Frontend server or load balancer IP is displayed in the HTML source code of Liferay pages

Issue

  • We have detected that if you use the "view page source" option to open the HTML source code of any Liferay page and search for the getRemoteAddr text, you will see the internal frontend server (Apache, Nginx) or load balancer IP in the JavaScript code.
  • How can I remove this IP information from the source code?
  • We have also detected that if you run Liferay.ThemeDisplay.getRemoteHost() or Liferay.ThemeDisplay.getRemoteAddr() in the browser console, the internal IP address is also exposed.

Environment

  • DXP 7.4
  • Quarterly Releases

Resolution

Root cause of the issue:

  • The getRemoteAddr JavaScript code that contains the internal information was added in LPS-160188 so that JavaScript code can read the IP address from which the user accesses the server (see commit afaf024959c42bf67f16408bc632259f9b60354a).

  • This fragment simply writes into the JavaScript code the result of invoking httpServletRequest.getRemoteAddr() in the backend, so the root cause of the issue is that the application server receives the load balancer's IP as if it were the true client IP.

Solution:

The frontend server or load balancer usually stores the original client IP in the X-Forwarded-For header of the request.

You can configure your application server or web application to read the client IP from this header instead, so that HttpServletRequest.getRemoteAddr() returns the correct information.

You have two options:

Option 1: Add the Tomcat Remote IP Valve to the application server configuration

  • Edit the [LIFERAY_HOME]/tomcat-9.x.x/conf/server.xml file
  • Add the Tomcat Remote IP Valve inside the "Host" section:
    • <Valve className="org.apache.catalina.valves.RemoteIpValve" 
      internalProxies="x.x.x.x"
      remoteIpHeader="X-Forwarded-For"
      proxiesHeader="X-Forwarded-By"
      protocolHeader="X-Forwarded-Proto" />

Option 2: Add the Tomcat IP Filter to the Liferay web application. This is similar to the previous option, but the configuration applies only to the Liferay web application:

  • Edit the [LIFERAY_HOME]/tomcat-9.x.x/webapps/ROOT/WEB-INF/web.xml file
  • Add the Tomcat IP Filter:
    •      <filter>
             <filter-name>RemoteIpFilter</filter-name>
             <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
             <init-param>
               <param-name>internalProxies</param-name>
               <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
             </init-param>
             <init-param>
               <param-name>remoteIpHeader</param-name>
               <param-value>X-Forwarded-For</param-value>
             </init-param>
             <init-param>
               <!-- RemoteIpFilter reads this setting under the name proxiesHeader, as the Valve in Option 1 does -->
               <param-name>proxiesHeader</param-name>
               <param-value>X-Forwarded-By</param-value>
             </init-param>
             <init-param>
               <param-name>protocolHeader</param-name>
               <param-value>X-Forwarded-Proto</param-value>
             </init-param>
           </filter>
           <filter-mapping>
              <filter-name>RemoteIpFilter</filter-name>
              <url-pattern>/*</url-pattern>
              <dispatcher>REQUEST</dispatcher>
           </filter-mapping>
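
How the internalProxies and remoteIpHeader settings in both options decide which address getRemoteAddr() ends up returning, as an added Python example (not Liferay or Tomcat code). It models the right-to-left X-Forwarded-For resolution for internalProxies only (trustedProxies is not modelled); the function name and the sample addresses are constructed for illustration.

```python
import re

# internalProxies value from Option 2 on this page (a regular expression).
PROXIES = r"192\.168\.0\.10|192\.168\.0\.11"

# Constructed sample requests: (TCP peer address, X-Forwarded-For header).
SAMPLES = [
    ("192.168.0.10", "203.0.113.7"),                # one listed proxy in front
    ("192.168.0.11", "203.0.113.7, 192.168.0.10"),  # two chained listed proxies
    ("192.168.0.12", "203.0.113.7"),                # proxy missing from the list
    ("198.51.100.9", "10.0.0.1"),                   # direct client sending the header
    ("192.168.0.10", "10.9.9.9, 203.0.113.7"),      # client-supplied left entry
    ("192.168.0.10", None),                         # no header at all
]


def resolve_remote_addr(peer_addr, x_forwarded_for, internal_proxies):
    """Return the address a RemoteIpValve-style rule reports as the remote address.

    peer_addr        -- address of the TCP peer (the unconfigured getRemoteAddr())
    x_forwarded_for  -- raw X-Forwarded-For header value, or None
    internal_proxies -- regular expression in the internalProxies syntax
    """
    trusted = re.compile(internal_proxies)
    # The header is honoured only when the direct peer is a listed proxy;
    # otherwise any client could choose its own address by sending the header.
    if not x_forwarded_for or not trusted.fullmatch(peer_addr):
        return peer_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk from the hop nearest the server towards the client and stop at
    # the first address that is not one of the listed proxies.
    for hop in reversed(hops):
        if not trusted.fullmatch(hop):
            return hop
    # Every hop was a listed proxy: nothing better than the peer address.
    return peer_addr


if __name__ == "__main__":
    for peer, header in SAMPLES:
        print(f"{peer:<13} {header!s:<28} -> "
              f"{resolve_remote_addr(peer, header, PROXIES)}")
```

The third sample is the symptom this article describes: a proxy that is not matched by internalProxies keeps appearing as the remote address, so every frontend server and load balancer in the path has to be covered by the expression.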