tomcat-users mailing list archives

From Johan van den Berg <vdb...@unisa.ac.za>
Subject Re: Patch to override request.getRemoteAddr if behind a reverse proxy
Date Mon, 17 Jul 2006 09:52:20 GMT
Except that I have 5 servers, each having 20 different apps, some of
which are 3rd party, so I *really* don't want to modify the app (closed
source).

This is a server infrastructure and configuration issue, none of which
any developer should ever be worried about...

Regards
Johan

On Mon, 2006-07-17 at 11:48 +0200, Ronald Klop wrote:
> On Sat Jul 15 13:38:47 CEST 2006 Tomcat Users List <users@tomcat.apache.org> wrote:
> > Hi
> > 
> > We needed to patch Tomcat for our site that has a Tomcat
> > behind Apache (mod_jk), that sits behind a reverse proxy load balancer.
> > The idea is basically to not use the TCP endpoint of Apache (which will
> > always point to the reverse proxy) to give the caller of
> > request.getRemoteAddr a valid IP, but rather retrieve it from a
> > configurable request header. In our case, we have hacked the Pound
> > loadbalancer to forward a request header called X-Pounded-For with each
> > request, and the value of this header is then used (if available) to
> > return the *real* client IP to the caller of request.getRemoteAddr or
> > request.getRemoteHost.
> > 
> > Extract from server.xml:
> > 
> > <!-- Define an AJP 1.3 Connector on port 8009 -->
> > <Connector port="8009" proxyRemoteAddrHeader="X-Pounded-For"
> > enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
> > 
> > 
> > Let me know if it is of any use to anyone else!
> > 
> > Regards
> > 
> > -- 
> > Johan van den Berg
> > Technical Webmaster
> > University of South Africa
> > 
> > Cel: +27 73 201 3520
> > Tel: +27 12 429 2371
> > 
> > Registered Linux user number 390606
> > http://counter.li.org/
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> 
> Hello,
> 
> Instead of patching Tomcat, you can also make a util class/method like this.
> 
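> import javax.servlet.http.HttpServletRequest;
> 
> public final class ServletUtils {
>     // Address of the reverse proxy whose header is trusted.
>     private static final String MY_TRUSTED_PROXY = "127.0.0.1";
> 
>     // getHeader() is only available on HttpServletRequest.
>     public static String getRemoteAddr(HttpServletRequest req) {
>        String remoteIp = req.getRemoteAddr();
>        // Only honour the header when the TCP peer is the trusted proxy.
>        if (remoteIp.equals(MY_TRUSTED_PROXY)) {
>            String proxyIp = req.getHeader("X-Pounded-For");
>            if (proxyIp != null) {
>               remoteIp = proxyIp;
>            }
>        }
>        return remoteIp;
>     }
> }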
> 
> 
> This makes your application know about your setup instead of Tomcat. Much more flexible and much less problems when upgrading Tomcat.
> You can also put this in a Filter which wraps the ServletRequest with your own version. This keeps your application clean and it just uses the standard Servlet extendabilities.
> 
> Ronald.
> 
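
The Filter approach Ronald describes, as an added example that is not part of the original messages or of Tomcat: the class name, the trusted-proxy set and the character screen on the header value are assumptions, and it uses the javax.servlet API. The header is honoured only when the TCP peer is a trusted proxy; anything else falls back to the peer address.

```java
import java.io.IOException;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter name; map it in web.xml ahead of the application's servlets.
public final class ProxyRemoteAddrFilter implements Filter {
    // Assumption: TCP peers allowed to assert a client address (the Apache/Pound hosts).
    private static final Set<String> TRUSTED_PROXIES = Set.of("127.0.0.1");
    private static final String HEADER = "X-Pounded-For"; // header name from the thread
    // Character screen for IPv4/IPv6 literals; rejects hostnames, lists and markup.
    private static final Pattern IP_LITERAL = Pattern.compile("[0-9A-Fa-f:.]{2,45}");

    // Returns the header value only if the peer is trusted and the value passes
    // the screen; otherwise returns the TCP peer address unchanged.
    static String resolve(String peerAddr, String headerValue) {
        if (headerValue == null || !TRUSTED_PROXIES.contains(peerAddr)) {
            return peerAddr;
        }
        String candidate = headerValue.trim();
        return IP_LITERAL.matcher(candidate).matches() ? candidate : peerAddr;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            final HttpServletRequest http = (HttpServletRequest) req;
            final String addr = resolve(http.getRemoteAddr(), http.getHeader(HEADER));
            // Wrap the request so unmodified application code sees the resolved address.
            req = new HttpServletRequestWrapper(http) {
                @Override public String getRemoteAddr() { return addr; }
                @Override public String getRemoteHost() { return addr; } // no reverse DNS
            };
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

The proxy has to overwrite any X-Pounded-For header supplied by the client; if it passes the client's copy through, the value is attacker-controlled even when the peer check succeeds.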

