2

I have a Grails App and I am looking to lock it down by IP so that only a number of IP ranges can access the application. I have used the Spring Security command within Config to achieve this:

grails.plugins.springsecurity.ipRestrictions

Then when running the App in the cloud (Jelastic), even though I am on one of the IPs I listed, it doesn't let me access the areas I want. I then put some code in the app, shown below, to pull back the address of the Client, and it shows the address of maybe the cloud proxy server instead of the Client using the App:

request.getRemoteAddr()

I think that it won't let me access the areas I want as it's reading my IP as the IP of the cloud proxy. I have also tried running the commands below to see if any of them return my actual IP; however, they were all null :S

request.getHeader("X-Forwarded-For");  

request.getHeader("Proxy-Client-IP");  

request.getHeader("WL-Proxy-Client-IP") 

request.getHeader("HTTP_CLIENT_IP")

request.getHeader("HTTP_X_FORWARDED_FOR")

I just need to know if there is some way of restricting this application down in the cloud by Client IP instead of it using the IP of the Cloud Proxy? Thanks in advance

rdmueller
user723858

4 Answers

4

All requests to Jelastic instances come through the infrastructure's global Resolver.

So, you are right, request.getRemoteAddr() returns the IP of the Resolver, and it's not recognized by your allowed list.

The workaround for this is purchasing an external IP for your app server in Jelastic. In this case all requests will come directly to your instance.

I also recommend you get on board the dedicated Jelastic Community in order to share your experience and get help from others.

TheBlackBenzKid
0

Have you configured an nginx instance in front of your Tomcat? I am not sure if there are any Jelastic specifics, but you have to configure nginx so that it passes the IP to the proxied service, see http://wiki.nginx.org/HttpRealIpModule

You could e.g. set a custom header, if you don't want to overwrite the defaults:

proxy_set_header X-Real-IP $remote_addr;
Nicholas
0

Have you tried dumping the headers you actually get in your app?

On Cloudfoundry.com I can see that I get 'x-forwarded-for'

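class HeaderController {

    // Diagnostic action: prints every request header the app actually receives
    def headerTest = {
        // headerNames is an Enumeration; collect it into a List first
        def headerNames = request.headerNames.collect { it }

        headerNames.each {
            render "$it : ${request.getHeader(it)}\n"
        }

        // Direct peer address versus the address reported by the proxy
        render "Remote addr : ${request.getRemoteAddr()}\n"
        render "Forward addr : ${request.getHeader('x-forwarded-for')}\n"
    }
}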
anders.norgaard
0

In Jelastic cloud 'x-forwarded-for' displays your IP as well.

As a follow-up I suggest you check the related topic on the Jelastic Community.

So supposedly you'd have to set your IP restriction config in a way that it checks the value of 'x-forwarded-for'.
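
The check the answers point towards, as an added example that is not part of any answer above or of the Spring Security plugin: plain Groovy that takes the client address from 'x-forwarded-for' only when the direct peer is a known proxy, then applies the allow-list. The function names and all addresses are constructed for illustration; it assumes IPv4 and that each proxy appends the address of its peer to the right of the header.

```groovy
// Added example: allow-list by client IP behind a proxy. All names/addresses are hypothetical.

// Convert a dotted IPv4 string to a number; anything malformed (or IPv6) is rejected.
long ipToLong(String ip) {
    def parts = ip.tokenize('.')
    if (parts.size() != 4 || parts.any { !it.isInteger() || it.toInteger() < 0 || it.toInteger() > 255 }) {
        throw new IllegalArgumentException("not an IPv4 address: ${ip}")
    }
    return parts.inject(0L) { acc, p -> (acc << 8) | p.toLong() }
}

// True when `ip` falls inside the CIDR block `cidr`, e.g. 203.0.113.0/24.
boolean inCidr(String ip, String cidr) {
    def (base, bits) = cidr.tokenize('/')
    int prefix = bits.toInteger()
    long mask = prefix == 0 ? 0L : ((0xFFFFFFFFL << (32 - prefix)) & 0xFFFFFFFFL)
    return (ipToLong(ip) & mask) == (ipToLong(base) & mask)
}

// The header is client-supplied, so it is honoured only when the TCP peer is our own proxy.
// Entries are read right to left: the first hop that is not a trusted proxy is the client.
String resolveClientIp(String remoteAddr, String xff, List<String> trustedProxies) {
    if (!(remoteAddr in trustedProxies) || !xff) return remoteAddr
    def hops = xff.split(',')*.trim().findAll { it }
    def client = hops.reverse().find { !(it in trustedProxies) }
    return client ?: remoteAddr
}

// Fail closed: an unparsable address is treated as not allowed.
boolean isAllowed(String remoteAddr, String xff, List<String> trustedProxies, List<String> allowed) {
    String client = resolveClientIp(remoteAddr, xff, trustedProxies)
    try {
        return allowed.any { inCidr(client, it) }
    } catch (IllegalArgumentException ignored) {
        return false
    }
}

// Constructed sample data (documentation address ranges).
def proxies = ['10.0.0.5']
def allowed = ['203.0.113.0/24']

assert isAllowed('10.0.0.5', '203.0.113.9', proxies, allowed)                 // real client via proxy
assert !isAllowed('198.51.100.7', '203.0.113.9', proxies, allowed)            // header sent directly, ignored
assert !isAllowed('10.0.0.5', '203.0.113.9, 198.51.100.7', proxies, allowed)  // forged left entry, real peer on the right
assert !isAllowed('10.0.0.5', null, proxies, allowed)                         // no header: only the proxy IP is known
```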