Konstantin,
On 5/5/26 2:39 PM, Konstantin Kolinko wrote:
вт, 5 мая 2026 г. в 19:42, Christopher Schultz <[email protected]>:
Mark,
On 5/5/26 11:04 AM, Mark Thomas wrote:
On 02/05/2026 16:27, Christopher Schultz wrote:
All,
I've got an odd situation where some requests arriving in my
application are claiming to come from 127.0.0.1 as the remote IP address.
I'm calling HttpServletRequest.getRemoteAddr and storing it in the
user's session. I'm an admin, so I can see this attribute in users'
sessions and very rarely I'm seeing that it's set to 127.0.0.1.
My setup is:
AWS ALB -> httpd [mod_jk] -> [stunnel] -> Tomcat [AjpNioProtocol]
This does not require high load. All httpd and Tomcat instances are
configured identically. And this happens very rarely, but enough that
I have noticed it and I'd like to understand what might be happening.
An interview with ChatGPT yielded this comment:
"
AJP is not resilient to partial/ambiguous reads across a tunneled TCP
stream. If anything about framing or connection reuse gets even
slightly out of sync, Tomcat will still process the request—but
silently fall back to 127.0.0.1.
"
Yeah, that looks like nonsense.
I assume that it isn't at all possible that the request has been made by
127.0.0.1 (the machine where httpd is running)?
Correct, 127.0.0.1 would be *either* the httpd instance (forwarded over
AJP) or the Tomcat server itself. Neither are likely, as the users are
always coming through a load-balancer which is forwarding the user's
real IP, and it should be forwarded all the way through.
This reminds me of a January 2026 thread on users@httpd, titled
"Server querying OPTIONS to itself?"
https://lists.apache.org/thread/4c078mzb1zfy6rohb1bty4z545d8dnwl
That thread mentioned the following two references:
https://serverfault.com/questions/543355/options-http-1-0-in-access-log
https://cwiki.apache.org/confluence/display/httpd/InternalDummyConnection
A HTTPD making some dummy connections to itself. Those can be
distinguished by looking at the "User-Agent" header value that
includes a string "(internal dummy connection)".
(The discussion on users@httpd and serverfault questions both mention
"OPTIONS *" requests,
and I think that those are unlikely to be forwarded to Tomcat,
but the HTTPD Wiki page does not say anything about them being
"OPTIONS" requests.)
Even if they were forwarded to Tomcat, they wouldn't (or really
shouldn't!) have any user's session information in them to link them to
a logged-in user's session. I'm seeing these IPs captured in a user's
session by a filter which just grabs the remote IP and stores it in the
session.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
