Thanks Pascal, I have confirmed what you proposed as a workaround:  I 
replaced the following:
server.tomcat.accesslog.pattern=%h %l %u %t "%r" %s %b
with the following:
server.tomcat.accesslog.pattern=%{X-Forwarded-For}i %l %u %t "%r" %s %b
I.e., I replaced '%h' with '%{X-Forwarded-For}i'

There is a downside of the replacement that readers should be aware of:  
With the replacement above, if the site is accessed from a host that is not 
the load balancer (i.e., does not match the server.tomcat.internal-proxies 
setting), the access log will report a hyphen '-' in place of the IP 
address of the client.  I.e., there will be no log information concerning 
the IP address of the client connecting to the site.

Of course, rather than replacing '%h', one can add an additional field to 
include both fields, such as the following:
server.tomcat.accesslog.pattern=%{X-Forwarded-For}i %h %l %u %t "%r" %s %b

Thank you for helping me to resolve this.

Cheers!
Carl

On Monday, January 6, 2020 at 4:11:59 PM UTC-5, Pascal Rigaux wrote:
>
> Nice investigation. 
> Bug reproduced with plain spring-boot 2.2.2.RELEASE (*) 
> It looks like a bug in spring-boot... or at least a difference with   
> plain tomcat that could be documented... 
>
> Fortunately, easy workaround: 
>
> server.tomcat.accesslog.pattern=%{X-Forwarded-For}i ... 
>
> cu 
>
> (*) tested with https://github.com/spring-guides/gs-spring-boot.git   
> launched with 
>     java -Dserver.tomcat.accesslog.pattern='%{X-Forwarded-For}i %a %h' \
>       -Dserver.tomcat.remote-ip-header='X-Forwarded-For' \
>       -Dserver.tomcat.accesslog.directory=`pwd` \
>       -Dserver.tomcat.accesslog.enabled=true -Dserver.port=8083 \
>       -jar target/gs-spring-boot-0.1.0.jar
>
> crdaudt <[email protected]> wrote:
>
> > OK, I checked more closely -- the cas.log and cas_audit.log files are,
> > indeed responding to the RemoteIpValve setting (i.e., they are logging
> > the IP address of the client).  The same is true for the gradle log file
> > in .gradle/daemon/5.6.3/daemon-<pid>.out.log. However, the tomcat
> > access_log.<date>.log file is still logging the IP address of the load
> > balancer.  Is there a way to cause the access log to also record the IP
> > address of the client rather than the load balancer?  For that matter,
> > is this a bad idea?
>
>
> -- 
> Pascal Rigaux 
>
>
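
Added example, not part of the original thread and not CAS or Spring Boot code: a Python parser for lines written with the combined pattern `%{X-Forwarded-For}i %h %l %u %t "%r" %s %b`, which trusts the header only when `%h` is the load balancer and otherwise falls back to `%h`. The proxy range, the function names and the sample lines are assumptions constructed for illustration, and `%h` is assumed to hold an IP address rather than a resolved host name.

```python
import ipaddress
import re

# Assumption: the load balancer lives in this range (stand-in for the
# server.tomcat.internal-proxies setting, which is not shown in the thread).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Fields of: %{X-Forwarded-For}i %h %l %u %t "%r" %s %b
# The header is client-supplied text and may hold "a, b" (with a space), so it
# is matched greedily and the fixed fields are taken from the right.
LINE = re.compile(
    r'^(?P<xff>.+) (?P<peer>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+$'
)

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def resolve_client(line):
    """Return (client_ip, suspicious) for one access log line, or None."""
    m = LINE.match(line)
    if m is None:
        return None
    xff, peer = m.group("xff"), m.group("peer")
    if not is_trusted(ipaddress.ip_address(peer)):
        # Direct connection: %h is the client. A header here was not set by
        # the load balancer, so it is ignored and the line is flagged.
        return peer, xff != "-"
    if xff == "-":
        return peer, False
    # Walk the chain right to left; the first hop that is not one of our
    # proxies is the address our outermost proxy saw.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer, True  # malformed header value
        if not is_trusted(addr):
            return hop, False
    return peer, False

# Constructed sample lines (documentation address ranges), not from the thread.
SAMPLE = [
    '203.0.113.7 10.0.0.5 - - [06/Jan/2020:16:11:59 -0500] "GET /cas/login HTTP/1.1" 200 5120',
    '- 198.51.100.23 - - [06/Jan/2020:16:12:03 -0500] "GET /cas/login HTTP/1.1" 200 5120',
    '192.0.2.99 198.51.100.23 - - [06/Jan/2020:16:12:09 -0500] "GET /cas/login HTTP/1.1" 200 5120',
    '203.0.113.7, 10.0.0.9 10.0.0.5 - - [06/Jan/2020:16:12:15 -0500] "GET /cas/login HTTP/1.1" 200 5120',
]
```

The third sample is the case the hyphen warning in the message above points toward: a host that is not the load balancer, here one that also supplies its own header, so the header is discarded and the line is flagged for review.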
