Christopher Schultz wrote:

Mark,

On 3/6/2009 2:03 PM, Mark Thomas wrote:
Bing Zheng wrote:

The tomcat server (version 5.5.23) is behind a load balancer.  If I
use request.getRemoteAddr(), it returns the load balancer's ip.  If I
use request.getHeader("REMOTE_ADDR"), it returns the correct client IP
address.  Is this a known bug?  Thanks.

Nope, it is expected behaviour.

Is it? From the javadoc for javax.servlet.ServletRequest:

"Returns the Internet Protocol (IP) address of the client or last proxy
that sent the request. For HTTP servlets, same as the value of the CGI
variable REMOTE_ADDR."

I would think that if
!request.getRemoteAddr().equals(request.getHeader("REMOTE_ADDR")) then
something has gone wrong.

Perhaps a load-balancer doesn't count as a proxy under this definition?

It'd be nice if someone in the know would elaborate, because I would also like to get to the bottom of this.

Logically, a webserver application could find out (through its webserver)
- the client IP address from the connection on which this request is arriving. In case the request has been relayed by a proxy, load balancer or whatever, this would however be the address of said intermediate agent ('s host), who is the one making the real TCP connection to the webserver.
OR
- the client IP address as indicated by a request HTTP header.
(And subsequently and possibly translated into a CGI environment variable, if the server sets this up).
This one may, or may not, be the IP address of the original client.
Unless I am mistaken, I seem to remember that there exists, for instance, a parameter in mod_jk which allows one to specify whether the client IP address forwarded by Apache to Tomcat should be the original client address (or at least the IP address which Apache believes to be the client), or the IP address of the front-end Apache server itself.

On the basis of this, there seems to exist little doubt about what request.getHeader("REMOTE_ADDR") does return (although there can still be speculation about the content), but where does request.getRemoteAddr() really get its data?
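
Added example, not part of the thread and not Tomcat's own code: one way to combine the two sources discussed above, treating the getRemoteAddr() value as the connection peer (the "client or last proxy" of the quoted javadoc) and honouring the REMOTE_ADDR header only when that peer is a known load balancer, since any client can send the header itself. The class name, method name and the addresses in TRUSTED_PEERS are assumptions made for illustration.

```java
import java.util.Set;
import java.util.regex.Pattern;

public class ClientAddress {
    // Assumption: addresses of the load balancers allowed to vouch for a client
    // (constructed sample values, replace with the real front ends).
    static final Set<String> TRUSTED_PEERS = Set.of("10.0.0.5", "10.0.0.6");

    // Shape check only, no DNS lookup: an IPv4 dotted quad, or a loose IPv6 form
    // (hex digits and colons, at least one colon).
    static final Pattern IP_LITERAL = Pattern.compile(
        "((25[0-5]|2[0-4]\\d|1?\\d?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1?\\d?\\d)"
        + "|(?=.*:)[0-9A-Fa-f:]{2,39}");

    /**
     * @param peerAddr    value of request.getRemoteAddr(), the TCP peer
     * @param headerValue value of request.getHeader("REMOTE_ADDR"), may be null
     * @return the address to log or use in access decisions
     */
    static String resolve(String peerAddr, String headerValue) {
        // A direct connection: the header is client-supplied, so ignore it.
        if (!TRUSTED_PEERS.contains(peerAddr)) {
            return peerAddr;
        }
        // The balancer sent no header: fall back to the peer address.
        if (headerValue == null) {
            return peerAddr;
        }
        // Reject anything that is not shaped like an IP address before it
        // reaches logs or access rules.
        String candidate = headerValue.trim();
        return IP_LITERAL.matcher(candidate).matches() ? candidate : peerAddr;
    }

    public static void main(String[] args) {
        // Constructed inputs covering the cases above.
        System.out.println(resolve("10.0.0.5", "203.0.113.7"));    // relayed by a balancer
        System.out.println(resolve("198.51.100.9", "127.0.0.1"));  // direct peer, forged header
        System.out.println(resolve("10.0.0.5", "not-an-address")); // balancer, junk header
        System.out.println(resolve("10.0.0.5", null));             // balancer, no header
    }
}
```

In a servlet the two arguments would be request.getRemoteAddr() and request.getHeader("REMOTE_ADDR"); the check only holds if clients cannot reach Tomcat without passing through the balancer, or if the balancer overwrites any REMOTE_ADDR header a client sends.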


