@[email protected]<mailto:[email protected]>
Did you ever get this resolved? I tried to use the same setup and from what I can find online, that should work. But, I'm still getting the netscaler IP in the logs.

Geoff

From: Ourada, John [mailto:[email protected]]
Sent: Thursday, April 17, 2014 9:41 AM
To: [email protected]
Subject: RE: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address

For us, our security team wants to log all access to the system, not just authentication attempts. There is logging that occurs at the Tomcat layer for that already, so the valve made sense. The same type of change is done for other systems, including IIS and Apache.

-John

----- Original Message -----
From: "Whittaker, Geoffrey" <[email protected]>
To: "[email protected]" <[email protected]>
Sent: 04/17/2014 7:12 AM
Subject: RE: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address

I have access to the entire system. But, I'm only knowledgeable enough to be dangerous. I don't want to introduce something that has security consequences downstream.

Geoff

From: Jérôme LELEU [mailto:[email protected]]
Sent: Thursday, April 17, 2014 4:09 AM
To: [email protected]
Subject: Re: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address

Hi,

In fact, it depends on your organization, habits... Maybe you don't have access to the Tomcat configuration and your ops don't want to set up the Valve: you need to update ClientInfoThreadLocalFilter...

Personally, I'm a developer, I like to work at the application level.

Best regards,
Jérôme

2014-04-16 21:06 GMT+02:00 Whittaker, Geoffrey <[email protected]>:

What is the best practice for accomplishing this task?

Geoff

From: Jérôme LELEU [mailto:[email protected]]
Sent: Tuesday, April 15, 2014 11:13 AM
To: [email protected]
Subject: Re: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address

Hi,

In fact, the Tomcat Valve is not a good idea as the header is moved to the IP address and deleted. If you use the Tomcat Valve, you don't need any specific configuration in your filter...

Best,
Jérôme

2014-04-15 17:00 GMT+02:00 Ourada, John <[email protected]>:

In my case, I did it in the Tomcat server.xml. IP addresses redacted.

    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="x.x.x.*"
           remoteIpHeader="x-forwarded-for"
           protocolHeader="x-forwarded-proto" />

From: Jérôme LELEU [mailto:[email protected]]
Sent: Tuesday, April 15, 2014 2:36 AM
To: [email protected]
Subject: Re: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address

Hi,

It looks good to me. No way to output incoming headers with a Tomcat Valve or Apache layer? Before contacting network guys...

Best regards,
Jérôme

2014-04-14 19:28 GMT+02:00 Ben Branch <[email protected]>:

All,

Recently attempted to configure Inspektr to try and capture the client IP address out of the X-Forwarded-For header. After making this change and restarting the services, I'm still seeing the client IP address of the load balancer instead of the actual client IP. This is what I added to my web.xml:

    <filter>
        <filter-name>CAS Client Info Logging Filter</filter-name>
        <filter-class>com.github.inspektr.common.web.ClientInfoThreadLocalFilter</filter-class>
        <init-param>
            <param-name>alternativeIpAddressHeader</param-name>
            <param-value>X-Forwarded-For</param-value>
        </init-param>
    </filter>

Is there anything else I need to do? Or should I contact my network guys and begin troubleshooting at the load balancer?

Ben Branch
UNIX/Linux Administrator
University of Central Oklahoma
ITIL Foundation v3, Network+, RHCSA
100 N. University Drive, Box 122
Edmond, OK 73034
D: 405.974.2649 | M: 405.550.6804 | bbranch@uco.edu | www.uco.edu

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
