Re: Tomcat 8 RemoteIpValve Issues

[Abhijit Das]

This is how it works for me in Tomcat 8.x (I have hashed out some internal 
values) (some of my pattern may be redundant)

1.2.3.4 will be your LB IP, the IP that is used to talk to the server. 
typically the MIP or the SNIP.

                <Valve className="org.apache.catalina.valves.RemoteIpValve"
                  internalProxies="1\.2\.3\.4"
                  trustedProxies="1\.2\.3\.4"
                  remoteIpHeader="X-Forwarded-For"
                  proxiesHeader="x-forwarded-by"
                  requestAttributesEnabled="true"/>

                <Valve className="org.apache.catalina.valves.AccessLogValve"
                  directory="/var/xxx/yyy/zzz/logs"
                  prefix=“application_access"
                  suffix=".log"
                  pattern="%t %h %{X-AUSERNAME}o %{Referer}i %l %S 
%{User-Agent}i %U %s %r %q %A %v %p %b %I %D"
                  requestAttributesEnabled="true"
                  resolveHosts="false"/>

And, this is my access log :

[28/Jul/2016:09:33:57 -0700] <client_IP> <userid> <url_accessed> - <session_id> 
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.16 (KHTML, 
like Gecko) Version/9.1.1 Safari/601.6.16 <context> 200 POST <context> HTTP/1.1 
 <server instance IP> <Server base URL/FQDN> 443 181 http-nio-8443-exec-13 9

On Jul 28, 2016, at 9:23 AM, Kasa, Nubli <mmohd...@iu.edu> wrote:

Hi,

We have been using RemoteIpValve in Tomcat 7 but it stopped working for us in 
Tomcat 8. Our load balancer will set a header named "X-Cluster-Client-Ip" with 
the client's IP as its value. We expect the client's IP value would be 
overwritten as the "remoteAddr" but it is not. It is working for us currently 
on Tomcat 7 but not on the server with Tomcat 8.

I even created a fresh VM and install fresh apache-tomcat-8.0.36 on Ubuntu and 
added the following settings as a test:

<Engine>
.
.
.

<Host name="localhost"  appBase="webapps"
           unpackWARs="true" autoDeploy="true">

       <!-- SingleSignOn valve, share authentication between web applications
            Documentation at: /docs/config/valve.html -->
       <!--
       <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
       -->


       <Valve className="org.apache.catalina.valves.RemoteIpValve"
              internalProxies="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\"
              remoteIpHeader="X-Cluster-Client-Ip"
             />


       <!-- Access log processes all example.
            Documentation at: /docs/config/valve.html
            Note: The pattern used is equivalent to using pattern="common" -->
       <Valve className="org.apache.catalina.valves.AccessLogValve" 
directory="logs"
              prefix="localhost_access_log" suffix=".txt"
              pattern="%h %{X-Cluster-Client-Ip}i %a %A %l %H %u %t 
&quot;%r&quot; %s %b" />

     </Host>
</Engine>

I then use a browser plugin to set X-Cluster-Client-Ip header with value 
"156.56.0.1" and GET the page /Home/Status on the same machine that is hosting 
Tomcat. I got the following results from AccessLogValve:

192.168.56.10 156.56.0.1 192.168.56.10 127.0.1.1 - HTTP/1.1 - 
[27/Jul/2016:16:59:11 -0400] "GET /Home/Status HTTP/1.1" 200 12274

%h is still showing my browser IP - 192.168.56.10
%{X-Cluster-Client-Ip}i correctly picks up the header value - 156.56.0.1
%a picks up my browser "Remote IP address" - 192.168.56.10
%A just picks up local IP - 127.0.1.1

I have other people verified this issue and we can't seem to figure out if we 
are missing a configuration or if there is a bigger problem. We would 
appreciate any aid you can give us.

Thank you,
Nubli