On 10/12/2010 13:03, Brett Delle Grazie wrote:
> Hi,
>
> We're using:
> RHEL5 (fully up to date)
> Tomcat 6.0.29 (from apache.org)
> JVM 1.6.0_22
>
> We use HAproxy (1.4.8) as a front end to Tomcat, HAproxy uses the 'option
> forwardfor' which adds an additional X-Forwarded-For header
> to the request.
>
> Everything works fine except if the client has an X-Forwarded-For header
> _already_ in the request (perhaps due to Squid in forward proxy on client
> side).
>
> Thus offending request looks like:
>
> Headers (fake IP addresses used):
> X-Forwarded-For: 192.168.0.4 (client side added)
> ... (some other headers) ...
> X-Forwarded-For: 224.212.128.2 (added by HAproxy - this is the actual IP of
> the client's squid proxy).
> ... (some other headers) ...
>
> Now Tomcat's RemoteIP valve doesn't appear to handle this situation
> correctly - it returns 192.168.0.4 instead of the expected 224.212.128.2
>
> Should HAproxy be extending the existing header to:
> e.g. X-Forwarded-For: 192.168.0.4, 224.212.128.2
>
> Or should Tomcat's RemoteIP valve handle this situation?

It isn't absolutely clear since I can't find a precise enough definition of the X-Forwarded-For header but the implication is that Tomcat should handle this. Currently it doesn't.

> I'm also not sure which situation is 'correct' according to standards
> anyway...

The problem is Tomcat is only looking at the first X-Forwarded-For header when it should probably be looking at both.

Please create a bugzilla entry for this and someone will hopefully take a look.

Mark

> Any ideas?
>
> Thanks,
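
The behaviour discussed in this thread, as an added Python example that is not part of the original message and is not Tomcat's RemoteIP valve code: it merges every X-Forwarded-For field in wire order (HTTP treats repeated list-valued headers as one comma-separated list) and walks the result from the right, accepting entries only while the hop that reported them is a trusted proxy. The function names and the HAproxy address 10.0.0.5 are assumptions made for the illustration.

```python
import ipaddress

def forwarded_chain(headers):
    """Merge every X-Forwarded-For field, in wire order, into one list."""
    chain = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            chain.extend(p.strip() for p in value.split(",") if p.strip())
    return chain

def is_trusted(addr, trusted_nets):
    """True only for a valid IP literal inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)

def resolve_client_ip(headers, peer_ip, trusted_nets):
    """Walk right to left: believe an entry only if a trusted hop wrote it."""
    chain = forwarded_chain(headers)
    client = peer_ip
    while chain and is_trusted(client, trusted_nets):
        candidate = chain.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: keep the last verifiable hop
        client = candidate
    return client

def first_header_only(headers):
    """The behaviour reported in the thread: only the first field is read."""
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            return value.split(",")[0].strip()
    return None

# Constructed request using the fake addresses from the message above.
REQUEST = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "192.168.0.4"),    # added on the client side
    ("User-Agent", "constructed-sample"),
    ("X-Forwarded-For", "224.212.128.2"),  # added by HAproxy
]
HAPROXY_PEER = "10.0.0.5"                  # assumed HAproxy address
TRUSTED = [ipaddress.ip_network("10.0.0.5/32")]

if __name__ == "__main__":
    print("first header only:", first_header_only(REQUEST))
    print("right-to-left    :", resolve_client_ip(REQUEST, HAPROXY_PEER, TRUSTED))
```

Because the client-supplied entry sits to the left of the one HAproxy wrote, it is never reached unless 224.212.128.2 is itself listed as a trusted proxy.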