6

i have several Tomcat servers, behind a NetScaler load-balancer, which does SSL offloading. i've added the following line to server.xml on all of them:

     <Valve className="org.apache.catalina.valves.RemoteIpValve"
            remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" />

this works in all but 2 (identical) servers. i'm trying to get it to work on those two.

i've sniffed the traffic, and it contains the x-forwarded-proto header, with a value of https, as it should be. the returned result for request.getHeader("x-forwarded-proto") is https. however, request.getScheme() returns http and request.isSecure() returns false.

how can i get the remoteIpValve working?

thanks.

boazg
  • 61
  • 1
  • 2

1 Answers1

7

What's the remote IP of the load balancer?

The IP address of the connecting device (the load balancer, in this case) must be in the internalProxies configuration, otherwise the translations to the remote address, scheme, port, and request security are not applied.

By default, localhost and most of the RFC1918 ranges are allowed (except 172.16/12). If your proxy's IP when connecting to the tomcat server is not in one of those ranges, you'll need to configure the internalProxies setting to allow your load balancer.

Shane Madden
  • 114,520
  • 13
  • 181
  • 251
  • The clarification on the `172.16/12` IP range not being included in the regex was extremely helpful. That tidbit is buried in the tomcat docs. – stevevls Nov 16 '16 at 17:53