How do we get Forwarded IP when using Reverse Proxy

gernotlg
Posts: 80
Joined: Fri Aug 27, 2021 1:24 am

How do we get Forwarded IP when using Reverse Proxy

Post by gernotlg »

Is there way to configure tomcat server to check for an XFF header and get the real IP address when using a reverse proxy ?

I did notice that all my logins were coming from the same IP address (using Login Notifications & Failed Login Notifications), which didn't bother me for now, but then when I accidentally mistyped my password 3 times, it locked the system... but not just for me.. for anyone using the proper URL which runs through a reverse proxy.

I could still log in if I remote to the server, or any other PC on the server's LAN, but anything coming from the reverse proxy gets a message from awareIM that the System is Locked.... and then after the set time it all works again of course.

So it could be a real problem if AwareIM is not getting the Forwarded IP address from tomcat: after a few failed logins (because someone forgot to put their glasses on) the entire system is in lock-down for new logins.

Does anyone have a tweak for the server to overcome this ?

Thanks
G
V8.8 / Windows / MySQL
Jaymer
Posts: 2430
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL

Re: How do we get Forwarded IP when using Reverse Proxy

Post by Jaymer »

Caddy has a directive to forward the original IP.

Related to this:
https://developer.mozilla.org/en-US/doc ... /Forwarded
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
gernotlg
Posts: 80
Joined: Fri Aug 27, 2021 1:24 am

Re: How do we get Forwarded IP when using Reverse Proxy

Post by gernotlg »

I'm not using caddy. I looked into setting up the reverse proxy myself using caddy or nginx but until I get my head around those, I'm using a 3rd party: Sucuri, which seems to do the job for now.

Their docs say the original IP is forwarded in the XFF header, and they give a heap of options for configuring your server... but not Tomcat.

One example which looks like it replaces the remote address... as follows..

<?php
// The PHP snippet from their docs: overwrite the peer address with the
// client IP that the proxy passes in its own header.
if (isset($_SERVER['HTTP_X_SUCURI_CLIENTIP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
}

But where would I put that ?
V8.8 / Windows / MySQL
Jaymer
Posts: 2430
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL

Re: How do we get Forwarded IP when using Reverse Proxy

Post by Jaymer »

here's what I have in my server.xml:

<Host name="glcm.appssrvr.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
	<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" />
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="glcm_access_log" suffix=".txt"
               pattern="%{x-forwarded-for}i %l %u %t &quot;%r&quot; %s %b" />
	<Context path="" docBase="C:\AwareIM\Tomcat\webapps\glcm" debug="0" reloadable="true"/>
</Host>
gernotlg
Posts: 80
Joined: Fri Aug 27, 2021 1:24 am

Re: How do we get Forwarded IP when using Reverse Proxy

Post by gernotlg »

Thanks Jaymer. Sorry for the extremely delayed response. I only work on this part time.

So if anyone is interested.. this is what worked for me... in server.xml (IP addresses have been changed)

<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" >
    <Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="123.456.789.876|456.789.012.345" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" trustedProxies="proxy1|proxy2" />
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="awareim_access_log" suffix=".txt"
               pattern="%{x-forwarded-for}i %l %u %t &quot;%r&quot; %s %b" />
</Host>
So basically... the RemoteIpValve tells the server that if the Remote IP is one of the IPs you've listed, then it will look for and use the Forwarded IP address.

----- What we're looking at : -----------------

<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" > <<-- No idea what any of this means, except 'localhost' needs to be your actual server; in my case it is localhost

<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="123.456.789.876|456.789.012.345" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" trustedProxies="proxy1|proxy2" /> <<-- this is the important bit. The addresses are the IP addresses of the Reverse Proxy's firewalls (the IPs that will be accessing your server. If you're using a Reverse Proxy Service (like I am, as opposed to using say NGINX or Caddy), they will give you a list of addresses that you need to let through your own firewall: them's the ones). And then you gotta put that last bit in 'trustedProxies', basically just "proxy1|proxy2|proxy3"... etc etc.

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="awareim_access_log" suffix=".txt" <<-- This is your log. Look at it to see if it's all working or not
pattern="%{x-forwarded-for}i %l %u %t &quot;%r&quot; %s %b" /> <<-- Again... No Idea what any of this means
</Host>

---------------------------------------------------

IPs are separated by: |

The annoying bit was, I can't work out how to specify an IP range, so you have to list every IP. In my case there are 12 IP addresses!!... which also means I had to specify "proxy1|proxy2|....proxy12"

So I came up with this from a combination of Jaymer's reply, and looking up the actual Tomcat manual online, and if I recall there's a post on stackoverflow about it as well.
V8.8 / Windows / MySQL
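As an added example (not code from this thread or from Tomcat), a small Python model of the decision the RemoteIpValve makes for one request, using constructed RFC 5737 documentation addresses in place of real proxy IPs; it also shows why, without the valve, every failed login arriving through the proxy is counted against the proxy's own address. Tomcat evaluates internalProxies and trustedProxies as Java regular expressions matched against each hop's IP address, which is why `|` separates entries and why a whole address block can be written as one pattern rather than listed address by address.

```python
import re

# Constructed for this example (assumption, not the thread's real addresses).
# Tomcat treats both attributes as regular expressions, so "a|b" is alternation
# and a whole /24 can be one pattern instead of a list of every address.
INTERNAL_PROXIES = re.compile(r"203\.0\.113\.10|203\.0\.113\.11")  # proxy service egress IPs
TRUSTED_PROXIES = re.compile(r"198\.51\.100\.\d{1,3}")             # a whole /24 as one pattern


def resolve_client_ip(remote_addr, xff_header, internal=INTERNAL_PROXIES, trusted=TRUSTED_PROXIES):
    """Model of RemoteIpValve: returns (client_ip, hops reported in proxiesHeader).

    The header is honoured only when the TCP peer itself matches internalProxies,
    so a client connecting directly cannot choose its own address by sending
    X-Forwarded-For. Hops are then walked right to left: internal proxies are
    dropped, trusted proxies are dropped but reported, and the first hop that is
    neither becomes the address the application (and its failed-login counter) sees.
    """
    if not internal.fullmatch(remote_addr):
        return remote_addr, []  # untrusted peer: header ignored entirely
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    client, proxies = remote_addr, []
    for hop in reversed(hops):
        client = hop
        if internal.fullmatch(hop):
            continue
        if trusted.fullmatch(hop):
            proxies.insert(0, hop)
            continue
        break
    return client, proxies


def failed_login_bucket(remote_addr, xff_header, valve_enabled):
    """Address a per-IP failed-login counter would use for this request."""
    return resolve_client_ip(remote_addr, xff_header)[0] if valve_enabled else remote_addr


if __name__ == "__main__":
    # Without the valve every user behind the proxy shares one bucket, which is
    # the thread's symptom: three typos by one person lock everyone out.
    print(failed_login_bucket("203.0.113.10", "192.0.2.44", valve_enabled=False))
    print(failed_login_bucket("203.0.113.10", "192.0.2.44", valve_enabled=True))
```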