
> api.myhost.net
> 6049757 2023-03-24 14:07:59,754 [http-apr-8080-exec-13] INFO
> n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-server; value:
> api.myhost.net
> 6049758 2023-03-24 14:07:59,755 [http-apr-8080-exec-13] INFO
> n.a.c.extapi.ping.PingResource:38 - key: connection; value: Keep-Alive
So you have x-forwarded-host set to "api.myhost.net" but you are using
IP-allowing 10.something. Maybe you need to IP-allow "api.myhost.net".
Or maybe you want to set httpd to send an IP instead of a hostname? Or
maybe you need to enable DNS resolution on Tomcat? Or maybe
api.myhost.net resolves to the public-IP of the reverse-proxy?
> 217.110.113.178 is my ip, so the value is correct.
Good.
-chris
> On Fri, Mar 24, 2023 at 3:07 PM Leon Rosenberg <ro...@gmail.com>
> wrote:
>
>> yeah, interestingly enough removing ipvalve and adding access log magic,
>> puts the X-Forwarded-For in the localhost_access.log ... but strange
>> nevertheless.
>>
>> On Fri, Mar 24, 2023 at 11:44 AM Mark Thomas <ma...@apache.org> wrote:
>>
>>> Maybe try commenting out the RemoteIpValve in Tomcat and retest so you
>>> can see exactly what headers Tomcat is seeing. Alternatively, since this
>>> is over http, Wireshark or similar could help.
>>>
>>> Mark
>>>
>>>
>>> On 24/03/2023 10:29, Leon Rosenberg wrote:
>>>> Hi,
>>>>
>>>> we have following setup
>>>> apache 2.4 on a ubuntu host, in front of docker-container with tomcat9
>>> (on
>>>> same host).
>>>> Connection is via apache mod_http/proxy.
>>>>
>>>> Internal IP of the host is 10.138.0.3 (where httpd and docker are
>>> running).
>>>> In localhost_access log we see always 10.138.0.3 address. If going
>>> through
>>>> port 8080 directly, without httpd, we see the correct IP-Address.
>>>>
>>>> We have added RemoteIpValve to server xml.
>>>> <Valve className="org.apache.catalina.valves.RemoteIpValve"
>>>> remoteIpHeader="X-Forwarded-For"
>>>> protocolHeader="X-Forwarded-Proto"
>>>> internalProxies="10\.138\.0\.3"/>
>>>>
>>>> http config also has ProxyAddHeaders on, also I understand that to be
>>>> default anyway:
>>>> ProxyPass / http://10.138.0.3:8080/
>>>> ProxyPassReverse / http://10.138.0.3:8080/
>>>> ProxyErrorOverride Off
>>>> ProxyAddHeaders On
>>>> <Proxy *>
>>>> Require all granted
>>>> ProxyAddHeaders On
>>>> </Proxy>
>>>>
>>>> When we print out all headers in a request, the X-Forwarded-For is
>>> missing,
>>>> so obviously tomcat does something with it, but doesn't trust the
>>> httpd? So
>>>> probably the line internalProxies="10\.138\.0\.3" is wrong, bug I can't
>>> get
>>>> my head around it.
>>>>
>>>> any help would be highly appreciated
>>>> kr
>>>> Leon
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Can't get RemoteIpValve to work
Posted by Leon Rosenberg <ro...@gmail.com>.
Full log output (dumping out headers, without the valve):
6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO
n.a.c.extapi.ping.PingResource:38 - key: host; value: api.myhost.net
6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO
n.a.c.extapi.ping.PingResource:38 - key: user-agent; value: Wget/1.21.3
6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO
n.a.c.extapi.ping.PingResource:38 - key: accept; value: */*
6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO
n.a.c.extapi.ping.PingResource:38 - key: accept-encoding; value: identity
6049755 2023-03-24 14:07:59,752 [http-apr-8080-exec-13] INFO
n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-for; value:
217.110.113.178
6049756 2023-03-24 14:07:59,753 [http-apr-8080-exec-13] INFO
n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-host; value:
api.myhost.net
6049757 2023-03-24 14:07:59,754 [http-apr-8080-exec-13] INFO
n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-server; value:
api.myhost.net
6049758 2023-03-24 14:07:59,755 [http-apr-8080-exec-13] INFO
n.a.c.extapi.ping.PingResource:38 - key: connection; value: Keep-Alive
217.110.113.178 is my ip, so the value is correct.
