tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <>
Subject Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Date Mon, 21 Dec 2009 03:40:28 GMT

"Mark Thomas" <> wrote in message
> On 20/12/2009 16:04, André Warnier wrote:
>> In other words : it seems that quite early in the request process, a
>> decision is taken to *replace* the remote IP address as obtained from
>> the socket, by the ultimate IP of the client for which this proxy
>> request is being processed.  This casts a doubt on the ability of even a
>> servlet filter to obtain the IP address of the proxy server which has
>> the real connection with Tomcat.
>> All a bit beyond my dabbling capabilities, I'm afraid.
> This is one of those times where the solution will depend on the
> protocol you are using.

Exactly.  The AJP/1.3 protocol doesn't consider itself to be a proxy (and 
anyone old enough to remember it's predecessor mod_jserv will see why), but 
rather an integration of Tomcat with the native server (more like 
mod_fcgid).    This means that last hop is considered to be the native 
server.  The protocol itself is even transport agnostic, and in the past it 
has been possible to run Tomcat inside of IIS/Apache or even to use Unix 

> The AJP connectors will report the client's IP address so you need an
> alternative solution. Using the "request.secret" attribute is probably
> the simplest fix although keep in mind that AJP is clear text so the
> secret might not be that secret.

Yes, AJP/1.3 assumes that the connection between the native server and the 
Tomcat server is secured, so that if someone can sniff AJP/1.3 packets it 
means that the system is already badly compromised.

If using mod_jk, then yes, the 'secret' is the simplest way to go.  If using 
mod_proxy_ajp, then you need to head on over to submit a patch for httpd to 
add this configuration option (most of the active developers of 
mod_proxy_ajp lurk on this list if you need help, but dev@httpd.a.o is the 
official list for this).

The table of 'names' for the two supported protocols is:

Name                 HTTP/1.1 

serverName        Host header 
Host header
remoteName       last proxy server (or client if no proxies) 
last proxy server before native server (or client)
localName          The name the connector is bound to                  name 
of native server (i.e. the ServerName)

Which gives a third option to the OP, which is to use the useIPVHosts="true" 
option on the <Connector ... />, and only configure <Host .../>s for the 
ones that he wants to allow to connect (and the default Host just returns 
404 to every request).

> The HTTP connectors will report the proxy's IP address so the
> RemoteAddressValve can be used.
> Note in Tomcat 7:
> - where the RemoteIpValve is available you would need to make sure that
> the RemoteAddressVlave was earlier in the pipeline than the RemoteIpValve
> - you have the option of using Valves or Filters for this functionality
> HTH,
> Mark
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message