We are injecting the x-forwarded-for header in the load balancer, which sends the request to the Apache web server, which in turn proxies (mod_proxy_balancer) the request to the backend Tomcat server.
We are seeing the client IP in the 'x-forwarded-for' header on Apache, but we get '-' in the Tomcat access logs.
We have added the load balancer IP to the internalProxies list on Tomcat.
From https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html it looks like for secure connections (requests coming from internal proxies) the x-forwarded-for becomes NULL and the client IP is assigned to the remote address. Is that correct? Is there a way to keep the client IP in the x-forwarded-for header on Tomcat when using the internal proxy setting?
Thanks
Best Answer
AJP is being used in our case between the web servers and Tomcat servers. Update: I found this answer in the Tomcat documentation, https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html, which is what I think is happening. Specifically:
If the incoming request.getRemoteAddr() matches the valve's list of internal proxies :
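
A simplified Python model of the header processing described in that Javadoc, added here as an illustration and not Tomcat's own code; the addresses and the single-entry `internalProxies` pattern are constructed. It shows why a header holding only the client IP is gone once the valve has run, and that the valve takes the right-most address that is not a known proxy as the client.

```python
import re

def remote_ip_valve(remote_addr, xff, internal_proxies, trusted_proxies=None):
    """Model of RemoteIpValve header processing as its Javadoc describes it.

    Returns (remote_addr, x_forwarded_for, x_forwarded_by) as seen by anything
    that runs after the valve; None means the header is absent or removed.
    """
    internal = re.compile(internal_proxies)
    trusted = re.compile(trusted_proxies) if trusted_proxies else None
    peer_internal = bool(internal.fullmatch(remote_addr))
    peer_trusted = bool(trusted and trusted.fullmatch(remote_addr))
    # A peer that is not a known proxy could have written the header itself,
    # so the valve leaves the request exactly as it arrived.
    if not (peer_internal or peer_trusted):
        return remote_addr, xff, None
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    forwarded_by = [] if peer_internal else [remote_addr]
    remote_ip = None
    idx = len(hops) - 1
    while idx >= 0:                      # right to left: nearest proxy first
        remote_ip = hops[idx]
        idx -= 1
        if internal.fullmatch(remote_ip):
            continue                     # internal proxy: swallowed
        if trusted and trusted.fullmatch(remote_ip):
            forwarded_by.insert(0, remote_ip)
            continue
        break                            # first unknown address is the client
    if remote_ip is None:                # header absent: nothing to rewrite
        return remote_addr, xff, None
    remaining = hops[:idx + 1]           # entries to the left of the client
    return (remote_ip,
            ", ".join(remaining) or None,
            ", ".join(forwarded_by) or None)

# Constructed sample: the load balancer 10.0.0.5 is listed in internalProxies.
INTERNAL = r"10\.0\.0\.5"
if __name__ == "__main__":
    print(remote_ip_valve("10.0.0.5", "203.0.113.7", INTERNAL))
    print(remote_ip_valve("10.0.0.5", "198.51.100.9, 203.0.113.7", INTERNAL))
    print(remote_ip_valve("192.0.2.44", "203.0.113.7", INTERNAL))
```

In the first call the header comes back as `None` and the client IP is in the remote address, which is the situation the question describes.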