Posted on 07-01-2016 02:52 AM
Hi,
We have 2 JSSs behind a load balancer. I have set the Remote IP Valve setting in Apache Tomcat Settings.
When the computer runs a jamf policy (every 15 minutes), the IP address (not reported IP Address) always comes back as the load balancer address.
If I run a jamf log on the computer, the IP address comes back as the proper IP address.
What's up with that? Is there a way to fix this (without running a jamf log in a policy on an ongoing basis)?
Posted on 07-01-2016 05:33 AM
@paul.love On your Connector port for 8080, do you also have:
proxyPort="8443"
scheme="https"
Posted on 07-01-2016 05:35 AM
Thanks for your reply... I have:
<Connector URIEncoding="UTF-8" executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" scheme="https" />
No proxyPort - do I need that?
Posted on 07-01-2016 05:41 AM
@paul.love Yes, my current understanding is that you also need:
proxyPort="8443"
Posted on 07-08-2016 07:51 AM
So, I've tried that... and still no joy.
When I run jamf log or jamf recon on a machine, I get the right IP address. When I run jamf policy on a machine I get the load balancer address... this is doing my head in.
ACE Load balancer has x-forwarded-for header inserted. It's doing SSL decryption / re-encryption.
Any other ideas?
Posted on 07-08-2016 08:01 AM
@paul.love We're using F5 Networks, but I'm just @brock.walters's padawan; he's the master.
Posted on 07-08-2016 09:48 AM
You need to update the server.xml file to add in the RemoteIPValve, and use the internalProxies option to list the IPs for your load balancer/s.
<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="1.1.1.1|1.1.1.2" remoteIpHeader="x-forwarded-for" remoteIpProxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" />
https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
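Added example (not code from this thread, from Jamf, or from Tomcat itself): a small Python model of how RemoteIpValve decides which address the web application sees, plus a check that a given server.xml will actually honour a given load balancer. It reads a constructed server.xml fragment that uses the Valve posted above (internalProxies="1.1.1.1|1.1.1.2" is the placeholder from that post; 10.0.0.5, 198.51.100.9 and 203.0.113.7 are made-up addresses) and mirrors the valve's documented rules: the peer address must fully match internalProxies or the forwarding headers are ignored, the chain is walked right to left dropping internal proxies, and x-forwarded-proto only sets the scheme when the peer is trusted. The default internalProxies pattern is reproduced from the Tomcat documentation as I remember it; check it against your version's docs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment for illustration: the Valve is the one posted
# in the thread, the Connector carries the proxyPort/scheme attributes discussed
# above. Not a copy of any real JSS deployment.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"
               proxyPort="8443" scheme="https"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="1.1.1.1|1.1.1.2"
             remoteIpHeader="x-forwarded-for"
             remoteIpProxiesHeader="x-forwarded-by"
             protocolHeader="x-forwarded-proto"/>
    </Engine>
  </Service>
</Server>"""

# The valve's documented default for internalProxies (RFC 1918 and loopback
# ranges), reproduced from the Tomcat docs; used only when the attribute is absent.
DEFAULT_INTERNAL = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.1[6-9]\.\d{1,3}\.\d{1,3}|172\.2[0-9]\.\d{1,3}\.\d{1,3}|"
    r"172\.3[0-1]\.\d{1,3}\.\d{1,3}"
)

def load_valve(xml_text):
    """Return the RemoteIpValve settings from a server.xml string, or None if absent."""
    root = ET.fromstring(xml_text)
    for valve in root.iter("Valve"):
        if valve.get("className") != "org.apache.catalina.valves.RemoteIpValve":
            continue
        trusted = valve.get("trustedProxies")
        return {
            "internal": re.compile(valve.get("internalProxies", DEFAULT_INTERNAL)),
            "trusted": re.compile(trusted) if trusted else None,
            "ip_header": valve.get("remoteIpHeader", "x-forwarded-for").lower(),
            "proto_header": (valve.get("protocolHeader") or "").lower(),
        }
    return None

def resolve(valve, remote_addr, headers):
    """Model what the valve exposes to the webapp for one request.

    remote_addr is the TCP peer (the load balancer when traffic is proxied);
    headers are the request headers as sent by that peer.
    """
    h = {k.lower(): v for k, v in headers.items()}
    result = {"client": remote_addr, "scheme": "http", "forwarded_by": [], "remaining": []}
    # The peer address must match internalProxies in full; if it does not, every
    # forwarding header is untrusted and left alone. That is exactly the symptom
    # in the thread: the application sees the load balancer's own IP.
    if not valve["internal"].fullmatch(remote_addr):
        return result
    chain = [ip.strip() for ip in h.get(valve["ip_header"], "").split(",") if ip.strip()]
    # Walk the X-Forwarded-For chain right to left: drop internal proxies, record
    # trusted proxies, and stop at the first address that is neither.
    for i in range(len(chain) - 1, -1, -1):
        ip = chain[i]
        if valve["internal"].fullmatch(ip):
            continue
        if valve["trusted"] and valve["trusted"].fullmatch(ip):
            result["forwarded_by"].insert(0, ip)
            continue
        result["client"] = ip
        result["remaining"] = chain[:i]
        break
    if valve["proto_header"] and h.get(valve["proto_header"], "").lower() == "https":
        result["scheme"] = "https"
    return result

def audit(xml_text, lb_addrs):
    """List why the given load-balancer addresses would not be honoured by this server.xml."""
    valve = load_valve(xml_text)
    if valve is None:
        return ["no RemoteIpValve element found in server.xml"]
    return [
        f"load balancer {lb} does not match internalProxies; its X-Forwarded-For will be ignored"
        for lb in lb_addrs
        if not valve["internal"].fullmatch(lb)
    ]

if __name__ == "__main__":
    v = load_valve(SERVER_XML)
    hdrs = {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "https"}
    print(resolve(v, "1.1.1.1", hdrs))   # client seen as 203.0.113.7
    print(resolve(v, "10.0.0.5", hdrs))  # client seen as 10.0.0.5 (unlisted LB)
    print(audit(SERVER_XML, ["1.1.1.1", "10.0.0.5"]))
```

The second call is the thread's failure mode: the header is present and correct, but because the peer (the load balancer's real backend-side address) is not in internalProxies the valve never looks at it. Run audit() with the address the JSS actually sees on the TCP connection, not the balancer's VIP, and remember the pattern is a regex, so unescaped dots match any character.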
Posted on 07-08-2016 10:46 AM
@paul.love please see this: JSS is Reporting IP Address of Load Balancer. Pay close attention to the x-forwarded-for portion.
Posted on 06-28-2023 09:33 AM
While not the exact JSS is Reporting IP Address of Load Balancer article, the Configuring Tomcat to Work with a Load Balancer may contain the information needed.
Posted on 07-08-2016 03:04 PM
It is possible that if you set Remote IP Valve from the JSS GUI the change was not actually made. If there are file ownership issues in the Tomcat directory (e.g., on a Linux host, if files or directories are owned by root that must be owned by the tomcat user for the JSS to make the change) you should see an error message to that effect on screen; however, it is possible for the edit to fail silently. You probably did, but make sure you actually use a text editor to examine (or edit) the Server.xml file.
The JAMF Nation kb referenced above is a good one (& has the arguments each on a single line - those of you who have taken my CJA know what's up!) Also, the Tomcat reference above is the same one I was going to post (Thanks Lisa!)
Without knowing the details it's hard to give advice, but make sure your load balancer backend configuration is correct. I am assuming that since you are able to get devices to communicate with the JSS it's ok, but I suppose it's possible you mean to be passing traffic to the backend on some port other than 8080 (8443, e.g.), in which case you would want to make sure you had modified the corresponding connector element in the Server.xml.
Lastly, it is possible that the ACE on your load balancer & the Remote IP Valve statement in the Server.xml are in conflict - the TCP/IP packet header information is directly modified by these configurations. Try disabling the ACE on the load balancer & leaving the Tomcat Server.xml Remote IP Valve statement in place, restart Tomcat, & try checking for policies again. Let us know how it turns out!