How do we get Forwarded IP when using Reverse Proxy

gernotlg

Is there way to configure tomcat server to check for an XFF header and get the real IP address when using a reverse proxy ?

I did notice that all my logins were coming from the same IP address (using Login Notifications & Failed Login Notifications), which didn't bother me for now, but then when I accidently mistyped my password 3 times, it locked the system... but not just for me.. for anyone using the proper URL which runs through a reverse proxy.

I could still log in if I remote to the server, or any other PC on the server's LAN, but anything coming from the reverse proxy gets a message from awareIM that the System is Locked.... and then after the set time it all works again of course.

So it could be a real problem if AwareIM is not getting the Forwarded IP address from tomcat, and then a few failed logins (because someone forgot to put their glasses on) the entire system is in lock-down for new logins.

Does anyone have a tweak for the server to overcome this ?

Thanks
G

Jaymer

Caddy has a directive to forward the original IP.

gernotlg

I'm not using caddy. I looked into setting up the reverse proxy myself using caddy or nginx but until I get my head around those, I'm using a 3rd party : Sucuri. Which seems to do the job for now.

Their docs say the original IP is forwarded in the XFF header, and they give a heap of options for configuring your server... but not Tomcat.

One example which looks like it replaces the remote address... as follows..

if(isset($SERVER['HTTP_X_SUCURI_CLIENTIP']))
{
$SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
}

But where would I put that ?

Jaymer

here's what I have in my server.xml:

<Host name="glcm.appssrvr.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
	<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" />
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="glcm_access_log" suffix=".txt"
               pattern="%{x-forwarded-for}i %l %u %t &quot;%r&quot; %s %b" />
	<Context path="" docBase="C:\AwareIM\Tomcat\webapps\glcm" debug="0" reloadable="true"/>
</Host>

gernotlg

Thanks Jaymer. Sorry for extremly delayed response. I only work on this part time.

So if anyone is interested.. this is what worked for me... in server.xml (IP addresses have been changed)

<Host name="localhost"  appBase="webapps" unpackWARs="true" autoDeploy="true" >
    <Valve className="org.apache.catalina.valves.RemoteIpValve"internalProxies="123.456.789.876|456.789.012.345" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" trustedProxies="proxy1|proxy2" /> 
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="awareim_access_log" suffix=".txt"
               pattern="%{x-forwarded-for}i %l %u %t &quot;%r&quot; %s %b" />
</Host>

So basically... the RemoteIPValve tells the server that if the Remote IP is one of the IP's you've listed, then it will look for and use the Forwarded IP address.

----- What we're looking at : -----------------

<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" > <<-- No idea what any of this means except 'localhost' needs to be your actual server in my case it is localhost

<Valve className="org.apache.catalina.valves.RemoteIpValve"internalProxies="123.456.789.876|456.789.012.345" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" trustedProxies="proxy1|proxy2" /> <<-- this is the important bit. The addresses are the IP addresses of the Reverse Proxy's firewall's (the IP's that will be accessing your server. If you're using a Reverse Proxy Service (like I am, as opposed to using say NGINX or Caddy), they will give you a list of addresses that you need to let through your own firewall: them's the one's). And then then you gotta put that last bit in 'trustedProxies' and basically just "proxy1|proxy2|proxy3... etc etc.

IP's are separated by: |

The annoying bit was, I can't work out how to specify an IP range, so you have to list every IP. In my case there are 12 IP addresses !!... Which also means I had to specify "proxy1|proxy2|....proxy12"

So I came up with this from a combination of Jaymer's reply, and looking up the actual Tomcat manual online, and if I recall there's a post on stackoverflow about it as well.