showing Client Real IP address at Manager-> server status page

Njnamrata Shah
Greenhorn

Joined: Oct 01, 2012
Posts: 8
Hi there,

I am using nginx with Tomcat, serving requests.
I wanted to log the real client IP address in the Tomcat log instead of the IP of the machine where nginx is configured.
I have done this by setting the X-Real-IP and X-Forwarded-For headers in nginx and by using RemoteIpValve in Tomcat.
It works fine and shows me the real client IP address in the logs.

Query:
I need the real IP address to be shown at Tomcat --> server status, under the section listing the requests being served along with their different stage values.
At this place, I'm getting the IP address of the machine where nginx is configured.
Instead, I need the real client IP address to be shown.


Any help will be appreciated.

Thanks,
Namrata Shah


Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16303

Welcome to the JavaRanch, Namrata!

Which one of my "real" IP addresses do you want to receive? The one that my machine lives at on the LAN? The one that all machines making requests that are routed via my high-speed link present? Or the one that all machines making requests via my low-speed business link show up under?

IP addresses are not trustworthy user identifiers. They're not even all that dependable as geographic locators. The service that the JavaRanch uses says I live 20 miles nearer the ocean than I actually do.


Customer surveys are for companies who didn't pay proper attention to begin with.
Njnamrata Shah
Greenhorn

Joined: Oct 01, 2012
Posts: 8
Hi Tim,

Thanks for replying.
I know IP addresses are not that trustworthy, but it's a requirement to have it at my place.

Below is the example explaining what I'm really looking for:
user ---> send request to ---> my server

user(ip:102.x.x.x) ------------> nginx (ip: 159.x.x.x) -----> tomcat

Tomcat server status (displaying serving requests) should display 102.x.x.x as the client IP. Currently it's showing 159.x.x.x.

Hope this could help you to get what I meant.

Thanks,
Namrata Shah
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16303

When people demand unrealistic things where I work, I consider it a requirement to keep an up-to-date CV.

My "real" IP address is (currently) 192.168.10.6. So is the IP address of countless thousands - perhaps millions of other people across the planet, because it's in one of the designated Private IP address groups which, unlike the public addresses are not required to be unique. I may or may not have that same IP address tomorrow, since it was dynamically assigned to me via DHCP.

The address that an external server such as yours would see is usually 216.199.14.19. That is also the address that comes in for every other laptop, desktop, tablet, webcam (when available) and WiFi cell phone user in the mousetech.com domain. In other words, as a unique userID, it's worse than useless, just like the DHCP-assigned IP address is.

In the case where the client has a unique (public) IP address, but it's being obscured by an intermediary (proxy) mechanism, the only way you're going to be able to obtain the original address is if the proxy co-operates and adds it as a special information packet with that info in it. A lot of such proxies are designed to do the exact opposite in order to make their end-users more anonymous, not less so.

Njnamrata Shah
Greenhorn

Joined: Oct 01, 2012
Posts: 8
Hi Tim,

I have confirmed at my workplace all the points we discussed and found that this is being implemented for the intranet only.
Our actual interest is in getting the real IP of the requesting LAN user.

So now, how can I achieve this:
user(ip:192.168.0.32) ------------> nginx (ip: 192.168.0.33) -----> tomcat

The Tomcat server status (displaying serving requests with the stage information)
should display 192.168.0.32 as the client IP whose request is being served by Tomcat. (Currently the client IP is showing 192.168.0.33.)

Thanks,

Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16303

As I said, without co-operation, you cannot know the original IP address of the client once it has passed through an intermediary unless that intermediary wishes to be helpful about it.

Apache's mod_proxy component, operating in reverse proxy mode, adds a set of headers to the HTTP request stream (in other words, it's being helpful about it). The one with the proxy's remote client IP address is "X-Forwarded-For". If you make the Tomcat webapp dump incoming HTTP Request headers, look for it (or something similar), as nginx considers itself comparable to Apache as a reverse proxy.

The "forwarded-for" IP address isn't guaranteed to be one of the true IP addresses of the client system, since other factors can be involved. For example, a VM guest's IP address is likely to get translated into the containing host's IP address. However, it's about the closest you can get.

When using client IP addresses, bear in mind that the whole deal is far too touchy to be the primary security mechanism for any application. Knowing a source IP can be useful for auditing purposes, but not for actual protection. Then again, I've ranted repeatedly (and will again) on the unreliability of security systems designed by "clever people" when there are ready-made systems designed by full-time security professionals available, including one that's built right into Tomcat, whether you use it or not.
Njnamrata Shah
Greenhorn

Joined: Oct 01, 2012
Posts: 8
Hi,

I have done it by editing the classes of StatusManager residing in the catalina.jar file.

Thanks,
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16303

If you did this to look at proxy headers, that was probably not a good idea. Now you're going to have to build a custom Tomcat for every new Tomcat release.

A cleaner way would have been to create a Valve, put it in its own jar in TOMCAT_HOME/lib, and set up the server.xml file to wire it into the request process.
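
The X-Forwarded-For handling discussed in this thread, as an added example that is not part of any post and is not Tomcat's own code: a stand-alone Java class that accepts the header only from a trusted proxy and reads it right to left, so entries supplied by the client itself are never used. The class name `ForwardedForResolver`, the sample addresses 10.9.9.9 and 192.168.0.50, and the assumption that nginx appends the connecting peer's address to the header are illustrative; 192.168.0.32 and 192.168.0.33 are the client and nginx addresses from the thread.

```java
import java.util.Set;
import java.util.regex.Pattern;

public class ForwardedForResolver {
    // Character whitelist for IPv4/IPv6 literals (not full validation): keeps
    // arbitrary header text out of logs and status pages.
    private static final Pattern IP_CHARS = Pattern.compile("[0-9A-Fa-f:.]{2,45}");

    private final Set<String> trustedProxies;

    public ForwardedForResolver(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /** peerAddr: address of the TCP peer; xff: raw X-Forwarded-For value or null. */
    public String resolve(String peerAddr, String xff) {
        // Only a trusted proxy may vouch for a client; otherwise ignore the header.
        if (xff == null || !trustedProxies.contains(peerAddr)) {
            return peerAddr;
        }
        String[] hops = xff.split(",");
        // Walk right to left: the rightmost entries were appended closest to us.
        // The first hop that is not a trusted proxy is the client our proxy saw;
        // everything to its left came from the client and is unverified.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (hop.isEmpty() || trustedProxies.contains(hop)) {
                continue;
            }
            return IP_CHARS.matcher(hop).matches() ? hop : peerAddr;
        }
        return peerAddr; // header named only trusted proxies
    }

    public static void main(String[] args) {
        // Assumption: nginx at 192.168.0.33 (from the thread) is the only trusted proxy.
        ForwardedForResolver r = new ForwardedForResolver(Set.of("192.168.0.33"));
        // Constructed samples: {peer address, X-Forwarded-For header}
        String[][] samples = {
            {"192.168.0.33", "192.168.0.32"},           // normal request via nginx
            {"192.168.0.33", "10.9.9.9, 192.168.0.32"}, // client sent its own header first
            {"192.168.0.50", "192.168.0.32"},           // peer is not nginx: header ignored
            {"192.168.0.33", "<b>x</b>"},               // non-address text: fall back to peer
            {"192.168.0.33", null},                     // no header at all
        };
        for (String[] s : samples) {
            System.out.println(s[0] + " | " + s[1] + " -> " + r.resolve(s[0], s[1]));
        }
    }
}
```

In Tomcat's RemoteIpValve, the `internalProxies` attribute plays the role of the trusted set used here.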
 