Embedded Tomcat X-Forward-For Header


Wickham, Jeremy

Oct 3, 2024, 12:52:34 PM
to cas-...@apereo.org

We have been using CAS for 10+ years for our authentication and have been using an external Tomcat. With my next release I am moving to using the embedded Tomcat. I have noticed that my audits are logging our load balancer IP address instead of the client’s. I have extended CasTomcatServletWebServerFactoryCustomizer to include the RemoteIpValve and to write the X-Forwarded-For header to this valve.

 

Saying this, am I approaching this wrong? I could not find a configuration to enable this behavior.

 

I do have the following set in my properties file.

 

cas.audit.engine.alternate-client-addr-header-name=X-Forwarded-For

 

I was curious if there was another setting I am missing before my deployment next week.

 

Thanks,

 -Jeremy

________________________

Jeremy Wickham

Mississippi State University

jeremy....@msstate.edu

Webex Personal Room: https://msstate.webex.com/meet/jrw16

 

King, Robert

Oct 3, 2024, 6:08:51 PM
to cas-...@apereo.org

I believe setting this option will get you the client IP.

 

server.tomcat.remoteip.internal-proxies

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CYYPR01MB83124634A3DA07C8B76F347099712%40CYYPR01MB8312.prod.exchangelabs.com.
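
Added example (not part of the thread and not CAS or Tomcat code): a simplified Python model of how Tomcat's RemoteIpValve picks the client address from X-Forwarded-For using the internal-proxies pattern mentioned above. The addresses and the `resolve_client_ip` helper are constructed for illustration, and the valve's separate trusted-proxies list is left out.

```python
import re

def resolve_client_ip(peer_addr, xff_header, internal_proxies):
    """Simplified model of the right-to-left walk Tomcat's RemoteIpValve performs.

    peer_addr        -- address of the TCP peer that connected to Tomcat
    xff_header       -- raw X-Forwarded-For value, or None
    internal_proxies -- regex of proxy addresses whose header is trusted
    (The valve's separate trustedProxies list is left out of this model.)
    """
    trusted = re.compile(internal_proxies)
    # The header is only honoured when the direct peer is a known proxy.
    if not trusted.fullmatch(peer_addr) or not xff_header:
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    client = peer_addr
    # Walk from the hop nearest to us; stop at the first non-proxy address.
    for hop in reversed(hops):
        client = hop
        if not trusted.fullmatch(hop):
            break
    return client


# Constructed sample values (documentation address ranges).
LB = "10.0.0.5"              # load balancer as seen by Tomcat
CLIENT = "203.0.113.7"       # real client as seen by the load balancer
FORGED = "198.51.100.9"      # value a client put in its own request header
LB_ONLY = r"10\.0\.0\.5"     # internal-proxies pattern covering the LB

def demo():
    return {
        # LB appended the real client: audit gets the client address.
        "behind_lb": resolve_client_ip(LB, CLIENT, LB_ONLY),
        # Client sent its own header; LB appended the real address after it.
        "forged_entry": resolve_client_ip(LB, f"{FORGED}, {CLIENT}", LB_ONLY),
        # Pattern does not cover the LB: header ignored, LB address logged.
        "lb_not_listed": resolve_client_ip(LB, CLIENT, r"192\.168\.1\.1"),
        # Direct connection bypassing the LB: its header is not trusted.
        "direct_peer": resolve_client_ip(FORGED, CLIENT, LB_ONLY),
    }

if __name__ == "__main__":
    for case, addr in demo().items():
        print(f"{case:14} -> {addr}")
```

The `lb_not_listed` case reproduces the symptom from the first message: when the pattern does not match the load balancer's address, the header is ignored and the load balancer's own address ends up in the audit record.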

Erik Mallory

Oct 3, 2024, 6:09:13 PM
to cas-...@apereo.org
We have CAS running behind a NetScaler. Three nodes using the internal Tomcat. I don't have any X-Forwarded-For configuration in the CAS configuration. The NetScaler is configured to send the client IP to the node.
Here is an example audit:
WHO: audit:unknown
WHAT: {result=Service Access Granted, service=https://mywsu.wichita.edu/myWSU/authenticate.aspx, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Thu Oct 03 12:00:00 CDT 2024
CLIENT IP ADDRESS: 199.127.59.6
SERVER IP ADDRESS: 10.0.79.44


--
Erik Mallory
------------------------
"A happy man's paradise is his own good nature." - Edward Abbey
