Hi,

We're using:
RHEL5 (fully up to date)
Tomcat 6.0.29 (from apache.org)
JVM 1.6.0_22

We use HAproxy (1.4.8) as a front end to Tomcat. HAproxy uses the 'option
forwardfor' which adds an additional X-Forwarded-For header
to the request.

Everything works fine except if the client has an X-Forwarded-For header
_already_ in the request (perhaps due to Squid in forward proxy on client
side).

Thus the offending request looks like:

Headers (fake IP addresses used):
X-Forwarded-For: 192.168.0.4  (client side added)
... (some other headers) ...
X-Forwarded-For: 224.212.128.2 (added by HAproxy - this is the actual IP of
the client's squid proxy).
... (some other headers) ...

Now Tomcat's RemoteIP valve doesn't appear to handle this situation
correctly - it returns 192.168.0.4 instead of the expected 224.212.128.2.

Should HAproxy be extending the existing header to:
e.g. X-Forwarded-For: 192.168.0.4, 224.212.128.2

Or should Tomcat's RemoteIP valve handle this situation?

I'm also not sure which situation is 'correct' according to standards
anyway...

Any ideas?

Thanks,

-- 
Best Regards,

Brett Delle Grazie
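
Added example, not part of the original message and not Tomcat or HAproxy code: a sketch of how a backend can treat repeated X-Forwarded-For headers as one comma-separated list and walk it from the right, accepting only hops appended by proxies it operates. The function names, the Host value and the HAproxy address 10.0.0.5 are assumptions made for illustration.

```python
import ipaddress

def forwarded_hops(headers, name="x-forwarded-for"):
    """Merge every occurrence of the header, in wire order, into one hop list.

    Repeated list-valued header fields are equivalent to a single field with
    the values joined by commas (RFC 7230, section 3.2.2).
    """
    hops = []
    for key, value in headers:
        if key.lower() == name:
            hops.extend(part.strip() for part in value.split(",") if part.strip())
    return hops

def resolve_client_ip(peer_addr, headers, trusted_proxies):
    """Return the nearest address that is not one of our own proxies."""
    trusted = [ipaddress.ip_network(net) for net in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    client = ipaddress.ip_address(peer_addr)
    if not is_trusted(client):
        return str(client)          # direct connection: the header proves nothing
    for hop in reversed(forwarded_hops(headers)):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break                   # malformed entry: stop at the last good hop
        client = ip
        if not is_trusted(ip):
            break                   # first hop we do not operate: the client
    return str(client)

# Constructed request matching the message above; 10.0.0.5 is an assumed
# address for the HAproxy host, which is the TCP peer Tomcat sees.
REQUEST_HEADERS = [
    ("X-Forwarded-For", "192.168.0.4"),      # supplied by the client side
    ("Host", "app.example.test"),
    ("X-Forwarded-For", "224.212.128.2"),    # appended by HAproxy
]

if __name__ == "__main__":
    print(forwarded_hops(REQUEST_HEADERS))
    print(resolve_client_ip("10.0.0.5", REQUEST_HEADERS, ["10.0.0.5/32"]))
```

The right-to-left walk gives the same answer whether the two values arrive as separate headers or as one combined header, and anything to the left of the first untrusted hop is treated as unverified client input.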
