tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kasa, Nubli" <mmohd...@iu.edu>
Subject RE: Tomcat 8 RemoteIpValve Issues
Date Mon, 01 Aug 2016 17:39:52 GMT
Chris,

  This doesn't seem to be the case with a fresh new install on Tomcat 8 on Ubuntu. Our sysadmin
also did a fresh install on Redhat with the same result.

-Nubli

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Sunday, July 31, 2016 8:43 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Tomcat 8 RemoteIpValve Issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nubli,

On 7/28/16 3:30 PM, Kasa, Nubli wrote:
> It seems that requestAttributesEnabled="true" is required in order to 
> make the valve work.

Note that requestAttributesEnabled="true" is the default. Did you change that default?

- -chris

> -----Original Message----- From: abhijitd@apple.com 
> [mailto:abhijitd@apple.com] On Behalf Of Abhijit Das Sent:
> Thursday, July 28, 2016 12:37 PM To: Tomcat Users List 
> <users@tomcat.apache.org> Subject: Re: Tomcat 8 RemoteIpValve Issues
> 
> This is how it works for me in Tomcat 8.x (I have hashed out some 
> internal values) (some of my pattern may be redundant)
> 
> 1.2.3.4 will be your LB IP, the IP that is used to talk to the server. 
> typically the MIP or the SNIP.
> 
> <Valve className="org.apache.catalina.valves.RemoteIpValve" 
> internalProxies="1\.2\.3\.4" trustedProxies="1\.2\.3\.4" 
> remoteIpHeader="X-Forwarded-For" proxiesHeader="x-forwarded-by" 
> requestAttributesEnabled="true"/>
> 
> <Valve className="org.apache.catalina.valves.AccessLogValve" 
> directory="/var/xxx/yyy/zzz/logs" prefix=“application_access" 
> suffix=".log" pattern="%t %h %{X-AUSERNAME}o %{Referer}i %l %S 
> %{User-Agent}i %U %s %r %q %A %v %p %b %I %D"
> requestAttributesEnabled="true" resolveHosts="false"/>
> 
> And, this is my access log :
> 
> [28/Jul/2016:09:33:57 -0700] <client_IP> <userid> <url_accessed> -

> <session_id> Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5)
> AppleWebKit/601.6.16 (KHTML, like Gecko) Version/9.1.1
> Safari/601.6.16 <context> 200 POST <context> HTTP/1.1  <server 
> instance IP> <Server base URL/FQDN> 443 181 http-nio-8443-exec-13
> 9
> 
> On Jul 28, 2016, at 9:23 AM, Kasa, Nubli <mmohdkas@iu.edu> wrote:
> 
> Hi,
> 
> We have been using RemoteIpValve in Tomcat 7 but it stopped working 
> for us in Tomcat 8. Our load balancer will set a header named 
> "X-Cluster-Client-Ip" with the client's IP as its value. We expect the 
> client's IP value would be overwritten as the "remoteAddr" but it is 
> not. It is working for us currently on Tomcat 7 but not on the server 
> with Tomcat 8.
> 
> I even created a fresh VM and install fresh apache-tomcat-8.0.36 on 
> Ubuntu and added the following settings as a test:
> 
> <Engine> . . .
> 
> <Host name="localhost"  appBase="webapps" unpackWARs="true"
> autoDeploy="true">
> 
> <!-- SingleSignOn valve, share authentication between web applications 
> Documentation at: /docs/config/valve.html --> <!-- <Valve 
> className="org.apache.catalina.authenticator.SingleSignOn"
> /> -->
> 
> 
> <Valve className="org.apache.catalina.valves.RemoteIpValve" 
> internalProxies="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\" 
> remoteIpHeader="X-Cluster-Client-Ip" />
> 
> 
> <!-- Access log processes all example. Documentation at:
> /docs/config/valve.html Note: The pattern used is equivalent to using 
> pattern="common" --> <Valve 
> className="org.apache.catalina.valves.AccessLogValve"
> directory="logs" prefix="localhost_access_log" suffix=".txt" 
> pattern="%h %{X-Cluster-Client-Ip}i %a %A %l %H %u %t &quot;%r&quot; 
> %s %b" />
> 
> </Host> </Engine>
> 
> I then use a browser plugin to set X-Cluster-Client-Ip header with 
> value "156.56.0.1" and GET the page /Home/Status on the same machine 
> that is hosting Tomcat. I got the following results from
> AccessLogValve:
> 
> 192.168.56.10 156.56.0.1 192.168.56.10 127.0.1.1 - HTTP/1.1 -
> [27/Jul/2016:16:59:11 -0400] "GET /Home/Status HTTP/1.1" 200 12274
> 
> %h is still showing my browser IP - 192.168.56.10 
> %{X-Cluster-Client-Ip}i correctly picks up the header value -
> 156.56.0.1 %a picks up my browser "Remote IP address" -
> 192.168.56.10 %A just picks up local IP - 127.0.1.1
> 
> I have other people verified this issue and we can't seem to figure 
> out if we are missing a configuration or if there is a bigger problem. 
> We would appreciate any aid you can give us.
> 
> Thank you, Nubli
> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
>
> 
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAled8lkACgkQ9CaO5/Lv0PC2BgCgpUKmD7kMQS2FyKI2YOBCboG1
aTkAoIV6pvffdipdhjI9p0q1EiCUeTMN
=BfdC
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Mime
View raw message