As a P.S. :
Maybe you should also look at this, to see if it would fit your needs :
http://tomcat.apache.org/tomcat-8.0-doc/proxy-howto.html


André Warnier wrote:
Paul Klinkenberg wrote:
Hi Tomcat users!

I have been working on an update for a Tomcat valve called mod_cfml. The project aims to provide automatic web context creation in Tomcat, when coming from a frontend webserver. The live code base can be found at https://github.com/utdream/mod_cfml

One of the features I wanted to add, is adding an IP restriction in the valve (see github <https://github.com/paulklinkenberg/mod_cfml/commit/dab058b7f38f98a6e7f076323e3d23be476e6de6>). While testing, I noticed that AJP works very well: it hides the IP address of the caller, which is the front-end Apache webserver, and instead returns the IP of the remote client / the client who called the frontend webserver. I have been digging around quite a lot, but have not been able to find the Apache httpd IP address :-(

My question is hopefully simple to answer: can I retrieve the IP address which called the AJP connector, from within the valve?

My server.xml is:

<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve
            className="mod_cfml.core"
            loggingEnabled="true"
            waitForContext="10"
            maxContexts="9999"
            timeBetweenContexts="0"
            scanClassPaths="false"
            allowedIPs="127.0.0.1,192.168.1.52" />
      </Host>
    </Engine>
  </Service>
</Server>

Thanks in advance for your time!

Kind regards,

Paul Klinkenberg
The Netherlands

p.s. I asked this question, in other wording, on StackOverflow.com as well. I hope I have better luck here ;-) http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp


Hi.
With Apache httpd and mod_jk as front-end, you have (at least) 2 options :
- set an additional HTTP request header at the Apache httpd level, before the request is proxied to the back-end Tomcat
- set a "JkEnvVar" value at the Apache httpd level, before the request is proxied to Tomcat

You can then retrieve these set values at the Tomcat level, either by parsing the request headers, or by retrieving a "request attribute" corresponding to the JkEnvVar. The JkEnvVar/attribute method is probably more efficient in a mod_jk context; the HTTP header solution is more portable, since it does not depend on specifically mod_jk being used as a connector.

Presumably, when at the Apache httpd level you decide to proxy a request to a back-end Tomcat, you know through which interface you'll do it, and what its IP address is, and you can put it into one of the things above.

Is that enough info to get you started ?

Caveat : one part I am not quite sure of, is what things you do have easy access to, at the level of a Valve. The above is what you'd do at a webapp level, I hope it is also accessible at your Valve level.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
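
The JkEnvVar option from the reply above, sketched as a valve. This is an added example, not code from the thread or from mod_cfml: the class name `FrontendAddressValve` and the variable name `FRONTEND_ADDR` are hypothetical, and the imports assume the `javax.servlet` API used by Tomcat 8.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Hypothetical valve. Assumed httpd side, one line per frontend:
 *   JkEnvVar FRONTEND_ADDR 192.168.1.52
 * mod_jk forwards the variable (or the default given) over AJP and
 * Tomcat exposes it through request.getAttribute().
 */
public class FrontendAddressValve extends ValveBase {

    private static final String ATTR = "FRONTEND_ADDR"; // assumed name

    private volatile Set<String> allowed = Collections.emptySet();

    /** Set by Tomcat from allowedIPs="127.0.0.1,192.168.1.52" on the Valve element. */
    public void setAllowedIPs(String csv) {
        Set<String> parsed = new HashSet<>();
        for (String ip : csv.split(",")) {
            if (!ip.trim().isEmpty()) {
                parsed.add(ip.trim());
            }
        }
        allowed = parsed;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Under AJP, getRemoteAddr() is the end client, so it is not used here.
        Object frontend = request.getAttribute(ATTR);
        // Fail closed: no attribute (for example a request on the HTTP
        // connector, or a frontend without the JkEnvVar line) is rejected.
        if (!(frontend instanceof String) || !allowed.contains(frontend)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        getNext().invoke(request, response);
    }
}
```

The attribute is supplied by whichever peer speaks AJP to port 8009, so the check only identifies the frontend when that port is reachable solely from the trusted httpd hosts.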



