On Mon, Jun 14, 2021 at 10:57 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Leon,
>
> On 6/14/21 16:26, Leon Rosenberg wrote:
> > Thanks for the response Mark,
> >
> > quick question, do I have to add all Cloudflare IPs? They're kind of
> > distributed around the world... Can I mark the trustworthiness by a
> > header instead?
> > kr
> > Leon
> >
> > On Mon, Jun 14, 2021 at 9:45 PM Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 14/06/2021 17:01, Leon Rosenberg wrote:
> >>> hi,
> >>> I have a tomcat 8.5.15 behind an apache behind cloudflare. I am trying to
> >>> "see" the user's ip in my logs. When I print out the headers I see that I
> >>> have headers in the request
> >>> CF-Connecting-IP
> >>> and
> >>> X-Forwarded-For
> >>> with real user's IP, say 93.72.251.122. But when I make a request to
> >>> request.getRemoteAddr() it returns 162.158.103.188 which is cloudflare's
> >>> ip address, not the real one.
> >>> I added to the server.xml the RemoteIpValve in different configurations
> >>> under "Host", i.e.:
> >>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
> >>> remoteIpHeader="x-forwarded-for"
> >>> protocolHeader="x-forwarded-proto"
> >>> />
> >>>
> >>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
> >>> remoteIpHeader="X-Forwarded-For"
> >>> protocolHeader="X-Forwarded-Proto"
> >>> />
> >>>
> >>> or assuming for defaults:
> >>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
> >>> />
> >>>
> >>> or even:
> >>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
> >>> remoteIpHeader="CF-Connecting-IP"
> >>> />
> >>>
> >>> but none of them give me the getRemoteAddr properly. Is there a trick to
> >>> this configuration?
> >>
> >> You need to tell Tomcat that 162.158.103.188 is trusted. Setting
> >> trustedProxies="162\.158\.103\.188" should do the trick.
> >>
> >> There is debug logging in that Valve so you can set
> >>
> >> org.apache.catalina.valves.RemoteIpValve.level=FINE
> >>
> >> in $CATALINA_BASE/conf/logging.properties to get debug logging which
> >> should help you see what is going on.
> >>
> >> Mark
>
> trustedProxies=".*" ??
>
>
Hi Chris,


> What happens if someone connects to your origin server directly? Would
> you trust an X-Forwarded-For header from them?
>

That's an excellent question, Chris! I don't know the answer yet; the only
thing we need the IP for is to have something in case of payment fraud, and
since you can't get any physical goods on this site I guess it would be ok
to trust it.
kr
leon


>
> -chris
>
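A simplified Python model of the right-to-left X-Forwarded-For walk that the trustedProxies setting discussed in this thread controls, added here as an illustration; it is not code from the thread or from Tomcat. It assumes Apache reaches Tomcat from 127.0.0.1 and appends its own peer's address to the header; the function names, the trimmed internal-proxy pattern and the 203.0.113.7 / 198.51.100.9 sample addresses are constructed.

```python
import re

# Assumption: a trimmed stand-in for the valve's default internalProxies
# (loopback plus the 10/8 and 192.168/16 private ranges only).
INTERNAL = (r"127\.\d{1,3}\.\d{1,3}\.\d{1,3}|10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
            r"|192\.168\.\d{1,3}\.\d{1,3}")


def _is_proxy(ip, trusted, internal):
    # Whole-string match, like Java's Matcher.matches().
    return any(p and re.fullmatch(p, ip) for p in (internal, trusted))


def resolve_remote_addr(peer, xff, trusted=None, internal=INTERNAL):
    """Return the address getRemoteAddr() would report in this model."""
    # The header is honoured only when the TCP peer is itself a known proxy.
    if not _is_proxy(peer, trusted, internal):
        return peer
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    remote = peer
    # Walk right to left; stop at the first hop that is not a known proxy.
    for hop in reversed(hops):
        remote = hop
        if not _is_proxy(hop, trusted, internal):
            break
    return remote


# Constructed header values as Tomcat would receive them from Apache.
VIA_CLOUDFLARE = "93.72.251.122, 162.158.103.188"
# Direct connection to the origin from 203.0.113.7 carrying a forged value.
DIRECT_FORGED = "198.51.100.9, 203.0.113.7"
EXACT = r"162\.158\.103\.188"


def scenarios():
    apache = "127.0.0.1"  # assumed address Apache connects from
    return {
        "defaults, via Cloudflare": resolve_remote_addr(apache, VIA_CLOUDFLARE),
        "exact proxy, via Cloudflare": resolve_remote_addr(apache, VIA_CLOUDFLARE, EXACT),
        "exact proxy, direct + forged": resolve_remote_addr(apache, DIRECT_FORGED, EXACT),
        "'.*', direct + forged": resolve_remote_addr(apache, DIRECT_FORGED, ".*"),
    }


if __name__ == "__main__":
    for name, addr in scenarios().items():
        print(f"{name:30} -> {addr}")
```

With the exact pattern a direct connection is reported under its real peer address, while ".*" treats every hop as a proxy and reports the leftmost, client-supplied value.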