On Fri, Mar 24, 2023 at 3:07 PM Leon Rosenberg <ro...@gmail.com>
wrote:
> yeah, interestingly enough removing ipvalve and adding access log magic,
> puts the X-Forwarded-For in the localhost_access.log ... but strange
> nevertheless.
>
> On Fri, Mar 24, 2023 at 11:44 AM Mark Thomas <ma...@apache.org> wrote:
>
>> Maybe try commenting out the RemoteIpValve in Tomcat and retest so you
>> can see exactly what headers Tomcat is seeing. Alternatively, since this
>> is over http, Wireshark or similar could help.
>>
>> Mark
>>
>>
>> On 24/03/2023 10:29, Leon Rosenberg wrote:
>> > Hi,
>> >
>> > we have following setup
>> > apache 2.4 on a ubuntu host, in front of docker-container with tomcat9
>> (on
>> > same host).
>> > Connection is via apache mod_http/proxy.
>> >
>> > Internal IP of the host is 10.138.0.3 (where httpd and docker are
>> running).
>> > In localhost_access log we see always 10.138.0.3 address. If going
>> through
>> > port 8080 directly, without httpd, we see the correct IP-Address.
>> >
>> > We have added RemoteIpValve to server xml.
>> > <Valve className="org.apache.catalina.valves.RemoteIpValve"
>> > remoteIpHeader="X-Forwarded-For"
>> > protocolHeader="X-Forwarded-Proto"
>> > internalProxies="10\.138\.0\.3"/>
>> >
>> > http config also has ProxyAddHeaders on, also I understand that to be
>> > default anyway:
>> > ProxyPass / http://10.138.0.3:8080/
>> > ProxyPassReverse / http://10.138.0.3:8080/
>> > ProxyErrorOverride Off
>> > ProxyAddHeaders On
>> > <Proxy *>
>> > Require all granted
>> > ProxyAddHeaders On
>> > </Proxy>
>> >
>> > When we print out all headers in a request, the X-Forwarded-For is
>> missing,
>> > so obviously tomcat does something with it, but doesn't trust the
>> httpd? So
>> > probably the line internalProxies="10\.138\.0\.3" is wrong, bug I can't
>> get
>> > my head around it.
>> >
>> > any help would be highly appreciated
>> > kr
>> > Leon
>> >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
Re: Can't get RemoteIpValve to work
Posted by Leon Rosenberg <ro...@gmail.com>.
yeah, interestingly enough removing ipvalve and adding access log magic,
puts the X-Forwarded-For in the localhost_access.log ... but strange
nevertheless.
On Fri, Mar 24, 2023 at 11:44 AM Mark Thomas <ma...@apache.org> wrote:
> Maybe try commenting out the RemoteIpValve in Tomcat and retest so you
> can see exactly what headers Tomcat is seeing. Alternatively, since this
> is over http, Wireshark or similar could help.
>
> Mark
>
>
> On 24/03/2023 10:29, Leon Rosenberg wrote:
> > Hi,
> >
> > we have following setup
> > apache 2.4 on a ubuntu host, in front of docker-container with tomcat9
> (on
> > same host).
> > Connection is via apache mod_http/proxy.
> >
> > Internal IP of the host is 10.138.0.3 (where httpd and docker are
> running).
> > In localhost_access log we see always 10.138.0.3 address. If going
> through
> > port 8080 directly, without httpd, we see the correct IP-Address.
> >
> > We have added RemoteIpValve to server xml.
> > <Valve className="org.apache.catalina.valves.RemoteIpValve"
> > remoteIpHeader="X-Forwarded-For"
> > protocolHeader="X-Forwarded-Proto"
> > internalProxies="10\.138\.0\.3"/>
> >
> > http config also has ProxyAddHeaders on, also I understand that to be
> > default anyway:
> > ProxyPass / http://10.138.0.3:8080/
> > ProxyPassReverse / http://10.138.0.3:8080/
> > ProxyErrorOverride Off
> > ProxyAddHeaders On
> > <Proxy *>
> > Require all granted
> > ProxyAddHeaders On
> > </Proxy>
> >
> > When we print out all headers in a request, the X-Forwarded-For is
> missing,
> > so obviously tomcat does something with it, but doesn't trust the httpd?
