Issues with cgi.remote_addr being 127.0.0.1 with nginx and mod_cfml

I set up the connection to mod_cfml from nginx based on what I found here, and have been trying to fix a few issues:

everything is working except for a couple minor things, any assistance would be greatly appreciated!

lucee says cgi.remote_addr is: 127.0.0.1

and sometimes index.cfm gets added to the url, especially just after restarting lucee service, can that be prevented?

here are my nginx conf files:

nginx.conf

# Process-wide settings. The user, error_log and pid directives are commented
# out, so this file does not override them.
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

# Each worker process accepts up to 1024 simultaneous connections.
events {
    worker_connections  1024;
}

# Settings shared by every server block that follows.
http {
    include       mime.types;
    default_type  application/octet-stream;

    # Custom access-log format, currently disabled. Its last field records the
    # X-Forwarded-For request header, which is whatever the client chose to send,
    # so it must not be read as the authoritative client address in log analysis.
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    # NOTE(review): gzip is switched on for every server below, including the TLS
    # server that proxies to Lucee. Compressing HTTPS responses that mix reflected
    # request data with secrets (session or CSRF tokens) is the precondition for
    # BREACH-style compression side channels; confirm the dynamic pages need it.
    gzip  on;

    # Plain-HTTP listener: every request is answered with a permanent redirect to
    # the canonical HTTPS host. The target host is a literal rather than $host, so
    # the Location header never echoes the Host header of the request.
    server {
        listen       80;
	server_name  mypetmask.ca www.mypetmask.ca;
	
	return 301 https://mypetmask.ca$request_uri;
    }
    # HTTPS listener for the www host name: terminates TLS only to redirect to the
    # bare domain. It needs its own certificate settings because the redirect is
    # sent after the handshake.
    server {
	listen       443 ssl;
	server_name  www.mypetmask.ca;
	
	return 301 https://mypetmask.ca$request_uri;

        # NOTE(review): the private key sits next to the certificate chain; confirm
        # the key file is readable only by the account that runs nginx.
        ssl_certificate      H:\Certificates\mypetmask.ca-chain.pem;
        ssl_certificate_key  H:\Certificates\mypetmask.ca-key.pem;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        # NOTE(review): there is no ssl_protocols directive, so the accepted TLS
        # versions are whatever this nginx build defaults to; older builds still
        # enable TLSv1 and TLSv1.1. Pin the versions explicitly.
        # NOTE(review): the list below is a broad-compatibility set. It still allows
        # DES-CBC3-SHA (3DES), SHA-1 CBC suites and static-RSA suites without
        # forward secrecy (AES128-SHA, AES256-SHA, ...). "CAMELLIA" is added and then
        # removed again by "!CAMELLIA", so it has no effect. No ssl_dhparam is set in
        # this block; check whether this build can negotiate the DHE-* suites
        # without it. Trim the list to what the site's clients actually need.
        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
        ssl_prefer_server_ciphers   on;
    }
    # Main HTTPS site. CFML requests are handed to Lucee through the rules pulled
    # in from lucee.conf.
    server {
        listen       443 ssl;
        server_name  mypetmask.ca;

        # There is no "location /" in this block, so any request that none of the
        # included locations match is answered from this directory.
        # NOTE(review): confirm that nothing sensitive (configuration, logs, backup
        # copies of templates) lives under this root.
	root H:/wwwroot/mypetmask.ca;
        # Context name sent to mod_cfml in the X-Webserver-Context header
        # (see lucee-proxy.conf).
	set $lucee_context "mypetmask.ca";
	include lucee.conf;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        # NOTE(review): confirm the private key file is readable only by the account
        # that runs nginx.
        ssl_certificate      H:\Certificates\mypetmask.ca-chain.pem;
        ssl_certificate_key  H:\Certificates\mypetmask.ca-key.pem;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        # NOTE(review): no ssl_protocols directive, so the accepted TLS versions are
        # this nginx build's defaults; pin them explicitly. The cipher list still
        # permits DES-CBC3-SHA (3DES), SHA-1 CBC suites and static-RSA suites without
        # forward secrecy; trim it to what the site's clients need. The same list is
        # duplicated in the www.mypetmask.ca server block, so change both together.
        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
        ssl_prefer_server_ciphers   on;

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        # The 50x page is read from nginx's own html directory rather than the site
        # root, so it stays available while the Lucee backend is down or restarting.
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
    # NOTE(review): the closing brace of the http block is not part of this listing.

lucee.conf

#to enable Lucee for a server: include lucee.conf;
# The regex locations below are tried in the order written and the first match
# wins, so the /lucee/ rule has to stay above the generic .cfm/.cfc proxy rule.
# Requests that match none of them are served as static files from the server's
# root.
# NOTE(review): nothing here covers a WEB-INF directory. If Lucee keeps its
# per-site WEB-INF folder under the document root, confirm it is not served as
# static content and add a matching "return 404" rule.

#block the lucee-context except for certain ip
# With the allow line commented out, "deny all" rejects every client before the
# request reaches the proxy settings, so the Lucee admin is unreachable through
# nginx. When enabling an allow entry, remember that it is matched against the
# address of the TCP peer. The pattern is unanchored and case-insensitive: it
# matches "/lucee/" anywhere in the URI.
location ~* /lucee/ {
	#allow 10.0.0.10;
	deny all;
	include lucee-proxy.conf;
}

# Hide the Lucee server context.
location ~* /lucee-server {
	return 404;
}

#block/ignore CFIDE requests
location ~* /CFIDE {
	return 404;
}

#block requests for Application.cfc/cfm
# The dot in the pattern is unescaped, so it matches any single character; that
# only makes the block slightly broader than the comment says.
location ~* Application.cf[mc]$ {
	return 404;
}

# Hand CFML requests to Lucee: ".cfm" at the end of the URI or followed by "/"
# (extra path info), and ".cfc" at the end of the URI.
location ~* (\.cfm(\/|$)|\.cfc$) {
  include lucee-proxy.conf;
}

#set the default document to index.html or index.cfm
# For a directory request nginx redirects internally to the first index file that
# exists, so a folder containing only index.cfm is proxied as .../index.cfm.
index index.html index.cfm;

lucee-proxy.conf

# Proxy settings shared by every location that forwards to Lucee/Tomcat.
# $path_info is assigned here but not referenced in any of the files shown.
set $path_info $request_uri;
# The backend is reached over plain HTTP on the loopback interface.
# NOTE(review): confirm the Tomcat connector on 8080 accepts connections only
# from this host. Anything able to reach it directly bypasses the rules in
# lucee.conf and can send the forwarding and mod_cfml headers below itself.
proxy_pass http://127.0.0.1:8080;
proxy_read_timeout 100s;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
# $proxy_add_x_forwarded_for appends the connecting address to any
# X-Forwarded-For header the client already sent, so only the last entry is
# vouched for by nginx. If nginx is the outermost proxy, sending $remote_addr
# alone keeps client-supplied values away from the backend.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# X-Real-IP is always set from the TCP peer address, replacing any client value.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header https $https;

#add headers for mod_cfml to do its work
# These headers tell mod_cfml which document root and context the request belongs
# to. The shared key is a secret between nginx and mod_cfml; the value is
# redacted here and the real one should stay out of public posts and repositories.
proxy_set_header X-Tomcat-DocRoot $document_root;
proxy_set_header X-ModCFML-SharedKey [correct-sharedkey-is-here];
# For more info on $lucee_context, see http://www.modcfml.org/index.cfm/install/web-server-components/nginx-all-os/
# Falls back to the document root when $lucee_context holds the literal value
# "false"; the server block in nginx.conf sets it to the site name.
if ($lucee_context = false) {
	set $lucee_context $document_root;
}
proxy_set_header X-Webserver-Context $lucee_context;

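Adding this to Tomcat's server.xml, just inside the tag (the tag name was stripped from this post; Tomcat accepts a Valve inside Engine, Host or Context), allows Lucee to see the real IP of the requester. The valve takes that address from the X-Forwarded-For header that nginx sends, so Tomcat's port 8080 should accept connections only from nginx; a request that reaches Tomcat from any other address the valve treats as an internal proxy would have its header trusted as well.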

<!-- Declared without attributes, so the valve runs on its defaults: it reads the
     X-Forwarded-For request header (remoteIpHeader) and replaces the remote
     address only when the connection comes from an address matching
     internalProxies (loopback and private ranges by default). The
     X-Forwarded-Proto header sent by nginx is not consulted unless
     protocolHeader is set. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve" />

I found a reference to this possibly being added to Lucee 4, but it's not there by default in 5.1.3.018.


only issue now is the index.cfm being added to the url when visiting a folder without it, reproducible by restarting the lucee service, and then being the first hit.

I’ve had this happen before with iis and acf9 occasionally also, where the entire rewritten url from iis gets put into the address bar, which shouldn’t happen, would be great to figure out why this happens.

This is still an issue, and your hint about the Valve in server.xml helped me resolve it, @walterbax.
Thank you!