Tomcat
X-Forwarded-For
catalina.valves.RemoteIpValve
internalProxies
RemoteIpValve

How to fix when Tomcat does not log real client IP address but proxy IP address [ internalProxies, RemoteIpValve ]

Symptom

Tomcat 8.5/7.0 runs behind Nginx, and Tomcat was moved onto a separate server from Nginx. Since then Tomcat logs the proxy server's IP address instead of the real client IP address.

/etc/nginx/conf.d/default.conf
...
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_hide_header X-Powered-By;
    proxy_ignore_headers Expires;
...
/etc/tomcat/server.xml
...
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
             remoteIpHeader="x-forwarded-for"
             proxiesHeader="x-forwarded-by"
             protocolHeader="x-forwarded-proto" />
...

How to fix

  • Add the internalProxies attribute to the RemoteIpValve in server.xml, with a regular expression that matches the IP address range of your proxy servers
/etc/tomcat/server.xml
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
             remoteIpHeader="x-forwarded-for"
             proxiesHeader="x-forwarded-by"
             protocolHeader="x-forwarded-proto" />
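To see why the internalProxies value decides what ends up in the access log, here is a small Python model of the RemoteIpValve decision rule quoted in the references below: the valve only acts when the peer address itself matches internalProxies, then walks the x-forwarded-for list from right to left, dropping internal proxies, recording trustedProxies in the proxiesHeader, and taking the first other address as the client. This is an added example, not code from the page or from Tomcat; the addresses 203.0.113.10 (Nginx), 198.51.100.7 (client) and 192.0.2.99 (a value already present in the header when the request reached Nginx) are constructed documentation addresses, and NGINX_ONLY is an assumed value for the narrow pattern you would use instead of the catch-all one. It runs the default pattern (the symptom: the proxy address is logged), the page's catch-all pattern, and a pattern restricted to the Nginx host, so the difference between "any address is an internal proxy" and "only Nginx is an internal proxy" is visible in the returned client address.

```python
import re

# Tomcat 8.5's default internalProxies pattern, as quoted from the valve
# documentation (whitespace removed so it is one alternation).
DEFAULT_INTERNAL_PROXIES = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|"
    r"172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}"
)
# The catch-all pattern used in the fix above: every IPv4 address is "internal".
ANY_IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
# Assumed narrow pattern: only the (constructed) Nginx address 203.0.113.10.
NGINX_ONLY = r"203\.0\.113\.10"


def resolve_remote_addr(remote_addr, x_forwarded_for, internal_proxies,
                        trusted_proxies=None):
    """Model of how RemoteIpValve derives the client address.

    remote_addr      : TCP peer address Tomcat sees (Nginx, when behind a proxy)
    x_forwarded_for  : remoteIpHeader value, or None when the header is absent
    internal_proxies : internalProxies regex (java.util.regex syntax; these
                       simple patterns behave identically under Python's re)
    trusted_proxies  : optional trustedProxies regex

    Returns (client_ip, remaining_xff, proxies_header), mirroring what the valve
    leaves in getRemoteAddr(), the remoteIpHeader and the proxiesHeader.
    """
    internal = re.compile(internal_proxies)
    trusted = re.compile(trusted_proxies) if trusted_proxies else None

    # The valve does nothing unless the peer itself is an internal proxy;
    # that is the symptom on this page (Nginx on another host, outside the
    # default private ranges, so the proxy address is logged unchanged).
    if not internal.fullmatch(remote_addr):
        return remote_addr, x_forwarded_for, None

    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    client_ip = None
    proxies = []
    idx = len(hops) - 1
    # Right-to-left: nearest hop first. Internal proxies are dropped, trusted
    # proxies are kept for proxiesHeader, the first other address is the client.
    while idx >= 0:
        hop = hops[idx]
        client_ip = hop
        if internal.fullmatch(hop):
            pass
        elif trusted and trusted.fullmatch(hop):
            proxies.insert(0, hop)
        else:
            idx -= 1
            break
        idx -= 1
    # Anything left of the client stays in the remoteIpHeader.
    remaining = hops[:idx + 1]
    if client_ip is None:
        client_ip = remote_addr
    return client_ip, (", ".join(remaining) or None), (", ".join(proxies) or None)


if __name__ == "__main__":
    # Constructed requests as Tomcat would see them after Nginx's
    # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for.
    cases = [
        ("default pattern, plain request", DEFAULT_INTERNAL_PROXIES, "198.51.100.7"),
        ("catch-all pattern, plain request", ANY_IPV4, "198.51.100.7"),
        ("catch-all pattern, header pre-populated", ANY_IPV4, "192.0.2.99, 198.51.100.7"),
        ("nginx-only pattern, header pre-populated", NGINX_ONLY, "192.0.2.99, 198.51.100.7"),
    ]
    for label, pattern, xff in cases:
        client, rest, _ = resolve_remote_addr("203.0.113.10", xff, pattern)
        print(f"{label:42s} -> client {client:14s} remaining {rest}")
```

With the catch-all pattern every address in the header is "internal", so the valve never stops and the leftmost entry wins, whatever put it there; with the pattern restricted to the Nginx host the valve stops at the first address Nginx appended, which is the peer that actually connected to Nginx. That is the practical meaning of "appropriate IP address range" in the fix: match the proxies you run, not every address.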

References

https://nulab-inc.com/ja/blog/cacoo/cacoo-login/

There was an internalProxies property that I had not configured, described as follows:
A regular expression that matches the IP addresses of internal proxies. If they appear in the remoteIpHeader value, they are trusted and do not appear in the proxiesHeader value.
Put the other way round, if the proxy's IP address does not match, it is not trusted and the request is passed to Tomcat as http.

https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html

  • internalProxies
    • Regular expression that matches the IP addresses of internal proxies. If they appear in the remoteIpHeader value, they will be trusted and will not appear in the proxiesHeader value.
    • Default:
      • Regular expression (in the syntax supported by java.util.regex)
      • 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
      • By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are allowed.