tomcat-users mailing list archives

From Ronald Klop <ronald-mailingl...@base.nl>
Subject Re: Patch to override request.getRemoteAddr if behind a reverse proxy
Date Mon, 17 Jul 2006 09:48:02 GMT
On Sat Jul 15 13:38:47 CEST 2006 Tomcat Users List <users@tomcat.apache.org> wrote:
> Hi
> 
> We needed to patch Tomcat for our site that has a Tomcat
> behind Apache (mod_jk), that sits behind a reverse proxy load balancer.
> The idea is basically to not use the TCP endpoint of Apache (which will
> always point to the reverse proxy) to give the caller of
> request.getRemoteAddr a valid IP, but rather retrieve it from a
> configurable request header. In our case, we have hacked the Pound
> loadbalancer to forward a request header called X-Pounded-For with each
> request, and the value of this header is then used (if available) to
> return the *real client IP to the caller of request.getRemoteAddr or
> request.getRemoteHost.
> 
> Extract from server.xml:
> 
> <!-- Define an AJP 1.3 Connector on port 8009 -->
> <Connector port="8009" proxyRemoteAddrHeader="X-Pounded-For"
> enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
> 
> 
> Let me know if it is of any use to anyone else!
> 
> Regards
> 
> -- 
> Johan van den Berg
> Technical Webmaster
> University of South Africa
> 
> Cel: +27 73 201 3520
> Tel: +27 12 429 2371
> 
> Registered Linux user number 390606
> http://counter.li.org/
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

Hello,

Instead of patching Tomcat, you can also make a util class/method like this.

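import javax.servlet.http.HttpServletRequest;

public final class ServletUtils {
    // Address of the proxy directly in front of this application.
    private static final String MY_TRUSTED_PROXY = "127.0.0.1";

    // getHeader() is defined on HttpServletRequest, not on ServletRequest.
    public static String getRemoteAddr(HttpServletRequest req) {
        String remoteIp = req.getRemoteAddr();
        // Only believe the header when the request came from the trusted proxy.
        if (remoteIp.equals(MY_TRUSTED_PROXY)) {
            String proxyIp = req.getHeader("X-Pounded-For");
            if (proxyIp != null) {
                remoteIp = proxyIp;
            }
        }
        return remoteIp;
    }
}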


This makes your application know about your setup instead of Tomcat. Much more flexible and
far fewer problems when upgrading Tomcat.
You can also put this in a Filter which wraps the ServletRequest with your own version. This
keeps your application clean and it just uses the standard Servlet extendabilities.

Ronald.
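
The Filter variant mentioned in the message above, as an added example that is not part of the original message or of Tomcat: it wraps the request so that getRemoteAddr and getRemoteHost return the header value only when the direct peer is the trusted proxy and the value looks like an IP literal. The class name, the init-param names `trustedProxy` and `header`, the shape check and the `javax.servlet` API generation are assumptions.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Added example: class name and init-param names are hypothetical.
public final class ProxyRemoteAddrFilter implements Filter {
    // Loose shape check for an IPv4/IPv6 literal; rejects hostnames and junk.
    private static final Pattern IP_LITERAL = Pattern.compile("[0-9A-Fa-f:.]{2,45}");
    private String trustedProxy = "127.0.0.1";   // same default as ServletUtils
    private String header = "X-Pounded-For";     // header set by the load balancer

    public void init(FilterConfig cfg) {
        if (cfg.getInitParameter("trustedProxy") != null) {
            trustedProxy = cfg.getInitParameter("trustedProxy");
        }
        if (cfg.getInitParameter("header") != null) {
            header = cfg.getInitParameter("header");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // A client that reaches the application directly can set any header,
        // so the header is honoured only when the peer is the trusted proxy.
        if (req instanceof HttpServletRequest && trustedProxy.equals(req.getRemoteAddr())) {
            String value = ((HttpServletRequest) req).getHeader(header);
            if (value != null && IP_LITERAL.matcher(value.trim()).matches()) {
                final String clientIp = value.trim();
                req = new HttpServletRequestWrapper((HttpServletRequest) req) {
                    public String getRemoteAddr() { return clientIp; }
                    public String getRemoteHost() { return clientIp; }
                };
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The filter is registered in web.xml ahead of any code that logs or makes access decisions on the client address; requests that do not come from the trusted proxy pass through unwrapped.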

