RE: Tomcat 8 RemoteIpValve Issues
Hi Chuck, I downloaded the following package: http://www-us.apache.org/dist/tomcat/tomcat-8/v8.0.36/bin/apache-tomcat-8.0.36.tar.gz Simply unpackaged it and started it with /bin/catalina.sh. Nothing was done except setting up localhost context and added the RemoteIpValve section in server.xml This is done on a fresh install Ubuntu 16.04 LTS. It is working now since we added requestAttributesEnabled="true". I understand that this is supposed to be the default but it doesn't seem to be the case. -Nubli -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Monday, August 1, 2016 2:23 PM To: Tomcat Users List <users@tomcat.apache.org> Subject: RE: Tomcat 8 RemoteIpValve Issues > From: Kasa, Nubli [mailto:mmohd...@iu.edu] > Subject: RE: Tomcat 8 RemoteIpValve Issues > This doesn't seem to be the case with a fresh new install on Tomcat 8 > on Ubuntu. Our sysadmin also did a fresh install on Redhat with the same > result. Install of what? A real Tomcat from tomcat.apache.org, or a 3rd-party repackaged (and reconfigured) version? For the latter, you may need to consult with the 3rd party, since they've been known to change the defaults somewhat arbitrarily. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat 8 RemoteIpValve Issues
> From: Kasa, Nubli [mailto:mmohd...@iu.edu] > Subject: RE: Tomcat 8 RemoteIpValve Issues > This doesn't seem to be the case with a fresh new install on Tomcat 8 on > Ubuntu. Our sysadmin > also did a fresh install on Redhat with the same result. Install of what? A real Tomcat from tomcat.apache.org, or a 3rd-party repackaged (and reconfigured) version? For the latter, you may need to consult with the 3rd party, since they've been known to change the defaults somewhat arbitrarily. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat 8 RemoteIpValve Issues
Chris, This doesn't seem to be the case with a fresh new install on Tomcat 8 on Ubuntu. Our sysadmin also did a fresh install on Redhat with the same result. -Nubli -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Sunday, July 31, 2016 8:43 AM To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: Tomcat 8 RemoteIpValve Issues -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nubli, On 7/28/16 3:30 PM, Kasa, Nubli wrote: > It seems that requestAttributesEnabled="true" is required in order to > make the valve work. Note that requestAttributesEnabled="true" is the default. Did you change that default? - -chris > -Original Message- From: abhij...@apple.com > [mailto:abhij...@apple.com] On Behalf Of Abhijit Das Sent: > Thursday, July 28, 2016 12:37 PM To: Tomcat Users List > <users@tomcat.apache.org> Subject: Re: Tomcat 8 RemoteIpValve Issues > > This is how it works for me in Tomcat 8.x (I have hashed out some > internal values) (some of my pattern may be redundant) > > 1.2.3.4 will be your LB IP, the IP that is used to talk to the server. > typically the MIP or the SNIP. > > internalProxies="1\.2\.3\.4" trustedProxies="1\.2\.3\.4" > remoteIpHeader="X-Forwarded-For" proxiesHeader="x-forwarded-by" > requestAttributesEnabled="true"/> > > directory="/var/xxx/yyy/zzz/logs" prefix=“application_access" > suffix=".log" pattern="%t %h %{X-AUSERNAME}o %{Referer}i %l %S > %{User-Agent}i %U %s %r %q %A %v %p %b %I %D" > requestAttributesEnabled="true" resolveHosts="false"/> > > And, this is my access log : > > [28/Jul/2016:09:33:57 -0700]- > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) > AppleWebKit/601.6.16 (KHTML, like Gecko) Version/9.1.1 > Safari/601.6.16 200 POST HTTP/1.1 instance IP> 443 181 http-nio-8443-exec-13 > 9 > > On Jul 28, 2016, at 9:23 AM, Kasa, Nubli <mmohd...