Apache / X-Forwarded-For / ColdFusion
Author:
Matthew Gersting
08/01/2012 05:12 PM

Hey, all. Thanks in advance for the info on this. I realize it's not a straight-up CF question, but my search for answers has come up empty thus far. Hoping someone here will have the last piece of the puzzle.

We're running our CF servers (using JRun and Apache) behind a load balancer, and as such the IP address that comes through the apps in CGI.REMOTE_ADDR is always the IP of the load balancer. Now, I'm familiar that the standard procedure for this seems to be having the proxy (or, in this case load balancer) add a header - X-FORWARDED-FOR. We've accomplished that.

The question then is how to reliably use this value in both the scenario when it's defined (coming from the LB) and when it's not (when, say, I'm hitting a box directly via IP). In other threads on CF-Talk I've seen this come up and one solution was the same I came up with (basically an if IsDefined etc). That's all well and good, but my question is this:

Is there a configuration change I can either make to Apache or to JRun that will automatically treat the X-FORWARDED-FOR header as REMOTE_ADDR such that no change to my application'(s) code needs to be made?

This would be ideal as we have a number of applications/sites running that were programmed before moving to a load balanced setup, and it would be lovely to let the code be.

Thanks again.

Author:
Kris Jones
08/01/2012 05:51 PM

You can reference that as cgi.http_x_forwarded_for -- and it will come back blank if not there, and with a list of IPs otherwise.

So I suppose you could do something in your onrequest that if it exists replaces cgi.remote_addr -- but that's not going to help you if it returns multiple IPs. (We usually see 2 IPs in the list).

Also note: the IPs returned could well be another proxy. It is still not a definitive end-point resolver.

Cheers,
Kris

Author:
Byron Mann
08/01/2012 07:40 PM

Load balancers are going to probably act a bit different from one to another as well. For instance, we use a CoyotePoint with SSL off-loading. Http requests wind up not even having an X-Forwarded-For value, so the code below only works for us for SSL requests. For http requests, the cgi.remote_addr variable still winds up being the load-balancer IP.

So we wound up just doing a replace/find to use this function instead of the cgi.remote_addr everywhere.

    public string function REMOTE_ADDR() output='false'
    {
      var httpRequest = GetHttpRequestData();

      // Use the first entry of X-Forwarded-For when the header is present.
      if(structKeyExists(httpRequest, "headers")
        && structKeyExists(httpRequest.headers, "X-Forwarded-For"))
      {
        return getToken(httpRequest.headers['X-Forwarded-For'],1,',');
      }

      // No header: fall back to the address of the connecting peer.
      return cgi.remote_addr;
    }
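Added example (not part of the post above or of anyone's code in this thread): a variant of the replacement function that honours X-Forwarded-For only when the connecting peer is the load balancer and, when the header carries the list of IPs mentioned earlier in the thread, returns the right-most address that is not one of your own proxies. The `resolveClientIp` name and the 10.0.0.5 load-balancer address are assumptions made for illustration, and ColdFusion 9 or later script syntax is assumed.

```cfscript
// Added example; resolveClientIp and 10.0.0.5 are illustrative assumptions.
//   peerAddr       cgi.remote_addr, the actual TCP peer
//   forwardedFor   X-Forwarded-For value, "" when the header is absent
//   trustedProxies addresses of your own load balancers / proxies
public string function resolveClientIp(
    required string peerAddr,
    required string forwardedFor,
    required array trustedProxies)
{
    // Request did not arrive through the load balancer (direct hit on the
    // box): the header was not written by equipment we control, so ignore
    // it and report the peer.
    if (arrayFind(arguments.trustedProxies, arguments.peerAddr) == 0) {
        return arguments.peerAddr;
    }
    var hops = listToArray(arguments.forwardedFor, ",");
    // Each proxy appends the address it received the request from, so the
    // right-hand entries are the ones our own equipment added. Walk from the
    // right and return the first hop that is not one of our proxies.
    for (var i = arrayLen(hops); i >= 1; i--) {
        var hop = trim(hops[i]);
        if (len(hop) && arrayFind(arguments.trustedProxies, hop) == 0) {
            return hop;
        }
    }
    // Header missing, empty, or listing only our own proxies.
    return arguments.peerAddr;
}

// Drop-in replacement with the same name as the function in the post above.
public string function REMOTE_ADDR() output="false"
{
    var trusted = ["10.0.0.5"];  // constructed load-balancer address
    var headers = getHttpRequestData().headers;
    var xff = "";
    if (structKeyExists(headers, "X-Forwarded-For")) {
        xff = headers["X-Forwarded-For"];
    }
    return resolveClientIp(cgi.remote_addr, xff, trusted);
}
```

The trusted list is matched as exact strings; a setup whose proxies span an address range would need a range check in place of `arrayFind`.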

Author:
Matthew Gersting
08/02/2012 11:32 AM

>So we wound up just doing a replace/find to use this function instead
>of the cgi.remote_addr everywhere.

Byron, this is basically the same code I've written. However, in other forums I've seen discussion of the X-FORWARDED-FOR header being seamlessly translated into REMOTE_ADDR by Tomcat.

The code solution you're suggesting works, and if it's the way to go I'll accept that, but it means we'll have to add this to every application behind the firewall, leading to much testing and deployments, etc. I was hoping someone might know of an Apache configuration or an Apache plugin that would enable this translation on the fly.

Author:
Matthew Gersting
08/02/2012 11:28 AM

>You can reference that as cgi.http_x_forwarded_for -- and it will come back
>blank if not there, and with a list of IPs otherwise.

Yes, any CGI variable will also return blank when directly referenced and not available.

>So I suppose you could do something in your onrequest that if it exists
>replaces cgi.remote_addr

Actually, you can't. ColdFusion will throw an error if you try to set CGI.REMOTE_ADDR. Unless there's a Java layer work-around I'm not familiar with.

>Also note: the IPs returned could well be another proxy. It is still not a
>definitive end-point resolver.

Fair enough, but it's still vastly more useful than having every request (we deal with ~100k a day) appear to come from the same IP that you know isn't at all accurate.

Author:
Matthew Gersting
08/02/2012 11:55 AM

An update: It appears this is now possible with Apache by using mod_remoteip (link below). Unfortunately for me, at this time, it's only available for version 2.4 (the most recent) which is not yet available for Windows. But, Linux guys, it looks like you're in luck.

http://httpd.apache.org/docs/current/mod/mod_remoteip.html

Author:
Russ Michaels
08/02/2012 12:23 PM

In IIS you can create custom headers and I think populate them with the value of other headers, so if you're on IIS you could try this.

--
Russ Michaels
www.bluethunderinternet.com : Business hosting services & solutions
www.cfmldeveloper.com : ColdFusion developer community
www.michaels.me.uk : my blog
www.cfsearch.com : ColdFusion search engine
skype me : russmichaels