Originally, request.getRemoteAddr() returned the real client IP address. After switching to the mod_proxy approach, request.getRemoteAddr() returns the IP address of the Apache server that initiates the request to the backend. In most cases, that is the local machine.
So we should modify it:
public static String getClientIp(HttpServletRequest request) {
    String ip = request.getHeader("X-Forwarded-For");
    if (ip != null && !"unknown".equalsIgnoreCase(ip)) {
        String[] ipList = ip.split(",");
        for (String ipItem : ipList) {
            ipItem = ipItem.trim(); // entries are separated by ", "
            // IP min length 7: 0.0.0.0
            if (ipItem.length() >= 7 && !"unknown".equalsIgnoreCase(ipItem)) {
                return ipItem;
            }
        }
    }
    return null; // The configuration must be incorrect.
}
As for the Proxy-Client-IP header circulating on the internet and the WebLogic custom header WL-Proxy-Client-IP, which cannot be used for eight years and are floating around everywhere: they are half unreliable, because the requester can put any value in a header field.
However, only this XFF is the IP address obtained by Apache and then forwarded to the backend. The forwarding between these two ends is authentic and credible to us. If you have enabled mod_proxy, the XFF obtained in the Web container must be the IP address seen by Apache (the client connected to Apache, which may itself be a proxy, but this is consistent with what getRemoteAddr() usually means). For an Apache reverse proxy, it will not be unknown. The unknown check above is there for compatibility with the squid forwarded_for off scenario. If XFF cannot be obtained, there is no need to fall back to getRemoteAddr(); return null or return "127.0.0.1".
Please note that, according to the IETF XFF specification, the original XFF should be retained, and the proxy appends the IP address it obtained to the end. If we take the first non-unknown entry of XFF, it may be a value submitted by the client, and so spoofed by the client. The original value should therefore be unset in Apache:
RequestHeader unset X-Forwarded-For
In this way, Apache clears the original X-Forwarded-For and forwards the current client value to the backend as X-Forwarded-For.
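The spoofing risk described above, as an added example that is not code from the original article: it compares taking the first XFF entry with taking the last one, which is the entry the proxy appended. The class name, method names and header values are constructed, and only IPv4 entries are considered, matching the 0.0.0.0 length check in the snippet above.

```java
import java.util.regex.Pattern;

public class XffDemo {
    private static final String OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
    private static final Pattern IPV4 =
        Pattern.compile(OCTET + "(\\." + OCTET + "){3}");

    // Strict dotted-quad check, so "unknown" and hostnames are rejected.
    static boolean isIpv4(String s) {
        return IPV4.matcher(s).matches();
    }

    // First usable entry: safe only if the proxy dropped the client's own header.
    static String firstEntry(String xff) {
        if (xff == null) return null;
        for (String item : xff.split(",", -1)) {
            String ip = item.trim();
            if (isIpv4(ip)) return ip;
        }
        return null;
    }

    // Last entry: the address the proxy in front of us appended.
    static String lastEntry(String xff) {
        if (xff == null) return null;
        String[] items = xff.split(",", -1); // -1 keeps trailing empty entries
        String ip = items[items.length - 1].trim();
        return isIpv4(ip) ? ip : null;
    }

    static void show(String label, String xff) {
        System.out.println(label + ": \"" + xff + "\" first=" + firstEntry(xff)
            + " last=" + lastEntry(xff));
    }

    public static void main(String[] args) {
        // Constructed case: the client at 203.0.113.7 sent its own
        // "X-Forwarded-For: 10.0.0.1" and the proxy appended the real peer.
        show("header kept ", "10.0.0.1, 203.0.113.7");
        // Same request after "RequestHeader unset X-Forwarded-For" on the proxy.
        show("header unset", "203.0.113.7");
        // Squid with forwarded_for off sends the literal "unknown".
        show("squid off   ", "unknown");
    }
}
```

With the client-supplied header kept, the two methods disagree and only the last entry is the address the proxy saw; once the header is unset on the proxy, both return the same value.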