Mark,
On 1/27/21 14:25, Mark Thomas wrote:
> - Add peerAddress to coyote request, which contains the IP address of
> the direct connection peer. If a reverse proxy sits in front of
> Tomcat and the protocol used is AJP or HTTP in combination with the
> RemoteIp(Valve|Filter), the peer address might differ from the
> remoteAddress. The latter then contains the address of the client in
> front of the reverse proxy, not the address of the proxy itself.
I had to read this 3 times to make sense of it. And it does make sense.
We might want to simplify this language for a wider announcement. How
about this:
- Add a peerAddress to coyote request, which contains the IP address of
the direct connection peer. This allows other components in Tomcat
to make decisions based upon the direct peer's IP address instead of
the client's IP address. This is especially useful when locking-down
Tomcat to allow any client, but only if they are connecting through
a trusted reverse-proxy.
Another comment:
There is some overlap here with RemoteIPValve/Filter, which already
understands how to interpret X-Forwarded-* HTTP headers to trust
a reverse-proxy. But you can't use RemoteIPValve/Filter to e.g. force
all users through the proxy with this feature.
-chris
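As an added illustration of the "force all users through the proxy" use case discussed in this thread (example code, not Tomcat's own): a Valve that rejects any request whose direct connection peer is not a trusted reverse proxy, while leaving getRemoteAddr() (the client address after RemoteIpValve has processed X-Forwarded-For) untouched for logging and authorization. It assumes the new peer address is exposed on org.apache.catalina.connector.Request as getPeerAddr(), a javax.servlet API (Tomcat 9 line), and that the Valve is placed after RemoteIpValve in the pipeline; the proxy addresses are constructed sample values.

```java
// Hypothetical package name for this added example.
package example.valves;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Rejects requests unless the direct TCP peer is a trusted reverse proxy.
 * Configure in server.xml, after RemoteIpValve, e.g.:
 *   <Valve className="example.valves.TrustedPeerValve"
 *          trustedPeers="10.0.0.5,10.0.0.6" />
 */
public class TrustedPeerValve extends ValveBase {

    // Constructed sample defaults: the reverse proxies allowed to reach Tomcat.
    private Set<String> trustedPeers =
            new HashSet<>(Arrays.asList("10.0.0.5", "10.0.0.6"));

    /** Comma-separated list of proxy IP addresses (set from server.xml). */
    public void setTrustedPeers(String list) {
        Set<String> peers = new HashSet<>();
        for (String p : list.split(",")) {
            if (!p.trim().isEmpty()) {
                peers.add(p.trim());
            }
        }
        this.trustedPeers = peers;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Assumed accessor for the peerAddress added to the coyote request.
        String peer = request.getPeerAddr();
        if (peer == null || !trustedPeers.contains(peer)) {
            // Direct connection did not come from a trusted proxy: refuse it,
            // regardless of what the X-Forwarded-* headers claim.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // request.getRemoteAddr() still yields the real client (via RemoteIpValve).
        getNext().invoke(request, response);
    }
}
```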
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org