Re: Tomcat and IP transparency
Ilya,

On 7/31/13 3:11 PM, Ilya Kazakevich wrote:
> They may use RemoteIpValve to fetch "real" ip from
> "x-forwarded-for" and set it to "remote_addr" where getRemoteAddr
> will get it.

+1

Assuming you can "modify" the webapp by inserting a Valve, you can use it to do exactly what you want to do:

http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
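The valve setup suggested above, as an added configuration sketch that is not part of the original message. It assumes the receiving application runs on a Tomcat version that ships RemoteIpValve; `192.0.2.10` is a constructed placeholder for the forwarding proxy's address.

```xml
<!-- server.xml on the receiving (provider) Tomcat, inside <Host> or <Engine>.
     192.0.2.10 is a constructed placeholder for the forwarding proxy's address. -->

<!-- Too broad: every peer is treated as a proxy, so any client that connects
     directly can choose the value getRemoteAddr() returns. -->
<!--
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="x-forwarded-for"
       internalProxies=".*" />
-->

<!-- Restricted: the header is honoured only when the TCP peer is the known
     proxy; requests from any other address keep their real socket address. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="x-forwarded-for"
       internalProxies="192\.0\.2\.10" />
```

The proxy must also send the original client address in that header on the request it builds; `internalProxies` is a regular expression, hence the escaped dots.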
Re: Tomcat and IP transparency
Hello Joan,

I fear I have to disappoint you. If I understand you correctly you want to manipulate the packets on the IP level, setting the source ip address to the ip address of the originator of the packet, similar to what a loadbalancer would do. It is possible technically, but it's a very different kind of soup compared to http proxy and really hard to implement in java, just because native access to the network interface isn't something java was made for. And since it's not unfamiliar to the attack vector known as IP Spoofing, it will only work in close distance (network-wise). But the last time I was programming something on ip level was about 15 years ago, so I may be wrong.

However, your other side should be able to retrieve the contents of the X-FORWARDED-FOR header and return it in the getRemoteAddress call to its application. At least tomcat would do.

So the question is, how much access do you have to your blackbox? If you have access to the machine you could do it with apache httpd and mod_proxy or mod_proxy_ajp. If not I would ask the provider of the blackbox how they handle proxies in general (and if they do it at all). If they support some kind of proxy behavior, all you need to do is mimic one, if not... well find another provider ;-)

It sounds a bit like SEO, and there are a lot of SEO providers with better tech ;-)

regards
Leon

On Wed, Jul 31, 2013 at 9:04 PM, Joan Balagueró Ventus Proxy <joan.balagu...@ventusproxy.com> wrote:

> Hello,
>
> I already asked this question to the Apache HttpClient Forum. They don't
> know if this is possible with java/Tomcat.
>
> I have developed a proxy servlet with an xml cache, running in a Tomcat
> 6.0.37 on Linux Centos6.4.
>
> When the incoming xml request (sent from an external client) is not found
> in the proxy cache, I use HttpClient 4.2.5 to create a new http request and
> redirect it to the provider application servers to get the xml response.
>
> So far, everything worked ok with all our clients. But now we've a provider
> that needs ip transparency. Then, the request created by httpclient needs
> to carry the origin ip address (that from the external client), not the
> proxy ip. My proxy gets correctly the external IP (using
> request.getRemoteAddr()), but when the provider application reads the IP
> provided by the http client using request.getRemoteAddr(), they obviously
> get the proxy IP.
>
> The provider software is a blackbox, then reading ips with
> 'request.getRemoteAddr()' is something that they cannot change now.
> Therefore, things like adding a 'X-Forwarded-for' header cannot be
> implemented in this scenario.
>
> Is it possible to achieve this at Tomcat level? Has anyone found a
> scenario like this?
>
> Thanks in advance,
>
> Joan.
RE: Tomcat and IP transparency
Hello,

They may use RemoteIpValve to fetch "real" ip from "x-forwarded-for" and set it to "remote_addr" where getRemoteAddr will get it.

Ilya Kazakevich, Developer
JetBrains Inc
http://www.jetbrains.com
"Develop with pleasure!"

>-----Original Message-----
>From: Joan Balagueró Ventus Proxy
>[mailto:joan.balagu...@ventusproxy.com]
>Sent: Wednesday, July 31, 2013 11:05 PM
>To: users@tomcat.apache.org
>Subject: Tomcat and IP transparency
>
>Hello,
>
>I already asked this question to the Apache HttpClient Forum. They don't
>know if this is possible with java/Tomcat.
>
>I have developed a proxy servlet with an xml cache, running in a Tomcat
>6.0.37 on Linux Centos6.4.
>
>When the incoming xml request (sent from an external client) is not found in
>the proxy cache, I use HttpClient 4.2.5 to create a new http request and
>redirect it to the provider application servers to get the xml response.
>
>So far, everything worked ok with all our clients. But now we've a provider
>that needs ip transparency. Then, the request created by httpclient needs to
>carry the origin ip address (that from the external client), not the proxy ip.
>My proxy gets correctly the external IP (using request.getRemoteAddr()), but
>when the provider application reads the IP provided by the http client using
>request.getRemoteAddr(), they obviously get the proxy IP.
>
>The provider software is a blackbox, then reading ips with
>'request.getRemoteAddr()' is something that they cannot change now.
>Therefore, things like adding a 'X-Forwarded-for' header cannot be
>implemented in this scenario.
>
>Is it possible to achieve this at Tomcat level? Has anyone found a scenario
>like this?
>
>Thanks in advance,
>
>Joan.