Can't get X-Forwarded-For to be passed through to app with apache reverse proxy

I have tried everything and I can't get Apache (2.4.39) to pass the X-Forwarded-For header to my Tomcat (8.5) instance.

I have Apache listening on port 8081 and bound to the public IP address as a reverse proxy to a backend Tomcat instance, which is also bound to 8081 but on 127.0.0.1.
My Apache instance has the following modules loaded:

 proxy_module (shared)
 proxy_connect_module (shared)
 proxy_ajp_module (shared)
 proxy_http_module (shared)
 proxy_wstunnel_module (shared)
 remoteip_module (shared)

Here is my virtualhost stanza:
<VirtualHost _default_:8081>
    ProxyPreserveHost On
    ProxyPass /MYAPP/admin http://127.0.0.1:8081/MYAPP/admin
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 127.0.0.0/8
    <Location /MYAPP/admin>
        ProxyAddHeaders On
        ProxyPassReverse /MYAPP/admin
        # Only allow ?cmd=spkr
        RewriteEngine On
        RewriteCond %{QUERY_STRING} !cmd=spkr
        RewriteRule .* - [F]
    </Location>
</VirtualHost>


According to the doc (https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyaddheaders), ProxyAddHeaders On should do the trick.

I've done a packet capture to see if the X-Forwarded-For header is being generated by Apache but dropped on the floor in Tomcat, and I'm not seeing the X-Forwarded-For header coming from Apache.

The slightly weird thing is that my Tomcat app is also listening on port 5678 using AJP, and that works if I change to ProxyPass /MYAPP/admin ajp://127.0.0.1:5678/MYAPP/admin. Calls to HttpRequest.getRemoteAddr() in my Tomcat app correctly return the IP address of my client. I find it very hard to believe that proxy_ajp_module works fine and proxy_http_module somehow has a bug in it. So I must be missing some magic Apache configuration setting.


--
John Pyeatt
Software Developer
(608) 661-1184 | john.pyeatt@xxxxxxxxxxxxxx
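
An added illustration, not part of the original post and not Apache or Tomcat code: a backend that receives X-Forwarded-For over plain HTTP should honor it only when the connecting peer is a trusted proxy, and should read the list right to left so that entries supplied by the client are not believed. The trusted range copies the RemoteIPInternalProxy value from the post; the function names and sample addresses are constructed.

```python
import ipaddress

# Assumption: same range as "RemoteIPInternalProxy 127.0.0.0/8" in the post.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr parses as an IP address inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def resolve_client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Pick the address to treat as the client.

    peer_addr  -- source address of the TCP connection the backend accepted
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    # A header sent by an untrusted peer is attacker-controlled: ignore it.
    if not xff_header or not is_trusted(peer_addr, trusted):
        return peer_addr

    client = peer_addr
    # Each proxy appends the address it saw, so the rightmost entry is the
    # most recent hop. Walk leftwards while the hops are trusted proxies.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that validated
        client = hop
        if not is_trusted(hop, trusted):
            break  # first untrusted address is the client; stop here
    return client


if __name__ == "__main__":
    # Constructed samples: (peer address, X-Forwarded-For value)
    samples = [
        ("127.0.0.1", "203.0.113.7"),           # proxied request
        ("127.0.0.1", "1.2.3.4, 203.0.113.7"),  # client forged the left entry
        ("198.51.100.9", "10.0.0.1"),           # direct hit with forged header
        ("127.0.0.1", None),                    # proxy sent no header
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", resolve_client_ip(peer, xff))
```
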