@iu.edu> wrote: > > Hi, > > We have been using RemoteIpValve in Tomcat 7 but it stopped working > for us in Tomcat 8. Our load balancer will set a header named > "X-Cluster-Client-Ip" with the client's IP as its value. We expect the > client's IP value would be overwritten as the "remoteAddr" but it is > not. It is working for us currently on Tomcat 7 but not on the server > with Tomcat 8. > > I even created a fresh VM and install fresh apache-tomcat-8.0.36 on > Ubuntu and added the following settings as a test: > > . . . > > autoDeploy="true"> > > > > > internalProxies="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\" > remoteIpHeader="X-Cluster-Client-Ip" /> > > > className="org.apache.catalina.valves.AccessLogValve" > directory="logs" prefix="localhost_access_log" suffix=".txt" > pattern="%h %{X-Cluster-Client-Ip}i %a %A %l %H %u %t %r > %s %b" /> > > > > I then use a browser plugin to set X-Cluster-Client-Ip header with > value "156.56.0.1" and GET the page /Home/Status on the same machine > that is hosting Tomcat. I got the following results from > AccessLogValve: > > 192.168.56.10 156.56.0.1 192.168.56.10 127.0.1.1 - HTTP/1.1 - > [27/Jul/2016:16:59:11 -0400] "GET /Home/Status HTTP/1.1" 200 12274 > > %h is still showing my browser IP - 192.168.56.10 > %{X-Cluster-Client-Ip}i correctly picks up the header value - > 156.56.0.1 %a picks up my browser "Remote IP address" - > 192.168.56.10 %A just picks up local IP - 127.0.1.1 > > I have other people verified this issue and we can't seem to figure > out if we are missing a configuration or if there is a bigger problem. > We would appreciate any aid you can give us. > > Thank you, Nubli > > > > > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAled8lkACgkQ9CaO5/Lv0PC2BgCgpUKmD7kMQS2FyKI2YOBCboG1 aTkAoIV6pvffdipdhjI9p0q1EiCUeTMN =BfdC -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 8 RemoteIpValve Issues
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nubli, On 7/28/16 3:30 PM, Kasa, Nubli wrote: > It seems that requestAttributesEnabled="true" is required in order > to make the valve work. Note that requestAttributesEnabled="true" is the default. Did you change that default? - -chris > -Original Message- From: abhij...@apple.com > [mailto:abhij...@apple.com] On Behalf Of Abhijit Das Sent: > Thursday, July 28, 2016 12:37 PM To: Tomcat Users List > <users@tomcat.apache.org> Subject: Re: Tomcat 8 RemoteIpValve > Issues > > This is how it works for me in Tomcat 8.x (I have hashed out some > internal values) (some of my pattern may be redundant) > > 1.2.3.4 will be your LB IP, the IP that is used to talk to the > server. typically the MIP or the SNIP. > > internalProxies="1\.2\.3\.4" trustedProxies="1\.2\.3\.4" > remoteIpHeader="X-Forwarded-For" proxiesHeader="x-forwarded-by" > requestAttributesEnabled="true"/> > > directory="/var/xxx/yyy/zzz/logs" prefix=“application_access" > suffix=".log" pattern="%t %h %{X-AUSERNAME}o %{Referer}i %l %S > %{User-Agent}i %U %s %r %q %A %v %p %b %I %D" > requestAttributesEnabled="true" resolveHosts="false"/> > > And, this is my access log : > > [28/Jul/2016:09:33:57 -0700]- > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) > AppleWebKit/601.6.16 (KHTML, like Gecko) Version/9.1.1 > Safari/601.6.16 200 POST HTTP/1.1 instance IP> 443 181 http-nio-8443-exec-13 > 9 > > On Jul 28, 2016, at 9:23 AM, Kasa, Nubli <mmohd...@iu.edu> wrote: > > Hi, > > We have been using RemoteIpValve in Tomcat 7 but it stopped working > for us in Tomcat 8. Our load balancer will set a header named > "X-Cluster-Client-Ip" with the client's IP as its value. We expect > the client's IP value would be overwritten as the "remoteAddr" but > it is not. It is working for us currently on Tomcat 7 but not on > the server with Tomcat 8. > > I even created a fresh VM and install fresh apache-tomcat-8.0.36 on > Ubuntu and added the following settings as a test: > > . . . > > autoDeploy="true"> > > > > > internalProxies="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\" > remoteIpHeader="X-Cluster-Client-Ip" /> > > > className="org.apache.catalina.valves.AccessLogValve" > directory="logs" prefix="localhost_access_log" suffix=".txt" > pattern="%h %{X-Cluster-Client-Ip}i %a %A %l %H %u %t > %r %s %b" /> > > > > I then use a browser plugin to set X-Cluster-Client-Ip header with > value "156.56.0.1" and GET the page /Home/Status on the same > machine that is hosting Tomcat. I got the following results from > AccessLogValve: > > 192.168.56.10 156.56.0.1 192.168.56.10 127.0.1.1 - HTTP/1.1 - > [27/Jul/2016:16:59:11 -0400] "GET /Home/Status HTTP/1.1" 200 12274 > > %h is still showing my browser IP - 192.168.56.10 > %{X-Cluster-Client-Ip}i correctly picks up the header value - > 156.56.0.1 %a picks up my browser "Remote IP address" - > 192.168.56.10 %A just picks up local IP - 127.0.1.1 > > I have other people verified this issue and we can't seem to figure > out if we are missing a configuration or if there is a bigger > problem. We would appreciate any aid you can give us. > > Thank you, Nubli > > > > > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAled8lkACgkQ9CaO5/Lv0PC2BgCgpUKmD7kMQS2FyKI2YOBCboG1 aTkAoIV6pvffdipdhjI9p0q1EiCUeTMN =BfdC -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat 8 RemoteIpValve Issues
