Hi,
We have been using RemoteIpValve in Tomcat 7 but it stopped working for us in
Tomcat 8. Our load balancer will set a header named "X-Cluster-Client-Ip" with
the client's IP as its value. We expect the client's IP value would be
overwritten as the "remoteAddr" but it is not. It is working for us currently
on Tomcat 7 but not on the server with Tomcat 8.
I even created a fresh VM and installed a fresh apache-tomcat-8.0.36 on Ubuntu and
added the following settings as a test:
<Engine>
.
.
.
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    <!-- SingleSignOn valve, share authentication between web applications
         Documentation at: /docs/config/valve.html -->
    <!--
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
    -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\"
           remoteIpHeader="X-Cluster-Client-Ip"
    />
    <!-- Access log processes all example.
         Documentation at: /docs/config/valve.html
         Note: The pattern used is equivalent to using pattern="common" -->
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs"
           prefix="localhost_access_log" suffix=".txt"
           pattern="%h %{X-Cluster-Client-Ip}i %a %A %l %H %u %t &quot;%r&quot; %s %b" />
  </Host>
</Engine>
I then used a browser plugin to set the X-Cluster-Client-Ip header with value
"156.56.0.1" and GET the page /Home/Status on the same machine that is hosting
Tomcat. I got the following results from AccessLogValve:
192.168.56.10 156.56.0.1 192.168.56.10 127.0.1.1 - HTTP/1.1 - [27/Jul/2016:16:59:11 -0400] "GET /Home/Status HTTP/1.1" 200 12274
%h is still showing my browser IP - 192.168.56.10
%{X-Cluster-Client-Ip}i correctly picks up the header value - 156.56.0.1
%a picks up my browser "Remote IP address" - 192.168.56.10
%A just picks up local IP - 127.0.1.1
I have had other people verify this issue and we can't seem to figure out if we
are missing a configuration or if there is a bigger problem. We would
appreciate any aid you can give us.
Thank you,
Nubli
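
The field-by-field comparison made by hand in the message above can be run over a whole access log. The following is an added example, not part of the original message and not Tomcat code: it parses records written with the AccessLogValve pattern quoted in the message and reports whether the X-Cluster-Client-Ip value reached %h and %a. The function names and the two constructed sample records are assumptions made for illustration.

```python
import re

# Field order follows the AccessLogValve pattern quoted in the message:
# %h %{X-Cluster-Client-Ip}i %a %A %l %H %u %t "%r" %s %b
LINE_RE = re.compile(
    r'(?P<host>\S+) (?P<hdr>\S+) (?P<addr>\S+) (?P<local>\S+) (?P<ident>\S+) '
    r'(?P<proto>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

def parse_line(line):
    """Return the fields of one record as a dict, or None if it does not fit."""
    # Collapse whitespace first so a record wrapped by a mail client still parses.
    match = LINE_RE.match(" ".join(line.split()))
    return match.groupdict() if match else None

def classify(line):
    """Say whether the header value reached %h and %a in this record."""
    rec = parse_line(line)
    if rec is None:
        return "unparsed"       # e.g. a header value that contains spaces
    if rec["hdr"] == "-":
        return "no-header"      # AccessLogValve logs "-" for an absent header
    if rec["hdr"] == rec["host"] == rec["addr"]:
        return "rewritten"
    return "not-rewritten"

def audit(lines):
    """Count records per verdict over a whole log."""
    counts = {}
    for line in lines:
        verdict = classify(line)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Record from the message, including its line wrap.
POSTED = ('192.168.56.10 156.56.0.1 192.168.56.10 127.0.1.1 - HTTP/1.1 -\n'
          '[27/Jul/2016:16:59:11 -0400] "GET /Home/Status HTTP/1.1" 200 12274')
# Constructed records: one in which %h and %a carry the header value,
# and one for a request that carried no header at all.
REWRITTEN = ('156.56.0.1 156.56.0.1 156.56.0.1 127.0.1.1 - HTTP/1.1 - '
             '[27/Jul/2016:17:05:00 -0400] "GET /Home/Status HTTP/1.1" 200 12274')
NO_HEADER = ('192.168.56.10 - 192.168.56.10 127.0.1.1 - HTTP/1.1 - '
             '[27/Jul/2016:17:06:00 -0400] "GET /Home/Status HTTP/1.1" 200 12274')

if __name__ == "__main__":
    print(audit([POSTED, REWRITTEN, NO_HEADER]))
```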