Abhijit, Thank you for your prompt reply. It seems that requestAttributesEnabled="true" is required in order to make the valve work. Thanks again for your help!
-Nubli -----Original Message----- From: abhij...@apple.com [mailto:abhij...@apple.com] On Behalf Of Abhijit Das Sent: Thursday, July 28, 2016 12:37 PM To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: Tomcat 8 RemoteIpValve Issues This is how it works for me in Tomcat 8.x (I have hashed out some internal values) (some of my pattern may be redundant) 1.2.3.4 will be your LB IP, the IP that is used to talk to the server. typically the MIP or the SNIP. <Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="1\.2\.3\.4" trustedProxies="1\.2\.3\.4" remoteIpHeader="X-Forwarded-For" proxiesHeader="x-forwarded-by" requestAttributesEnabled="true"/> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="/var/xxx/yyy/zzz/logs" prefix=“application_access" suffix=".log" pattern="%t %h %{X-AUSERNAME}o %{Referer}i %l %S %{User-Agent}i %U %s %r %q %A %v %p %b %I %D" requestAttributesEnabled="true" resolveHosts="false"/> And, this is my access log : [28/Jul/2016:09:33:57 -0700] <client_IP> <userid> <url_accessed> - <session_id> Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.16 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.16 <context> 200 POST <context> HTTP/1.1 <server instance IP> <Server base URL/FQDN> 443 181 http-nio-8443-exec-13 9 On Jul 28, 2016, at 9:23 AM, Kasa, Nubli <mmohd...@iu.edu> wrote: Hi, We have been using RemoteIpValve in Tomcat 7 but it stopped working for us in Tomcat 8. Our load balancer will set a header named "X-Cluster-Client-Ip" with the client's IP as its value. We expect the client's IP value would be overwritten as the "remoteAddr" but it is not. It is working for us currently on Tomcat 7 but not on the server with Tomcat 8. I even created a fresh VM and install fresh apache-tomcat-8.0.36 on Ubuntu and added the following settings as a test: <Engine> . . . <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"> <!-- SingleSignOn valve, share authentication between web applications Documentation at: /docs/config/valve.html --> <!-- <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> --> <Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\" remoteIpHeader="X-Cluster-Client-Ip" /> <!-- Access log processes all example. Documentation at: /docs/config/valve.html Note: The pattern used is equivalent to using pattern="common" --> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %{X-Cluster-Client-Ip}i %a %A %l %H %u %t "%r" %s %b" /> </Host> </Engine> I then use a browser plugin to set X-Cluster-Client-Ip header with value "156.56.0.1" and GET the page /Home/Status on the same machine that is hosting Tomcat. I got the following results from AccessLogValve: 192.168.56.10 156.56.0.1 192.168.56.10 127.0.1.1 - HTTP/1.1 - [27/Jul/2016:16:59:11 -0400] "GET /Home/Status HTTP/1.1" 200 12274 %h is still showing my browser IP - 192.168.56.10 %{X-Cluster-Client-Ip}i correctly picks up the header value - 156.56.0.1 %a picks up my browser "Remote IP address" - 192.168.56.10 %A just picks up local IP - 127.0.1.1 I have other people verified this issue and we can't seem to figure out if we are missing a configuration or if there is a bigger problem. We would appreciate any aid you can give us. Thank you, Nubli
