Mon, 23 Sep 2019 at 20:45, John Pyeatt <john.pyeatt@xxxxxxxxxxxxxx>:
>
> I have tried everything and I can't get Apache (2.4.39) to pass the X-Forwarded-For header to my tomcat (8.5) instance.
>
> I have apache listening on port 8081 and bound to the public IP address as a reverse proxy to a backend tomcat instance which is also bound to 8081 but on 127.0.0.1.
> My apache instance has the following modules loaded:
>
> proxy_module (shared)
> proxy_connect_module (shared)
> proxy_ajp_module (shared)
> proxy_http_module (shared)
> proxy_wstunnel_module (shared)
> remoteip_module (shared)
>
> Here is my virtualhost stanza
> <VirtualHost _default_:8081>
>   ProxyPreserveHost On
>   ProxyPass /MYAPP/admin http://127.0.0.1:8081/MYAPP/admin
>   RemoteIPHeader X-Forwarded-For
>   RemoteIPInternalProxy 127.0.0.0/8
>   <Location /MYAPP/admin>
>     ProxyAddHeaders On
>     ProxyPassReverse /MYAPP/admin
>     # Only allow ?cmd=spkr
>     RewriteEngine On
>     RewriteCond %{QUERY_STRING} !cmd=spkr
>     RewriteRule .* - [F]
>   </Location>
> </VirtualHost>
>
> According to the doc https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyaddheaders ProxyAddHeaders On should do the trick.
>
> I've done a packet capture to see if the X-Forwarded-For header is being generated by Apache but dropped on the floor in Tomcat and I'm not seeing X-Forwarded-For header coming from Apache.
>

What is your configuration in Apache Tomcat?

If you expect HttpServletRequest.getRemoteAddr() to get the value from the X-Forwarded-For header, you must have a valve (org.apache.catalina.valves.RemoteIpValve) configured in your web application (in its META-INF/context.xml file) or in an upper level in request processing chain (in Host element in server.xml file) in Apache Tomcat configuration; alternatively, the work can be done with a filter (org.apache.catalina.filters.RemoteIpFilter) in the WEB-INF/web.xml file of your web application.
https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Remote_IP_Valve
https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#Remote_IP_Filter

IIRC both RemoteIpValve and RemoteIpFilter hide the X-Forwarded-For header once they have processed it, so you won't see it in your web application, but you may see it in access log if you configure it to write out that header (as access logging happens at an earlier/outer state of request processing chain). See tables "before/after" in the documentation for the valve and filter.

> The slightly weird thing is that my tomcat app is also listening on port 5678 using AJP and that works if I change to ProxyPass /MYAPP/admin ajp://127.0.0.1:5678/MYAPP/admin. Calls to HttpRequest.getRemoteAddr() in my tomcat app correctly return the IP address of my client. I find it very hard to believe that proxy_ajp_module works fine and proxy_http_module somehow has a bug in it. So I must be missing some magic apache configuration setting.

In case of AJP protocol, the remote IP address is transmitted as part of the protocol packet and does not require configuration at Tomcat side.

Best regards,
Konstantin Kolinko
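
Added example, not part of the original thread and not Tomcat's code: a simplified Python model of the header handling shown in the "before/after" tables of the RemoteIpValve documentation. It shows why the application no longer sees X-Forwarded-For once the header has been processed, and why the header is honoured only when the connection arrives from a listed proxy. The function names, the CIDR trust lists and the sample addresses are assumptions made for the example.

```python
import ipaddress

# Constructed trust lists for the example. Tomcat's valve takes regular
# expressions (internalProxies / trustedProxies), not CIDR blocks.
INTERNAL = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]
TRUSTED = [ipaddress.ip_network("203.0.113.0/24")]

def _listed(addr, nets):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # unparsable hop: never treated as a proxy
        return False
    return any(ip in n for n in nets)

def resolve_remote_ip(peer_addr, headers):
    """Return (remote_addr, headers) as the web application would see them."""
    headers = dict(headers)
    xff = headers.get("X-Forwarded-For")
    # Honour the header only when the TCP peer is itself a listed proxy;
    # otherwise any client could claim an arbitrary source address.
    if not xff or not _listed(peer_addr, INTERNAL + TRUSTED):
        return peer_addr, headers
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    remote_ip, forwarded_by = None, []
    idx = len(hops) - 1
    while idx >= 0:             # walk from the hop nearest to this server
        hop = hops[idx]
        idx -= 1
        if _listed(hop, INTERNAL):
            continue            # internal proxy: dropped silently
        if _listed(hop, TRUSTED):
            forwarded_by.insert(0, hop)
            continue
        remote_ip = hop         # first unlisted hop is taken as the client
        break
    if remote_ip is None:       # only proxies in the chain: leave untouched
        return peer_addr, headers
    # Consumed hops are removed, so the application no longer sees them.
    headers.pop("X-Forwarded-For", None)
    headers.pop("X-Forwarded-By", None)
    if hops[:idx + 1]:
        headers["X-Forwarded-For"] = ", ".join(hops[:idx + 1])
    if forwarded_by:
        headers["X-Forwarded-By"] = ", ".join(forwarded_by)
    return remote_ip, headers
```
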