Mark,
On 5/5/26 11:04 AM, Mark Thomas wrote:
On 02/05/2026 16:27, Christopher Schultz wrote:
All,
I've got an odd situation where some requests arriving in my
application are claiming to come from 127.0.0.1 as the remote IP address.
I'm calling HttpServletRequest.getRemoteAddr and storing it in the
user's session. I'm an admin, so I can see this attribute in users'
sessions and very rarely I'm seeing that it's set to 127.0.0.1.
My setup is:
AWS ALB -> httpd [mod_jk] -> [stunnel] -> Tomcat [AjpNioProtocol]
This does not require high load. All httpd and Tomcat instances are
configured identically. And this happens very rarely, but enough that
I have noticed it and I'd like to understand what might be happening.
An interview with ChatGPT yielded this comment:
"
AJP is not resilient to partial/ambiguous reads across a tunneled TCP
stream. If anything about framing or connection reuse gets even
slightly out of sync, Tomcat will still process the request—but
silently fall back to 127.0.0.1.
"
Yeah, that looks like nonsense.
I assume that it isn't at all possible that the request has been made by
127.0.0.1 (the machine where httpd is running)?
Correct, 127.0.0.1 would be *either* the httpd instance (forwarded over
AJP) or the Tomcat server itself. Neither are likely, as the users are
always coming through a load-balancer which is forwarding the user's
real IP, and it should be forwarded all the way through.
Honestly, I think that ChatGPT has grabbed on to the idea that "httpd
and Tomcat are fine, so it must be stunnel" which seems odd to me, but
I'm wondering about its comment.
My expectation is that if "something is wrong" then mod_jk will kill
the request. Or maybe Tomcat will. Or both.
I see no correlation with errors in my mod_jk.log file (which has very
few if any errors).
Any suggestions for what might be happening? I can't reproduce this
myself but I control everything in the stack except for the AWS ALB
(which I can configure, but obviously, I can't directly-instrument in
the way that I could, say, httpd, Tomcat, or my own application).
The remote address is held in a MessageBytes object which is reset to
NULL on a new request so it looks like something is setting it
explicitly to "127.0.0.1".
That makes me think it is something in httpd/mod_jk rather than Tomcat.
I think I'd start by looking at the access logs for the requests in
question in httpd and see which IP is logged there.
I can do that, but lining things up with requests to Tomcat might not be
obvious. I think I'll have to set up the unique request identifier stuff
Rainer added (somewhat) recently.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
