On Sat Jul 15 13:38:47 CEST 2006 Tomcat Users List <users@tomcat.apache.org> 
wrote:
Hi

We needed to patch Tomcat for our site that has a Tomcat
behind Apache (mod_jk), that sits behind a reverse proxy load balancer.
The idea is basically to not use the TCP endpoint of Apache (which will
always point to the reverse proxy) to give the caller of
request.getRemoteAddr a valid IP, but rather retrieve it from a
configurable request header. In our case, we have hacked the Pound
loadbalancer to forward a request header called X-Pounded-For with each
request, and the value of this header is then used (if available) to
return the *real* client IP to the caller of request.getRemoteAddr or
request.getRemoteHost.

Extract from server.xml:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" proxyRemoteAddrHeader="X-Pounded-For"
enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />


Let me know if it is of any use to anyone else!

Regards

--
Johan van den Berg
Technical Webmaster
University of South Africa

Cel: +27 73 201 3520
Tel: +27 12 429 2371

Registered Linux user number 390606
http://counter.li.org/

Instead of patching Tomcat, you can also make a util class/method like this.

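import javax.servlet.http.HttpServletRequest;

public final class ServletUtils {
   // Address of the only proxy whose X-Pounded-For header is trusted.
   private static final String MY_TRUSTED_PROXY = "127.0.0.1";

   // Takes HttpServletRequest because getHeader is not defined on ServletRequest.
   public static String getRemoteAddr(HttpServletRequest req) {
      String remoteIp = req.getRemoteAddr();
      // Only honor the header when the direct peer is the trusted proxy.
      if (MY_TRUSTED_PROXY.equals(remoteIp)) {
          String proxyIp = req.getHeader("X-Pounded-For");
          if (proxyIp != null) {
             remoteIp = proxyIp;
          }
      }
      return remoteIp;
   }
}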


This makes your application know about your setup instead of Tomcat. Much more 
flexible and far fewer problems when upgrading Tomcat.
You can also put this in a Filter which wraps the ServletRequest with your own 
version. This keeps your application clean and it just uses the standard 
Servlet extensibility.

Ronald.
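
The Filter variant mentioned in the reply above, as an added example that is not code from either poster or from Tomcat: it wraps the request so getRemoteAddr and getRemoteHost return the X-Pounded-For value only when the direct peer is the trusted proxy and the header looks like a single IP literal. The class name, the resolve helper and the literal check are assumptions made for illustration; the proxy address and header name are the ones used in the thread.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter name; map it to /* in web.xml ahead of other filters.
public final class ProxiedRemoteAddrFilter implements Filter {
    // Assumptions: same trusted proxy address and header name as in the thread.
    private static final String TRUSTED_PROXY = "127.0.0.1";
    private static final String HEADER = "X-Pounded-For";
    // Coarse shape check for one IPv4 or IPv6 literal; rejects hostnames,
    // comma-separated lists and control characters (e.g. CR/LF aimed at logs).
    private static final Pattern IP_LITERAL = Pattern.compile(
            "(\\d{1,3}\\.){3}\\d{1,3}|[0-9A-Fa-f]*:[0-9A-Fa-f:.]*");

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            final String clientIp = resolve(http.getRemoteAddr(), http.getHeader(HEADER));
            // The application keeps calling the standard Servlet API.
            req = new HttpServletRequestWrapper(http) {
                @Override public String getRemoteAddr() { return clientIp; }
                @Override public String getRemoteHost() { return clientIp; }
            };
        }
        chain.doFilter(req, res);
    }

    // Decision logic kept separate from the Servlet plumbing so it can be unit tested.
    static String resolve(String peerAddr, String headerValue) {
        if (!TRUSTED_PROXY.equals(peerAddr) || headerValue == null) {
            return peerAddr;   // direct client, or the proxy sent no header
        }
        String candidate = headerValue.trim();
        // 45 characters is the longest textual IPv6 address.
        return candidate.length() <= 45 && IP_LITERAL.matcher(candidate).matches()
                ? candidate : peerAddr;   // malformed header: fall back to the peer
    }
}
```

A request that reaches Tomcat from any address other than the trusted proxy keeps its TCP peer address, so a client cannot choose its own logged IP by sending the header itself.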
