It's spelled out right in the docs: that header is consumed as decoded by httpd, and the effective remote IP address is what it decoded. If you want it seen by Tomcat, don't do that.
https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html#processing

On Mon, Sep 23, 2019, 12:45 John Pyeatt <[email protected]> wrote:

> I have tried everything and I can't get Apache (2.4.39) to pass the
> X-Forwarded-For header to my tomcat (8.5) instance.
>
> I have apache listening on port 8081 and bound to the public IP address as
> a reverse proxy to a backend tomcat instance which is also bound to 8081
> but on 127.0.0.1.
> My apache instance has the following modules loaded:
>
> proxy_module (shared)
> proxy_connect_module (shared)
> proxy_ajp_module (shared)
> proxy_http_module (shared)
> proxy_wstunnel_module (shared)
> remoteip_module (shared)
>
> Here is my virtualhost stanza
> <VirtualHost _default_:8081>
>     ProxyPreserveHost On
>     ProxyPass /MYAPP/admin http://127.0.0.1:8081/MYAPP/admin
>     RemoteIPHeader X-Forwarded-For
>     RemoteIPInternalProxy 127.0.0.0/8
>     <Location /MYAPP/admin>
>         ProxyAddHeaders On
>         ProxyPassReverse /MYAPP/admin
>         # Only allow ?cmd=spkr
>         RewriteEngine On
>         RewriteCond %{QUERY_STRING} !cmd=spkr
>         RewriteRule .* - [F]
>     </Location>
> </VirtualHost>
>
> According to the doc
> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyaddheaders
> ProxyAddHeaders On should do the trick.
>
> I've done a packet capture to see if the X-Forwarded-For header is being
> generated by Apache but dropped on the floor in Tomcat and I'm not seeing
> X-Forwarded-For header coming from Apache.
>
> The slightly weird thing is that my tomcat app is also listening on port
> 5678 using AJP and that works if I change to
> ProxyPass /MYAPP/admin ajp://127.0.0.1:5678/MYAPP/admin.
> Calls to HttpRequest.getRemoteAddr() in my
> tomcat app correctly return the IP address of my client. I find it very
> hard to believe that proxy_ajp_module works fine and proxy_http_module
> somehow has a bug in it. So I must be missing some magic apache
> configuration setting.
>
> --
> John Pyeatt
> Software Developer
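
A simplified model of the right-to-left header processing that the linked mod_remoteip documentation describes, added here as an illustration and not taken from httpd or from either poster. The function name, the sample addresses and the reduction to `RemoteIPInternalProxy`-only trust are assumptions of this sketch.

```python
import ipaddress


def remoteip_process(peer_ip, header_value, internal_proxies):
    """Model of mod_remoteip consuming RemoteIPHeader (assumed, simplified).

    Returns (effective_client_ip, remaining_header), where remaining_header
    is None when every listed address was consumed and the header is removed.
    """
    trusted = [ipaddress.ip_network(n) for n in internal_proxies]

    def is_trusted(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in trusted)

    hops = [h.strip() for h in (header_value or "").split(",") if h.strip()]
    client = peer_ip
    # Walk right to left: the current address must be a trusted proxy
    # before the address it presents is accepted as the new client.
    while hops and is_trusted(client):
        try:
            ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # unparseable token: stop and leave it in the header
        client = hops.pop()
    return client, (", ".join(hops) if hops else None)


if __name__ == "__main__":
    internal = ["127.0.0.0/8"]  # as in the quoted RemoteIPInternalProxy line
    # Constructed sample requests: (connecting peer, X-Forwarded-For value)
    samples = [
        ("203.0.113.7", "198.51.100.9"),   # untrusted peer: value ignored
        ("127.0.0.1", "198.51.100.9"),     # trusted peer: header consumed
        ("127.0.0.1", "192.0.2.1, 198.51.100.9, 127.0.0.2"),
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", remoteip_process(peer, xff, internal))
```

The second sample is the case the reply points at: once every listed address is trusted and consumed, no header value is left over for the backend to read.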
