Paul Klinkenberg wrote:
Hi Tomcat users!

I have been working on an update for a Tomcat valve called mod_cfml. The 
project aims to provide automatic web context creation in Tomcat, when coming 
from a frontend webserver.
The live code base can be found at https://github.com/utdream/mod_cfml

One of the features I wanted to add, is adding an IP restriction in the valve (see github <https://github.com/paulklinkenberg/mod_cfml/commit/dab058b7f38f98a6e7f076323e3d23be476e6de6>). While testing, I noticed that AJP works very well: it hides the IP address of the caller, which is the front-end Apache webserver, and instead returns the IP of the remote client / the client who called the frontend webserver.
I have been digging around quite a lot, but have not been able to find the 
Apache httpd IP address :-(

My question is hopefully simple to answer: can I retrieve the IP address which 
called the AJP connector, from within the valve?

My server.xml is:

<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve
            className="mod_cfml.core"
            loggingEnabled="true"
            waitForContext="10"
            maxContexts="9999"
            timeBetweenContexts="0"
            scanClassPaths="false"
            allowedIPs="127.0.0.1,192.168.1.52" />
      </Host>
    </Engine>
  </Service>
</Server>

Thanks in advance for your time!

Kind regards,

Paul Klinkenberg
The Netherlands

p.s. I asked this question, in other wording, on StackOverflow.com as well. I hope I have better luck here ;-)
http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp


Hi.
With Apache httpd and mod_jk as front-end, you have (at least) 2 options :
- set an additional HTTP request header at the Apache httpd level, before the request is proxied to the back-end Tomcat
- set a "JkEnvVar" value at the Apache httpd level, before the request is proxied to Tomcat

You can then retrieve these set values at the Tomcat level, either by parsing the request headers, or by retrieving a "request attribute" corresponding to the JkEnvVar. The JkEnvVar/attribute method is probably more efficient in a mod_jk context; the HTTP header solution is more portable, since it does not depend on specifically mod_jk being used as a connector.

Presumably, when at the Apache httpd level you decide to proxy a request to a back-end Tomcat, you know through which interface you'll do it, and what its IP address is, and you can put it into one of the things above.

Is that enough info to get you started ?

Caveat : one part I am not quite sure of, is what things you do have easy access to, at the level of a Valve. The above is what you'd do at a webapp level, I hope it is also accessible at your Valve level.


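The two options from the reply, combined in one valve, as an added example that is not part of the thread and not mod_cfml's own code. It assumes Tomcat 7 to 9 (`javax.servlet`); the class name `FrontendIpValve`, the variable `FRONTEND_IP` and the header `X-Frontend-IP` are hypothetical names chosen for illustration.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;          // jakarta.servlet on Tomcat 10+
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

// httpd side, assumed for this example (hypothetical names):
//   SetEnv FRONTEND_IP 192.168.1.52                 # mod_env
//   JkEnvVar FRONTEND_IP                            # mod_jk forwards it as a request attribute
//   RequestHeader set X-Frontend-IP "192.168.1.52"  # mod_headers; "set" replaces a client-sent copy
public class FrontendIpValve extends ValveBase {
    private final Set<String> allowed = new HashSet<>();
    private String attributeName = "FRONTEND_IP";
    private String headerName = "X-Frontend-IP";

    // Filled from the Valve element, e.g. allowedIPs="127.0.0.1,192.168.1.52"
    public void setAllowedIPs(String csv) {
        allowed.clear();
        for (String ip : csv.split(",")) {
            if (!ip.trim().isEmpty()) allowed.add(ip.trim());
        }
    }
    public void setAttributeName(String name) { attributeName = name; }
    public void setHeaderName(String name) { headerName = name; }

    // Prefer the JkEnvVar attribute; fall back to the header for front ends without mod_jk.
    static String frontendIp(Object attribute, String header) {
        if (attribute != null && !attribute.toString().trim().isEmpty()) {
            return attribute.toString().trim();
        }
        return header == null ? null : header.trim();
    }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String ip = frontendIp(request.getAttribute(attributeName), request.getHeader(headerName));
        // Fail closed: a missing value or one outside the list never reaches the next valve.
        if (ip == null || !allowed.contains(ip)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        getNext().invoke(request, response);
    }
}
```

Both values are asserted by whoever connects to the AJP port, so this check tells configured front ends apart rather than authenticating them; the connector itself should be reachable only from the trusted front-end hosts.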