Bug 56058 - AccessLogValve Local IP/port inconsistent
Status: RESOLVED FIXED
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Target Milestone: default
Assigned To: Tomcat Developers Mailing List
Reported: 2014-01-23 23:14 UTC by andilist
Modified: 2015-03-04 14:07 UTC

Description andilist 2014-01-23 23:14:58 UTC
Hi,
I think the logging of
%A - Local IP address
%p - Local port on which this request was received
is inconsistent if an AJP connector is used.

%A logs the IP of the Tomcat server
%p logs the port of the Apache webserver

There should be a possibility to log:
1) the IP address of the Tomcat server on which the request was received
2) the port of the Tomcat server on which the request was received

3) the IP address of the webserver on which the request was received
4) the port of the webserver on which the request was received

Even 
%h - Remote host name (or IP address if resolveHosts is false) (and %a)
is not clear in case of an ajp-request.

There should be a possibility to log
5) the remote host of the ajp-request (= webserver)
6) the remote host of the webserver-request (= browser)

Use case:
I want to log who is connecting to my Tomcat server. In case of AJP I can only see the end user's IP (with %h).
Comment 1 Mark Thomas 2014-01-27 21:34:31 UTC
I've been looking at the source and doing some testing.

For the AJP protocol:
- %a and %h always refer to the client as seen by the reverse proxy
- %v is the host header received by the reverse proxy or the reverse proxy's host name for HTTP/1.0 or HTTP/0.9 requests
- %A is always InetAddress.getLocalHost().getHostAddress() (or 127.0.0.1 if that fails)
- %p is the port that the reverse proxy received the connection on

The IP address that the reverse proxy received the connection on is not available in the AJP protocol. You could make this available by setting a custom HTTP header in the reverse proxy and then displaying the value of that header in the AccessLogValve.

Because of the way AJP is implemented, it is probably easiest to expose the connector port the same way (since the reverse proxy must know what port it is sending the request to).

It is highly unlikely that there are going to be any functional changes to Tomcat 6 in this area.

You do get much more control if you:
- upgrade to Tomcat 7.0.x or Tomcat 8.0.x
- switch to using HTTP rather than AJP for your reverse proxy
- use the RemoteIpValve or RemoteIpFilter
- configure the RemoteIpValve or RemoteIpFilter with requestAttributesEnabled=true
- configure the AccessLogValve with requestAttributesEnabled=false

With this configuration the standard access log valve elements will record the values as seen by Tomcat. The values as seen by the proxy will be available as request attributes that can be included in the access log via the %{xxx}r pattern.

I'm not going to resolve this just yet as I think the documentation (for all Tomcat versions) could be improved to make clear exactly what gets logged and/or when what gets logged varies.
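
The configuration listed in the comment above, sketched as a `conf/server.xml` fragment for Tomcat 7.0.x/8.0.x behind an HTTP reverse proxy. This is an added example, not part of the original comment and not taken from the Tomcat documentation. The proxy address `192.0.2.10`, the host name, the log file names and the selection of pattern fields are assumptions; `org.apache.catalina.AccessLog.RemoteAddr` is the request attribute RemoteIpValve sets when `requestAttributesEnabled` is true.

```xml
<!-- Added example: fragment of conf/server.xml, Tomcat 7.0.x / 8.0.x,
     reverse proxy talking HTTP (not AJP) to Tomcat. -->
<Host name="localhost" appBase="webapps">

  <!-- Assumption: the only reverse proxy connects from 192.0.2.10 and sets
       X-Forwarded-For. The header is honoured only for peers matching
       internalProxies, so keep this regex as narrow as the deployment
       allows; a broad match lets any direct client choose its logged IP. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         remoteIpHeader="X-Forwarded-For"
         internalProxies="192\.0\.2\.10"
         requestAttributesEnabled="true" />

  <!-- requestAttributesEnabled="false": the standard elements (%a, %A, %p)
       record the values as seen by Tomcat, so %a is the connecting peer
       (normally the proxy). The value as seen by the proxy is read from
       the request attribute via %{xxx}r.
       Field order in this constructed pattern:
         peer-ip  client-ip-per-proxy  local-ip  port  time  request  status  bytes -->
  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs"
         prefix="localhost_access_log."
         suffix=".txt"
         requestAttributesEnabled="false"
         pattern="%a %{org.apache.catalina.AccessLog.RemoteAddr}r %A %p %t &quot;%r&quot; %s %b" />

</Host>
```

With both columns in the log, a first field that is not the proxy's address identifies a connection made directly to the Tomcat connector, which is the use case from the description.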
Comment 2 Rainer Jung 2014-01-28 10:41:37 UTC
Some related info is contained in

http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html

It also contains the names of the Apache variables one can set if one wants to override the data automatically forwarded via AJP by mod_jk (not mod_proxy_ajp).
Comment 3 Mark Thomas 2015-03-04 14:07:56 UTC
I've added some links to the AccessLogValve docs for trunk, 8.0.x (8.0.21 onwards), 7.0.x (7.0.60 onwards) and 6.0.x (6.0.44 onwards).

It looks like what you want to do is possible via configuration. If you need further pointers, please use the users mailing list.