> So
> > probably the line internalProxies="10\.138\.0\.3" is wrong, bug I can't
> get
> > my head around it.
> >
> > any help would be highly appreciated
> > kr
> > Leon
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Can't get RemoteIpValve to work
Posted by Mark Thomas <ma...@apache.org>.
Maybe try commenting out the RemoteIpValve in Tomcat and retest so you
can see exactly what headers Tomcat is seeing. Alternatively, since this
is over http, Wireshark or similar could help.
Mark
On 24/03/2023 10:29, Leon Rosenberg wrote:
> Hi,
>
> we have following setup
> apache 2.4 on a ubuntu host, in front of docker-container with tomcat9 (on
> same host).
> Connection is via apache mod_http/proxy.
>
> Internal IP of the host is 10.138.0.3 (where httpd and docker are running).
> In localhost_access log we see always 10.138.0.3 address. If going through
> port 8080 directly, without httpd, we see the correct IP-Address.
>
> We have added RemoteIpValve to server xml.
> <Valve className="org.apache.catalina.valves.RemoteIpValve"
> remoteIpHeader="X-Forwarded-For"
> protocolHeader="X-Forwarded-Proto"
> internalProxies="10\.138\.0\.3"/>
>
> http config also has ProxyAddHeaders on, also I understand that to be
> default anyway:
> ProxyPass / http://10.138.0.3:8080/
> ProxyPassReverse / http://10.138.0.3:8080/
> ProxyErrorOverride Off
> ProxyAddHeaders On
> <Proxy *>
> Require all granted
> ProxyAddHeaders On
> </Proxy>
>
> When we print out all headers in a request, the X-Forwarded-For is missing,
> so obviously tomcat does something with it, but doesn't trust the httpd? So
> probably the line internalProxies="10\.138\.0\.3" is wrong, bug I can't get
> my head around it.
>
> any help would be highly appreciated
> kr
> Leon
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Can't get RemoteIpValve to work
Posted by Leon Rosenberg <ro...@gmail.com>.
Hi Konstantin,
Server version: Apache Tomcat/9.0.64
Server built: Jun 2 2022 19:08:46 UTC
Server number: 9.0.64.0
OS Name: Linux
OS Version: 5.4.0-1092-gcp
Architecture: amd64
JVM Version: 1.8.0_332-b09
JVM Vendor: Temurin
kr
Leon
On Fri, Mar 24, 2023 at 1:17 PM Konstantin Kolinko <kn...@gmail.com>
wrote:
> пт, 24 мар. 2023 г. в 13:30, Leon Rosenberg <ro...@gmail.com>:
> >
> > Hi,
> >
> > we have following setup
> > apache 2.4 on a ubuntu host, in front of docker-container with tomcat9
> (on
> > same host).
> > Connection is via apache mod_http/proxy.
> >
> > Internal IP of the host is 10.138.0.3 (where httpd and docker are
> running).
> > In localhost_access log we see always 10.138.0.3 address.
>
> Your version of Tomcat = ?
>
> If access log is all that you care about, you should note that the default
> value
> of requestAttributesEnabled attribute of AccessLogValve is false.
>
>
> https://tomcat.apache.org/tomcat-10.1-doc/config/valve.html#Access_Log_Valve
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Can't get RemoteIpValve to work
Posted by Konstantin Kolinko <kn...@gmail.com>.
пт, 24 мар. 2023 г. в 13:30, Leon Rosenberg <ro...@gmail.com>:
>
> Hi,
>
> we have following setup
> apache 2.4 on a ubuntu host, in front of docker-container with tomcat9 (on
> same host).
> Connection is via apache mod_http/proxy.
>
> Internal IP of the host is 10.138.0.3 (where httpd and docker are running).
> In localhost_access log we see always 10.138.0.3 address.
Your version of Tomcat = ?
If access log is all that you care about, you should note that the default value
of requestAttributesEnabled attribute of AccessLogValve is false.
https://tomcat.apache.org/tomcat-10.1-doc/config/valve.html#Access_Log_Valve
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org