Getting Tomcat to use the X-Forwarded-For header
kwessel at illinois.edu
Fri Jul 3 02:27:18 UTC 2020
I've been operating our IdP behind load balancers that are kind enough to pass through the client's IP address as the source address instead of in the X-Forwarded-For header. As we begin a move to AWS with the Trusted Access Platform containers and an Amazon ALB, I now need to take an extra step to get Tomcat to use the X-Forwarded-For IP instead of the client IP (which is that of the ALB instead of the originating client). This is partly for logging of client IPs, but also for the access control facility.
I've tried adding this to the <host> block of Tomcat's server.xml with no change in behavior:
<Valve className="org.apache.catalina.valves.RemoteIpValve" />
The IP that appears in the IdP logs is still that of the ALB.
Has anyone on this list found a way to get the originating client's IP instead of that of the load balancer inside the IdP when running Tomcat?
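The fragment below is an added illustration of a complete RemoteIpValve setup, not the poster's configuration and not something taken from the Trusted Access Platform images. RemoteIpValve only rewrites the remote address when the immediate peer (here an ALB node) matches the internalProxies regular expression, so that pattern must cover the VPC subnets the ALB is deployed in; the 10.0.0.0/8 value used here is an assumption and has to be replaced with the real subnet ranges. The valve then walks X-Forwarded-For from the right, discarding addresses that match internalProxies or trustedProxies, and reports the first address it does not trust as the client, which is what keeps a client-supplied X-Forwarded-For from spoofing an IP-based access control rule. The AccessLogValve needs requestAttributesEnabled="true" before %a reflects the rewritten address.

```xml
<!-- Added example, not the original post's server.xml. Goes inside <Engine> (or <Host>). -->
<Engine name="Catalina" defaultHost="localhost">

  <!-- Place this valve first so everything later in the pipeline sees the rewritten address.
       internalProxies: regex of the ALB's own addresses. The 10.x.x.x value is an ASSUMPTION;
       substitute the CIDR ranges of the subnets the ALB actually lives in. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
         remoteIpHeader="x-forwarded-for"
         proxiesHeader="x-forwarded-by"
         protocolHeader="x-forwarded-proto"
         protocolHeaderHttpsValue="https"
         httpsServerPort="443" />

  <!-- requestAttributesEnabled makes %a use the address RemoteIpValve derived instead of the
       ALB's address. %{X-Forwarded-For}i is logged alongside it for cross-checking. -->
  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="localhost_access_log" suffix=".txt"
         requestAttributesEnabled="true"
         pattern="%a %{X-Forwarded-For}i %l %u %t &quot;%r&quot; %s %b" />

  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false" />
</Engine>
```

A quick way to verify the valve is taking effect is to compare the two address fields in the access log: when the valve matches, %a shows the originating client while %{X-Forwarded-For}i still shows the raw header; when they differ only because %a is the ALB address, the peer did not match internalProxies and the pattern needs adjusting. The protocolHeader settings are not required for the address rewrite but keep request.isSecure() and redirect URLs correct when the ALB terminates TLS.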