[users@httpd] Can't get X-Forwarded-For to be passed through to app with apache reverse proxy

Mon, 23 Sep 2019 10:45:57 -0700 

I have tried everything and I can't get Apache (2.4.39) to pass the
X-Forwarded-For header to my tomcat (8.5) instance.

I have apache listening on port 8081 and bound to the public IP address as
a reverse proxy to a backend tomcat instance which is also bound to 8081
but on 127.0.0.1.
My apache instance has the following modules loaded:

 proxy_module (shared)
 proxy_connect_module (shared)
 proxy_ajp_module (shared)
 proxy_http_module (shared)
 proxy_wstunnel_module (shared)
 remoteip_module (shared)

Here is my virtualhost stanza
<VirtualHost _default_:8081>
    ProxyPreserveHost On
    ProxyPass /MYAPP/admin http://127.0.0.1:8081/MYAPP/admin
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 127.0.0.0/8
    <Location /MYAPP/admin>
        ProxyAddHeaders On
        ProxyPassReverse /MYAPP/admin
        # Only allow ?cmd=spkr
        RewriteEngine On
        RewriteCond %{QUERY_STRING} !cmd=spkr
        RewriteRule .* - [F]
    </Location>
</VirtualHost>

According to the doc
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyaddheaders
ProxyAddHeaders
On should do the trick.

I've done a packet capture to see if the X-Forwarded-For header is being
generated by Apache but dropped on the floor in Tomcat and I'm not seeing
X-Forwarded-For header coming from Apache.

The slightly weird thing is that my tomcat app is also listening on port
5678 using AJP and that works if I change to ProxyPass /MYAPP/admin ajp://
127.0.0.1:5678/MYAPP/admin. Calls to HttpRequest.getRemoteAddr() in my
tomcat app correctly return the IP address of my client. I find it very
hard to believe that proxy_ajp_module works fine and proxy_http_module
somehow has a bug in it. So I must be missing some magic apache
configuration setting.


-- 
John Pyeatt
Software Developer
(608) 661-1184 | john.pye...@singlewire.com

[image: Singlewire-Logo-Sigstr.png] <http://www.singlewire.com>
www.singlewire.com | Twitter <https://twitter.com/singlewire> | Facebook
<https://www.facebook.com/Singlewire> | LinkedIn
<https://www.linkedin.com/company/singlewire-software>

*Keeping people safe and informed. Everywhere, every time.*

[image: Singlewire Software Blog]
<http://sigstr.singlewire.com/uc/579ba738825be90c72438731>
<http://sigstr.singlewire.com/uc/579ba738825be90c72438731/watermark>

Reply via email to