| Summary: | RemoteIpValve & RemoteIpFilter: HttpServletRequest.getRemoteHost() returns IP instead of hostname with enableLookups=true and x-forwarded-for header | ||
|---|---|---|---|
| Product: | Tomcat 7 | Reporter: | Yann Nicolas <yannart> |
| Component: | Catalina | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | ||
| Severity: | enhancement | CC: | yannart |
| Priority: | P2 | ||
| Version: | 7.0.52 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | All | ||
For reference - discussion thread on the users list (Feb 20) http://tomcat.markmail.org/thread/2c4jo2ryqv74zgpp Changing severity to 'enhancement'. I don't see any reason to differentiate between proxied and non-proxied clients. The only reason to differentiate between proxied and non-proxied clients is if you want to do reverse DNS lookup only for proxied clients and not for the non-proxied clients (if for example we know it is always the Load Balancer or the Proxy IP) for performance reasons. Fixed in: - 10.0.x for 10.0.0-M11 onwards - 9.0.x for 9.0.41 onwards - 8.5.x for 8.5.61 onwards - 7.0.x for 7.0.108 onwards |
When clients connect to Tomcat through a proxy or load balancer that adds a remoteIpHeader (eg. "x-forwarded-for") and the attribute "enableLookups" is set to "true", the expected behavior is that hostname of the clients is resolved by Tomcat. However it is not, if the method getRemoteHost() is called on a HttpServletRequest object, the IP is always returned, not the hostname. In the classes org.apache.catalina.valves.RemoteIpValve and org.apache.catalina.filters.RemoteIpFilter we see that the IP is set to the Hostname field without any option to do the reverse DNS lookup: request.setRemoteAddr(remoteIp); request.setRemoteHost(remoteIp); Instead the pseudo code could be something like: request.setRemoteAddr(remoteIp); if(enableRemoteIpLookups == true){ request.setRemoteHost(InetAddress.getByName(remoteIp).getHostName()); } Perhaps, instead of using "enableLookups" to indicate the reverse DNS lookup wants to be done for requests passing through a proxy it should be better to have a new Tomcat attribute for this (like enableRemoteIpLookups), because perhaps you do not want to lookups of the proxies IP but just the remoteIp (x-forwarded-for). Note, this issue applies also to Tomcat 8.