RemoteIpValve not doing its job

I have several Tomcat servers behind a NetScaler load-balancer, which does SSL offloading. I've added the following line to server.xml on all of them:

     <Valve className="org.apache.catalina.valves.RemoteIpValve"
            remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" />

This works in all but 2 (identical) servers. I'm trying to get it to work on those two.

I've sniffed the traffic, and it contains the x-forwarded-proto header, with a value of https, as it should be. The returned result for request.getHeader("x-forwarded-proto") is https. However, request.getScheme() returns http and request.isSecure() returns false.

How can I get the RemoteIpValve working?

Thanks.


What's the remote IP of the load balancer?

The IP address of the connecting device (the load balancer, in this case) must be in the internalProxies configuration, otherwise the translations to the remote address, scheme, port, and request security are not applied.

By default, localhost and most of the RFC1918 ranges are allowed (except 172.16/12). If your proxy's IP when connecting to the Tomcat server is not in one of those ranges, you'll need to configure the internalProxies setting to allow your load balancer.
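
A simplified model of the check described in the answer above, as an added example (not part of the original answer and not Tomcat's code): the forwarded headers are honoured only when the connecting peer fully matches the `internalProxies` regular expression. The default pattern, the peer addresses and the function names are assumptions made for illustration; consult the documentation for your Tomcat version for its actual default.

```python
import re

# Assumption: a pattern modelled on the defaults the answer describes
# (loopback, 10/8, 192.168/16, 169.254/16, but not 172.16/12).
# It is not copied from any particular Tomcat release.
ASSUMED_DEFAULT = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|"
    r"127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
)


def is_trusted_proxy(peer_ip, internal_proxies=ASSUMED_DEFAULT):
    """internalProxies is a regex that must match the whole peer address."""
    return re.fullmatch(internal_proxies, peer_ip) is not None


def effective_scheme(peer_ip, headers, internal_proxies=ASSUMED_DEFAULT,
                     connector_scheme="http"):
    """Scheme the application sees for a request arriving from peer_ip."""
    proto = headers.get("x-forwarded-proto")
    if not proto or not is_trusted_proxy(peer_ip, internal_proxies):
        return connector_scheme  # header ignored: peer is not a trusted proxy
    return "https" if proto.lower() == "https" else "http"


def internal_proxies_for(ips):
    """Build a value matching exactly the listed addresses (dots escaped)."""
    return "|".join(re.escape(ip) for ip in ips)


if __name__ == "__main__":
    hdrs = {"x-forwarded-proto": "https"}  # constructed request headers
    for peer in ("10.1.2.3", "172.16.5.10"):  # constructed load balancer IPs
        print(peer, "->", effective_scheme(peer, hdrs))
    value = internal_proxies_for(["172.16.5.10"])
    print('internalProxies="%s"' % value)
    print("172.16.5.10 ->", effective_scheme("172.16.5.10", hdrs, value))
```

Listing only the load balancer's own addresses keeps the set of peers allowed to assert `x-forwarded-for` and `x-forwarded-proto` as small as possible.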