Thank you, Chris, again for inputs. And sorry to circle back on this, late.
One related question is - does it make sense to use the patch attached in https://bz.apache.org/bugzilla/show_bug.cgi?id=57830 ? And potentially, get it integrated into Tomcat versions?

There are concerns from Mark about using the patch in its current state, but I see the last comment (#24) on the issue and it looks like there are some more points to be concluded.

Thanks,
Amit

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Wednesday, May 10, 2023 4:21 PM
To: users@tomcat.apache.org
Subject: Re: [External] Re: Supporting Proxy Protocol in Tomcat

Amit,

On 5/10/23 12:59, Amit Pande wrote:
> Yes, we intended to have Tomcat run behind a (transparent) TCP proxy e.g.
> https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency
> which supports the proxy protocol.
>
> Since there is not much action on this
> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830, does it imply that most
> of the times Tomcat is running behind HTTP proxies and not TCP proxies?
> Or does it mean that, Tomcat or applications running in Tomcat does not need
> the remote client address information?

I can't speak for anybody else, but I use Apache httpd as my reverse-proxy and I do terminate TLS. I also use it for load-balancing/fail-over, caching, some authorization, etc.

I wouldn't be able to use a TCP load-balancer because I hide multiple services behind my reverse-proxy which run in different places. It's not just a dumb pass-through.

Hope that helps,
-chris

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Monday, May 8, 2023 3:40 PM
> To: users@tomcat.apache.org
> Subject: [External] Re: Supporting Proxy Protocol in Tomcat
>
> Amit,
>
> On 5/4/23 16:07, Amit Pande wrote:
>> We have a similar requirement as mentioned in the below enhancement request.
>>
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830
>>
>> Is there any plan to add this support in Tomcat in future releases?
>
> Nothing at the moment that I know of.
>
> I thought that markt had looked at this a while back and said it didn't look
> too difficult. It does require Tomcat to handle the stream directly and not
> just rely on Java's SSLServerSocket. I thought that had been done at some
> point, but it may not have. Handling the stream directly may have some other
> advantages as well, though it definitely makes the code more complicated.
>
>> Also, since this was requested long time back and there is no update,
>> are there any other alternatives to pass the client information from
>> load balancer to Tomcat in situations where there is no SSL
>> termination at load balancer?
>
> You mean like a network load balancer where the lb is just proxying bytes and
> not looking at the data at all? The PROXY protocol really is the best way to
> do that, honestly.
>
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org