Leon,

On 3/24/23 10:09, Leon Rosenberg wrote:
Full log output (dumping out headers, without the valve):

6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: host; value: api.myhost.net
6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: user-agent; value: Wget/1.21.3
6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: accept; value: */*
6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: accept-encoding; value: identity
6049755 2023-03-24 14:07:59,752 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-for; value: 217.110.113.178
6049756 2023-03-24 14:07:59,753 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-host; value: api.myhost.net
6049757 2023-03-24 14:07:59,754 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-server; value: api.myhost.net
6049758 2023-03-24 14:07:59,755 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: connection; value: Keep-Alive

So you have x-forwarded-host set to "api.myhost.net" but you are using IP-allowing 10.something. Maybe you need to IP-allow "api.myhost.net". Or maybe you want to set httpd to send an IP instead of a hostname? Or maybe you need to enable DNS resolution on Tomcat? Or maybe api.myhost.net resolves to the public-IP of the reverse-proxy?

> 217.110.113.178 is my ip, so the value is correct.

Good.

-chris

On Fri, Mar 24, 2023 at 3:07 PM Leon Rosenberg <rosenberg.l...@gmail.com> wrote:

yeah, interestingly enough removing ipvalve and adding access log magic, puts the X-Forwarded-For in the localhost_access.log ... but strange nevertheless.

On Fri, Mar 24, 2023 at 11:44 AM Mark Thomas <ma...@apache.org> wrote:

Maybe try commenting out the RemoteIpValve in Tomcat and retest so you can see exactly what headers Tomcat is seeing. Alternatively, since this is over http, Wireshark or similar could help.

Mark


On 24/03/2023 10:29, Leon Rosenberg wrote:
Hi,

we have following setup
apache 2.4 on a ubuntu host, in front of docker-container with tomcat9 (on same host).
Connection is via apache mod_http/proxy.

Internal IP of the host is 10.138.0.3 (where httpd and docker are running).
In localhost_access log we see always 10.138.0.3 address. If going through port 8080 directly, without httpd, we see the correct IP-Address.

We have added RemoteIpValve to server xml.
<Valve className="org.apache.catalina.valves.RemoteIpValve"
                  remoteIpHeader="X-Forwarded-For"
                  protocolHeader="X-Forwarded-Proto"
                  internalProxies="10\.138\.0\.3"/>

http config also has ProxyAddHeaders on, also I understand that to be default anyway:
    ProxyPass / http://10.138.0.3:8080/
    ProxyPassReverse / http://10.138.0.3:8080/
    ProxyErrorOverride Off
    ProxyAddHeaders On
    <Proxy *>
          Require all granted
          ProxyAddHeaders On
    </Proxy>

When we print out all headers in a request, the X-Forwarded-For is missing, so obviously tomcat does something with it, but doesn't trust the httpd? So probably the line internalProxies="10\.138\.0\.3" is wrong, but I can't get my head around it.

any help would be highly appreciated
kr
Leon


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
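
A simplified Python model of how the RemoteIpValve settings quoted in this thread treat X-Forwarded-For, added here as an illustration; it is not Tomcat's code and not from any poster. It models only remoteIpHeader and internalProxies (trustedProxies and proxiesHeader are left out); the function name, the 172.17.0.1 peer and the 203.0.113.7 value are constructed for the example.

```python
import re


def remote_ip_valve(peer_addr, xff, internal_proxies):
    """Simplified model: return (remote_addr, remaining_xff_header)."""
    trusted = re.compile(internal_proxies)
    # The header is honoured only when the TCP peer itself matches
    # internalProxies (java.util.regex matches() is a full match).
    if xff is None or not trusted.fullmatch(peer_addr):
        return peer_addr, xff
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    remote_ip = None
    idx = len(hops) - 1
    # Walk right to left: the rightmost entries were appended by the
    # proxies closest to Tomcat, so they are the most trustworthy.
    while idx >= 0:
        remote_ip = hops[idx]
        idx -= 1
        if not trusted.fullmatch(remote_ip):
            break  # first address that is not an internal proxy
    if remote_ip is None:
        return peer_addr, xff
    # Entries left of the chosen address are unverified and stay in the
    # header; a fully consumed header disappears from the request.
    remaining = ", ".join(hops[:idx + 1]) or None
    return remote_ip, remaining


REGEX = r"10\.138\.0\.3"  # internalProxies value from the thread

if __name__ == "__main__":
    # Peer is the httpd host: header is consumed, so the application no
    # longer sees X-Forwarded-For, as reported in the original post.
    print(remote_ip_valve("10.138.0.3", "217.110.113.178", REGEX))
    # Constructed peer that does not match the regex: nothing is trusted.
    print(remote_ip_valve("172.17.0.1", "217.110.113.178", REGEX))
    # Constructed client-supplied entry ahead of the one httpd appended:
    # only the rightmost untrusted address becomes the remote address.
    print(remote_ip_valve("10.138.0.3", "203.0.113.7, 217.110.113.178", REGEX))
```

In this model a missing X-Forwarded-For inside the application means the valve accepted the proxy and consumed the header; an untouched header means the connecting address did not match internalProxies.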



