Incorrect IP Reported To JSS Through Apache Proxy

efranson
New Contributor

Hi y'all! Hoping someone has run into a similar issue and has some relevant thoughts.

My setup is clustered JSSs: JSS 1) used by admins for, well, admin work. JSS 2) Limited Access JSS that computers report in to. The LA JSS is open to the internet and so is behind an Apache proxy (running on the same machine). The proxy handles all the TLS. Machines report in just fine, we are able to add and manage machines, etc.

The problem I'm running into: the JSS is reporting the IP address of each machine as the IP address of the LA JSS. I realize this is because the connection is coming from the proxy running on the LA JSS, and was hoping that enabling access logging in tomcat would start to report correct IPs, but no luck there.

Relevant (I think) line from server.xml:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" requestAttributesEnabled="true" prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u %t &quot;%r&quot    ; %s %b" resolveHosts="false"/>

I checked discussions here, but didn't see anything related. Happy to read docs if anyone has links. Any other thoughts? Anyone else running behind an Apache proxy having this issue?

2 ACCEPTED SOLUTIONS

martin
Contributor III

Hi @efranson

Server.xml should at least contain the following options:

        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               remoteIpHeader="x-forwarded-for"
               proxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto" />

View solution in original post

4 REPLIES 4

Malcolm
Contributor II

we see similar traffic with our infrastructure, but this is more of an source IP issue...

Devices connecting over proxy, or via external access, will receive the IP of our proxy / firewall, as this is the source that JSS can see, and cant see beyond it due to the NATing processes that takes place, and the https traffic used.

We used to have an issue where all proxied traffic was being shown as the one IP also, but I excluded the proxy from being used, and to access directly via the use of global proxy,

perrycj
Contributor III

martin
Contributor III

Hi @efranson

Server.xml should at least contain the following options:

        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               remoteIpHeader="x-forwarded-for"
               proxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto" />

efranson
New Contributor

After adding the code block above (from martin) our LA JSS is now reporting the correct external IPs (ie: the IP the proxy sees, not the proxy itself). Thanks for your help, all!