Hi

We needed to patch Tomcat for our site that has a Tomcat behind Apache (mod_jk), that sits behind a reverse proxy load balancer. The idea is basically to not use the TCP endpoint of Apache (which will always point to the reverse proxy) to give the caller of request.getRemoteAddr a valid IP, but rather retrieve it from a configurable request header. In our case, we have hacked the Pound load balancer to forward a request header called X-Pounded-For with each request, and the value of this header is then used (if available) to return the *real* client IP to the caller of request.getRemoteAddr or request.getRemoteHost.

Extract from server.xml:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" proxyRemoteAddrHeader="X-Pounded-For"
               enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

Let me know if it is of any use to anyone else!

Regards
--
Johan van den Berg
Technical Webmaster
University of South Africa
Cel: +27 73 201 3520
Tel: +27 12 429 2371
Registered Linux user number 390606
http://counter.li.org/

Index: container/catalina/src/share/org/apache/catalina/connector/CoyoteAdapter.java =================================================================== --- container/catalina/src/share/org/apache/catalina/connector/CoyoteAdapter.java (revision 421580) +++ container/catalina/src/share/org/apache/catalina/connector/CoyoteAdapter.java (working copy) @@ -198,12 +198,23 @@ // Override if the proxyPort/proxyHost are set String proxyName = connector.getProxyName(); int proxyPort = connector.getProxyPort(); + String proxyRemoteAddrHeader = connector.getProxyRemoteAddrHeader(); + if (proxyPort != 0) { req.setServerPort(proxyPort); } if (proxyName != null) { req.serverName().setString(proxyName); } + if (proxyRemoteAddrHeader != null) { + String remoteAddr = req.getHeader(proxyRemoteAddrHeader); + if (remoteAddr != null) { + req.remoteAddr().setString(remoteAddr); + req.remoteHost().setString(remoteAddr); + request.setRemoteAddr(remoteAddr); + request.setRemoteHost(remoteAddr); + } + } // URI decoding MessageBytes decodedURI = req.decodedURI(); Index: container/catalina/src/share/org/apache/catalina/connector/Connector.java =================================================================== --- container/catalina/src/share/org/apache/catalina/connector/Connector.java (revision 421580) +++ container/catalina/src/share/org/apache/catalina/connector/Connector.java (working copy) @@ -155,6 +155,14 @@ * the port number specified by the <code>port</code> property is used. */ protected int proxyPort = 0; + + + /** + * The request header that should be use to populate the request object's + * remoteAddr field. This is commonly used behind reverse proxy's that pass + * the real client IP via a request header, such as <code>X-Pounded-For</code>. + */ + protected String proxyRemoteAddrHeader = null; /** 
@@ -732,6 +740,27 @@ setProperty("proxyPort", String.valueOf(proxyPort)); } + + /** + * Return the proxy remote address header value for this Connector. + */ + public String getProxyRemoteAddrHeader() { + + return (this.proxyRemoteAddrHeader); + + } + + /** + * Set the proxy remote address header value for this Connector. + * + * @param proxyRemoteAddrHeader The new proxy remote address header value + */ + public void setProxyRemoteAddrHeader(String proxyRemoteAddrHeader) { + + this.proxyRemoteAddrHeader = proxyRemoteAddrHeader; + setProperty("proxyRemoteAddrHeader", proxyRemoteAddrHeader); + + } /**
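
Review bot: In the CoyoteAdapter.java hunk, the new `if (proxyRemoteAddrHeader != null)` block copies the header value into remoteAddr and remoteHost with no check that the request actually arrived through the reverse proxy and no validation that the value is an IP address. Any client that can reach the connector without the proxy overwriting the header can then choose what `getRemoteAddr` returns, which matters for IP-based access rules and for log integrity. Consider applying the override only when the address already on the request matches a configured proxy address, and rejecting values that do not parse as an IP literal. Separately, `request.setRemoteHost(remoteAddr)` makes `getRemoteHost` return the raw header string; if that is intended it deserves a comment.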
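
Review bot: In the Connector.java hunk at -155, the Javadoc for `proxyRemoteAddrHeader` has two wording slips ("should be use" for "should be used", "reverse proxy's" for "reverse proxies") and does not say that the header is taken from the incoming request as-is. Since enabling this attribute makes the request's remote address depend on client-visible input, the comment should state that it is only safe when every request reaches the connector through a proxy that sets or overwrites this header.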
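
Review bot: In the Connector.java hunk at -732, the Javadoc on `getProxyRemoteAddrHeader` and `setProxyRemoteAddrHeader` calls the property the "header value", but the field holds the name of the header to read (the server.xml extract sets it to `X-Pounded-For`). Rewording to "header name" would avoid confusion with the per-request value read in CoyoteAdapter.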
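
The message above describes taking the client address from a configurable header set by the load balancer. As an added example (not part of the original post or of Tomcat), here is one way to resolve that address while only honouring the header when the request came from a known proxy and the value is an IP literal; the class name, method names and the trusted-proxy allow-list are assumptions, and the header is assumed to carry a single address.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not Tomcat code; class, method and parameter names are hypothetical.
public class ProxyRemoteAddr {
    private static final String OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
    private static final Pattern IPV4 = Pattern.compile(OCTET + "(\\." + OCTET + "){3}");
    private static final Pattern IPV6_CHARS =
        Pattern.compile("[0-9A-Fa-f:][0-9A-Fa-f:.]{1,44}");

    // Accept IP literals only, so the header cannot inject a host name or free text.
    static boolean isIpLiteral(String s) {
        if (IPV4.matcher(s).matches()) return true;
        if (s.indexOf(':') < 0 || !IPV6_CHARS.matcher(s).matches()) return false;
        try {
            InetAddress.getByName(s); // has ':' so it is parsed as an IPv6 literal
            return true;
        } catch (UnknownHostException e) {
            return false;
        }
    }

    /**
     * @param reportedAddr   address the connector already holds (the proxy, in the post's setup)
     * @param headerValue    value of the configured header (X-Pounded-For in the post), or null
     * @param trustedProxies assumed allow-list of addresses permitted to set the header
     */
    static String resolve(String reportedAddr, String headerValue, Set<String> trustedProxies) {
        if (headerValue == null || !trustedProxies.contains(reportedAddr)) {
            return reportedAddr; // header absent, or not sent through our proxy
        }
        String candidate = headerValue.trim();
        return isIpLiteral(candidate) ? candidate : reportedAddr;
    }

    public static void main(String[] args) {
        Set<String> proxies = Set.of("10.0.0.5"); // all values below are constructed samples
        String[][] cases = {
            {"10.0.0.5", "198.51.100.7"},            // proxy supplies a valid address
            {"203.0.113.9", "198.51.100.7"},         // header from an untrusted peer
            {"10.0.0.5", "198.51.100.7, not-an-ip"}, // malformed value from the proxy
            {"10.0.0.5", "2001:db8::1"},             // IPv6 literal
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " + \"" + c[1] + "\" -> " + resolve(c[0], c[1], proxies));
        }
    }
}
```

Whenever the header is not accepted, the address the connector already had is returned, so a forged or malformed header degrades to the pre-patch behaviour.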