Bug 56181

Summary: RemoteIpValve & RemoteIpFilter: HttpServletRequest.getRemoteHost() returns IP instead of hostname with enableLookups=true and x-forwarded-for header
Product: Tomcat 7
Reporter: Yann Nicolas <yannart>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: NEW ---
Severity: enhancement
CC: yannart
Priority: P2    
Version: 7.0.52   
Target Milestone: ---   
Hardware: All   
OS: All   

Description Yann Nicolas 2014-02-23 17:22:49 UTC
When clients connect to Tomcat through a proxy or load balancer that adds a remoteIpHeader (e.g. "x-forwarded-for") and the attribute "enableLookups" is set to "true", the expected behavior is that the hostname of the clients is resolved by Tomcat.

However, it is not: if the method getRemoteHost() is called on an HttpServletRequest object, the IP is always returned, not the hostname.

In the classes org.apache.catalina.valves.RemoteIpValve and org.apache.catalina.filters.RemoteIpFilter we see that the IP is set in the hostname field without any option to do the reverse DNS lookup:

request.setRemoteAddr(remoteIp);
request.setRemoteHost(remoteIp);


Instead, the pseudocode could be something like:

request.setRemoteAddr(remoteIp);

if (enableRemoteIpLookups) {
    // reverse DNS lookup of the client IP; InetAddress.getByName() declares UnknownHostException
    request.setRemoteHost(InetAddress.getByName(remoteIp).getHostName());
}


Perhaps, instead of using "enableLookups" to indicate that the reverse DNS lookup should be done for requests passing through a proxy, it would be better to have a new Tomcat attribute for this (like enableRemoteIpLookups), because perhaps you do not want to look up the proxies' IPs but just the remoteIp (x-forwarded-for).

Note, this issue also applies to Tomcat 8.
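The lookup proposed in the description, as an added example that is not Tomcat's code and not part of the report: a simplified version of the x-forwarded-for walk RemoteIpValve performs, followed by the flag-gated reverse lookup. The attribute name enableRemoteIpLookups, the trusted proxy set and the sample header are assumptions; the real valve additionally honours the header only when the connection's own peer address matches its configured internal proxies, which this example takes as already checked.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

/** Added example, not Tomcat's code: x-forwarded-for walk plus the proposed reverse lookup. */
public final class RemoteIpLookupExample {

    /** Rightmost x-forwarded-for entry that is not a trusted proxy, or null if there is none. */
    static String clientIpFrom(String xForwardedFor, Set<String> trustedProxies) {
        if (xForwardedFor == null || xForwardedFor.isEmpty()) return null;
        List<String> hops = Arrays.asList(xForwardedFor.split("\\s*,\\s*"));
        for (int i = hops.size() - 1; i >= 0; i--) {
            String hop = hops.get(i).trim();
            if (!trustedProxies.contains(hop)) return hop;   // first hop from the right we did not add
        }
        return null;                                         // header listed only our own proxies
    }

    /** Value for request.setRemoteHost(): the hostname when lookups are on, otherwise the IP. */
    static String remoteHostFor(String remoteIp, boolean enableRemoteIpLookups) {
        if (!enableRemoteIpLookups) return remoteIp;         // today's behaviour: IP in the host field
        try {
            InetAddress addr = InetAddress.getByName(remoteIp); // IP literal: no DNS query here
            // getHostName() issues the reverse (PTR) lookup and blocks the request thread until
            // the resolver answers or times out, which is the per-request cost comment 3 worries about.
            // On failure it returns the textual IP rather than null, so a missing PTR record is
            // indistinguishable from a hostname that happens to equal the address.
            return addr.getHostName();
        } catch (UnknownHostException e) {
            return remoteIp;                                 // malformed literal: keep the IP
        }
    }

    public static void main(String[] args) {
        Set<String> trusted = Set.of("10.0.0.5");           // assumed load balancer address (Java 9+)
        String header = "198.51.100.7, 10.0.0.5";           // constructed sample header
        String remoteIp = clientIpFrom(header, trusted);    // 198.51.100.7
        String remoteHost = remoteHostFor(remoteIp, true);  // result depends on the local resolver
        System.out.println(remoteIp + " -> " + remoteHost);
    }
}
```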
Comment 1 Konstantin Kolinko 2014-02-23 23:12:01 UTC
For reference - discussion thread on the users list (Feb 20)
http://tomcat.markmail.org/thread/2c4jo2ryqv74zgpp

Changing severity to 'enhancement'.
Comment 2 Mark Thomas 2014-02-24 17:42:38 UTC
I don't see any reason to differentiate between proxied and non-proxied clients.
Comment 3 Yann Nicolas 2014-02-25 01:19:21 UTC
The only reason to differentiate between proxied and non-proxied clients is if you want to do reverse DNS lookups only for proxied clients and not for the non-proxied clients (for example, if we know it is always the load balancer or the proxy IP), for performance reasons.