tomcat-users mailing list archives

From Brett Delle Grazie <>
Subject RemoteIP valve and multiple X-Forwarded-For headers
Date Fri, 10 Dec 2010 13:03:54 GMT

We're using:
RHEL5 (fully up to date)
Tomcat 6.0.29 (from
JVM 1.6.0_22

We use HAproxy (1.4.8) as a front end to Tomcat, HAproxy uses the 'option
forwardfor' which adds an additional X-Forwarded-For header
to the request.

Everything works fine except if the client has an X-Forwarded-For header
_already_ in the request (perhaps due to Squid in forward proxy on client

Thus offending request looks like:

Headers (fake IP addresses used):
X-Forwarded-For:  (client side added)
... (some other headers) ...
X-Forwarded-For: (added by HAproxy - this is the actual IP of
the client's squid proxy).
... (some other headers) ...

Now Tomcat's RemoteIP valve doesn't appear to handle this situation
correctly - it returns instead of the expected

Should HAproxy be extending the existing header to:
e.g. X-Forwarded-For:,

Or should Tomcat's RemoteIP valve handle this situation?

I'm also not sure which situation is 'correct' according to standards

Any ideas?


Best Regards,

Brett Delle Grazie
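The header layout described in the message above, as an added example that is not part of the original post and is not Tomcat's RemoteIP valve code: it merges repeated X-Forwarded-For header lines into one hop list and walks it from the right, so the value appended by the operator's own proxy wins over a value the client side supplied. The class and method names are hypothetical, and the addresses (including the HAProxy host address) are constructed sample values.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added illustration; class and method names are hypothetical, not Tomcat APIs.
public class ForwardedForDemo {

    // Merge every X-Forwarded-For header line, in the order received, into one
    // hop list. Repeated header fields carry the same meaning as a single
    // comma-separated field (RFC 2616 section 4.2).
    static List<String> mergeHops(List<String> headerValues) {
        List<String> hops = new ArrayList<>();
        for (String value : headerValues) {
            for (String hop : value.split(",")) {
                if (!hop.trim().isEmpty()) {
                    hops.add(hop.trim());
                }
            }
        }
        return hops;
    }

    // Walk from the right-most hop (appended by the proxy nearest to us) and
    // skip addresses of proxies we operate. The first hop we do not operate is
    // the last value written by infrastructure we control; anything to its
    // left came from the client side and is unverified.
    static String clientAddress(String peerAddress, List<String> headerValues,
                                Set<String> ownProxies) {
        if (!ownProxies.contains(peerAddress)) {
            return peerAddress; // direct connection: ignore the header entirely
        }
        List<String> hops = mergeHops(headerValues);
        for (int i = hops.size() - 1; i >= 0; i--) {
            if (!ownProxies.contains(hops.get(i))) {
                return hops.get(i);
            }
        }
        return peerAddress; // header absent, or only our own proxies listed
    }

    public static void main(String[] args) {
        // Constructed sample values, not the addresses from the post.
        Set<String> ownProxies = Set.of("10.0.0.5");  // assumed HAProxy host
        List<String> received = List.of(
                "198.51.100.23",  // header already present in the client request
                "203.0.113.7");   // header added by HAProxy (client's proxy)
        System.out.println(clientAddress("10.0.0.5", received, ownProxies));
    }
}
```

Code that reads only the first X-Forwarded-For line would pick the client-supplied value here; the merged right-to-left walk returns the address HAProxy recorded.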
