Bug 35941 - Wrong remote IP reported when using AJP and APR
Summary: Wrong remote IP reported when using AJP and APR
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Connector:AJP
Version: 5.5.10
Hardware: PC Linux
Importance: P2 critical
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2005-07-30 18:21 UTC by Markus Schönhaber
Modified: 2007-09-06 19:17 UTC
Description Markus Schönhaber 2005-07-30 18:21:50 UTC
When using AJP and APR, in the access-logs the address of the machine running
the httpd gets recorded as remote IP address and not the address of the machine
where the request originates (where the client browser runs on). 
ServletRequest#getRemoteAddress() shows the same behaviour.
What I consider more serious is that the RemoteAddrValve is rendered useless.

I've verified this on a stock Tomcat 5.5.10 binary distribution connected to an
Apache httpd 2.0.54 using JK-1.2.14.
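
The symptom and its effect on address-based access control, as an added example that is not part of the original report and is not Tomcat code: it checks an access log for the "every request comes from the httpd host" pattern and models the allow/deny decision of RemoteAddrValve in simplified form. The addresses (documentation ranges), the log lines, and the function names are constructed for illustration; `192.0.2.10` is assumed to be the machine running httpd.

```python
import re
from collections import Counter

# Constructed sample of Tomcat access-log lines (common log format).
# 192.0.2.10 stands in for the host running httpd (assumption).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jul/2005:18:02:11 +0000] "GET /app/ HTTP/1.1" 200 5120
192.0.2.10 - - [30/Jul/2005:18:02:15 +0000] "GET /app/admin HTTP/1.1" 200 734
192.0.2.10 - - [30/Jul/2005:18:03:40 +0000] "POST /app/login HTTP/1.1" 302 0
"""

def remote_addr_counts(log_text):
    """Count requests per logged remote address (first field of each line)."""
    return Counter(l.split()[0] for l in log_text.splitlines() if l.strip())

def proxy_masking_suspected(log_text, proxy_addrs, threshold=0.95):
    """True when nearly every logged remote address is the front-end httpd,
    which is the symptom described in this report."""
    counts = remote_addr_counts(log_text)
    total = sum(counts.values())
    from_proxy = sum(n for addr, n in counts.items() if addr in proxy_addrs)
    return total > 0 and from_proxy / total >= threshold

def valve_allows(remote_addr, allow=(), deny=()):
    """Simplified model of the valve's decision: deny patterns are checked
    first, then allow patterns; with no allow list, anything not denied passes.
    Patterns must match the whole address."""
    if any(re.fullmatch(p, remote_addr) for p in deny):
        return False
    if allow:
        return any(re.fullmatch(p, remote_addr) for p in allow)
    return True

if __name__ == "__main__":
    internal_only = [r"192\.0\.2\.\d+"]   # constructed allow pattern
    real_client = "203.0.113.7"           # where the browser actually runs
    reported = "192.0.2.10"               # what Tomcat sees when the bug occurs

    print("masking suspected:", proxy_masking_suspected(SAMPLE_LOG, {reported}))
    # The decision the administrator intended for the real client:
    print("intended:", valve_allows(real_client, allow=internal_only))
    # The decision actually made, because the httpd address is evaluated:
    print("actual:  ", valve_allows(reported, allow=internal_only))
```

When the reported address is the httpd host, the intended and actual decisions differ for every external client, which is why the filter no longer restricts anything.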
Comment 1 Markus Schönhaber 2005-07-30 18:27:52 UTC
For completeness' sake I should mention:
if APR is not used, no Exception is thrown.
Comment 2 Cris Daniluk 2007-04-17 05:25:32 UTC
This doesn't seem to be fixed in 5.5.20, connecting with AJP/1.3. The
documentation does not indicate any special behavior required to utilize this
Comment 3 Remy Maucherat 2007-04-17 08:04:37 UTC
I doubt that this is the case. I think you should be posting about this on the
user list instead.
Comment 4 Mark Thomas 2007-09-06 17:01:08 UTC
This works as expected with:
httpd 2.2.4, mod_proxy_ajp, Tomcat 5.5.25, Tomcat-Native 1.1.10

Still check earlier versions...
Comment 5 Mark Thomas 2007-09-06 17:41:50 UTC
It also works with httpd 2.0.59, mod_jk 1.2.25, Tomcat 5.5.25 and Tomcat-Native

I am not going to rule out a bug in an earlier version but if you still see this
issue, an upgrade to the latest versions should fix it. If it doesn't, it is a
configuration issue and you should use the users list for further assistance in
that case.
Comment 6 William A. Rowe Jr. 2007-09-06 19:05:44 UTC
With APR as shipped for httpd 2.2.4, there was a bug looking up the remote IP,
and it's quite possible the apr-ajp connector overwrites the server address with
the remote IP when it becomes known.  Although this does not sound like your bug,
it's something to be aware of, and something to avoid.

It's addressed in the last two versions of APR 1.2.x, and in the httpd 2.2.6
distribution, so hopefully it's the last we would see of this bug.  It only
occurred when AcceptEx caught the connection on Windows 2000, and then apr
used traditional socket calls to determine the remote IP address. 
Comment 7 Mark Thomas 2007-09-06 19:17:10 UTC
For the record, I built Tomcat native with APR 1.2.9 for both of the above tests.