How to configure RemoteIpValve with embedded tomcat in cas 6.1.x for Load Balancer


crdaudt

Dec 18, 2019, 1:48:36 PM12/18/19
to CAS Community
Our CAS instances are behind a load balancer.  For cas 5.x.x, we placed our version of the cas.war file in a tomcat container for which the tomcat server.xml file was configured with a RemoteIpValve identifying the internal proxy IP address of the load balancer.  The RemoteIpValve configuration allows us to log the clients' IP addresses in the CAS audit logs rather than the IP address of the load balancer.  Dave Curry explains how to do this in https://dacurry-tns.github.io/deploying-apereo-cas/setup_tomcat_configure-xforwardedfor-header-processing.html.  However, I am not sure how to accomplish this with the embedded tomcat container that is included in the gradle overlay for CAS v6 and above.

Is it possible to configure the embedded tomcat container with a RemoteIpValve setting?  If so, how?  Or will I need to install my own instance of tomcat in which to deploy my cas.war file?

Pascal Rigaux

Dec 18, 2019, 2:41:57 PM12/18/19
to cas-...@apereo.org
On 18/12/2019 19:48, crdaudt wrote:

> Is it possible to configure the embedded tomcat container with a RemoteIpValve setting?

It is possible: https://docs.spring.io/spring-boot/docs/current/reference/html/howto.html#howto-use-tomcat-behind-a-proxy-server

crdaudt

Dec 19, 2019, 4:22:37 PM12/19/19
to CAS Community
OK, in the cas.properties files I have placed the following (for our reverse proxy hosted at IP = 111.222.33.44):

----BEGIN----
...
server.tomcat.accesslog.directory=/var/log/tomcat
server.tomcat.accesslog.pattern=%h %l %u %t "%r" %s %b
server.use-forward-headers=true
server.tomcat.internal-proxies=111\\.222\\.33\\.44
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.protocol-header=x-forwarded-proto
logging.level.org.apache.catalina.valves.RemoteIpValve=DEBUG
...
----END----

However, the IP address field for /var/log/tomcat/access_log.<date>.log still shows the IP address of our load balancer, not the client.
Am I missing something?

crdaudt

Jan 2, 2020, 10:08:11 AM1/2/20
to CAS Community
Thanks, Pascal, for the helpful link you provided a couple of weeks ago for configuring RemoteIpValve for CAS when placing the CAS server behind a reverse proxy (load balancer).  Based on the information in the link, I added lines to the cas.properties file, which are described in my Dec 19 post.  However, CAS audit logs still show the IP address for the load balancer, not the client.  I am not sure what I am missing.  Assistance would be appreciated.

crdaudt

Jan 6, 2020, 12:05:45 PM1/6/20
to CAS Community
OK, I checked more closely -- the cas.log and cas_audit.log files are, indeed, responding to the RemoteIpValve setting (i.e., they are logging the IP address of the client).  The same is true for the gradle log file in .gradle/daemon/5.6.3/daemon-<pid>.out.log.  However, the tomcat access_log.<date>.log file is still logging the IP address of the load balancer.  Is there a way to cause the access log to also record the IP address of the client rather than the load balancer?  For that matter, is this a bad idea?

Pascal Rigaux

Jan 6, 2020, 4:11:59 PM1/6/20
to cas-...@apereo.org
Nice investigation.
Bug reproduced with plain spring-boot 2.2.2.RELEASE (*)
It looks like a bug in spring-boot... or at least a difference with
plain tomcat that could be documented...

Fortunately, easy workaround:

server.tomcat.accesslog.pattern=%{X-Forwarded-For}i ...

cu

(*) tested with https://github.com/spring-guides/gs-spring-boot.git
launched with
java -Dserver.tomcat.accesslog.pattern='%{X-Forwarded-For}i %a %h' \
     -Dserver.tomcat.remote-ip-header='X-Forwarded-For' \
     -Dserver.tomcat.accesslog.directory=`pwd` \
     -Dserver.tomcat.accesslog.enabled=true \
     -Dserver.port=8083 \
     -jar target/gs-spring-boot-0.1.0.jar

crdaudt <crd...@taylor.edu> wrote:
--
Pascal Rigaux

crdaudt

Jan 7, 2020, 2:59:32 PM1/7/20
to CAS Community
Thanks Pascal, I have confirmed what you proposed as a workaround:  I replaced the following:
server.tomcat.accesslog.pattern=%h %l %u %t "%r" %s %b
with the following:
server.tomcat.accesslog.pattern=%{X-Forwarded-For}i %l %u %t "%r" %s %b
I.e., I replaced '%h' with '%{X-Forwarded-For}i'

There is a downside of the replacement that readers should be aware of:  With the replacement above, if the site is accessed from a host that is not the load balancer (i.e., does not match the server.tomcat.internal-proxies setting), the access log will report a hyphen '-' in place of the IP address of the client.  I.e., there will be no log information concerning the IP address of the client connecting to the site.

Of course, rather than replacing '%h', one can add an additional field to include both fields, such as the following:
server.tomcat.accesslog.pattern=%{X-Forwarded-For}i %h %l %u %t "%r" %s %b

Thank you for helping me to resolve this.

Cheers!
Carl
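An added example (not code from the thread, CAS, Tomcat or Spring Boot): a Python model of how RemoteIpValve decides which address is the client, and of how the two access-log tokens discussed above, %h and %{X-Forwarded-For}i, come out for a logger that runs before the valve versus one that runs after it. The peer must match internal-proxies before the header is believed at all; the chain is then walked from the nearest hop outwards, internal proxies are dropped, trusted proxies are moved to x-forwarded-by, and the first remaining address becomes the remote address. The function names are this example's own, and 203.0.113.7, 198.51.100.9 and 192.0.2.10 are constructed documentation-range addresses; 111.222.33.44 is the proxy address from the thread.

```python
import re
from dataclasses import dataclass

# Values taken from the thread: the load balancer's address and the
# server.tomcat.internal-proxies regex (single-escaped, as Java sees it).
LOAD_BALANCER = "111.222.33.44"
INTERNAL_PROXIES = r"111\.222\.33\.44"


@dataclass
class Resolved:
    remote_addr: str     # what request.getRemoteAddr() returns while the valve is active
    headers: dict        # request headers after the valve's rewrite (lower-cased names)
    honoured: bool       # True only if the peer matched internal-proxies


def resolve_remote_ip(peer_addr, headers, internal_proxies, trusted_proxies=None,
                      remote_ip_header="x-forwarded-for", proxies_header="x-forwarded-by"):
    """Model of RemoteIpValve's address resolution, re-implemented here from the
    documented behaviour; this is not Tomcat's code."""
    internal = re.compile(internal_proxies)
    trusted = re.compile(trusted_proxies) if trusted_proxies else None
    headers = {k.lower(): v for k, v in headers.items()}

    # The header is only believed when the TCP peer is one of our own proxies.
    if not internal.fullmatch(peer_addr):
        return Resolved(peer_addr, headers, False)

    hops = [h.strip() for h in headers.get(remote_ip_header, "").split(",") if h.strip()]
    remote = peer_addr
    trusted_hops = []
    idx = len(hops) - 1
    # Walk the chain from the nearest hop outwards. Internal proxies are dropped,
    # trusted proxies are moved to the proxies header, and the first address that
    # is neither becomes the client address.
    while idx >= 0:
        remote = hops[idx]
        idx -= 1
        if internal.fullmatch(remote):
            continue
        if trusted and trusted.fullmatch(remote):
            trusted_hops.insert(0, remote)
            continue
        break
    remaining = hops[:idx + 1]          # hops further out than the client, left as-is

    if remaining:
        headers[remote_ip_header] = ", ".join(remaining)
    else:
        headers.pop(remote_ip_header, None)
    if trusted_hops:
        headers[proxies_header] = ", ".join(trusted_hops)
    else:
        headers.pop(proxies_header, None)
    return Resolved(remote, headers, True)


def render_access_log(pattern, remote_host, headers):
    """Render the two AccessLogValve tokens used in the thread: %h (remote host)
    and %{Name}i (a request header, '-' when absent)."""
    lower = {k.lower(): v for k, v in headers.items()}

    def token(m):
        if m.group(1) is None:
            return remote_host
        return lower.get(m.group(1).lower(), "-")

    return re.sub(r"%h|%\{([^}]+)\}i", token, pattern)


def log_lines(peer_addr, headers, pattern, internal_proxies=INTERNAL_PROXIES,
              trusted_proxies=None):
    """Return (line seen by a logger that runs before the valve, line seen by one
    that runs after it). RemoteIpValve puts the original address and headers back
    once the request has been handled, so a logger ahead of it in the pipeline
    records the unmodified request."""
    r = resolve_remote_ip(peer_addr, headers, internal_proxies, trusted_proxies)
    return (render_access_log(pattern, peer_addr, headers),
            render_access_log(pattern, r.remote_addr, r.headers))


if __name__ == "__main__":
    # Constructed sample requests (RFC 5737 documentation addresses).
    pattern = "%{X-Forwarded-For}i %h"
    cases = [
        ("via load balancer", LOAD_BALANCER, {"X-Forwarded-For": "203.0.113.7"}),
        ("two hops", LOAD_BALANCER, {"X-Forwarded-For": "198.51.100.9, 203.0.113.7"}),
        ("direct, spoofed header", "198.51.100.9", {"X-Forwarded-For": "203.0.113.7"}),
        ("direct, no header", "198.51.100.9", {}),
    ]
    for name, peer, hdrs in cases:
        before, after = log_lines(peer, hdrs, pattern)
        print(f"{name:24} before valve: {before:40} after valve: {after}")
```

The "direct, spoofed header" case is the one to keep in mind when logging %{X-Forwarded-For}i on its own: the valve ignores the header because the peer is not an internal proxy, but the access-log token still prints whatever the client sent, so a host that reaches the server directly can write an arbitrary address into that column. Logging both tokens, as in the last post, keeps the real peer address alongside it.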