showing Client Real IP address at Manager-> server status page

 
Greenhorn
Posts: 8
Hi there,

I am using nginx with Tomcat, serving requests.
I wanted to log the real client IP address in the Tomcat log instead of the IP of the machine where nginx is configured.
I have done this by setting the X-Real-IP and X-Forwarded-For headers in nginx and by using RemoteIpValve in Tomcat.
It works fine and shows me the real client IP address in the logs.

Query:
I need the real IP address to be shown at Tomcat --> server status, in the section listing the requests being served with their different stage values.
At this place, I'm getting the IP address of the machine where nginx is configured.
Instead, I need the real client IP address to be shown.


Any help will be appreciated.

Thanks,
Namrata Shah


 
Saloon Keeper
Posts: 27762
Welcome to the JavaRanch, Namrata!

Which one of my "real" IP addresses do you want to receive? The one that my machine lives at on the LAN? The one that all machines making requests that are routed via my high-speed link present? Or the one that all machines making requests via my low-speed business link show up under?

IP addresses are not trustworthy user identifiers. They're not even all that dependable as geographic locators. The service that the JavaRanch uses says I live 20 miles nearer the ocean than I actually do.
 
Njnamrata Shah
Greenhorn
Posts: 8
Hi Tim,

Thanks for replying.
I know IP addresses are not very trustworthy, but it's a requirement to have it at my place.

Below is the example explaining what I'm really looking for:
user ---> send request to ---> my server

user(ip:102.x.x.x) ------------> nginx (ip: 159.x.x.x) -----> tomcat

Tomcat server status (displaying the requests being served) should display 102.x.x.x as the client IP; currently it's showing 159.x.x.x

Hope this could help you to get what I meant.

Thanks,
Namrata Shah
 
Tim Holloway
Saloon Keeper
Posts: 27762
When people demand unrealistic things where I work, I consider it a requirement to keep an up-to-date CV.

My "real" IP address is (currently) 192.168.10.6. So is the IP address of countless thousands, perhaps millions, of other people across the planet, because it's in one of the designated Private IP address groups which, unlike the public addresses, are not required to be unique. I may or may not have that same IP address tomorrow, since it was dynamically assigned to me via DHCP.

The address that an external server such as yours would see is usually 216.199.14.19. That is also the address that comes in for every other laptop, desktop, tablet, webcam (when available) and WiFi cell phone user in the mousetech.com domain. In other words, as a unique userID, it's worse than useless, just like the DHCP-assigned IP address is.

In the case where the client has a unique (public) IP address, but it's being obscured by an intermediary (proxy) mechanism, the only way you're going to be able to obtain the original address is if the proxy co-operates and adds it as a special information packet with that info in it. A lot of such proxies are designed to do the exact opposite in order to make their end-users more anonymous, not less so.

 
Njnamrata Shah
Greenhorn
Posts: 8
Hi Tim,

I have confirmed at my workplace, going over all the points we discussed, and found that this is being implemented for the intranet only.
Our actual interest is in getting the real IP of the LAN user making the request.

So now,
how can I achieve:
user(ip:192.168.0.32) ------------> nginx (ip: 192.168.0.33) -----> tomcat

Tomcat server status (displaying the requests being served, with the stage information)
should display 192.168.0.32 as the client IP whose request is being served by Tomcat. (Currently the client IP shows 192.168.0.33.)

Thanks,

 
Tim Holloway
Saloon Keeper
Posts: 27762
As I said, without co-operation, you cannot know the original IP address of the client once it has passed through an intermediary unless that intermediary wishes to be helpful about it.

Apache's mod_proxy component, operating in reverse proxy mode, adds a set of headers to the HTTP request stream (in other words, it's being helpful about it). The one with the proxy's remote client IP address is "X-Forwarded-For". If you make the Tomcat webapp dump incoming HTTP Request headers, look for it (or something similar), as nginx considers itself comparable to Apache as a reverse proxy.

The "forwarded-for" IP address isn't guaranteed to be one of the true IP addresses of the client system, since other factors can be involved. For example, a VM guest's IP address is likely to get translated into the containing host's IP address. However, it's about the closest you can get.

When using client IP addresses, bear in mind that the whole deal is far too touchy to be the primary security mechanism for any application. Knowing a source IP can be useful for auditing purposes, but not for actual protection. Then again, I've ranted repeatedly (and will again) on the unreliability of security systems designed by "clever people" when there are ready-made systems designed by full-time security professionals available, including one that's built right into Tomcat, whether you use it or not.
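
Added example (not code from the thread or from Tomcat): one way a webapp could use X-Forwarded-For for audit data only, accepting the header solely when the connection comes from the known reverse proxy. The class name, the trusted-proxy set and the sample requests are constructed for illustration; 192.168.0.33 is the nginx address used in the thread, and nginx is assumed to append the address it saw to the header.

```java
import java.util.Set;
import java.util.regex.Pattern;

/** Added example: trust-aware handling of X-Forwarded-For for audit logging. */
public class ForwardedForResolver {
    // IPv4 dotted quad, or a run of hex digits and colons (IPv6). No hostnames, no DNS lookups.
    private static final Pattern IP_LITERAL = Pattern.compile(
        "(\\d{1,3}\\.){3}\\d{1,3}|[0-9a-fA-F:]{2,39}");

    /**
     * @param peerAddr       address of the TCP peer that connected to Tomcat
     * @param forwardedFor   raw X-Forwarded-For header value, may be null
     * @param trustedProxies addresses of reverse proxies we operate ourselves (assumption)
     */
    public static String resolve(String peerAddr, String forwardedFor, Set<String> trustedProxies) {
        // A header sent by anything other than our own proxy is client-controlled: ignore it.
        if (forwardedFor == null || !trustedProxies.contains(peerAddr)) {
            return peerAddr;
        }
        String[] hops = forwardedFor.split(",");
        // Each proxy appends the address it saw, so walk from the right (nearest hop first).
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (trustedProxies.contains(hop)) {
                continue; // another of our own proxies, keep walking
            }
            // First hop we do not control: the chain cannot be believed any further left.
            return IP_LITERAL.matcher(hop).matches() ? hop : peerAddr;
        }
        return peerAddr; // header listed only our own proxies
    }

    public static void main(String[] args) {
        Set<String> proxies = Set.of("192.168.0.33");
        // Constructed sample requests: {peer address, X-Forwarded-For value}
        String[][] samples = {
            {"192.168.0.33", "192.168.0.32"},           // normal proxied request
            {"192.168.0.33", "10.9.9.9, 192.168.0.32"}, // client supplied a header, nginx appended
            {"192.168.0.40", "192.168.0.32"},           // direct connection carrying a forged header
            {"192.168.0.33", "<script>"},               // garbage value falls back to the peer
        };
        for (String[] s : samples) {
            System.out.println(s[0] + " | " + s[1] + " -> " + resolve(s[0], s[1], proxies));
        }
    }
}
```

The resolved value is suitable for audit records; it is not an authentication or access-control input.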
 
Njnamrata Shah
Greenhorn
Posts: 8
Hi,

I have done it by editing the StatusManager classes residing in the catalina.jar file.

Thanks,
 
Tim Holloway
Saloon Keeper
Posts: 27762
If you did this to look at proxy headers, that was probably not a good idea. Now you're going to have to build a custom Tomcat for every new Tomcat release.

A cleaner way would have been to create a Valve, put it in its own jar in TOMCAT_HOME/lib, and set up the server.xml file to wire it into the request process.
 