Abhijit, Thank you for your prompt reply. It seems that requestAttributesEnabled="true" is required in order to make the valve work. Thanks again for your help! -Nubli -Original Message- From: abhij...@apple.com [mailto:abhij...@apple.com] On Behalf Of Abhijit Das Sent: Thursday, July 28, 2016 12:37 PM To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: Tomcat 8 RemoteIpValve Issues This is how it works for me in Tomcat 8.x (I have hashed out some internal values) (some of my pattern may be redundant) 1.2.3.4 will be your LB IP, the IP that is used to talk to the server. typically the MIP or the SNIP. And, this is my access log : [28/Jul/2016:09:33:57 -0700]- Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.16 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.16 200 POST HTTP/1.1 443 181 http-nio-8443-exec-13 9 On Jul 28, 2016, at 9:23 AM, Kasa, Nubli <mmohd...@iu.edu> wrote: Hi, We have been using RemoteIpValve in Tomcat 7 but it stopped working for us in Tomcat 8. Our load balancer will set a header named "X-Cluster-Client-Ip" with the client's IP as its value. We expect the client's IP value would be overwritten as the "remoteAddr" but it is not. It is working for us currently on Tomcat 7 but not on the server with Tomcat 8. I even created a fresh VM and install fresh apache-tomcat-8.0.36 on Ubuntu and added the following settings as a test: . . . I then use a browser plugin to set X-Cluster-Client-Ip header with value "156.56.0.1" and GET the page /Home/Status on the same machine that is hosting Tomcat. I got the following results from AccessLogValve: 192.168.56.10 156.56.0.1 192.168.56.10 127.0.1.1 - HTTP/1.1 - [27/Jul/2016:16:59:11 -0400] "GET /Home/Status HTTP/1.1" 200 12274 %h is still showing my browser IP - 192.168.56.10 %{X-Cluster-Client-Ip}i correctly picks up the header value - 156.56.0.1 %a picks up my browser "Remote IP address" - 192.168.56.10 %A just picks up local IP - 127.0.1.1 I have other people verified this issue and we can't seem to figure out if we are missing a configuration or if there is a bigger problem. We would appreciate any aid you can give us. Thank you, Nubli
Re: Tomcat 8 RemoteIpValve Issues
This is how it works for me in Tomcat 8.x (I have hashed out some internal values) (some of my pattern may be redundant) 1.2.3.4 will be your LB IP, the IP that is used to talk to the server. typically the MIP or the SNIP. And, this is my access log : [28/Jul/2016:09:33:57 -0700]- Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.16 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.16 200 POST HTTP/1.1 443 181 http-nio-8443-exec-13 9 On Jul 28, 2016, at 9:23 AM, Kasa, Nubliwrote: Hi, We have been using RemoteIpValve in Tomcat 7 but it stopped working for us in Tomcat 8. Our load balancer will set a header named "X-Cluster-Client-Ip" with the client's IP as its value. We expect the client's IP value would be overwritten as the "remoteAddr" but it is not. It is working for us currently on Tomcat 7 but not on the server with Tomcat 8. I even created a fresh VM and install fresh apache-tomcat-8.0.36 on Ubuntu and added the following settings as a test: . . . I then use a browser plugin to set X-Cluster-Client-Ip header with value "156.56.0.1" and GET the page /Home/Status on the same machine that is hosting Tomcat. I got the following results from AccessLogValve: 192.168.56.10 156.56.0.1 192.168.56.10 127.0.1.1 - HTTP/1.1 - [27/Jul/2016:16:59:11 -0400] "GET /Home/Status HTTP/1.1" 200 12274 %h is still showing my browser IP - 192.168.56.10 %{X-Cluster-Client-Ip}i correctly picks up the header value - 156.56.0.1 %a picks up my browser "Remote IP address" - 192.168.56.10 %A just picks up local IP - 127.0.1.1 I have other people verified this issue and we can't seem to figure out if we are missing a configuration or if there is a bigger problem. We would appreciate any aid you can give us. Thank you, Nubli