And, oddly, #GetHttpRequestData().headers# says x-forwarded-for is set correctly as expected, so the Valve isn’t working? Or Lucee is twiddling something else when it makes the CGI scope?
Are you using the plain Lucee image or the combined Lucee-Nginx image?
It’s possible that it’s behaving differently when nginx (or something else) is being used to proxy the requests. Perhaps the valve in Tomcat needs to include 127.0.0.1 for internalProxies and trustedProxies like Joe’s config does.
Also worth noting that the standard Lucee images don’t use mod_cfml; with the default configuration they are intended for single-app containers.
I’ve tried all sorts of things, and couldn’t get anything to work.
It may be complicated by the Nginx+Lucee container itself being behind an Amazon Elastic Load Balancer.
What does work is adding
public boolean function onRequestStart(string targetPage){
	// overwrite the CGI remote address with the header nginx sets for the real client
	cgi.REMOTE_ADDR = cgi['x-real-ip'];
	return true;
}
But what didn’t work, and really should have, was
sed -i "s/X-Forwarded-For/x-real-ip/" /usr/local/tomcat/conf/server.xml
The getPageContext() based output returns 127.0.0.1
A CFDUMP of getHttpRequestData().headers lists x-forwarded-for and x-real-ip as the expected value (i.e. the office outbound gateway). Still feel like I must be missing something about how the remote IP valve is meant to work.
Which I find interesting considering the server.xml says to use X-Forwarded-For which isn’t even in the headers… maybe they got stripped, because the nginx config says:
One thing to note, if you have ELB in front, you’re going to have TWO proxies to strip off. I’d imagine remote_addr in nginx will be the ELB address, and proxy_add_x_forwarded_for will be something like: ClientIP, ELBIP
(i.e. from wikipedia)
The general format of the field is:
X-Forwarded-For: client, proxy1, proxy2[[3]](https://en.wikipedia.org/wiki/X-Forwarded-For#cite_note-3)
where the value is a comma+space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request adding the IP address where it received the request from.
So you may have to add both 127.0.0.1 and the ELB as trusted proxies.
My apologies for not noticing this thread earlier. I am curious if you recall exactly where you were placing your RemoteIpValve config. Valves can be placed within an Engine, Host, or Context inside the server.xml. If you placed the RemoteIpValve within the default context where several other valves are, rather than the Engine, that could be why it wasn’t working. The default context only gets hit when there’s no other context to service a request. So it’s possible that your requests were simply bypassing your RemoteIpValve config.
Yeah, that would make the RemoteIpValve load only in the default context, which you would rarely, if ever, hit directly.
I did some digging on this and while Valves are supported in wider scopes, it is up to the valve specifically to support being loaded in those wider contexts (like Engine). Looking at the documentation here:
It says “This Valve may be attached to any Container…” but does not mention the wider contexts. So, my guess would be that it doesn’t support it. Instead, you might try loading the RemoteIpValve using the /opt/lucee/tomcat/conf/context.xml - which is theoretically applied to all contexts in that Tomcat instance. There’s even a commented Valve example there. This means you should get the RemoteIpValve functionality in ALL your contexts, regardless of whether those contexts were made by mod_cfml or not.
Not that it matters too much since you already found a solution, but an interesting concept for anyone else who may be facing a similar situation.
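The two points above, the right-to-left stripping of X-Forwarded-For hops against internalProxies/trustedProxies and loading the valve from a context.xml-style fragment, can be replayed outside Tomcat. The following is an added Python example, not code from the thread or from Tomcat; it parses a constructed Valve element, then applies the same walk RemoteIpValve does: the header is consulted only if the TCP peer itself is an internal or trusted proxy, internal hops are dropped, trusted hops move to X-Forwarded-By, and the first untrusted hop becomes the remote address. The addresses (client 203.0.113.10, an ELB node at 10.0.0.5, nginx on 127.0.0.1) are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

REMOTE_IP_VALVE = "org.apache.catalina.valves.RemoteIpValve"

# Constructed context.xml fragments (not the thread's own config). The first
# trusts only the loopback address, i.e. the nginx in the same container; the
# second also trusts an assumed ELB node at 10.0.0.5.
CONTEXT_LOOPBACK_ONLY = r"""
<Context>
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="x-forwarded-for"
           proxiesHeader="x-forwarded-by"
           internalProxies="127\.\d{1,3}\.\d{1,3}\.\d{1,3}" />
</Context>
"""

CONTEXT_WITH_ELB = r"""
<Context>
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="x-forwarded-for"
           proxiesHeader="x-forwarded-by"
           internalProxies="127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
           trustedProxies="10\.0\.0\.5" />
</Context>
"""


def load_valve_config(xml_text):
    """Return the RemoteIpValve settings from a Context, Host or Engine fragment.

    Tomcat's own default internalProxies covers the RFC 1918 and loopback
    ranges; this replay keeps things explicit and treats a missing attribute
    as matching no address at all.
    """
    root = ET.fromstring(xml_text.strip())
    for valve in root.iter("Valve"):
        if valve.get("className") == REMOTE_IP_VALVE:
            return {
                "remote_ip_header": valve.get("remoteIpHeader", "x-forwarded-for").lower(),
                "internal": re.compile(valve.get("internalProxies", r"(?!)")),
                "trusted": re.compile(valve.get("trustedProxies", r"(?!)")),
            }
    raise ValueError("no RemoteIpValve in fragment")


def resolve_remote_addr(cfg, remote_addr, headers):
    """Replay RemoteIpValve: returns (client_ip, x_forwarded_by, remaining_xff).

    The header is only consulted when the TCP peer itself is an internal or
    trusted proxy, so a client talking to Tomcat directly cannot change its
    address by sending its own X-Forwarded-For.
    """
    internal, trusted = cfg["internal"], cfg["trusted"]
    header = headers.get(cfg["remote_ip_header"], "")
    if not (internal.fullmatch(remote_addr) or trusted.fullmatch(remote_addr)):
        return remote_addr, [], header
    hops = [h.strip() for h in header.split(",") if h.strip()]
    client, proxies, remaining = remote_addr, [], []
    # Walk from the right-most hop (the one nearest to us) back toward the client.
    while hops:
        hop = hops.pop()
        client = hop
        if internal.fullmatch(hop):
            continue                 # internal proxies vanish from both headers
        if trusted.fullmatch(hop):
            proxies.insert(0, hop)   # trusted proxies are recorded in X-Forwarded-By
            continue
        remaining = hops             # hops left of the first untrusted one stay in XFF
        break
    return client, proxies, ", ".join(remaining)


# Constructed request as Tomcat sees it behind ELB -> nginx in the same
# container: nginx's proxy_add_x_forwarded_for appended the ELB's address.
PEER = "127.0.0.1"
HEADERS = {"x-forwarded-for": "203.0.113.10, 10.0.0.5"}


def demo():
    loopback_only = resolve_remote_addr(load_valve_config(CONTEXT_LOOPBACK_ONLY), PEER, HEADERS)
    with_elb = resolve_remote_addr(load_valve_config(CONTEXT_WITH_ELB), PEER, HEADERS)
    # A request arriving directly, not via a trusted proxy, keeps its socket address.
    direct = resolve_remote_addr(load_valve_config(CONTEXT_WITH_ELB), "198.51.100.7",
                                 {"x-forwarded-for": "203.0.113.10"})
    return loopback_only, with_elb, direct


if __name__ == "__main__":
    for label, result in zip(("loopback only", "loopback + ELB", "direct"), demo()):
        print(f"{label:15s} -> remote_addr={result[0]} x-forwarded-by={result[1]} xff={result[2]!r}")
```

With only the loopback address trusted, the resolved remote address is the ELB node, which is exactly the "IP I don't recognize" symptom; once the ELB is listed in trustedProxies the original client comes out and the ELB is recorded in X-Forwarded-By. The fragment is parsed the same way whether it sits in a Context, Host or Engine element, so the placement question from the thread is purely about which requests Tomcat routes through that element.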
Jordan, you hit it on the nose!
Thanks, this is still an issue with Docker Swarm where you have multiple sites running in one box.
Moved it and boom, it works.
Hi, I’m in a bit of a mystery here. I have several Docker containers on the same VPS. In one container I get my remote_addr and in another it’s giving me an unknown IP. The nginx / Docker setup is the same… the only difference is the running Lucee version, so it seems.
proxy params the same, server.xml the same… VPS the same.
Could anyone point me in the right direction?? This worked for years…
I’m talking above my experience here, but I’m wondering if the Java Servlet for the new version of Lucee is different (such as a newer Tomcat). I believe that there is sometimes an X-Forwarded-For configuration in the servlet config. For example, if I dig around in my server.xml, I see this:
That is what I have had for years and it always worked… it seems that somewhere Tomcat/Lucee changed this. I have older Lucee containers that work. The correct IP is given. And with newer Lucee containers I get some random IP from a range I don’t recognize. The containers are on the same VPS, so Docker as the culprit is ruled out.
Mystery solved… nothing to do with Lucee or Tomcat. It was the hosting HA-IP service that did not proxy the real IP. I had some domains still running with the old IP for nginx (those worked) and I have most domains running with the HA-IP service proxy (those don’t work). I had a light-bulb moment and slapped myself for it.