"Mark Thomas" <ma...@apache.org> wrote in message news:4b2e4e77.3000...@apache.org...

> On 20/12/2009 16:04, André Warnier wrote:
>> In other words: it seems that quite early in the request process, a
>> decision is taken to *replace* the remote IP address as obtained from
>> the socket by the ultimate IP of the client for which this proxy
>> request is being processed. This casts doubt on the ability of even a
>> servlet filter to obtain the IP address of the proxy server which has
>> the real connection with Tomcat.
>>
>> All a bit beyond my dabbling capabilities, I'm afraid.
>
> This is one of those times where the solution will depend on the
> protocol you are using.
>
Exactly. The AJP/1.3 protocol doesn't consider itself to be a proxy (and anyone old enough to remember its predecessor mod_jserv will see why), but rather an integration of Tomcat with the native server (more like mod_fcgid). This means that the last hop is considered to be the native server. The protocol itself is even transport agnostic, and in the past it has been possible to run Tomcat inside of IIS/Apache or even to use Unix sockets.

> The AJP connectors will report the client's IP address so you need an
> alternative solution. Using the "request.secret" attribute is probably
> the simplest fix although keep in mind that AJP is clear text so the
> secret might not be that secret.
>

Yes, AJP/1.3 assumes that the connection between the native server and the Tomcat server is secured, so that if someone can sniff AJP/1.3 packets it means that the system is already badly compromised.

If using mod_jk, then yes, the 'secret' is the simplest way to go. If using mod_proxy_ajp, then you need to head on over to submit a patch for httpd to add this configuration option (most of the active developers of mod_proxy_ajp lurk on this list if you need help, but d...@httpd.a.o is the official list for this).

The table of 'names' for the two supported protocols is:

  Name        HTTP/1.1                                      AJP/1.3
  ----------  --------------------------------------------  ---------------------------------------------------
  serverName  Host header                                   Host header
  remoteName  last proxy server (or client if no proxies)   last proxy server before native server (or client)
  localName   the name the connector is bound to            name of native server (i.e. the ServerName)

Which gives a third option to the OP, which is to use the useIPVHosts="true" option on the <Connector ... />, and only configure <Host .../>s for the ones that he wants to allow to connect (and the default Host just returns 404 to every request).

> The HTTP connectors will report the proxy's IP address so the
> RemoteAddressValve can be used.
> Note in Tomcat 7:
> - where the RemoteIpValve is available you would need to make sure that
>   the RemoteAddressValve was earlier in the pipeline than the RemoteIpValve
> - you have the option of using Valves or Filters for this functionality
>
> HTH,
>
> Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
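A conf/server.xml sketch of the two connector-specific options discussed in this thread, added here as an illustration and not taken from the original mail: an HTTP/1.1 connector whose proxy address is pinned by RemoteAddrValve (ordered before RemoteIpValve, per the Tomcat 7 caveat above), and an AJP/1.3 connector restricted by the connector's requiredSecret attribute (what the thread calls "request.secret"), matched by the mod_jk worker's secret. The address 192.0.2.10 and the secret string are placeholders.

```xml
<!-- Added example (not from the original mail): conf/server.xml excerpt for
     Tomcat 6/7. 192.0.2.10 is a placeholder for the reverse proxy's address;
     the secret value is a placeholder too. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Service A: HTTP/1.1 behind a proxy. remoteName is the LAST PROXY, so
       RemoteAddrValve can pin the connection to the proxy's address. -->
  <Service name="Catalina-http">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Engine name="Catalina-http" defaultHost="localhost">
      <!-- Tomcat 7 caveat from the thread: RemoteAddrValve must run BEFORE
           RemoteIpValve. RemoteIpValve replaces getRemoteAddr() with the
           X-Forwarded-For client, after which the proxy's address is gone. -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="192\.0\.2\.10" />
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="192\.0\.2\.10"
             remoteIpHeader="x-forwarded-for" />
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>

  <!-- Service B: AJP/1.3 from mod_jk. remoteName is already the CLIENT (the
       native server is not treated as a proxy), so an address valve cannot
       identify the proxy here; use the shared secret instead. -->
  <Service name="Catalina-ajp">
    <Connector port="8009" protocol="AJP/1.3"
               address="127.0.0.1"
               requiredSecret="PLACEHOLDER-replace-with-a-long-random-value" />
    <!-- Matching mod_jk side (workers.properties, not XML):
           worker.ajp13.secret=PLACEHOLDER-replace-with-a-long-random-value
         AJP is clear text, so the httpd <-> Tomcat link must itself be
         trusted (loopback as above, or an isolated network). -->
    <Engine name="Catalina-ajp" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

The two connectors sit in separate Services so that the address valve applies only to the HTTP path; under AJP it would see the end client's address and deny every request.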