IP Address behind load balancer

paul_love
New Contributor

Hi,

We have 2 JSS's behind a load balancer. I have set the Remote IP Valve setting in Apache Tomcat Settings.

When the computer runs a jamf policy (every 15 minutes), the IP address (not reported IP Address) always comes back as the load balancer address.

If I run a jamf log on the computer, the IP address comes back as the proper IP address.

What's up with that? Is there a way to fix this (without running a jamf log in a policy on an ongoing basis)?

9 REPLIES

dan-snelson
Valued Contributor II

@paul.love On your Connector port for 8080, do you also have:

proxyPort="8443"
scheme="https"

paul_love
New Contributor

Thanks for your reply... I have:

<Connector URIEncoding="UTF-8" executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" scheme="https" />

No proxyPort - do I need that?

dan-snelson
Valued Contributor II

@paul.love Yes, my current understanding is that you also need:

proxyPort="8443"

paul_love
New Contributor

So, I've tried that... and still no joy.

When I run jamf log or jamf recon on a machine, I get the right IP address. When I run jamf policy on a machine I get the load balancer address... this is doing my head in.

ACE Load balancer has x-forwarded-for header inserted. It's doing SSL decryption / re-encryption.

Any other ideas?

dan-snelson
Valued Contributor II

@paul.love We're using F5 Networks, but I'm just @brock.walters's padawan; he's the master.

lisacherie
Contributor II

You need to update the server.xml file to add in the RemoteIPValve, and use the internalProxies option to list the IPs for your load balancer/s.

<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="1.1.1.1|1.1.1.2" remoteIpHeader="x-forwarded-for" remoteIpProxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" />

https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html

jhbush
Valued Contributor II

@paul.love please see this: "JSS is Reporting IP Address of Load Balancer". Pay close attention to the x-forwarded-for portion.

CalleyO
Contributor III

While not the exact "JSS is Reporting IP Address of Load Balancer" article, the "Configuring Tomcat to Work with a Load Balancer" article may contain the information needed.

brock_walters
Contributor

It is possible that if you set Remote IP Valve from the JSS GUI the change was not actually made. If there are file ownership issues in the Tomcat directory (e.g., on a Linux host if files or directories are owned by root that must be owned by the tomcat user for the JSS to make the change) you should see an error message to that effect on screen; however, it is possible for the edit to fail silently. You probably did, but make sure you actually use a text editor to examine (or edit) the Server.xml file.

The JAMF Nation kb referenced above is a good one (& has the arguments each on a single line - those of you who have taken my CJA know what's up!) Also, the Tomcat reference above is the same one I was going to post (Thanks Lisa!)

Without knowing the details it's hard to give advice, but make sure your load balancer backend configuration is correct. I am assuming since you are able to get devices to communicate with the JSS it's OK, but I suppose it's possible you mean to be passing traffic to the backend on some port other than 8080 (8443, e.g.), in which case you would want to make sure you had modified the corresponding connector element in the Server.xml.

Lastly, it is possible that the ACE on your load balancer & the Remote IP Valve statement in the Server.xml are in conflict - the TCP/IP packet header information is directly modified by these configurations. Try disabling the ACE on the load balancer & leaving the Tomcat Server.xml Remote IP Valve statement in place, restart Tomcat, & try checking for policies again. Let us know how it turns out!
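
Added example, not part of the thread and not Tomcat's or Jamf's code: a simplified Python model of how a RemoteIpValve entry like the one lisacherie posted decides which address the application records, reading the valve from a constructed server.xml. The sample addresses and the names `load_valve` and `resolve_remote_addr` are assumptions for illustration; Tomcat's default `internalProxies` value and the `trustedProxies` option are not modelled.

```python
import re
import xml.etree.ElementTree as ET

VALVE_CLASS = "org.apache.catalina.valves.RemoteIpValve"

# Constructed sample server.xml; addresses are documentation-range placeholders.
SAMPLE_SERVER_XML = r"""
<Server><Service name="Catalina"><Engine name="Catalina"><Host name="localhost">
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="192\.0\.2\.10|192\.0\.2\.11"
         remoteIpHeader="x-forwarded-for" />
</Host></Engine></Service></Server>
"""

def load_valve(server_xml):
    """Return the RemoteIpValve attributes found in server.xml text, or None."""
    for valve in ET.fromstring(server_xml).iter("Valve"):
        if valve.get("className") == VALVE_CLASS:
            return dict(valve.attrib)
    return None

def resolve_remote_addr(valve, peer_ip, headers):
    """Simplified model of the address the web app sees as the client."""
    if valve is None:
        return peer_ip  # no valve in the file: the TCP peer (load balancer) is reported
    # Assumption: internalProxies is set explicitly; Tomcat's default is not modelled.
    internal = re.compile(valve["internalProxies"])
    if not internal.fullmatch(peer_ip):
        return peer_ip  # peer is not a listed proxy, so its header is ignored
    name = valve.get("remoteIpHeader", "X-Forwarded-For").lower()
    value = {k.lower(): v for k, v in headers.items()}.get(name, "")
    hops = [h.strip() for h in value.split(",") if h.strip()]
    for hop in reversed(hops):  # walk from the hop nearest the server
        if not internal.fullmatch(hop):
            return hop  # first address that is not one of our own proxies
    return hops[0] if hops else peer_ip

if __name__ == "__main__":
    valve = load_valve(SAMPLE_SERVER_XML)
    xff = {"X-Forwarded-For": "198.51.100.23"}
    print(resolve_remote_addr(valve, "192.0.2.10", xff))  # listed load balancer
    print(resolve_remote_addr(valve, "192.0.2.99", xff))  # load balancer missing from internalProxies
```

The second call reproduces the symptom in this thread: when the load balancer's address does not match `internalProxies`, or the valve never made it into the file, the forwarded header is ignored and the load balancer's own address is recorded. The same rule is why the header is only honoured from listed proxies, so `internalProxies` should name the load balancers exactly rather than a broad range.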