I figured out what was going on.
My problem was a miscommunication between me and the guy who configured the
NetScaler. He set up the x-forwarded-for on the wrong VIP. Once that was
corrected, the filter worked. In the end, however, I removed the filter and put
the valve in place so that the native Tomcat logs could take advantage of the
information as well.
For the next lucky contestant trying to figure this out, my config is this:
In the host section of server.xml I added the code below. It's right above the
AccessLogValve for convenience.
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="xxx\.xxx\.xxx\.xxx"
       remoteIpHeader="x-forwarded-for" />
And to get the AccessLogValve to read the header I added
requestAttributesEnabled.
<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs"
       prefix="localhost_access_log." suffix=".txt"
       pattern="combined"
       requestAttributesEnabled="true" />
If anyone else agrees that it's a worthwhile addition, I can try to add this to
the wiki on the clustering page. It seems like a logical addition to me.
Thanks for all your help.
Geoff
From: Ourada, John [mailto:[email protected]]
Sent: Wednesday, April 23, 2014 12:21 PM
To: [email protected]
Subject: RE: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address
As far as I am aware, that is what is happening here.
-John
From: Ben Branch [mailto:[email protected]]
Sent: Wednesday, April 23, 2014 11:16 AM
To: [email protected]
Subject: RE: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address
Geoff,
I did not. I have a suspicion that my problem isn't the CAS configuration, but
how our Load Balancer is configured. From my reading on the X-Forwarded-For
HTTP Header, the X-Forwarded-For header can only be modified if it is a non-ssl
connection. To insert the properly formed X-Forwarded-For Header into an SSL
connection, you would need to terminate the SSL connection at the Load
Balancer, insert the new HTTP Header and then have the Load Balancer
re-establish the SSL connection. In order to achieve this, you would need to
upload both your public and private SSL keys to the load balancer. This is my
simple understanding after spending quite a bit of time researching the matter.
Ben Branch
UNIX/Linux Administrator
University of Central Oklahoma
ITIL Foundation v3, Network+, RHCSA
100 N. University Drive, Box 122
Edmond, OK 73034
D: 405.974.2649 | M: 405.550.6804 | bbranch@uco.edu | www.uco.edu
"I am wiser than this man, for neither of us appears to know anything great and
good; but he fancies he knows something, although he knows nothing; whereas I,
as I do not know anything, so I do not fancy I do. In this trifling particular,
then, I appear to be wiser than he, because I do not fancy I know what I do not
know." - Socrates
From: Whittaker, Geoffrey [mailto:[email protected]]
Sent: Tuesday, April 22, 2014 3:08 PM
To: [email protected]
Subject: RE: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address
@[email protected]
Did you ever get this resolved? I tried to use the same setup and from what I
can find online, that should work. But, I'm still getting the netscaler IP in
the logs.
Geoff
From: Ourada, John [mailto:[email protected]]
Sent: Thursday, April 17, 2014 9:41 AM
To: [email protected]
Subject: RE: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address
For us, our security team wants to log all access to the system, not just
authentication attempts. There is logging that occurs at the Tomcat layer for
that already, so the valve made sense.
The same type of change is done for other systems including iis, apache.
-John
----- Original Message -----
From: "Whittaker, Geoffrey" <[email protected]>
To: "[email protected]" <[email protected]>
Sent: 04/17/2014 7:12 AM
Subject: RE: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address
I have access to the entire system. But I'm only knowledgeable enough to be
dangerous. I don't want to introduce something that has security consequences
downstream.
Geoff
From: Jérôme LELEU [mailto:[email protected]]
Sent: Thursday, April 17, 2014 4:09 AM
To: [email protected]
Subject: Re: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address
Hi,
In fact, it depends on your organization, habits... Maybe you don't have access
to the Tomcat configuration and your ops don't want to set up the Valve: then you
need to update ClientInfoThreadLocalFilter...
Personally, I'm a developer, I like to work at the application level.
Best regards,
Jérôme
2014-04-16 21:06 GMT+02:00 Whittaker, Geoffrey <[email protected]>:
What is the best practice for accomplishing this task?
Geoff
From: Jérôme LELEU [mailto:[email protected]]
Sent: Tuesday, April 15, 2014 11:13 AM
To: [email protected]
Subject: Re: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address
Hi,
In fact, the Tomcat Valve is not a good idea as the header is moved to the IP
address and deleted. If you use the Tomcat Valve, you don't need any specific
configuration in your filter...
Best,
Jérôme
2014-04-15 17:00 GMT+02:00 Ourada, John <[email protected]>:
In my case, I did it in the Tomcat server.xml.
IP addresses redacted.
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="x.x.x.*"
       remoteIpHeader="x-forwarded-for"
       protocolHeader="x-forwarded-proto"
/>
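The two RemoteIpValve configurations in this thread (Geoff's with internalProxies and remoteIpHeader, John's adding protocolHeader) both rely on the valve trusting the X-Forwarded-For header only when the request arrived through a listed proxy. The following is an added Python model of that resolution logic, written for this thread; it is not Tomcat, CAS or Inspektr code. It assumes the documented RemoteIpValve behaviour (walk the header from the right, strip addresses matching internalProxies, the first remaining address is the client, and honour the protocol header only when the peer was a trusted proxy), does not model the separate trustedProxies attribute, and uses constructed addresses (10.0.0.x for the load balancer tier, 203.0.113.7 for a client).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Resolved:
    """What the servlet container would report after the valve has run."""
    remote_addr: str                                   # request.getRemoteAddr()
    scheme: str                                        # request.getScheme()
    stripped_proxies: List[str] = field(default_factory=list)  # hops treated as internal


def is_internal_proxy(internal_proxies: str, addr: str) -> bool:
    """internalProxies is a regular expression, as in RemoteIpValve.

    The whole address must match, which is why the valve configs in this
    thread escape the dots: an unescaped '.' matches any character.
    """
    return re.fullmatch(internal_proxies, addr) is not None


def resolve_client(remote_addr: str, headers: Dict[str, str], internal_proxies: str,
                   remote_ip_header: str = "x-forwarded-for",
                   protocol_header: str = "x-forwarded-proto",
                   default_scheme: str = "http") -> Resolved:
    """Model of RemoteIpValve resolution (simplified: no trustedProxies list).

    remote_addr is the TCP peer that delivered the request; headers are the
    request headers as received.
    """
    hdr = {k.lower(): v for k, v in headers.items()}

    # Gate on the direct peer. If the request did not come through one of our
    # proxies, anything in X-Forwarded-For was written by the remote party and
    # is ignored, so a client cannot choose the address that ends up in the logs.
    if not is_internal_proxy(internal_proxies, remote_addr):
        return Resolved(remote_addr, default_scheme)

    stripped = [remote_addr]
    client = remote_addr
    hops = [h.strip() for h in hdr.get(remote_ip_header, "").split(",") if h.strip()]

    # Walk right to left: each proxy appends its own peer, so the rightmost
    # entries were written by hops we trust and the first non-proxy entry is
    # the real client. Anything left of it came from untrusted parties.
    for hop in reversed(hops):
        if is_internal_proxy(internal_proxies, hop):
            stripped.append(hop)
            continue
        client = hop
        break

    # protocolHeader is honoured only because the peer was a trusted proxy.
    scheme = hdr.get(protocol_header, "").strip().lower() or default_scheme
    return Resolved(client, scheme, stripped)


if __name__ == "__main__":
    proxies = r"10\.0\.0\.\d+"   # constructed: the load-balancer tier
    cases = {
        "normal, proxied":        ("10.0.0.5", {"X-Forwarded-For": "203.0.113.7",
                                                "X-Forwarded-Proto": "https"}),
        "client forged header":   ("10.0.0.5", {"X-Forwarded-For": "1.2.3.4, 203.0.113.7"}),
        "direct hit, forged":     ("203.0.113.7", {"X-Forwarded-For": "1.2.3.4"}),
        "header never inserted":  ("10.0.0.5", {}),   # the symptom in this thread
    }
    for name, (peer, hdrs) in cases.items():
        r = resolve_client(peer, hdrs, proxies)
        print(f"{name:24s} -> remote_addr={r.remote_addr} scheme={r.scheme} "
              f"stripped={r.stripped_proxies}")
```

The "header never inserted" case reproduces what Geoff saw while the header was configured on the wrong VIP: with no X-Forwarded-For on the request, the valve has nothing to work with and the access log keeps the load balancer's address. The "client forged header" case is why internalProxies has to be accurate: the leftmost entry is whatever the client sent, and only the trust gate on the peer plus the right-to-left walk keep it out of the logs. Note that John's pattern `x.x.x.*` uses unescaped dots, which a regex reads as "any character"; `is_internal_proxy` shows the difference.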
From: Jérôme LELEU [mailto:[email protected]]
Sent: Tuesday, April 15, 2014 2:36 AM
To: [email protected]
Subject: Re: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address
Hi,
It looks good to me. No way to output incoming headers with a Tomcat Valve or
Apache layer? Before contacting network guys...
Best regards,
Jérôme
2014-04-14 19:28 GMT+02:00 Ben Branch <[email protected]>:
All,
Recently attempted to configure Inspektr to try and capture the client IP
address out of the X-Forwarded-For header. After making this change and
restarting the services, I'm still seeing the client IP address of the load
balancer instead of the actual client IP. This is what I added to my web.xml:
<filter>
    <filter-name>CAS Client Info Logging Filter</filter-name>
    <filter-class>com.github.inspektr.common.web.ClientInfoThreadLocalFilter</filter-class>
    <init-param>
        <param-name>alternativeIpAddressHeader</param-name>
        <param-value>X-Forwarded-For</param-value>
    </init-param>
</filter>
Is there anything else I need to do? Or should I contact my network guys and
begin troubleshooting at the load balancer?
Ben Branch
**Bronze+Blue=Green** The University of Central Oklahoma is Bronze, Blue, and
Green! Please print this e-mail only if absolutely necessary!
**CONFIDENTIALITY** -This e-mail (including any attachments) may contain
confidential, proprietary and privileged information. Any unauthorized
disclosure or use of this information is prohibited.
--
You are currently subscribed to
[email protected]<mailto:[email protected]> as:
[email protected]<mailto:[email protected]>
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user