Is there a way to configure tomcat server to check for an XFF header and get the real IP address when using a reverse proxy ?
I did notice that all my logins were coming from the same IP address (using Login Notifications & Failed Login Notifications), which didn't bother me for now, but then when I accidentally mistyped my password 3 times, it locked the system... but not just for me.. for anyone using the proper URL which runs through a reverse proxy.
I could still log in if I remote to the server, or any other PC on the server's LAN, but anything coming from the reverse proxy gets a message from awareIM that the System is Locked.... and then after the set time it all works again of course.
So it could be a real problem if AwareIM is not getting the Forwarded IP address from tomcat, and then a few failed logins (because someone forgot to put their glasses on) the entire system is in lock-down for new logins.
Does anyone have a tweak for the server to overcome this ?
Thanks
G
How do we get Forwarded IP when using Reverse Proxy
V8.8 / Windows / MySQL
Re: How do we get Forwarded IP when using Reverse Proxy
Caddy has a directive to forward the original IP.
Related to this:
https://developer.mozilla.org/en-US/doc ... /Forwarded
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.
Jaymer
Aware Programming & Consulting - Tampa FL
Re: How do we get Forwarded IP when using Reverse Proxy
I'm not using caddy. I looked into setting up the reverse proxy myself using caddy or nginx but until I get my head around those, I'm using a 3rd party : Sucuri. Which seems to do the job for now.
Their docs say the original IP is forwarded in the XFF header, and they give a heap of options for configuring your server... but not Tomcat.
One example which looks like it replaces the remote address... as follows..
if(isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']))
{
$_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
}
But where would I put that ?
V8.8 / Windows / MySQL
Re: How do we get Forwarded IP when using Reverse Proxy
here's what I have in my server.xml:
Code:
<Host name="glcm.appssrvr.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" />
<!-- quotes inside an XML attribute value have to be written as &quot; -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="glcm_access_log" suffix=".txt"
pattern="%{x-forwarded-for}i %l %u %t &quot;%r&quot; %s %b" />
<Context path="" docBase="C:\AwareIM\Tomcat\webapps\glcm" debug="0" reloadable="true"/>
</Host>
Jaymer
Aware Programming & Consulting - Tampa FL
Re: How do we get Forwarded IP when using Reverse Proxy
Thanks Jaymer. Sorry for the extremely delayed response. I only work on this part time.
So basically... the RemoteIPValve tells the server that if the Remote IP is one of the IP's you've listed, then it will look for and use the Forwarded IP address.
So if anyone is interested.. this is what worked for me... in server.xml (IP addresses have been changed)
Code:
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" >
<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="123.456.789.876|456.789.012.345" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" trustedProxies="proxy1|proxy2" />
<!-- quotes inside an XML attribute value have to be written as &quot; -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="awareim_access_log" suffix=".txt"
pattern="%{x-forwarded-for}i %l %u %t &quot;%r&quot; %s %b" />
</Host>
----- What we're looking at : -----------------
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" > <<-- No idea what any of this means except 'localhost' needs to be your actual server in my case it is localhost
<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="123.456.789.876|456.789.012.345" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" trustedProxies="proxy1|proxy2" /> <<-- this is the important bit. The addresses are the IP addresses of the Reverse Proxy's firewalls (the IPs that will be accessing your server. If you're using a Reverse Proxy Service (like I am, as opposed to using say NGINX or Caddy), they will give you a list of addresses that you need to let through your own firewall: them's the ones). And then you gotta put that last bit in 'trustedProxies' and basically just "proxy1|proxy2|proxy3... etc etc.
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="awareim_access_log" suffix=".txt" <<-- This is your log. Look at it to see if it's all working or not
pattern="%{x-forwarded-for}i %l %u %t &quot;%r&quot; %s %b" /> <<-- Again... No Idea what any of this means
</Host>
---------------------------------------------------
IP's are separated by: |
The annoying bit was, I can't work out how to specify an IP range, so you have to list every IP. In my case there are 12 IP addresses !!... Which also means I had to specify "proxy1|proxy2|....proxy12"
So I came up with this from a combination of Jaymer's reply, and looking up the actual Tomcat manual online, and if I recall there's a post on stackoverflow about it as well.
V8.8 / Windows / MySQL
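As an added example (not from this thread and not Tomcat's own code), the Python below models the RemoteIpValve rule that both Jaymer's server.xml and the final configuration rely on, and shows why listing the proxy addresses is the security-relevant part: the forwarded header is honoured only when the connection itself arrives from a listed proxy, so a direct connection that presents a forged X-Forwarded-For keeps its real address and cannot be mistaken for a different client. It also goes one step beyond the thread: Tomcat documents internalProxies and trustedProxies as regular expressions, so a block of proxy addresses can be expanded into a pattern by a small helper instead of being typed out one by one (the "annoying bit" above). The addresses are constructed from the RFC 5737 documentation ranges, the header dicts use lowercase names by assumption, and the helper names proxies_regex and resolve_client are this example's own.

```python
import ipaddress
import re

# Constructed sample addresses (RFC 5737 documentation ranges); they stand in for the
# reverse-proxy service's egress IPs and for end users, and are not from the thread.
PROXY_SERVICE_IPS = ["203.0.113.10", "203.0.113.11"]


def proxies_regex(entries, max_hosts=1024):
    """Build a value for Tomcat's internalProxies / trustedProxies attributes.

    Both attributes are java.util.regex patterns, so a CIDR block can be expanded into
    '|'-separated, dot-escaped alternatives instead of being listed by hand. The size
    cap refuses an over-broad block (say a /8) that would trust far too many peers.
    """
    alternatives = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > max_hosts:
            raise ValueError(f"{entry} covers {net.num_addresses} addresses; refusing to trust that many")
        alternatives.extend(re.escape(str(ip)) for ip in net)
    return "|".join(alternatives)


def resolve_client(remote_addr, headers, internal_proxies, trusted_proxies=None,
                   remote_ip_header="x-forwarded-for", proxies_header="x-forwarded-by"):
    """Simplified model of the documented RemoteIpValve behaviour (not Tomcat's code).

    headers: dict keyed by lowercase header name (an assumption of this model).
    Returns the remote address the application will see and the rewritten headers.
    """
    internal = re.compile(internal_proxies) if internal_proxies else None
    trusted = re.compile(trusted_proxies) if trusted_proxies else None

    def is_internal(ip):
        return bool(internal and internal.fullmatch(ip))  # Java's matches() is a full match

    def is_trusted(ip):
        return bool(trusted and trusted.fullmatch(ip))

    # The gate that matters: if the TCP peer is not a listed proxy, the header is
    # left alone and ignored, so a direct connection cannot forge its client address.
    if not (is_internal(remote_addr) or is_trusted(remote_addr)):
        return {"remote_addr": remote_addr, "headers": dict(headers)}

    hops = [h.strip() for h in headers.get(remote_ip_header, "").split(",") if h.strip()]
    client = remote_addr
    forwarded_by = []
    remaining = []
    while hops:
        client = hops.pop()                 # walk right to left: nearest hop first
        if is_internal(client):
            continue                        # internal proxies are dropped from the chain
        if is_trusted(client):
            forwarded_by.insert(0, client)  # trusted proxies are reported in proxiesHeader
            continue
        remaining = hops                    # first unknown hop is the client; the rest stays in XFF
        break

    new_headers = {k: v for k, v in headers.items() if k != remote_ip_header}
    if remaining:
        new_headers[remote_ip_header] = ", ".join(remaining)
    if forwarded_by:
        new_headers[proxies_header] = ", ".join(forwarded_by)
    return {"remote_addr": client, "headers": new_headers}


if __name__ == "__main__":
    internal = proxies_regex(PROXY_SERVICE_IPS)
    print("internalProxies=", internal)
    # 1. Normal path: the proxy service connects and forwards the real user.
    print(resolve_client("203.0.113.10", {"x-forwarded-for": "198.51.100.7"}, internal))
    # 2. Direct connection that bypasses the proxy and carries a forged header: ignored.
    print(resolve_client("198.51.100.7", {"x-forwarded-for": "10.0.0.1"}, internal))
    # 3. Two proxies in a row: the trusted one is recorded, the client is the next hop.
    print(resolve_client("203.0.113.10",
                         {"x-forwarded-for": "192.0.2.9, 192.0.2.20, 198.51.100.50"},
                         internal, trusted_proxies=proxies_regex(["198.51.100.50"])))
```

Running the script prints the three cases; the second one is the check worth keeping in mind when the lockout behaviour from the first post is being investigated, because it is the reason a forwarded header from an unlisted source must never be trusted.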