I am using Linode NodeBalancers to load balance my 2 Tomcat servers (to serve HTTPS requests). One of our business requirements is to be able to capture the client IP for fingerprinting and other purposes.

However, I can't seem to get the NodeBalancers to pass the client IP via X-Forwarded-For; Linode support also has no idea how to do so in the Tomcat configuration.

Here's a portion of my Tomcat configuration (server.xml):

<!-- HTTPS connector: Tomcat terminates TLS itself on this port. -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="myKeyStore"
           keystorePass="myKeyStorePassword"
           compression="on"
           compressableMimeType="text/html,text/xml,text/css,text/javascript"
           compressionMinSize="1024"
           maxPostSize="5097152"
           clientAuth="false" sslProtocol="TLS" />

<!-- RemoteIpValve: a Valve is a child of <Engine>, <Host> or <Context>, not of
     <Connector>. It rewrites request.getRemoteAddr() from X-Forwarded-For and
     the scheme/secure flags from X-Forwarded-Proto, but only for requests whose
     peer address matches its internalProxies/trustedProxies lists. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="x-forwarded-for"
       protocolHeader="x-forwarded-proto"
       protocolHeaderHttpsValue="https" />
James Khoo
  • Can you paste the HTTP headers that the NodeBalancer passes on to Tomcat? You can use "sudo tcpdump -vvvs 0 -l -A -i " to get the headers. – Kannan Mohan Mar 27 '14 at 14:29

1 Answer

Looks like your header configuration is fine; however, there are three things to watch for:

  • The trustedProxies attribute needs to trust the load balancers. By default, this includes all private addresses except those in the 172.16/12 range.
  • If you're using the Tomcat access log valve, make sure you're using requestAttributesEnabled on the valve. The logging is asynchronous, and the RemoteIpValve will reset the original values when control returns to it; however, the request attributes don't change.
  • If you're offloading HTTPS, be aware that redirects from foo to foo/ occur in the connector, before the valve can do its thing. You might find you need to set scheme and proxyPort on the connector too; otherwise you could get wonky locations in 302s.

The valve documentation is pretty good, but all three of these have caught me by surprise recently (docs here: http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html).

Danny Thomas
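The first bullet of the answer is the one with security consequences: RemoteIpValve only believes X-Forwarded-For when the peer address matches its internalProxies/trustedProxies regexes, and it resolves the header right-to-left so that a client cannot pick its own address by prepending a value. The following is an added example, not code from the question, the answer, or Tomcat itself: a Python model of the documented RemoteIpValve resolution algorithm. The regexes, header names and all addresses (TEST-NET ranges 203.0.113.x, 198.51.100.x, 192.0.2.x, a balancer at 172.16.5.9) are constructed for the example; the first regex deliberately omits 172.16.0.0/12 to reproduce the situation the answer describes.

```python
"""Model of Tomcat's RemoteIpValve resolution logic (example code, not Tomcat's own).

Demonstrates why internalProxies/trustedProxies decide whether X-Forwarded-For is
believed, and why a client cannot spoof its address by supplying its own header.
"""
import re
from dataclasses import dataclass, field

# Constructed trust lists for the example. They have the shape of the Tomcat
# attributes (Java regexes matched against the whole address) but are NOT the
# shipped defaults. The first one deliberately omits 172.16.0.0/12.
INTERNAL_WITHOUT_172 = re.compile(
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
)
INTERNAL_WITH_172 = re.compile(
    INTERNAL_WITHOUT_172.pattern + r"|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
)
MATCH_NOTHING = re.compile(r"(?!x)x")  # stands in for an unset trustedProxies


@dataclass
class Request:
    """The request fields the valve reads and rewrites (header names lower-case)."""
    remote_addr: str
    headers: dict = field(default_factory=dict)
    scheme: str = "http"
    secure: bool = False
    server_port: int = 80


def apply_remote_ip_valve(req, internal, trusted=MATCH_NOTHING,
                          remote_ip_header="x-forwarded-for",
                          proxies_header="x-forwarded-by",
                          protocol_header="x-forwarded-proto",
                          https_value="https", http_port=80, https_port=443):
    """Rewrite req in place following the documented RemoteIpValve algorithm."""
    if not (internal.fullmatch(req.remote_addr) or trusted.fullmatch(req.remote_addr)):
        return req  # peer is not a known proxy: every forwarding header is ignored

    hops = [h.strip() for h in req.headers.get(remote_ip_header, "").split(",") if h.strip()]
    proxies = []
    client = None
    while hops:
        hop = hops.pop()  # right-to-left: the rightmost hop is the one our peer saw
        client = hop      # leftmost value wins if every hop is internal/trusted
        if internal.fullmatch(hop):
            continue      # swallowed, not recorded anywhere
        if trusted.fullmatch(hop):
            proxies.insert(0, hop)  # recorded in the proxies header
            continue
        break             # first address we do not trust is the client

    if client is not None:
        req.remote_addr = client
        if hops:
            req.headers[remote_ip_header] = ", ".join(hops)  # whatever was left of the client
        else:
            req.headers.pop(remote_ip_header, None)
    if proxies:
        req.headers[proxies_header] = ", ".join(proxies)

    # Protocol header is only honoured inside the trusted branch as well.
    proto = req.headers.get(protocol_header)
    if proto is not None:
        if proto.strip().lower() == https_value:
            req.scheme, req.secure, req.server_port = "https", True, https_port
        else:
            req.scheme, req.secure, req.server_port = "http", False, http_port
    return req


def balancer_case(internal):
    """Balancer at 172.16.5.9 forwards a TLS-offloaded request from 203.0.113.7."""
    req = Request("172.16.5.9", {"x-forwarded-for": "203.0.113.7",
                                 "x-forwarded-proto": "https"})
    return apply_remote_ip_valve(req, internal)


def spoof_direct():
    """Client bypasses the balancer and supplies its own X-Forwarded-For."""
    req = Request("198.51.100.20", {"x-forwarded-for": "203.0.113.99"})
    return apply_remote_ip_valve(req, INTERNAL_WITH_172)


def spoof_through_balancer():
    """Client prepends a fake hop; the balancer appends the address it really saw."""
    req = Request("10.0.0.1", {"x-forwarded-for": "203.0.113.99, 203.0.113.7"})
    return apply_remote_ip_valve(req, INTERNAL_WITH_172)


def trusted_chain():
    """A third-party proxy matching trustedProxies is recorded, not believed."""
    req = Request("10.0.0.1", {"x-forwarded-for": "203.0.113.7, 192.0.2.10"})
    return apply_remote_ip_valve(req, INTERNAL_WITH_172,
                                 trusted=re.compile(r"192\.0\.2\.\d{1,3}"))


if __name__ == "__main__":
    for label, r in [("balancer, 172.16/12 missing", balancer_case(INTERNAL_WITHOUT_172)),
                     ("balancer, 172.16/12 present", balancer_case(INTERNAL_WITH_172)),
                     ("direct spoof", spoof_direct()),
                     ("spoof via balancer", spoof_through_balancer()),
                     ("trusted chain", trusted_chain())]:
        print(f"{label:28} remote_addr={r.remote_addr} scheme={r.scheme} headers={r.headers}")
```

With the regex that lacks 172.16/12 the balancer's request is left untouched: Tomcat sees 172.16.5.9 as the client and plain http as the scheme, which is exactly the symptom in the question. Once the balancer's range is trusted, the rightmost untrusted hop becomes the client, the spoofed leading value is pushed back into the header rather than believed, and a direct connection with a forged header is ignored outright; if you ever widen internalProxies to match public ranges, that last property is lost.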