> On Nov 27, 2024, at 17:08, Balazs Jantek <jant...@gmail.com> wrote:
>
> I am debugging a scenario where Tomcat 10.1.26 is working behind an
> Application Gateway on Microsoft Azure.
>
> The webpage makes a request to /favicon.ico which goes through the
> RemoteIpValve, which correctly identifies that the request is an
> internal one, based on the beginning of the IPv4 address, but then
> populates the HTTP request's remote address value with the header
> "x-forwarded-for" received from Azure, which contains the port number
> appended to the IP with a colon.

Leave it to Microsoft to violate standards (or at least standard practice) by adding a port number where it isn’t warranted.

> This seems to break the internal web application, which assumes that
> ServletRequest.getRemoteAddr() only contains the hostname/IP, but not
> a port number.
>
> As far as I can see the value in x-forwarded-for is less defined, but
> the value present in getRemoteAddr() is strictly something without
> port number.
>
> Is this something that can be worked around with configuration, or
> does it look like a bug worth fixing in the RemoteIpValve?

There doesn’t appear to be anything in Tomcat to compensate for Azure’s bad behavior here, but you might be able to fix it in Application Gateway. I’ve never configured anything in Azure, but this web page seems to indicate that you could override the x-forwarded-for header by setting add_x_forwarded_for_proxy:

https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url

“The X-Forwarded-For client request header field with the client_ip variable (see explanation later in this table) appended to it in the format IP1, IP2, IP3, and so on. If the X-Forwarded-For field isn't in the client request header, the add_x_forwarded_for_proxy variable is equal to the $client_ip variable. This variable is useful when you want to rewrite the X-Forwarded-For header set by Application Gateway so that the header contains only the IP address without the port information [emphasis added].”

Look at the section titled “Remove port information from the X-Forwarded-For header” in the above web page for an example.

So maybe…

  - Chuck
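
Added example, not part of the original thread and not Tomcat or Azure code: a Python sketch of the normalization an `IP:port` entry needs before a consumer that expects a bare address (as `getRemoteAddr()` callers do) sees it. The function names and the sample header are constructed for illustration; IPv6 is included because a naive split on the colon would corrupt it.

```python
import ipaddress

# Constructed sample header: IPv4 with port, bracketed IPv6 with port,
# bare IPv6, bare IPv4.
SAMPLE_XFF = "203.0.113.7:51234, [2001:db8::1]:443, 2001:db8::2, 10.0.0.4"


def _valid_port(text):
    return text.isascii() and text.isdigit() and 0 < int(text) <= 65535


def strip_port(entry):
    """Return the bare IP literal from one X-Forwarded-For entry.

    Raises ValueError for anything that is not an IP literal with an
    optional port, so junk is rejected rather than passed downstream.
    """
    s = entry.strip()
    if s.startswith("["):
        # "[IPv6]" or "[IPv6]:port"
        host, bracket, tail = s[1:].partition("]")
        if not bracket or (tail and not (tail[0] == ":" and _valid_port(tail[1:]))):
            raise ValueError(f"malformed bracketed entry: {entry!r}")
    elif s.count(":") == 1:
        # Exactly one colon can only be "IPv4:port"; a bare IPv6 literal
        # always has at least two.
        host, _, port = s.partition(":")
        if not _valid_port(port):
            raise ValueError(f"bad port in entry: {entry!r}")
    else:
        host = s  # bare IPv4 or bare IPv6
    return str(ipaddress.ip_address(host))  # ValueError if not an IP literal


def normalize_xff(header):
    """Strip ports from every entry of a comma-separated XFF value."""
    return ", ".join(strip_port(e) for e in header.split(","))


if __name__ == "__main__":
    print(normalize_xff(SAMPLE_XFF))
```

The function fails closed: a hostname, an out-of-range port or a broken bracket raises instead of being forwarded, since the header is client-influenced input.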