Good morning all, the answers are [inline].
With kind regards
Frank

On Tuesday, 31.03.2020, 15:47 +0100, Mark Thomas wrote:
> On 31/03/2020 07:26, Frank Tornack wrote:
> > Hello all,
> >
> > I currently have a problem with Tomcat7, or rather a colleague has it.
> > Personally I would like to help him, but I can't find the error myself.
> > We already asked the question on stackoverflow.com and got a good hint,
> > but unfortunately no solution. So I would like to ask for help and
> > support here. I think I am violating the directive of asking a double
> > question, but it is important to me personally to help this colleague.
> > Therefore I am at least honest, the question can also be found at the
> > link:
> > https://stackoverflow.com/questions/60827540/tomcat-x-forwarded-for-doesnt-work-with-load-balancer
>
> Which at least enables us to find the one key piece of information
> missing in this question, the version of Tomcat being used: 7.0.76

Sorry I forgot to include this information in the mail.

> > We run a software that uses Tomcat as application server behind a load
> > balancer. Now we would like to record the initial address of the
> > requests and not the IP of the load balancer. We have used these 3
> > websites for the setup, but unfortunately it does not work. The IPs of
> > the loadbalancers are still written to the access log.
> > https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
> > https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/AccessLogValve.html
> > https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve
> >
> > We used the following configuration for access logging and remote
> > valve:
> > <Valve className="org.apache.catalina.valves.RemoteIpValve"
> > internalProxies="xxx\.xxx\.xxx\.7|xxx\.xxx\.xxx\.8|xxx\.xxx\.xxx\.9"
> > remoteIpHeader="X-Forwarded-For" />
>
> The remoteIpHeader setting is unnecessary. That is the default.
The way I understand you, it shouldn't bother? I had added it because I was not sure about the capitalization.

> > <Valve className="org.apache.catalina.valves.AccessLogValve"
> > directory="logs"
> > prefix="access_log." suffix=".log"
> > pattern="%{org.apache.catalina.AccessLog.RemoteAddr}r %l %u %t &quot;%r&quot; %s %b"
> > requestAttributesEnabled="true" />
>
> That isn't correct. You only need to add requestAttributesEnabled="true"
> to the default AccessLogValve. It will handle looking up the correct
> attributes. You don't need to modify the pattern.

I already worked with a modified log layout before the change. I only changed the %{org.apache.catalina.AccessLog.RemoteAddr}r. So would I have to replace %{org.apache.catalina.AccessLog.RemoteAddr}r with a %a?

> I also confirmed that the Valve order doesn't matter.

So not like many on the Internet claim it matters?

> > The request header 'X-Forwarded-For'
> > was set and load balancer was analyzed via wireshark and Request Dumper
> > Filter. We can see the header in both. However we still only get the IP
> > of the load balancer and not the IP of the remote client. The IP
> > addresses of the config have already been checked and they are correct.
>
> You can add "... %{X-Forwarded-For}i ..." to the pattern attribute of
> the AccessLog valve to confirm that Tomcat sees this header value.

In the beginning we tested it with Wireshark, later with a RequestDumper in the Tomcat. In both we saw the header.

> I've tested this locally with the latest 7.0.x and everything works as
> expected. I also don't recall any changes / bugs in this area recently.
>
> A quick scan of the changelog does identify various improvements and
> fixes since 7.0.76 but none that immediately jump out as likely to cause
> this simple configuration to fail.

Thanks for looking into it.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
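
An added example, not part of the original thread and not Tomcat's code: a simplified Python model of how RemoteIpValve chooses the address to record, showing how an internalProxies pattern that fails to match the load balancer leaves the balancer's IP in the log. It ignores trustedProxies; the function names are hypothetical and the addresses are constructed stand-ins for the masked xxx.xxx.xxx.N values in the configuration.

```python
import re

def resolve_remote_addr(peer_addr, xff_header, internal_proxies):
    """Model of the address RemoteIpValve would expose to the access log.

    peer_addr: address of the direct TCP peer (here, the load balancer).
    xff_header: raw X-Forwarded-For value, or None if the header is absent.
    internal_proxies: regex string; it must match the WHOLE address.
    """
    pattern = re.compile(internal_proxies)
    # The header is honoured only when the direct peer is an internal proxy.
    if not pattern.fullmatch(peer_addr):
        return peer_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    remote = None
    # Walk right to left: the rightmost entries were appended by our proxies,
    # anything further left was supplied by the client and is not trusted.
    for hop in reversed(hops):
        remote = hop
        if not pattern.fullmatch(hop):
            break  # first address that is not one of our own proxies
    return remote if remote is not None else peer_addr

# Constructed sample values (assumptions, not taken from the thread).
GOOD = r"10\.0\.0\.7|10\.0\.0\.8|10\.0\.0\.9"
STRAY_SPACE = r"10\.0\.0\.7|10\.0\.0\.8|10\.0\.0\.9 "  # whitespace inside the value
LB, CLIENT = "10.0.0.9", "203.0.113.50"

def demo():
    return {
        # Balancer matches the pattern: the client address is recorded.
        "normal": resolve_remote_addr(LB, CLIENT, GOOD),
        # Pattern no longer matches the balancer: its own IP is recorded.
        "stray_space": resolve_remote_addr(LB, CLIENT, STRAY_SPACE),
        # Client sent its own X-Forwarded-For entry; the balancer appended the
        # real peer, so the forged leftmost entry is never reached.
        "client_forged_entry": resolve_remote_addr(LB, "198.51.100.1, " + CLIENT, GOOD),
        # Header arriving from a peer that is not a known proxy is ignored.
        "untrusted_peer": resolve_remote_addr("192.0.2.10", CLIENT, GOOD),
        # No header at all: nothing to substitute.
        "no_header": resolve_remote_addr(LB, None, GOOD),
    }

if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name:20} -> {addr}")
```
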