Closed utdream closed 6 years ago
Igal suggested this config:
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https" />
Would this be Apache specific? If so, assuming we use mod_proxy_http everywhere and reverse proxy mode, then this could be possible (this is the only time I know that mod_proxy will populate those headers). However, we need to be sure to take the left-most non-public address as the client address since the web-server could be a few levels deep in the routing infrastructure. As far as I understand, the RemoteIpValve would need more input in scenarios where load balancers or other proxies are used in between, e.g. internalProxies="192.168.0.10|192.168.0.11" and/or trustedProxies="proxy1|proxy2"
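An added illustration (not from the thread and not Tomcat's source): a simplified Python model of how a RemoteIpValve-style filter uses internalProxies and trustedProxies when it reads X-Forwarded-For. The function name, the trusted-proxy address and the sample headers are constructed for this example; the internalProxies value is the one quoted above, with the dots escaped so they match literally.

```python
import re

# internalProxies value from the thread (dots escaped); the trusted-proxy
# address is a constructed documentation-range IP, not a value from the page.
INTERNAL_PROXIES = re.compile(r"192\.168\.0\.10|192\.168\.0\.11")
TRUSTED_PROXIES = re.compile(r"203\.0\.113\.7")


def resolve_client(remote_addr, xff_header,
                   internal=INTERNAL_PROXIES, trusted=TRUSTED_PROXIES):
    """Return (client_ip, proxies_traversed, leftover_xff).

    The header is honoured only when the TCP peer is a known proxy. It is then
    read right to left: internal proxies are skipped, trusted proxies are
    recorded, and the first address matching neither becomes the client IP.
    Anything further left was supplied by that client and stays untrusted.
    """
    if not (internal.fullmatch(remote_addr) or trusted.fullmatch(remote_addr)):
        # Direct connection from an unknown peer: ignore the header entirely.
        return remote_addr, [], xff_header

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    client, proxies = None, []
    idx = len(hops) - 1
    while idx >= 0:
        hop = hops[idx]
        idx -= 1
        if internal.fullmatch(hop):
            continue                    # our own infrastructure, not reported
        if trusted.fullmatch(hop):
            proxies.insert(0, hop)      # known proxy, kept for auditing
            continue
        client = hop                    # first hop we cannot vouch for
        break

    leftover = ", ".join(hops[:idx + 1])
    # If every hop was a proxy, fall back to the TCP peer address.
    return (client or remote_addr), proxies, leftover
```

Without the internalProxies/trustedProxies input, the filter has no way to tell which entries in the header were appended by infrastructure and which arrived with the request.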
Yeah, it would just be for Apache installs (currently Linux only). What I was planning on doing was just making a check-box in the installer that would be checked by default to have "remoteIPFilter" installed. The screen would be one of the screens that shows up in the Apache prompts (like the apache config file location, etc), so you would not be prompted if you weren't installing to Apache.
Further, you could opt to NOT install it if you needed a more complex config like the load balancing config you mention. This should offer the basic, expected functionality to the bulk of our Apache users without getting in the way of anything else. Sound reasonable?
out of scope
Considering adding the remote IP filter by default to Tomcat builds in order to correct the issue with 127.0.0.1 being returned in non-AJP environments.
Seeking input on this idea...