Subject: Re: Patch to override request.getRemoteAddr if behind a reverse proxy
From: Johan van den Berg
To: Tomcat Developers List
Date: Sat, 15 Jul 2006 12:09:23 +0200

Then why were proxyPort and proxyName not done in a Valve or Filter? I assumed that I should be following the same route that other, similar requirements followed.

With regards to a Filter, what if I have 30 webapps, and each one needs the correct request.getRemoteAddr? Could one map a filter globally over all webapps in the same Tomcat?

Regards
Johan

On Fri, 2006-07-14 at 15:45 -0500, Filip Hanik - Dev Lists wrote:
> This is a question for the user list, it might be better for you to take
> the inquiries there, and you shouldn't need to hack tomcat for something
> like this.
> Simply create a filter, that wraps your HttpServletRequest in a
> HttpServletRequestWrapper,
>
> worst case you could create a Valve that does it for you, either way, you
> can avoid changing tomcat code.
>
> Filip
>
> Johan van den Berg wrote:
> > Hi
> >
> > I'm totally new to hacking Tomcat, so excuse if I'm not following the
> > proper procedure, but needed to do this for our site that has a Tomcat
> > behind Apache (mod_jk), that sits behind a reverse proxy load balancer.
> > The idea is basically to not use the TCP endpoint of Apache (which will
> > always point to the reverse proxy) to give the caller of
> > request.getRemoteAddr a valid IP, but rather retrieve it from a
> > configurable request header.
> > In our case, we have hacked the Pound
> > loadbalancer to forward a request header called X-Pounded-For with each
> > request, and the value of this header is then used (if available) to
> > return the *real* client IP to the caller of request.getRemoteAddr or
> > request.getRemoteHost.
> >
> > Extract from server.xml:
> >
> > enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
> >
> > Let me know if it is of any use to anyone else!
> >
> > Regards
> >
> > ------------------------------------------------------------------------
> >
> > Index: container/catalina/src/share/org/apache/catalina/connector/CoyoteAdapter.java > > =================================================================== > > --- container/catalina/src/share/org/apache/catalina/connector/CoyoteAdapter.java (revision 421580) > > +++ container/catalina/src/share/org/apache/catalina/connector/CoyoteAdapter.java (working copy) 
> > @@ -198,12 +198,23 @@ > > // Override if the proxyPort/proxyHost are set > > String proxyName = connector.getProxyName(); > > int proxyPort = connector.getProxyPort(); > > + String proxyRemoteAddrHeader = connector.getProxyRemoteAddrHeader(); > > + > > if (proxyPort != 0) { > > req.setServerPort(proxyPort); > > } > > if (proxyName != null) { > > req.serverName().setString(proxyName); > > } > > + if (proxyRemoteAddrHeader != null) { > > + String remoteAddr = req.getHeader(proxyRemoteAddrHeader); > > + if (remoteAddr != null) { > > + req.remoteAddr().setString(remoteAddr); > > + req.remoteHost().setString(remoteAddr); > > + request.setRemoteAddr(remoteAddr); > > + request.setRemoteHost(remoteAddr); > > + } > > + } > > > > // URI decoding > > MessageBytes decodedURI = req.decodedURI(); > > Index: container/catalina/src/share/org/apache/catalina/connector/Connector.java > > =================================================================== > > --- container/catalina/src/share/org/apache/catalina/connector/Connector.java (revision 421580) > > +++ container/catalina/src/share/org/apache/catalina/connector/Connector.java (working copy) > > @@ -155,6 +155,14 @@ > > * the port number specified by the port property is used. > > */ > > protected int proxyPort = 0; > > + > > + > > + /** > > + * The request header that should be use to populate the request object's > > + * remoteAddr field. This is commonly used behind reverse proxy's that pass > > + * the real client IP via a request header, such as X-Pounded-For. > > + */ > > + protected String proxyRemoteAddrHeader = null; > > > > > > /** 
> > @@ -732,6 +740,27 @@ > > setProperty("proxyPort", String.valueOf(proxyPort)); > > > > } > > + > > + /** > > + * Return the proxy remote address header value for this Connector. > > + */ > > + public String getProxyRemoteAddrHeader() { > > + > > + return (this.proxyRemoteAddrHeader); > > + > > + } > > + > > + /** > > + * Set the proxy remote address header value for this Connector. > > + * > > + * @param proxyRemoteAddrHeader The new proxy remote address header value > > + */ > > + public void setProxyRemoteAddrHeader(String proxyRemoteAddrHeader) { > > + > > + this.proxyRemoteAddrHeader = proxyRemoteAddrHeader; > > + setProperty("proxyRemoteAddrHeader", proxyRemoteAddrHeader); > > + > > + } > > > > > > /** > >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: dev-help@tomcat.apache.org
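
Review bot: In the CoyoteAdapter.java hunk (@@ -198,12 +198,23 @@), the added "if (proxyRemoteAddrHeader != null)" block copies whatever req.getHeader(proxyRemoteAddrHeader) returns into remoteAddr and remoteHost with only a null check, so the header is believed from every peer that can reach this connector, not just from the load balancer. Any code that uses getRemoteAddr for access control, rate limiting or audit logging would then act on a value the sender chose. Suggest applying the override only when the address the connector itself saw (the value remoteAddr holds before this block runs) is on a configured list of trusted proxies, rejecting values that are not a single well-formed IP address, and keeping the original peer address available somewhere so logs can still show who actually connected.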
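
Review bot: In the Connector.java hunk at @@ -155,6 +155,14 @@, the Javadoc for proxyRemoteAddrHeader does not state the trust assumption the feature depends on: the named header is only meaningful if the reverse proxy sets or overwrites it on every request and clients cannot reach the connector by another path. Please say so in the comment, and note that the default of null leaves getRemoteAddr unchanged. Minor wording in the same comment: "should be use" should read "should be used" and "reverse proxy's" should read "reverse proxies".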
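
Review bot: In the Connector.java hunk at @@ -732,6 +740,27 @@, setProxyRemoteAddrHeader stores its argument unchecked, and the adapter hunk only tests the field against null, so an empty attribute value would switch the override on with an empty header name. Suggest treating an empty or blank string as null in the setter before the assignment and the setProperty call. The Javadoc on both accessors also says "header value", but the property holds the header's name (it is what the adapter passes to req.getHeader); "header name" would avoid confusion.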
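
The filter approach suggested in the quoted reply, as an added example that is not code from the thread or from Tomcat: a servlet Filter that wraps the request and overrides getRemoteAddr/getRemoteHost only when the connection comes from a listed proxy and the header holds one IPv4 literal. The class name and the init-param names "header" and "trustedProxies" are assumptions of this example, and it is narrowed to IPv4.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter: honours the forwarded-address header only from listed proxies. */
public class TrustedProxyRemoteAddrFilter implements Filter {
    private String header;                               // e.g. X-Pounded-For, as in the thread
    private final Set<String> trustedProxies = new HashSet<String>();

    public void init(FilterConfig cfg) throws ServletException {
        // Init-param names are assumptions of this example, not Tomcat settings.
        header = cfg.getInitParameter("header");
        String list = cfg.getInitParameter("trustedProxies");   // comma-separated proxy IPs
        if (header == null || header.length() == 0 || list == null) {
            throw new ServletException("header and trustedProxies must be configured");
        }
        for (String ip : list.split(",")) trustedProxies.add(ip.trim());
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Believe the header only if the peer the container saw is a known proxy.
        if (req instanceof HttpServletRequest && trustedProxies.contains(req.getRemoteAddr())) {
            HttpServletRequest http = (HttpServletRequest) req;
            final String forwarded = http.getHeader(header);
            if (isIpLiteral(forwarded)) {
                req = new HttpServletRequestWrapper(http) {
                    public String getRemoteAddr() { return forwarded; }
                    public String getRemoteHost() { return forwarded; }
                };
            }
        }
        chain.doFilter(req, res);   // untrusted peer or malformed header: request is unchanged
    }

    /** Accepts one dotted-quad IPv4 literal; lists, hostnames and junk are rejected. */
    static boolean isIpLiteral(String s) {
        if (s == null || !s.matches("\\d{1,3}(\\.\\d{1,3}){3}")) return false;
        for (String part : s.split("\\.")) if (Integer.parseInt(part) > 255) return false;
        return true;
    }

    public void destroy() { }
}
```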