dotCMS / core

Headless/Hybrid Content Management System for Enterprises
http://dotcms.com

X-Forwarded-For should be used for proxied requests #3687

Closed chrismccracken closed 4 years ago

chrismccracken commented 11 years ago

When dotCMS is run behind a load balancer or other proxy server, the request source IP address only shows the address of the proxy host instead of the real client. Almost all load balancers and proxy servers append an "X-Forwarded-For" HTTP request header that contains the original (real) client IP address, and this should be used in addition to and/or in lieu of the request source address.

Any log files that contain "audit" type data (Ex. dotcms-security.log) should contain both the actual request source address and the address presented via the X-Forwarded-For header. In a proxied server situation, direct un-proxied access is still possible. Additionally, the X-Forwarded-For header could be forged. Audit data should contain both IP addresses for forensic purposes.

Any area that stores the IP address for "convenience" purposes (Ex. backend "Logged-In Users" page) should use the X-Forwarded-For header if it exists, otherwise the request source IP.

Access logs are managed by the pattern set in Tomcat's server.xml; they should be configured in the client's config plugin and are not part of this enhancement request.

jtesser commented 11 years ago

Right, the way to get the logging is with the Tomcat config.

I guess clickstream etc. are places where we can alter where we get the remote IP. We would want to make it configurable though, I think, because some might not want it.

I wonder if we can cheat here by creating a filter, maybe the first one, that wraps the request and/or alters it by setting the remote IP if a property is true.

wezell commented 11 years ago

I guess if we do, we need to be careful, as some clever person can hit a dotCMS install and pass in an incorrect X-Forwarded-For header which we would log instead. Maybe there should just be 2 log messages if X-Forwarded-For != null and X-Forwarded-For != remote_address, one right after the other.
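The filter idea from the previous comment, combined with the forgery concern raised here, as an added illustrative example (not dotCMS code and not part of the original thread). It assumes the javax.servlet API and two hypothetical init-params, "useForwardedFor" (off by default, matching the "default config would NOT be to use it" position) and "trustedProxies" (comma-separated addresses of the load balancers). The header is honoured only when the TCP peer is one of those proxies, the chain is walked from the right so that a value the client itself injected is never picked, and both addresses are written to the audit log as the issue asks.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Illustrative filter (not dotCMS's own code): resolves the client IP from
 * X-Forwarded-For only when the peer is a configured trusted proxy, and records
 * both addresses for auditing. Init-param names are hypothetical.
 */
public class ForwardedForFilter implements Filter {

    private static final Logger AUDIT = Logger.getLogger("security-audit");

    // Hypothetical init-param "trustedProxies": addresses of the load balancers.
    private Set<String> trustedProxies = Collections.emptySet();
    // Hypothetical init-param "useForwardedFor": off unless explicitly enabled.
    private boolean enabled = false;

    @Override
    public void init(FilterConfig config) {
        enabled = Boolean.parseBoolean(config.getInitParameter("useForwardedFor"));
        String list = config.getInitParameter("trustedProxies");
        if (list != null) {
            trustedProxies = new HashSet<>();
            for (String p : list.split(",")) {
                String t = p.trim();
                if (!t.isEmpty()) trustedProxies.add(t);
            }
        }
    }

    /**
     * Walk the X-Forwarded-For chain from the right (the hop nearest us) and skip
     * every trusted proxy. The first untrusted address is the client as far as we
     * can vouch for it. If the peer itself is not a trusted proxy the header is
     * ignored entirely, so a forged value on a direct hit changes nothing.
     */
    static String resolveClientIp(String forwardedFor, String remoteAddr, Set<String> trusted) {
        if (forwardedFor == null || !trusted.contains(remoteAddr)) {
            return remoteAddr;
        }
        String[] hops = forwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !trusted.contains(hop)) {
                return hop;
            }
        }
        // Every hop was a trusted proxy (internal traffic); the peer is the best we have.
        return remoteAddr;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!enabled || !(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest http = (HttpServletRequest) req;
        String remoteAddr = http.getRemoteAddr();
        String forwardedFor = http.getHeader("X-Forwarded-For");
        final String clientIp = resolveClientIp(forwardedFor, remoteAddr, trustedProxies);

        // Audit both addresses whenever they differ; strip CR/LF so a crafted
        // header cannot inject extra lines into the log.
        if (forwardedFor != null && !forwardedFor.equals(remoteAddr)) {
            String safeHeader = forwardedFor.replaceAll("[\\r\\n]", " ");
            AUDIT.info("remoteAddr=" + remoteAddr + " xForwardedFor=\"" + safeHeader
                    + "\" resolvedClientIp=" + clientIp);
        }

        // Downstream code (clickstream, "Logged-In Users", ...) keeps calling
        // getRemoteAddr() and transparently receives the resolved address.
        HttpServletRequest wrapped = new HttpServletRequestWrapper(http) {
            @Override public String getRemoteAddr() { return clientIp; }
        };
        chain.doFilter(wrapped, res);
    }

    @Override
    public void destroy() {}

    // Stand-alone demo on constructed inputs (documentation ranges, not real traffic).
    public static void main(String[] args) {
        Set<String> lbs = new HashSet<>(Arrays.asList("10.0.0.5", "10.0.0.6"));
        // Two proxies in front: rightmost untrusted hop is the client.
        System.out.println(resolveClientIp("203.0.113.7, 10.0.0.5", "10.0.0.6", lbs)); // 203.0.113.7
        // Client sent its own forged header; the LB appended the true address after it.
        System.out.println(resolveClientIp("1.2.3.4, 203.0.113.7", "10.0.0.5", lbs));  // 203.0.113.7
        // Direct, un-proxied hit with a forged header: peer is untrusted, header ignored.
        System.out.println(resolveClientIp("1.2.3.4", "198.51.100.9", lbs));            // 198.51.100.9
    }
}
```

Registered first in web.xml so every later filter and servlet sees the wrapped request. Tomcat's own RemoteIpValve (used in the next comment) draws the same trust boundary through its internalProxies and trustedProxies attributes; leaving them at the defaults means only RFC 1918 and loopback peers are believed, so a valve in front of a load balancer with a public address needs those set explicitly.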

signed8bit commented 11 years ago

I've configured getting at the originating client IP via the existing Tomcat RemoteIpValve. From my ROOT.xml

<!-- Support carrying over information about the origin request through a load balancer -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
    remoteIpHeader="x-forwarded-for"
    proxiesHeader="x-forwarded-by"
    protocolHeader="x-forwarded-proto" />

jtesser commented 11 years ago

Yes I have done it using the custom header logging also.

jtesser commented 11 years ago

@wezell I think in your case it wouldn't matter as it is expected in this scenario that public traffic comes through the LB. The default config would NOT be to use it.

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had activity within the past 90 days. It will be closed in 30 days if no further activity occurs. Thank you.