Chris, This doesn't seem to be the case with a fresh new install on Tomcat 8 on Ubuntu. Our sysadmin also did a fresh install on Redhat with the same result.
-Nubli -----Original Message----- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Sunday, July 31, 2016 8:43 AM To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: Tomcat 8 RemoteIpValve Issues -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Nubli, On 7/28/16 3:30 PM, Kasa, Nubli wrote: > It seems that requestAttributesEnabled="true" is required in order to > make the valve work. Note that requestAttributesEnabled="true" is the default. Did you change that default? - -chris > -----Original Message----- From: abhij...@apple.com > [mailto:abhij...@apple.com] On Behalf Of Abhijit Das Sent: > Thursday, July 28, 2016 12:37 PM To: Tomcat Users List > <users@tomcat.apache.org> Subject: Re: Tomcat 8 RemoteIpValve Issues > > This is how it works for me in Tomcat 8.x (I have hashed out some > internal values) (some of my pattern may be redundant) > > 1.2.3.4 will be your LB IP, the IP that is used to talk to the server. > typically the MIP or the SNIP. > > <Valve className="org.apache.catalina.valves.RemoteIpValve" > internalProxies="1\.2\.3\.4" trustedProxies="1\.2\.3\.4" > remoteIpHeader="X-Forwarded-For" proxiesHeader="x-forwarded-by" > requestAttributesEnabled="true"/> > > <Valve className="org.apache.catalina.valves.AccessLogValve" > directory="/var/xxx/yyy/zzz/logs" prefix=“application_access" > suffix=".log" pattern="%t %h %{X-AUSERNAME}o %{Referer}i %l %S > %{User-Agent}i %U %s %r %q %A %v %p %b %I %D" > requestAttributesEnabled="true" resolveHosts="false"/> > > And, this is my access log : > > [28/Jul/2016:09:33:57 -0700] <client_IP> <userid> <url_accessed> - > <session_id> Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) > AppleWebKit/601.6.16 (KHTML, like Gecko) Version/9.1.1 > Safari/601.6.16 <context> 200 POST <context> HTTP/1.1 <server > instance IP> <Server base URL/FQDN> 443 181 http-nio-8443-exec-13 > 9 > > On Jul 28, 2016, at 9:23 AM, Kasa, Nubli <mmohd...@iu.edu> wrote: > > Hi, > > We have been using RemoteIpValve in Tomcat 7 but it stopped working > for us in Tomcat 8. Our load balancer will set a header named > "X-Cluster-Client-Ip" with the client's IP as its value. We expect the > client's IP value would be overwritten as the "remoteAddr" but it is > not. It is working for us currently on Tomcat 7 but not on the server > with Tomcat 8. > > I even created a fresh VM and install fresh apache-tomcat-8.0.36 on > Ubuntu and added the following settings as a test: > > <Engine> . . . > > <Host name="localhost" appBase="webapps" unpackWARs="true" > autoDeploy="true"> > > <!-- SingleSignOn valve, share authentication between web applications > Documentation at: /docs/config/valve.html --> <!-- <Valve > className="org.apache.catalina.authenticator.SingleSignOn" > /> --> > > > <Valve className="org.apache.catalina.valves.RemoteIpValve" > internalProxies="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\" > remoteIpHeader="X-Cluster-Client-Ip" /> > > > <!-- Access log processes all example. Documentation at: > /docs/config/valve.html Note: The pattern used is equivalent to using > pattern="common" --> <Valve > className="org.apache.catalina.valves.AccessLogValve" > directory="logs" prefix="localhost_access_log" suffix=".txt" > pattern="%h %{X-Cluster-Client-Ip}i %a %A %l %H %u %t "%r" > %s %b" /> > > </Host> </Engine> > > I then use a browser plugin to set X-Cluster-Client-Ip header with > value "156.56.0.1" and GET the page /Home/Status on the same machine > that is hosting Tomcat. I got the following results from > AccessLogValve: > > 192.168.56.10 156.56.0.1 192.168.56.10 127.0.1.1 - HTTP/1.1 - > [27/Jul/2016:16:59:11 -0400] "GET /Home/Status HTTP/1.1" 200 12274 > > %h is still showing my browser IP - 192.168.56.10 > %{X-Cluster-Client-Ip}i correctly picks up the header value - > 156.56.0.1 %a picks up my browser "Remote IP address" - > 192.168.56.10 %A just picks up local IP - 127.0.1.1 > > I have other people verified this issue and we can't seem to figure > out if we are missing a configuration or if there is a bigger problem. > We would appreciate any aid you can give us. > > Thank you, Nubli > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAled8lkACgkQ9CaO5/Lv0PC2BgCgpUKmD7kMQS2FyKI2YOBCboG1 aTkAoIV6pvffdipdhjI9p0q1EiCUeTMN =BfdC -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org