Bug 65301 - the enableLookups configuration is not fully active
Summary: the enableLookups configuration is not fully active
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 9.0.41
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2021-05-12 06:43 UTC by wangmc
Modified: 2021-05-20 14:32 UTC (History)
0 users

key line (190.76 KB, image/png)
2021-05-12 06:43 UTC, wangmc
Patch (842 bytes, patch)
2021-05-12 08:21 UTC, Remy Maucherat
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description wangmc 2021-05-12 06:43:42 UTC
Created attachment 37857 [details]
key line

when I use org.apache.catalina.valves.RemoteIpValve to get real protocol from "X-Forwarded-Proto", sometimes it take too many times to search local machine hostname.

the thread dump as follows :
"http-nio-8080-exec-1" #85 daemon prio=5 os_prio=0 tid=0x00007f0ef8fdd000 nid=0x79 runnable [0x00007f0e8d1d4000]
   java.lang.Thread.State: RUNNABLE
	at java.net.Inet4AddressImpl.getHostByAddr(Native Method)
	at java.net.InetAddress$2.getHostByAddr(InetAddress.java:932)
	at java.net.InetAddress.getHostFromNameService(InetAddress.java:617)
	at java.net.InetAddress.getHostName(InetAddress.java:559)
	at java.net.InetAddress.getHostName(InetAddress.java:531)
	at org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.populateLocalName(NioEndpoint.java:1354)
	at org.apache.tomcat.util.net.SocketWrapperBase.getLocalName(SocketWrapperBase.java:275)
	at org.apache.coyote.AbstractProcessor.action(AbstractProcessor.java:472)
	at org.apache.coyote.Request.action(Request.java:432)
	at org.apache.catalina.connector.Request.getLocalName(Request.java:1331)
	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:612)

when I see org.apache.catalina.valves.RemoteIpValve in tomcat , getLocalName methord must search ip from machine dnsserver,why this does not check whether it's(enableLookups) on or not ,like line num 663 in this class.

the methord getLoaclName alawys call dns to search local ip.
Comment 1 Remy Maucherat 2021-05-12 08:21:21 UTC
Created attachment 37858 [details]

This can be fixed easily, *but* there's a problem. Most often (= always) DNS lookup must be disabled, so then the actual local name is not available anymore. The actual local name could be used a lot more in user code than the remote host name (which if needed is probably coded with DNS resolution) and as a result it could break existing apps.
I don't understand why your local name lookup would be so slow.
Comment 2 wangmc 2021-05-12 09:54:36 UTC
on my service dns is a must. so I disabled Lookups(default is false) in "server.xml".but in my code used RemoteIpValve class, the methord getLocalName does not on the controll of the "enableLookups=false",this methord alawys do dnslockup.This is not what I expected and It's also an imperfect judgment.

so one way I must deprecated to use RemoteIpValve ,one way disable DNS at the system level and edit hosts to suport needed dns.

I expect the configuration(enableLookups) to be consistent,It's more rigorous.

Comment 3 Remy Maucherat 2021-05-12 15:31:28 UTC
As it is right now, the enableLookups flags documentation is accurate: "Set to true if you want calls to request.getRemoteHost() to perform DNS lookups in order to return the actual host name of the remote client. Set to false to skip the DNS lookup and return the IP address in String form instead (thereby improving performance). By default, DNS lookups are disabled."

As a result, I think the current behavior of the flag should not be changed. If the local name lookup is really a problem, then a new flag can be introduced.
Reading the RemoteIpValve code, saving and restoring the localName is not needed if isChangeLocalName() is false (the default value). Since this has a cost, it's an easy enhancement that I'll do.
Comment 4 wangmc 2021-05-13 02:12:29 UTC
thanks,You're right.

when the system is configured with DNS, getLocalName will attempt to search for "hostname" using the native IP. This will also use the DNS service, which will occasionally result in a slow query if the system is not configured with DNS cache.

You can get the "hostname" efficiently in the simpler way you mentioned, without the DNS query.

now I have circumvented this problem by installing the NSCD service.
Comment 5 Remy Maucherat 2021-05-20 14:32:39 UTC
Fixed RemoteIpValve to avoid using the local host name if not really needed. The change will be in 10.0.7, 9.0.47 and 8.5.67.