tomcat-users mailing list archives

From Johan van den Berg <vdb...@unisa.ac.za>
Subject Re: Patch to override request.getRemoteAddr if behind a reverse proxy
Date Mon, 17 Jul 2006 10:31:57 GMT
I'll accept as much, but understand that I just followed the same
approach that was taken with the proxyName and proxyPort parameters that
already solve a similar problem in Tomcat when sitting behind a reverse
proxy.

If that problem was solved with a Filter / Valve, I would have done the
same with my approach...

Regards
Johan

On Mon, 2006-07-17 at 12:08 +0200, Ronald Klop wrote:
> On Mon Jul 17 11:52:20 CEST 2006 Tomcat Users List
> <users@tomcat.apache.org> wrote:
> 
>         Except that I have 5 servers, each having 20 different apps, some of
>         which are 3rd party, so I *really* don't want to modify the app
>         (closed source).
>         
>         This is a server infrastructure and configuration issue, none of
>         which any developer should ever be worried about...
>         
>         Regards
>         Johan
> 
> A Filter is really good to use in that case and if I remember
> correctly you can add it to conf/web.xml. Or you can create a Valve
> for Tomcat and put the code in there. Tomcat is already extendable
> without using patches.
> 
> Ronald.
> 
>         On Mon, 2006-07-17 at 11:48 +0200, Ronald Klop wrote:
>         > On Sat Jul 15 13:38:47 CEST 2006 Tomcat Users List
>         > <users@tomcat.apache.org> wrote:
>         > > Hi
>         > > 
>         > > We needed to patch Tomcat for our site that has a Tomcat
>         > > behind Apache (mod_jk), that sits behind a reverse proxy
>         > > load balancer.
>         > > The idea is basically to not use the TCP endpoint of Apache
>         > > (which will always point to the reverse proxy) to give the
>         > > caller of request.getRemoteAddr a valid IP, but rather retrieve
>         > > it from a configurable request header. In our case, we have
>         > > hacked the Pound load balancer to forward a request header called
>         > > X-Pounded-For with each request, and the value of this header is
>         > > then used (if available) to return the *real* client IP to the
>         > > caller of request.getRemoteAddr or request.getRemoteHost.
>         > > 
>         > > Extract from server.xml:
>         > > 
>         > > <!-- Define an AJP 1.3 Connector on port 8009 -->
>         > > <Connector port="8009" proxyRemoteAddrHeader="X-Pounded-For"
>         > >            enableLookups="false" redirectPort="8443"
>         > >            protocol="AJP/1.3" />
>         > > 
>         > > 
>         > > Let me know if it is of any use to anyone else!
>         > > 
>         > > Regards
>         > > 
>         > > -- 
>         > > Johan van den Berg
>         > > Technical Webmaster
>         > > University of South Africa
>         > > 
>         > > Cel: +27 73 201 3520
>         > > Tel: +27 12 429 2371
>         > > 
>         > > Registered Linux user number 390606
>         > > http://counter.li.org/
>         > >
>         > > ---------------------------------------------------------------------
>         > > To start a new topic, e-mail: users@tomcat.apache.org
>         > > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>         > > For additional commands, e-mail: users-help@tomcat.apache.org
>         > 
>         > Hello,
>         > 
>         > Instead of patching Tomcat, you can also make a util class/method
>         > like this.
>         > 
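>         > import javax.servlet.http.HttpServletRequest;
>         > 
>         > public final class ServletUtils {
>         >     // Address the reverse proxy connects from
>         >     private static final String MY_TRUSTED_PROXY = "127.0.0.1";
>         > 
>         >     // getHeader() is only available on HttpServletRequest
>         >     public static String getRemoteAddr(HttpServletRequest req) {
>         >         String remoteIp = req.getRemoteAddr();
>         >         // Only trust the header when the request came from the proxy
>         >         if (remoteIp.equals(MY_TRUSTED_PROXY)) {
>         >             String proxyIp = req.getHeader("X-Pounded-For");
>         >             if (proxyIp != null) {
>         >                 remoteIp = proxyIp;
>         >             }
>         >         }
>         >         return remoteIp;
>         >     }
>         > }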
>         > 
>         > 
>         > This makes your application know about your setup instead of Tomcat.
>         > Much more flexible and far fewer problems when upgrading Tomcat.
>         > You can also put this in a Filter which wraps the ServletRequest with
>         > your own version. This keeps your application clean and it just uses
>         > the standard Servlet extendabilities.
>         > 
>         > Ronald.
>         > 
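
The Filter approach suggested in the quoted reply, written out as an added example that is not part of the original thread or of Tomcat. The class name RemoteAddrHeaderFilter and the init-param names trustedProxy and header are hypothetical; the javax.servlet API is assumed (jakarta.servlet on newer containers). The header is honoured only when the TCP peer is the configured proxy, because any client can send the header itself.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter: exposes the proxy-supplied client IP via getRemoteAddr(). */
public final class RemoteAddrHeaderFilter implements Filter {
    // Loose IP-literal shape check (IPv4 digits/dots, IPv6 hex/colons).
    // Comma-separated lists, hostnames and any other text are rejected.
    private static final Pattern IP_LITERAL = Pattern.compile("[0-9A-Fa-f:.]{2,45}");

    private String trustedProxy; // address the proxy connects from (assumed init-param)
    private String header;       // header set by the proxy, e.g. X-Pounded-For (assumed init-param)

    public void init(FilterConfig cfg) throws ServletException {
        trustedProxy = cfg.getInitParameter("trustedProxy");
        header = cfg.getInitParameter("header");
        if (trustedProxy == null || header == null) {
            // Fail closed: never start with a half-configured trust rule.
            throw new ServletException("trustedProxy and header init-params are required");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // The header is trusted only if the connection itself came from the proxy.
        if (req instanceof HttpServletRequest && trustedProxy.equals(req.getRemoteAddr())) {
            HttpServletRequest http = (HttpServletRequest) req;
            String claimed = http.getHeader(header);
            if (claimed != null && IP_LITERAL.matcher(claimed.trim()).matches()) {
                final String clientIp = claimed.trim();
                // Wrap the request so unmodified applications see the client IP.
                req = new HttpServletRequestWrapper(http) {
                    @Override public String getRemoteAddr() { return clientIp; }
                    @Override public String getRemoteHost() { return clientIp; }
                };
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Requests that do not arrive from the trusted proxy, or whose header value is not a single IP literal, pass through unchanged and keep the real TCP peer address.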