ok, quick update: it didn't work with 198\.41\..* or .* at first, but it
worked after I changed the attribute name from trustedProxies to
internalProxies.
kr
Leon

On Mon, Jun 14, 2021 at 11:52 PM Leon Rosenberg <rosenberg.l...@gmail.com>
wrote:

>
>
> On Mon, Jun 14, 2021 at 10:57 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Leon,
>>
>> On 6/14/21 16:26, Leon Rosenberg wrote:
>> > Thanks for the response Mark,
>> >
>> > quick question, do I have to add all cloudflare ips? They're kind of
>> > distributed around the world... Can I mark the trustworthiness by a header
>> > instead?
>> > kr
>> > Leon
>> >
>> > On Mon, Jun 14, 2021 at 9:45 PM Mark Thomas <ma...@apache.org> wrote:
>> >
>> >> On 14/06/2021 17:01, Leon Rosenberg wrote:
>> >>> hi,
>> >>> I have a tomcat 8.5.15 behind an apache behind cloudflare. I am trying to
>> >>> "see" the user's ip in my logs. When I print out the headers I see that I
>> >>> have headers in the request
>> >>> CF-Connecting-IP
>> >>> and
>> >>> X-Forwarded-For
>> >>> with the real user's ip, say 93.72.251.122. But when I make a request to
>> >>> request.getRemoteAddr() it returns 162.158.103.188 which is cloudflare's
>> >>> ip address, not the real one.
>> >>> I added to the server.xml the RemoteIpValve in different configurations
>> >>> under "Host", i.e.:
>> >>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
>> >>> remoteIpHeader="x-forwarded-for"
>> >>> protocolHeader="x-forwarded-proto"
>> >>> />
>> >>>
>> >>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
>> >>> remoteIpHeader="X-Forwarded-For"
>> >>> protocolHeader="X-Forwarded-Proto"
>> >>> />
>> >>>
>> >>> or assuming for defaults:
>> >>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
>> >>> />
>> >>>
>> >>> or even:
>> >>>    <Valve className="org.apache.catalina.valves.RemoteIpValve"
>> >>> remoteIpHeader="CF-Connecting-IP"
>> >>> />
>> >>>
>> >>> but none of them give me the getRemoteAddr properly. Is there a trick to
>> >>> this configuration?
>> >>
>> >> You need to tell Tomcat that 162.158.103.188 is trusted. Setting
>> >> trustedProxies="162\.158\.103\.188" should do the trick.
>> >>
>> >> There is debug logging in that Valve so you can set
>> >>
>> >> org.apache.catalina.valves.RemoteIpValve.level=FINE
>> >>
>> >> in $CATALINA_BASE/conf/logging.properties to get debug logging which
>> >> should help you see what is going on.
>> >>
>> >> Mark
>>
>> trustedProxies=".*" ??
>>
>>
> Hi Chris,
>
>
>> What happens if someone connects to your origin server directly? Would
>> you trust an X-Forwarded-For header from them?
>>
>
> That's an excellent question, Chris! I don't know the answer yet, the only
> thing we need the ip for is to have something in case of payment-fraud, and
> since you can't get any physical goods on this site I guess it would be ok
> to trust it.
> kr
> leon
>
>
>>
>> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
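
Chris's question about trusting X-Forwarded-For, worked through as an added example (not code from the thread or from Tomcat): a simplified Python model of a right-to-left walk over the header, comparing a pattern pinned to the proxy address quoted in the thread with `.*`. The helper name, the single-regex simplification and the 203.0.113.50 / 198.51.100.7 addresses are assumptions made for illustration.

```python
import re

# Constructed sample values: 162.158.103.188 and 93.72.251.122 are the addresses
# quoted in the thread; 203.0.113.50 and 198.51.100.7 are documentation-range
# addresses standing in for a direct caller and a forged header value.
STRICT = r"162\.158\.103\.188"   # only the proxy address seen in the thread
WILDCARD = r".*"                 # the pattern questioned in the thread


def resolve_remote_addr(peer_ip, x_forwarded_for, proxies_regex):
    """Hypothetical helper: the address the application would see as remote addr.

    Simplified model (assumption): one regex plays the role of the valve's
    proxy pattern, and matching is whole-string, like Java's Matcher.matches().
    """
    proxies = re.compile(proxies_regex)

    # The header is only honoured when the TCP peer itself is a known proxy.
    if not proxies.fullmatch(peer_ip):
        return peer_ip

    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    remote = peer_ip
    # Walk right to left: the rightmost entries were appended closest to us.
    for hop in reversed(hops):
        remote = hop
        if not proxies.fullmatch(hop):
            break  # first address that is not a proxy is taken as the client
    return remote


def demo():
    cases = {
        "via proxy": ("162.158.103.188", "93.72.251.122"),
        "via proxy, forged prefix": ("162.158.103.188", "198.51.100.7, 93.72.251.122"),
        "direct, forged header": ("203.0.113.50", "198.51.100.7"),
    }
    return {
        name: (resolve_remote_addr(peer, xff, STRICT),
               resolve_remote_addr(peer, xff, WILDCARD))
        for name, (peer, xff) in cases.items()
    }


if __name__ == "__main__":
    for name, (strict, wildcard) in demo().items():
        print(f"{name:26} strict={strict:15} wildcard={wildcard}")
```

With the pinned pattern the logged address is either the entry appended by the proxy or the real TCP peer; with `.*` it is whatever the caller put leftmost in the header.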
