tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brett Delle Grazie <brett.dellegra...@gmail.com>
Subject RemoteIP valve and multiple X-Forwarded-For headers
Date Fri, 10 Dec 2010 13:03:54 GMT
Hi,

We're using:
RHEL5 (fully up to date)
Tomcat 6.0.29 (from apache.org)
JVM 1.6.0_22

We use HAproxy (1.4.8) as a front end to Tomcat, HAproxy uses the 'option
forwardfor' which adds an additional X-Forwarded-For header
to the request.

Everything works fine except if the client has an X-Forwarded-For header
_already_ in the request (perhaps due to Squid in forward proxy on client
side).

Thus offending request looks like:

Headers (fake IP addresses used):
X-Forwarded-For: 192.168.0.4  (client side added)
... (some other headers) ...
X-Forwarded-For: 224.212.128.2 (added by HAproxy - this is the actual IP of
the client's squid proxy).
... (some other headers) ...

Now Tomcat's RemoteIP valve doesn't appear to handle this situation
correctly - it returns 192.168.0.4 instead of the expected 224.212.128.2

Should HAproxy be extending the existing header to:
e.g. X-Forwarded-For: 192.168.0.4, 224.212.128.2

Or should Tomcat's RemoteIP valve handle this situation?

I'm also not sure which situation is 'correct' according to standards
anyway...

Any ideas?

Thanks,

-- 
Best Regards,

Brett Delle Grazie

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message