Nick,
Just wanted to confirm that the threads you linked to provided the solution.
The following code, added to system.xml, is what populated the IP address field
with the source IP, instead of proxy IP, in the log:
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"
prefix="access"
suffix=".log"
pattern="%{X-Forwarded-For}i %l %u %t "%r" %s %b"
rotatable="false" />
Many thanks for your help.
Dave
________________________________
From: Guacamole <[email protected]>
Sent: Friday, September 19, 2025 3:08 PM
To: [email protected] <[email protected]>
Subject: Re: Client IP handling
Hi Nick,
That seems to be the piece that was missing. I'll try it. Thank you!
Dave
________________________________
From: Nick Couchman <[email protected]>
Sent: Friday, September 19, 2025 9:50 AM
To: [email protected] <[email protected]>
Subject: Re: Client IP handling
On Thu, Sep 18, 2025 at 11:44 PM Guacamole
<[email protected]<mailto:[email protected]>> wrote:
I am running the latest Guacamole Docker image behind a reverse proxy (Pangolin
stack) that correctly sets the X-Forwarded-For header. Whether I configure the
RemoteIpValve via an environment variable in docker-compose.yml or via a valve
definition in server.xml, it works as expected in the Guacamole web UI, where,
for example, the client's public IP is displayed correctly in the 'Active
Sessions' UI. But the Tomcat access log (using LogbackAccessValve) only logs
the proxy's internal IP. Why is the application seeing the correct IP while
the access log is not?
Hello, Dave,
This sounds like more of a Tomcat issue than a Guacamole issue, so you might
have better success asking this question on the Tomcat mailing list. I did come
across the following information with a quick Internet search:
https://stackoverflow.com/questions/48103673/how-to-log-client-ip-and-x-forwarded-for-ip-in-tomcat-access-log#48180469
https://codingtechroom.com/question/how-to-log-client-ip-and-x-forwarded-for-ip-in-tomcat-access-log
-Nick
