CGI.REMOTE_ADDR?


Seth Johnson

Dec 18, 2012, 5:22:13 PM
to ra...@googlegroups.com
I am running the latest version (4.0.2.002) on Apache (Ubuntu) and for some reason if I output #CGI.REMOTE_ADDR# I just get 127.0.0.1.

Of course, this makes it very difficult to set up debugging output based on my remote IP address.

If you have come across this issue before or know how to fix it please enlighten me.

Thank you,

Seth

Igal @ getRailo.org

Dec 18, 2012, 5:25:40 PM
to ra...@googlegroups.com
you mean that you get 127.0.0.1 for ALL users?

that's probably due to fronting with a web server, i.e. Apache in your case.

Seth Johnson

Dec 18, 2012, 5:30:22 PM
to ra...@googlegroups.com
Correct, all users.  Is there a way to have Apache hand off the CGI vars to Railo, I wonder?

Matt Quackenbush

Dec 18, 2012, 5:32:50 PM
to ra...@googlegroups.com
Weird. We use Apache in front of Tomcat and I've never seen that behavior. How are you passing the request off to Tomcat?

Igal @ getRailo.org

Dec 18, 2012, 5:36:25 PM
to ra...@googlegroups.com
I think that in Tomcat the http connector has this issue, but the AJP doesn't.

to reiterate Matt's question:  what is your setup?  specifically the servlet container (Tomcat?) and the connector between the web server and the servlet container?

Bilal

Dec 18, 2012, 6:00:54 PM
to ra...@googlegroups.com
I am with Igal on this one.
You are most likely using the http proxy; you will need to use the ajp proxy for CGI information to be correctly transferred.

Seth Johnson

Dec 18, 2012, 6:16:56 PM
to ra...@googlegroups.com
It's just a vanilla install, nothing funny going on that I know of.

Matt Quackenbush

Dec 18, 2012, 6:21:11 PM
to ra...@googlegroups.com

Ayep, a quick look at that post indicates that it is indeed using http_proxy. You'll want ajp_proxy instead, as Igal stated.

HTH

Jordan Michaels

Dec 18, 2012, 6:28:22 PM
to ra...@googlegroups.com
http proxy is currently the default with Linux Installer builds.

There are several reasons for this:

1) http proxy (mod_proxy_html/mod_proxy_http) comes installed by default
in the vast majority of Linux distros, so installation is incredibly
simple because it's already done in most cases.

2) mod_proxy_ajp is *unavailable* in the majority of Linux distros, so
in those cases a custom compilation would be required.

3) mod_jk (which uses the AJP protocol) used to come pre-installed until
binaries of the connector were no longer supplied by the Apache
foundation. This also means custom compiled versions would be required.

4) mod_proxy_http is recommended by Mark Thomas, a major contributor to
the Tomcat project:
http://www.tomcatexpert.com/blog/2010/06/16/deciding-between-modjk-modproxyhttp-and-modproxyajp

"Given a completely free choice, I'd use mod_proxy_http just because the
configuration is more consistent with other httpd modules."

To find the same information you're looking for with CGI.REMOTE_ADDR in
a default install, check the X-Forwarded-* HTTP headers instead.

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

X-Forwarded-For: The IP address of the client.
X-Forwarded-Host: The original host requested by the client in the Host
HTTP request header.
X-Forwarded-Server: The hostname of the proxy server.

You can grab these using the CFML GetHTTPRequestData() function, i.e.:

<cfset myHeaders = GetHttpRequestData()>
<cfdump var="#myHeaders#">

Hope this helps.
Warm Regards,
Jordan Michaels

Seth Johnson

Dec 19, 2012, 1:43:34 AM
to ra...@googlegroups.com
Thank you, Jordan, for the detailed explanation. I guess it does help in my code-based debugging, but if I want to use Railo's built-in debugging templates I am out of luck?

Seth

Igal Sapir

Dec 19, 2012, 1:55:08 AM
to Railo List

Well...  You could allow debugging in the admin and then in Application.cfc at onRequestStart() check for the 'original' IP and disable the debug output if it's not your IP via cfSetting.

--
typos, misspels, and other weird words brought to you courtesy of my mobile device.

Chris Blackwell

Dec 19, 2012, 5:06:57 AM
to ra...@googlegroups.com
If you're running Tomcat 7 you can use the RemoteIpFilter to fix this; it looks for the x-forwarded-for header and sets the request's remote address correctly.

There are lots of config options, but basically just add the following block to the top of /WEB-INF/web.xml inside the <web-app>:

<filter>
  <filter-name>RemoteIpFilter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>RemoteIpFilter</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>

If you're running Tomcat 6 there is an equivalent called RemoteIpValve, the difference being a Valve must be added to {tomcat-home}/conf/server.xml inside the <Host> block for the server, which isn't very portable.

Chris

Mark Drew

Dec 19, 2012, 5:22:20 AM
to ra...@googlegroups.com
Can someone spend a few mins and put all this great info in the wiki?

or here?

Not sure, but it would be good to get the community adding things like this when they are resolved to the wiki.

Thanks!

MD

Seth Johnson

Dec 19, 2012, 1:35:50 PM
to ra...@googlegroups.com
Hi Mark,

I wouldn't mind doing so.  I am in the middle of a launch though so it may be a couple days.

Seth

Jordan Michaels

Dec 19, 2012, 1:39:47 PM
to ra...@googlegroups.com
This is an excellent solution! It may be possible to include this with
the installers as well. =)

Warm Regards,
Jordan Michaels

On 12/19/2012 02:06 AM, Chris Blackwell wrote:
> If you're running Tomcat 7 you can use the RemoteIpFilter
> <http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/filters/RemoteIpFilter.html>
> to fix this, it looks for the x-forwarded-for header and sets the
> request's remote address correctly.
>
> There are lots of config options, but basically just add the following block
> to the top of /WEB-INF/web.xml inside the <web-app>
>
> <filter>
> <filter-name>RemoteIpFilter</filter-name>
> <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
> </filter>
> <filter-mapping>
> <filter-name>RemoteIpFilter</filter-name>
> <url-pattern>/*</url-pattern>
> <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
>
> If you're running Tomcat 6 there is an equivalent called RemoteIpValve
> <http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html>,
> the difference being a Valve must be added to
> {tomcat-home}/conf/server.xml inside the <Host> block for the server,
> which isn't very portable.
>
> Chris

Igal @ getRailo.org

Dec 19, 2012, 1:50:44 PM
to ra...@googlegroups.com
just needs to make sure that it's "secure".

I mean, imagine a scenario where a hacker passes a X-Forwarded-For
header with value of 127.0.0.1 and the RemoteIpFilter translates it into
a trusted local address...

Bruce Kirkpatrick

Dec 19, 2012, 9:38:57 PM
to ra...@googlegroups.com
I rewrote my application to never use the CGI scope directly for anything. In Application.cfc, I duplicate(cgi) into request.cgi and then I modify REMOTE_ADDR, HTTP_HOST and SCRIPT_NAME to be the correct values based on the other cgi variables so that the rest of the application can use them accurately. The http_host needs the port removed in my configuration. I also detect SSL connections with cgi.server_port_secure EQ 1 and force request.cgi.server_port to be 443; you can get this value set by using a separate connector on a separate port with secure="true" in server.xml, like this: <Connector port="8889" protocol="HTTP/1.1" redirectPort="8443" scheme="https" secure="true" />.

When I switched from Apache to Nginx, I found that HTTP proxy is superior to the current ajp proxy plugin for nginx for static caching, so I had to do the CGI code rewrite to use Nginx the way I want. mod_ajp_proxy on Apache is the best performance/accuracy when using Apache though. SCRIPT_NAME is usually my "front controller", but I change it into the script the request actually routes to. It's easy to remember request.cgi.script_name.

In apache, you can use different ajp or proxy ports with mod_rewrite like this:
RewriteRule ^/(.*(|.cfm|.cfc))$ ajp://www.yourdomain.com:8009/index.cfm?actualpath=/$1 [L,P,QSA]

or

RewriteRule ^/(.*(|.cfm|.cfc))$ http://www.yourdomain.com:8889/index.cfm?actualpath=/$1 [L,P,QSA]

You have to include the P flag at the end to enable proxying.  You'd stop using the other ways of connecting to Tomcat and Apache by commenting out the lines for mod_jk or mod_cfml.

This configuration is secure as long as your tomcat ports are not open to the public.

Igal @ getRailo.org

Dec 19, 2012, 9:45:13 PM
to ra...@googlegroups.com
funny -- I, too, set Request.CGI for the same reason. I don't set all
of the keys/values though. just a few that I might "override" like
Request.CGI.SCRIPT_NAME and a few others.

as someone who's so concerned about performance you really shouldn't
duplicate the information that you needn't modify ;)

Seth Johnson

Dec 19, 2012, 10:01:58 PM
to ra...@googlegroups.com
Thanks Chris, I will def check it out!

Bruce Kirkpatrick

Dec 19, 2012, 11:11:52 PM
to ra...@googlegroups.com
LOL. I suppose in this case, I'm forcing a habit on myself and anyone who uses my code to always use request.cgi. I don't know when I'll need another variable to be different. It's likely that a single duplicate() call is similar in performance to multiple CFML variables in the underlying Java. It's well under 0.00001 seconds to duplicate cgi. If cgi was not read-only, then I'd just overwrite, but the desire for ACF compatibility is forcing it to stay read-only, I guess. PHP and probably other languages don't have it as read-only and the world doesn't seem to mind.

Bilal

Dec 19, 2012, 11:12:25 PM
to ra...@googlegroups.com
Two things to note regarding x-forwarded-for. It used to indicate traffic flow inside a network, e.g. behind a load balancer or proxy this would be what the proxy saw as the client. This can be multiple IPs.

Use of it is considered insecure since it can be set by clients directly, and intermediaries (proxies, load balancers, gateways) pass this value on by default. They may add their own IP to the right.

If you still use it, the Tomcat filter has to be smart enough to pick up the leftmost public IP if possible. Thus, I would test this for each filter.
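The chain-walking that the RemoteIpFilter Chris recommends performs, and the spoofing concern Igal and Bilal raise about X-Forwarded-For, as an added Python example (not code from this thread, Tomcat or Railo). The trusted proxy ranges and the 203.0.113.x client addresses are constructed for the example; `naive_leftmost` shows the weak approach beside the hardened `resolve_client_ip`.

```python
import ipaddress

# Constructed trusted-proxy ranges: the hosts whose X-Forwarded-For entries we
# believe. Tomcat's RemoteIpFilter takes this from its internalProxies /
# trustedProxies init-params; these values are assumptions for the example.
TRUSTED_PROXIES = [
    ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")
]


def _parse_ip(token):
    """Return an ip_address for the token, or None if it is not an IP literal."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def _is_trusted_proxy(token, trusted):
    addr = _parse_ip(token)
    return addr is not None and any(addr in net for net in trusted)


def naive_leftmost(xff_header):
    """The weak approach: take the first X-Forwarded-For entry at face value.
    A client that prepends '127.0.0.1' is then treated as local."""
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    return hops[0] if hops else None


def resolve_client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Walk the X-Forwarded-For chain the way a reverse-proxy filter does.
    Returns (client_ip, source); source is "header" or "socket"."""
    # The TCP peer is the one address a client cannot forge. If it is not one
    # of our proxies the request bypassed them, so the header is client-supplied
    # and must be ignored outright.
    if not _is_trusted_proxy(remote_addr, trusted):
        return remote_addr, "socket"
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Each proxy appends the peer it saw on the right, so walk right-to-left and
    # drop hops that are our own proxies. The first remaining address is what
    # our outermost proxy saw; anything left of it is unverified hearsay.
    while hops and _is_trusted_proxy(hops[-1], trusted):
        hops.pop()
    client = _parse_ip(hops[-1]) if hops else None
    if client is None:
        return remote_addr, "socket"  # nothing usable; keep the peer address
    return str(client), "header"
```

With Apache on 127.0.0.1 in front, a client sending `X-Forwarded-For: 127.0.0.1` arrives as `127.0.0.1, 203.0.113.7` and still resolves to 203.0.113.7; a client connecting to Tomcat directly gets its header ignored entirely.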

Bruce Kirkpatrick

Dec 19, 2012, 11:23:39 PM
to ra...@googlegroups.com
The security here is assuming you trust 127.0.0.1 or another one more for some reason. Your administrative web pages (Railo, Tomcat, Plesk, cPanel) should be secured by firewall and either the web server configuration or Application.cfc. For Railo, I block public access by returning 404 or 403 when the URL contains "/railo-context/" and the port doesn't match 8888. I then use SSH tunneling to connect directly to the Tomcat http connector port. My SSH connection is secured with puttysc (smart card version) + RSA key and my static IP in the firewall. That's quite a bit more secure because the port has to match and the private key is required as well. SSH root password authentication is disabled. It is fairly easy to configure RSA keys with Linux and OpenSSL even if you don't use a smart card.

Igal @ getRailo.org

Dec 19, 2012, 11:55:27 PM
to ra...@googlegroups.com
true.  actually -- there's a good chance that duplicate() is faster since it uses an iterator -- as opposed to the multiple "searches" of keys in the way I do it.

memory-wise -- you lose 64 (or 128) bits for each key/value pair because of the extra pointers, which is insignificant too, especially if you have 4GB of RAM available.

like you said -- it's probably a few microseconds -- insignificant.