Getting Tomcat to use the X-Forwarded-For header
Brian Moon
bmoon at scu.edu
Fri Jul 3 03:44:04 UTC 2020
Hello Keith,
We are in the midst of migrating to GCP ourselves, so I had to deal with
this just last week. Below is how we've configured the RemoteIpValve:
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="130\.211\.[0-3]\.\d{1,3}|35\.191\.\d{1,3}\.\d{1,3}|34\.9[6-9]\.\d{1,3}\.\d{1,3}"
       remoteIpHeader="X-Forwarded-For"
       remoteIpProxiesHeader="X-Forwarded-By"
       protocolHeader="X-Forwarded-Proto" />
All of the internal proxies listed there are GCP specific, so you will need
to update that list with the internal proxies for the AWS ALB.
More information about configuring that valve can be found here:
https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
Cheers!
Brian Moon
Senior System Administrator, Enterprise Systems
Santa Clara University
On Thu, Jul 2, 2020 at 7:27 PM Wessel, Keith <kwessel at illinois.edu> wrote:
> All,
>
> I've been operating our IdP behind load balancers that are kind enough to
> pass through the client's IP address as the source address instead of in
> the X-Forwarded-For header. As we begin a move to AWS with the Trusted
> Access Platform containers and an Amazon ALB, I now need to take an extra
> step to get Tomcat to use the X-Forwarded-For IP instead of the client IP
> (which is that of the ALB instead of the originating client). This is
> partly for logging of client IPs, but also for the access control facility.
>
> I've tried adding this to the <host> block of Tomcat's server.xml with no
> change in behavior:
>
> <Valve className="org.apache.catalina.valves.RemoteIpValve" />
>
> The IP that appears in the IdP logs is still that of the ALB.
>
> Has anyone on this list found a way to get the originating client's IP
> instead of that of the load balancer inside the IdP when running Tomcat?
>
> Thanks,
> Keith
>
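The reason the bare `<Valve className="org.apache.catalina.valves.RemoteIpValve" />` from the original question is not enough, and why Brian's `internalProxies` list is the important part, is that the valve only honours `X-Forwarded-For` when the TCP peer itself matches `internalProxies`; otherwise any client could forge the header and defeat the IdP's IP-based access control. The following Python is an added illustration written for this archive page (it is not code from either message, nor from Tomcat itself). It re-implements the RemoteIpValve resolution rules as documented for Tomcat 8 and uses the GCP `internalProxies` pattern from Brian's reply; the `trusted_proxies` argument stands in for the valve's `trustedProxies` attribute, and the original scheme/port of the connection (http/80, https/443) are assumed defaults.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# internalProxies pattern copied from the RemoteIpValve config in the reply above (GCP ranges).
GCP_INTERNAL_PROXIES = (
    r"130\.211\.[0-3]\.\d{1,3}|35\.191\.\d{1,3}\.\d{1,3}|34\.9[6-9]\.\d{1,3}\.\d{1,3}"
)


@dataclass
class Resolved:
    remote_addr: str                 # what request.getRemoteAddr() will report
    forwarded_for: Optional[str]     # X-Forwarded-For as the application sees it afterwards
    forwarded_by: Optional[str]      # X-Forwarded-By: trusted proxies traversed
    scheme: str
    secure: bool
    server_port: int


def _split(header: Optional[str]) -> List[str]:
    """Comma-delimited header value -> trimmed, non-empty items (left to right)."""
    if not header:
        return []
    return [v.strip() for v in header.split(",") if v.strip()]


def resolve(remote_addr: str, xff: Optional[str] = None, xfp: Optional[str] = None,
            internal_proxies: str = GCP_INTERNAL_PROXIES,
            trusted_proxies: Optional[str] = None) -> Resolved:
    """Python port (assumption: approximates Tomcat's RemoteIpValve.invoke) of the
    documented algorithm. Java's Matcher.matches() is a full match, hence re.fullmatch."""
    internal = re.compile(internal_proxies)
    trusted = re.compile(trusted_proxies) if trusted_proxies else None
    scheme, secure, port = "http", False, 80   # assumed original connection attributes

    # Step 1: the header is only trusted when the socket peer is a listed internal proxy.
    # Any other peer keeps its real address, so a forged X-Forwarded-For from the
    # internet is simply ignored.
    if not internal.fullmatch(remote_addr):
        return Resolved(remote_addr, xff, None, scheme, secure, port)

    values = _split(xff)
    remote_ip: Optional[str] = None
    proxies: List[str] = []

    # Step 2: walk X-Forwarded-For right to left (nearest proxy first). Internal proxies
    # are dropped, trusted proxies are recorded in X-Forwarded-By, and the first address
    # that is neither is the client. Anything left of it is untrusted and just kept.
    idx = len(values) - 1
    while idx >= 0:
        cur = values[idx]
        remote_ip = cur
        if internal.fullmatch(cur):
            pass
        elif trusted and trusted.fullmatch(cur):
            proxies.insert(0, cur)
        else:
            idx -= 1          # mirrors Tomcat: step past the client address before break
            break
        idx -= 1
    remaining = values[: idx + 1]

    # Step 3: X-Forwarded-Proto from a trusted peer decides scheme/secure/port.
    if xfp is not None:
        secure = xfp.strip().lower() == "https"
        scheme = "https" if secure else "http"
        port = 443 if secure else 80

    # If the header was empty, Tomcat leaves the remote address untouched.
    return Resolved(
        remote_addr=remote_ip if remote_ip is not None else remote_addr,
        forwarded_for=",".join(remaining) or None,
        forwarded_by=",".join(proxies) or None,
        scheme=scheme, secure=secure, server_port=port,
    )


if __name__ == "__main__":
    # Constructed sample requests (documentation-range addresses, not real traffic).
    print(resolve("130.211.1.5", "203.0.113.7", "https"))                 # via GCP LB: client seen
    print(resolve("10.0.0.1", "203.0.113.7"))                             # peer not listed: header ignored
    print(resolve("130.211.1.5", "198.51.100.9, 203.0.113.7"))            # forged left-hand value kept, not used
    print(resolve("130.211.1.5", "203.0.113.7, 198.51.100.200",
                  trusted_proxies=r"198\.51\.100\.\d{1,3}"))               # trusted hop lands in X-Forwarded-By
```

The third sample is the one worth remembering when tuning the regex for an AWS ALB: the client can prepend whatever it likes to `X-Forwarded-For`, but the valve takes the rightmost address that is not one of your proxies, which is the address the load balancer itself appended. Listing a range that is too wide (or a range clients can occupy) in `internalProxies` is what turns that header into a spoofing vector.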