and to add a quick note to that, the log-output when I am using
trustedProxies is "skip" for nearly everything:

15-Jun-2021 00:22:09.543 FINE [ajp-nio-8013-exec-23]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request
/api/v1/loginpixel/B:0BB57BE90B9C750FE773604354BF6E4D1920EF76D5500AE8673BD599D668983223A8666226FED1087E61D0E99A19F6EBEB8E64DB0BEE6BC3A5F20DCDC06FE4C27EFEE1B535C49367BCFB034E176AF8E40EE0A43F54C1D0D4DEFAAE38C9C2426DD6E585F2A7548076C577D291011712E3BDEEE4D8DCBAE7D5B7A144B0B06011E9
with originalRemoteAddr '198.41.242.13'
15-Jun-2021 00:22:09.544 FINE [ajp-nio-8013-exec-7]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /photos/b/EA01F2D2BB616202A4F4A55E650D684D/300/ with
originalRemoteAddr '198.41.242.13'
15-Jun-2021 00:22:09.544 FINE [ajp-nio-8013-exec-9]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /photos/d/1390B1ED751C81B39B21785D818F4570/300/ with
originalRemoteAddr '198.41.242.13'
15-Jun-2021 00:22:09.544 FINE [ajp-nio-8013-exec-18]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-int/js/extRegUpdatePassword.js with originalRemoteAddr
'198.41.242.13'
15-Jun-2021 00:22:09.547 FINE [ajp-nio-8013-exec-15]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-int/js/websocket/websocket.js with originalRemoteAddr
'198.41.242.49'
15-Jun-2021 00:22:09.544 FINE [ajp-nio-8013-exec-16]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /photos/d/531BD3EA43EC8662E9BA9967689AEEBC/300/ with
originalRemoteAddr '198.41.242.13'
15-Jun-2021 00:22:09.548 FINE [ajp-nio-8013-exec-12]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-int/img/avatars/no_avatar_woman_1_lg.png with
originalRemoteAddr '198.41.242.73'
15-Jun-2021 00:22:09.549 FINE [ajp-nio-8013-exec-6]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-int/img/avatars/no_avatar_woman_4_lg.png with
originalRemoteAddr '198.41.242.119'
15-Jun-2021 00:22:09.640 FINE [ajp-nio-8013-exec-24]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-int/img/avatars/no_avatar_woman_5_lg.png with
originalRemoteAddr '198.41.242.153'
15-Jun-2021 00:22:09.651 FINE [ajp-nio-8013-exec-3]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-ext/firebase/firebase-messaging.js.map with
originalRemoteAddr '198.41.242.13'
15-Jun-2021 00:22:09.666 FINE [ajp-nio-8013-exec-8]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-ext/firebase/firebase-app.js.map with originalRemoteAddr
'198.41.242.13'

On Tue, Jun 15, 2021 at 12:19 AM Leon Rosenberg <rosenberg.l...@gmail.com>
wrote:

> ok, quick update: it didn't work with 198\.41\..* or .* at first, but it
> worked after I changed attribute name from trustedProxies to
> internalProxies.
> kr
> Leon
>
> On Mon, Jun 14, 2021 at 11:52 PM Leon Rosenberg <rosenberg.l...@gmail.com>
> wrote:
>
>>
>>
>> On Mon, Jun 14, 2021 at 10:57 PM Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>>
>>> Leon,
>>>
>>> On 6/14/21 16:26, Leon Rosenberg wrote:
>>> > Thanks for the response Mark,
>>> >
>>> > quick question, do I have to add all cloudflare ips? They are kind of
>>> > distributed along the world... Can I mark the trustworthiness by a
>>> > header instead?
>>> > kr
>>> > Leon
>>> >
>>> > On Mon, Jun 14, 2021 at 9:45 PM Mark Thomas <ma...@apache.org> wrote:
>>> >
>>> >> On 14/06/2021 17:01, Leon Rosenberg wrote:
>>> >>> hi,
>>> >>> I have a tomcat 8.5.15 behind an apache behind cloudflare. I am trying to
>>> >>> "see" the user's ip in my logs. When I print out the headers I see that I
>>> >>> have headers in the request
>>> >>> CF-Connecting-IP
>>> >>> and
>>> >>> X-Forwarded-For
>>> >>> with the real user's ip, say 93.72.251.122. But when I make a request to
>>> >>> request.getRemoteAddr() it returns 162.158.103.188 which is cloudflare's
>>> >>> ip address, not the real one.
>>> >>> I added the RemoteIpValve to the server.xml in different configurations
>>> >>> under "Host", i.e.:
>>> >>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
>>> >>> remoteIpHeader="x-forwarded-for"
>>> >>> protocolHeader="x-forwarded-proto"
>>> >>> />
>>> >>>
>>> >>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
>>> >>> remoteIpHeader="X-Forwarded-For"
>>> >>> protocolHeader="X-Forwarded-Proto"
>>> >>> />
>>> >>>
>>> >>> or assuming for defaults:
>>> >>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
>>> >>> />
>>> >>>
>>> >>> or even:
>>> >>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
>>> >>> remoteIpHeader="CF-Connecting-IP"
>>> >>> />
>>> >>>
>>> >>> but none of them give me the getRemoteAddr properly. Is there a trick to
>>> >>> this configuration?
>>> >>
>>> >> You need to tell Tomcat that 162.158.103.188 is trusted. Setting
>>> >> trustedProxies="162\.158.103\.188" should do the trick.
>>> >>
>>> >> There is debug logging in that Valve so you can set
>>> >>
>>> >> org.apache.catalina.valves.RemoteIpValve.level=FINE
>>> >>
>>> >> in $CATALINA_BASE/conf/logging.properties to get debug logging which
>>> >> should help you see what is going on.
>>> >>
>>> >> Mark
>>>
>>> trustedProxies=".*" ??
>>>
>>>
>> Hi Chris,
>>
>>
>>> What happens if someone connects to your origin server directly? Would
>>> you trust an X-Forwarded-For header from them?
>>>
>>
>> That's an excellent question, Chris! I don't know the answer yet, the
>> only thing we need the ip for is to have something in case of
>> payment-fraud, and since you can't get any physical goods on this site I
>> guess it would be ok to trust it.
>> kr
>> leon
>>
>>
>>>
>>> -chris
>>>
>>>
>>>
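
The question raised in the thread (what a ".*" pattern means when a client reaches the origin directly) can be checked with a small model of the valve's decision. This is an added example, not part of the original messages and not Tomcat's code: it assumes the valve processes the header only when the connecting address matches internalProxies, then walks X-Forwarded-For from right to left until the first address that is not a proxy. The addresses 203.0.113.7 and 192.0.2.50 are constructed; the others are taken from the thread.

```python
import re

def resolve_remote_ip(peer_addr, x_forwarded_for, internal_proxies):
    """Return the address the application would see as the remote address.

    Simplified model: only internalProxies is modelled; trustedProxies and
    the proxiesHeader bookkeeping are left out.
    """
    pattern = re.compile(internal_proxies)
    # Java's Matcher.matches() must match the whole string, hence fullmatch.
    if not pattern.fullmatch(peer_addr):
        # Corresponds to the "Skip RemoteIpValve" log line: header ignored.
        return peer_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    remote_ip = None
    # Walk from the hop nearest to the server towards the client.
    for hop in reversed(hops):
        remote_ip = hop
        if not pattern.fullmatch(hop):
            break  # first address that is not one of our proxies
    return remote_ip if remote_ip is not None else peer_addr

RESTRICTED = r"198\.41\..*"  # pattern tried in the thread
TRUST_ALL = r".*"            # pattern asked about in the thread

PROXY = "198.41.242.13"      # proxy address from the log output
USER = "93.72.251.122"       # example user address from the thread
DIRECT_PEER = "203.0.113.7"  # constructed: client that bypasses the proxy
FORGED = "192.0.2.50"        # constructed: value the client put in the header

def scenarios(internal_proxies):
    """Resolve the same three requests under the given pattern."""
    return {
        "via proxy": resolve_remote_ip(PROXY, USER, internal_proxies),
        "via proxy, forged entry": resolve_remote_ip(
            PROXY, f"{FORGED}, {USER}", internal_proxies),
        "direct to origin": resolve_remote_ip(
            DIRECT_PEER, FORGED, internal_proxies),
    }

if __name__ == "__main__":
    for name, pat in (("restricted", RESTRICTED), ("trust all", TRUST_ALL)):
        print(name, scenarios(pat))
```

With the restricted pattern the forged entry is never used; with ".*" it becomes the remote address in both the proxied and the direct case, so the logged address is whatever the client chose to send.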
