On 31/03/2020 07:26, Frank Tornack wrote:
> Hello all,
>
> I currently have a problem with Tomcat7, or rather a colleague has it.
> Personally I would like to help him, but I can't find the error myself.
> We already asked the question on stackoverflow.com and got a good hint,
> but unfortunately no solution. So I would like to ask for help and
> support here. I think I am violating the directive of asking a double
> question, but it is important to me personally to help this colleague.
> Therefore I am at least honest, the question can also be found at the
> link:
> https://stackoverflow.com/questions/60827540/tomcat-x-forwarded-for-doesnt-work-with-load-balancer

Which at least enables us to find the one key piece of information
missing in this question, the version of Tomcat being used: 7.0.76

> We run a software that uses Tomcat as application server behind a load
> balancer. Now we would like to record the initial address of the
> requests and not the IP of the load balancer. We have used these 3
> websites for the setup, but unfortunately it does not work. The IPs of
> the loadbalancers are still written to the access log.
> https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
> https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/AccessLogValve.html
> https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve
>
> We used the following configuration for access logging and remote
> valve:
> <Valve className="org.apache.catalina.valves.RemoteIpValve"
> internalProxies="xxx\.xxx\.xxx\.7|xxx\.xxx\.xxx\.8|xxx\.xxx\.xxx\.9"
> remoteIpHeader="X-Forwarded-For" />

The remoteIpHeader setting is unnecessary. That is the default.

> <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
> prefix="access_log." suffix=".log"
> pattern="%{org.apache.catalina.AccessLog.RemoteAddr}r %l %u %t
> "%r" %s %b"
> requestAttributesEnabled="true" />

That isn't correct. You only need to add requestAttributesEnabled="true"
to the default AccessLogValve. It will handle looking up the correct
attributes. You don't need to modify the pattern.

I also confirmed that the Valve order doesn't matter.

> The request header 'X-Forwarded-For'
> was set and load balancer was analyzed via wireshark and Request Dumper
> Filter. We can see the header in both. However we still only get the IP
> of the load balancer and not the IP of the remote client. The IP
> addresses of the config have already been checked and they are correct.

You can add "... %{X-Forwarded-For}i ..." to the pattern attribute of
the AccessLog valve to confirm that Tomcat sees this header value.

I've tested this locally with the latest 7.0.x and everything works as
expected. I also don't recall any changes / bugs in this area recently.
A quick scan of the changelog does identify various improvements and
fixes since 7.0.76 but none that immediately jump out as likely to cause
this simple configuration to fail.

Mark
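
An added example, not part of the reply above and not Tomcat's own code: a simplified Python model of how RemoteIpValve picks the address that an access log with requestAttributesEnabled="true" records, showing that the header is ignored unless the connecting peer fully matches internalProxies. The function names and all addresses are constructed for illustration, and trustedProxies handling is left out.

```python
import re

def resolve_remote_ip(peer_addr, xff_header, internal_proxies):
    """Return the client address a RemoteIpValve-style filter would expose.

    peer_addr        -- address of the TCP peer (what getRemoteAddr() returns)
    xff_header       -- raw X-Forwarded-For value, or None if absent
    internal_proxies -- regex that must match a whole address, as in the valve
    """
    internal = re.compile(internal_proxies)

    # The header is honoured only when the peer itself is a known proxy.
    # Otherwise any client could choose the address written to the log.
    if internal.fullmatch(peer_addr) is None:
        return peer_addr

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk from the hop nearest to Tomcat back toward the client and stop at
    # the first address that is not one of our own proxies.
    for hop in reversed(hops):
        if internal.fullmatch(hop) is None:
            return hop
    return peer_addr  # header absent, or it listed only known proxies


# Constructed sample values: three load balancers, same shape as the
# internalProxies attribute in the thread (whose real addresses are masked).
PROXIES = r"10\.0\.0\.7|10\.0\.0\.8|10\.0\.0\.9"

def demo():
    return {
        # Peer is a listed balancer: the forwarded client address is logged.
        "listed_lb": resolve_remote_ip("10.0.0.7", "203.0.113.50", PROXIES),
        # Peer is a balancer address the regex does not cover: the header is
        # ignored and the balancer's own address is logged.
        "unlisted_lb": resolve_remote_ip("10.0.0.17", "203.0.113.50", PROXIES),
        # Client supplied its own X-Forwarded-For; the balancer appended the
        # real address, and only that right-most untrusted hop is used.
        "forged_prefix": resolve_remote_ip(
            "10.0.0.7", "198.51.100.1, 203.0.113.50", PROXIES),
        # Client connects directly with a forged header: header is ignored.
        "direct_forged": resolve_remote_ip("203.0.113.50", "10.0.0.7", PROXIES),
    }

if __name__ == "__main__":
    for case, logged in demo().items():
        print(f"{case:14s} -> {logged}")
```

The "unlisted_lb" case is one way to end up with the balancer's address in the log even though the header is present; comparing the logged peer address against the internalProxies pattern is a quick check for it.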