RemoteIpValve not doing it's job
i have several Tomcat servers, behind a NetScaler load-balancer, which does SSL offloading. i've added the following line to server.xml on all of them:
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" />
this works in all but 2 (identical) servers. i'm trying to get it to work on those two.
i've sniffed the traffic, and it contains the x-forwarded-proto
header, with a value of https
, as it should be.
the returned result for request.getHeader("x-forwarded-proto")
is https
.
however, request.getScheme()
returns http
and request.isSecure()
returns false
.
how can i get the remoteIpValve working?
thanks.
What's the remote IP of the load balancer?
The IP address of the connecting device (the load balancer, in this case) must be in the internalProxies
configuration, otherwise the translations to the remote address, scheme, port, and request security are not applied.
By default, localhost and most of the RFC1918 ranges are allowed (except 172.16/12). If your proxy's IP when connecting to the tomcat server is not in one of those ranges, you'll need to configure the internalProxies
setting to allow your load balancer.