Hello Christopher,

Using a Remote IP Filtering Valve/Servlet Filter can be a bit tricky
with a proxy or a load balancer because, by default, you lose the
actual remote ip and just get the IP of the proxy or load balancer.

However, these proxies and load balancers (Apache mod_proxy, F5 Big IP,
Alteon, Squid, etc) add an HTTP Header commonly named X-Forwarded-For
(or X-Client-IP) to transmit the actual remote IP.

Apache Httpd will integrate the mod_remoteip
(http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html) module to
handle X-Forwarded-For header at the Apache Httpd layer.

Here are two Java ports of mod_remoteip to handle X-Forwarded-For at
the Tomcat level with a valve and at the WAR level with a servlet
filter: RemoteIpValve
(http://code.google.com/p/xebia-france/wiki/RemoteIpValve) and
XForwardedFilter
(http://code.google.com/p/xebia-france/wiki/XForwardedFilter). In
addition to handling X-Forwarded-For, they also integrate
X-Forwarded-Proto (http or https).
Thanks to this, request.getRemoteAddr(), request.getRemoteHost(),
request.isSecure(), request.getScheme() and request.getServerPort()
will expose the values transmitted by X-Forwarded-For and
X-Forwarded-Proto rather than the values of the preceding proxy / load
balancer.

For your need, preceding the RemoteAddrValve by the RemoteIpValve
would allow you to get the actual client IP.

The RemoteIpValve has been proposed to the Tomcat project as Bug 47330
- proposal : port of mod_remoteip in Tomcat as RemoteIpValve
(https://issues.apache.org/bugzilla/show_bug.cgi?id=47330).

Hope this helps,

Cyrille

--
Cyrille Le Clerc
clecl...@xebia.fr cyri...@cyrilleleclerc.com
http://blog.xebia.fr

On Mon, Oct 5, 2009 at 12:43 PM, Elli Albek <e...@sustainlane.com> wrote:
>
> ----- Original Message -----
> From: Christopher Schultz <ch...@christopherschultz.net>
> To: Tomcat Users List <users@tomcat.apache.org>
> Sent: Fri, 2 Oct 2009 07:32:06 -0700 (PDT)
> Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
>
>
> >> 2. There are other valves like request filters that cannot work without the
> >> correct IP, as well as custom login valve.
> >
> > Filters should be OK providing they are defined in the right order.
>
> > Aren't all Valves always called before Filters?
>
> To be more specific, I was referring to a "request filter" that is
> implemented as a valve, not as a servlet filter. One is shipped with Tomcat
> already for filtering IPs. That valve does not work behind a load balancer or
> a reverse proxy.
>
> E
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
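
Added example, not part of the original message and not the RemoteIpValve or mod_remoteip source: a sketch of the resolution step an IP filter depends on behind a proxy, taking the client address from X-Forwarded-For only when the TCP peer is one of your own proxies. The class name, method name, proxy addresses and sample requests are all constructed for illustration, and returning the peer address when every hop is a known proxy is a simplification chosen here.

```java
import java.util.Set;

public class ForwardedForResolver {
    // Assumption: addresses of our own proxies / load balancers (constructed values).
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "10.0.0.6");

    /**
     * peerAddr: address of the TCP peer, what request.getRemoteAddr() returns by default.
     * xff: raw X-Forwarded-For header value, or null when the header is absent.
     */
    static String resolveClientIp(String peerAddr, String xff) {
        // The header is only meaningful when the peer is one of our proxies;
        // from any other peer it is client-supplied text and is ignored.
        if (xff == null || !TRUSTED_PROXIES.contains(peerAddr)) {
            return peerAddr;
        }
        // Each proxy appends the address it received the request from, so walk
        // right to left and stop at the first hop that is not one of ours.
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !TRUSTED_PROXIES.contains(hop)) {
                return hop;
            }
        }
        return peerAddr; // header held only our own proxies (or nothing usable)
    }

    public static void main(String[] args) {
        // Constructed samples: { TCP peer, X-Forwarded-For header }
        String[][] samples = {
            {"10.0.0.5", "198.51.100.7"},             // one proxy in front
            {"10.0.0.6", "198.51.100.7, 10.0.0.5"},   // two chained proxies
            {"10.0.0.5", "192.0.2.44, 198.51.100.7"}, // extra leftmost entry sent by the client
            {"203.0.113.9", "192.0.2.44"},            // direct connection: header ignored
        };
        for (String[] s : samples) {
            System.out.printf("peer=%-12s xff=%-26s -> %s%n",
                    s[0], s[1], resolveClientIp(s[0], s[1]));
        }
    }
}
```

An address-based filter such as the RemoteAddrValve should be evaluated against the value this step returns, which is why the resolving valve has to come first in the chain.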
