We have a JSF application , serving the requests via tomcat ajp protocol. The entire web site is sitting behind Cloudflare CDN. When the following code is executed
String ipaddress = httpServletRequest.getHeader(HTTP_CF_CONNECTING_IP);
The ipaddress is always null.
httpServletRequest.getRemoteAddr()
always gives the cloud flare ip address.
Have found this http://danielmiessler.com/blog/getting-real-ip-addresses-using-cloudflare-nginx-and-varnish for websites using jninix.
Do we have a similar solution for apache http server
Found solution by loading
LoadModule cloudflare_module modules/mod_cloudflare.so
This sets the remote ip instead of cloudflare's ip
Related
Currently I am hosting WAR with tomcat.
However, I find that if we host web by port 18080,
just like http://my-server-site:18080/welcome
the page can show successfully.
However, if i just type :
http://my-server-site/welcome
it said cannot find directory '/welcome'.
Anyone have idea why looks weird?
Thanks
Not weird at all...
If you do not specify a port, it will default to 80 for HTTP and 443 for HTTPS. I guess you have another web server (apache?) running on the same host that give you the error you see.
If you are expecting to see the same page on the default port, you will need to configure your web server as a proxy. ProxyPass for apache and proxy_pass for nginx.
I need some help with doing netty socket io over https. I have got it to in my local env but not on a server with secure domain. The server starts but client isn't able to connect. Tried by starting the socket server with IP as well as domain name. For the server to start with domain name as hostname value in setHostname method, I added an entry in /etc/hosts file as following
127.0.0.1 localhost example.com
Socket server started by giving example.com as hostname but client isn't able to connect using the same hostname over https as following
var socket = io.connect('https://example.com:10443')
Tried with options - { secure: true, reconnect: true, rejectUnauthorized : false } too but the same issue.
On server side my configuration is as following
Configuration configuration = new Configuration();
configuration.setHostname("example.com");
configuration.setPort(10443);
configuration.setKeyStorePassword("mypassword");
InputStream stream = getClass().getClassLoader().getResourceAsStream("keystore.jks");
configuration.setKeyStore(stream);
The jsk file was created using keytool command for the same domain (example.com)
Is there something more to be done for the port - 10443 to be used by the socket server? Or is there any other configuration to be done?
Got the solution! I had not mentioned that the domain was set up on cloudflare. Here the issue was with the port I used - 10443. It's not supported by cloudflare. Changed it to 8443 and it worked!
For those who come across this, please find here the list of supported ports that Cloudflare work with. May save much of your time unlike me.
Also, please note that I used my public IP as hostname in setHostname() method so that I don't need anything added in my hosts file. Then gave the actual domain name with https on client side to connect to the server. That's it. Thank you all!
Sandeep
I know that Kerberos does not work with IP adresses, it relies on domain names and correct DNS entries only.
But I found that old versions of overthere library allows to use IP address with Kerberos authentication.
I extracted code from overthere and created small java project that demonstrates that https://github.com/igolikov/KerberosWithIP
It uses Apache HttpClient to send WSMan request to hyper-v host.
I also found that it works with httpclient 4.3.3 and it doesn't work with httpclient 4.4.1
How it is possible that it works with IP?
UPD1. I suppose that httpclient or something in sun.security may use revers DNS lookup. I tried to intercept traffic with Wireshark, and found 1 Revers DNS lookup (in-addr.arpa), but it responded with "No such host" because default DNS server cannot do revers DNS for this IP.
UPD2. Here is server configuration
There are SPNs for host name and for IP address
SPN( 1 ) = WSMAN/10.10.64.60 1+=1
SPN( 1 ) = HOST/somehost.corp.org.com 1+=1
SPN( 1 ) = HOST/somehost 1+=1
Kerberos can work without DNS just fine, the problem DNS solves is both sides of the connection agreeing on the same service principal to use. If I use the kerberos API to fix that principal to standard one, then as long as the server side has that prinicpal in it's keytab it will continue to work.
I.E. you have to know the kerberos principal that the service you are connecting to uses before you can connnect. Most service principals are of the form
service/dns.name.of.host
But the service principal can be anything as long as the client software knows what to use "somehow".
I'm working with tomcat with a front load balancer. The load balancer take my requests in HTTPS and forward them to tomcat over HTTP. So my tomcat has no SSL configuration and it's working fine so.
My problem is that I've got a response wrapper that does encode redirect some URLs, all my URLs are relative and when I encode redirect my URLs the resulting redirect URL is in HTTP. I'd like it to be HTTPS. I believe this is because tomcat is not in HTTPS, is it possible to enforce HTTPS when doing encode redirect without configuring tomcat with a SSL connector ?
Configure Tomcat to use the RemoteIPValve. This will take the headers that AWS ELB uses to communication the original TLS connection information to the back-end server and wire it into the request object.
This will get you the proper redirect protocol plus you'll also get the original client's IP address when you ask for it, instead of the IP address of the proxy (which is pretty much useless).
I have deployed my web application on Tomcat 6.0 in machine having ip address 10.xx.xx.90. Then i am making a http request(from browser) to this app from m/c having ip address (10.xx.xx.56).
I am trying to get the IP address of client(10.xx.xx.56) in my app using the below code. But I am getting null value for request.getHeader("X-FORWARDED-FOR") where as request.getRemoteAddr() returns the ip address of the machine on which the application is deployed i.e 10.xx.xx.90.
But, if I make a http call to the application from standalone java program I am able to get the client m/c ip address. So, what is the correct way to get the client IP address. Do I need to configure something in my tomcat ??
String ipAddress = request.getHeader("X-FORWARDED-FOR");
if (ipAddress == null) {
ipAddress = request.getRemoteAddr();
}
If you are using a reverse proxy you should know it. However, the end-client could presumably be behind a regular web-proxy. Anyway, the load balancer or proxy would set "X-Forwarded-For". From the Wikipedia article,
The X-Forwarded-For (XFF) HTTP header field is a de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
Based on your comments and question there isn't a proxy or load balancer. For best practices I would recommend you check that header first. If it's null then use request.getRemoteAddr() (which you reported as working).