Bug 56181 - RemoteIpValve & RemoteIpFilter: HttpServletRequest.getRemoteHost() returns IP instead of hostname with enableLookups=true and x-forwarded-for header
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
Version: 7.0.52
Hardware: All All
Importance: P2 enhancement
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-23 17:22 UTC by Yann Nicolas
Modified: 2020-11-26 19:04 UTC
Description Yann Nicolas 2014-02-23 17:22:49 UTC
When clients connect to Tomcat through a proxy or load balancer that adds a remoteIpHeader (e.g. "x-forwarded-for") and the attribute "enableLookups" is set to "true", the expected behavior is that the hostname of the clients is resolved by Tomcat.

However, it is not: if the method getRemoteHost() is called on an HttpServletRequest object, the IP is always returned, not the hostname.

In the classes org.apache.catalina.valves.RemoteIpValve and org.apache.catalina.filters.RemoteIpFilter we see that the IP is set to the Hostname field without any option to do the reverse DNS lookup:

request.setRemoteAddr(remoteIp);
request.setRemoteHost(remoteIp);


Instead the pseudo code could be something like:

request.setRemoteAddr(remoteIp);

// resolve the hostname only when the (proposed) attribute is enabled
if (enableRemoteIpLookups) {
    request.setRemoteHost(InetAddress.getByName(remoteIp).getHostName());
}


Perhaps, instead of using "enableLookups" to indicate that the reverse DNS lookup is to be done for requests passing through a proxy, it would be better to have a new Tomcat attribute for this (like enableRemoteIpLookups), because perhaps you do not want lookups of the proxies' IPs but just of the remoteIp (x-forwarded-for).

Note, this issue applies also to Tomcat 8.
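The following servlet filter is an added illustration of the behaviour the report asks for; it is not Tomcat's RemoteIpValve/RemoteIpFilter code and not the fix that was eventually committed. It takes the client IP from X-Forwarded-For only when the immediate peer is a configured trusted proxy (otherwise the header is client-controlled and ignored), then resolves the hostname for that client IP when a flag equivalent to the proposed enableRemoteIpLookups is set. The init-param names "trustedProxies" and "enableRemoteIpLookups" and the class names are this example's own assumptions; the javax.servlet API is the one Tomcat 7 ships.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Illustrative filter (assumed name; not Tomcat's RemoteIpFilter): derives the
 * client IP from X-Forwarded-For when the peer is a trusted proxy and, if
 * enabled, resolves a hostname for that IP instead of copying the IP into it.
 */
public class ProxiedClientHostFilter implements Filter {

    // Init-param names are this example's assumptions, not Tomcat attributes.
    private final Set<String> trustedProxies = new HashSet<String>();
    private boolean enableRemoteIpLookups;

    @Override
    public void init(FilterConfig config) {
        String proxies = config.getInitParameter("trustedProxies");
        if (proxies != null) {
            for (String p : proxies.split(",")) {
                trustedProxies.add(p.trim());
            }
        }
        enableRemoteIpLookups =
                Boolean.parseBoolean(config.getInitParameter("enableRemoteIpLookups"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            String clientIp = resolveClientIp(http.getRemoteAddr(),
                    http.getHeader("X-Forwarded-For"), trustedProxies);
            if (clientIp != null) {
                // Only the proxied client is looked up; the proxy itself is not.
                String host = enableRemoteIpLookups ? reverseLookup(clientIp) : clientIp;
                req = new ClientAddressRequest(http, clientIp, host);
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Walks the X-Forwarded-For chain from the right, dropping trusted proxies;
     * the first untrusted address is the client. Returns null when the header
     * must be ignored: peer is not a trusted proxy, header absent, or every hop trusted.
     */
    static String resolveClientIp(String peer, String xff, Set<String> trusted) {
        if (xff == null || !trusted.contains(peer)) {
            return null; // an untrusted peer could have written the header itself
        }
        List<String> hops = Arrays.asList(xff.split(","));
        for (int i = hops.size() - 1; i >= 0; i--) {
            String hop = hops.get(i).trim();
            if (!trusted.contains(hop)) {
                return hop;
            }
        }
        return null;
    }

    /**
     * Reverse DNS lookup. getByName() on an IP literal does not touch DNS;
     * getHostName() performs the PTR query and returns the literal if it fails.
     * The catch only covers input that is not a valid literal.
     */
    static String reverseLookup(String ip) {
        try {
            return InetAddress.getByName(ip).getHostName();
        } catch (UnknownHostException e) {
            return ip;
        }
    }

    @Override
    public void destroy() {
    }

    /** Wrapper so getRemoteAddr()/getRemoteHost() report the derived client, not the proxy. */
    static class ClientAddressRequest extends HttpServletRequestWrapper {
        private final String addr;
        private final String host;

        ClientAddressRequest(HttpServletRequest r, String addr, String host) {
            super(r);
            this.addr = addr;
            this.host = host;
        }

        @Override
        public String getRemoteAddr() {
            return addr;
        }

        @Override
        public String getRemoteHost() {
            return host;
        }
    }
}
```

Two properties of this design matter in practice. The lookup is a blocking DNS query per request, which is why the report suggests a separate switch rather than reusing enableLookups for the proxies as well. And the returned name comes from a PTR record controlled by whoever owns the client's reverse zone, so getRemoteHost() is suitable for logging but should not be used for access decisions; the address from a trusted proxy chain is the value to authorise on.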
Comment 1 Konstantin Kolinko 2014-02-23 23:12:01 UTC
For reference - discussion thread on the users list (Feb 20)
http://tomcat.markmail.org/thread/2c4jo2ryqv74zgpp

Changing severity to 'enhancement'.
Comment 2 Mark Thomas 2014-02-24 17:42:38 UTC
I don't see any reason to differentiate between proxied and non-proxied clients.
Comment 3 Yann Nicolas 2014-02-25 01:19:21 UTC
The only reason to differentiate between proxied and non-proxied clients is if you want to do a reverse DNS lookup only for proxied clients and not for the non-proxied clients (if, for example, we know it is always the Load Balancer or the Proxy IP) for performance reasons.
Comment 4 Mark Thomas 2020-11-26 19:04:47 UTC
Fixed in:
- 10.0.x for 10.0.0-M11 onwards
- 9.0.x for 9.0.41 onwards
- 8.5.x for 8.5.61 onwards
- 7.0.x for 7.0.108 onwards