Issue
- The loginIp column in the User_ table is always the same local IP address of the load balancers instead of the correct user's IP address.
- The log files of Tomcat and Liferay are also storing the wrong IP address from the load balancer.
Environment
- Any Liferay installation running behind a frontend server or load balancer
Resolution
The root cause of this problem is that Liferay and Tomcat use HttpServletRequest.getRemoteAddr() to get the user's IP, but this method returns the IP address of the client or last proxy that sent the request, so the real IP is replaced by that of the frontend server or load balancer.
The frontend server or load balancer usually stores the original client IP in an X-Forwarded-For header of the request.
You can configure your application server or web application to use this header to get the client IP instead, so that HttpServletRequest.getRemoteAddr() returns the correct information.
You have two options:
Option 1: Add Tomcat Remote IP Valve to the application server configuration
- Edit the [LIFERAY_HOME]/tomcat-9.x.x/conf/server.xml file
- Add the Tomcat Remote IP Valve inside the "Host" section:
<Valve className="org.apache.catalina.valves.RemoteIpValve"
internalProxies="x.x.x.x"
remoteIpHeader="X-Forwarded-For"
proxiesHeader="X-Forwarded-By"
protocolHeader="X-Forwarded-Proto" />
Option 2: Add Tomcat IP Filter to the Liferay web application. This is similar to the previous option, but the configuration is only applied to the Liferay web application:
- Edit the [LIFERAY_HOME]/tomcat-9.x.x/webapps/ROOT/WEB-INF/web.xml file
- Add the Tomcat IP Filter:
<filter>
  <filter-name>RemoteIpFilter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
  <init-param>
    <!-- Regular expression; list only the addresses of your own load balancers -->
    <param-name>internalProxies</param-name>
    <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
  </init-param>
  <init-param>
    <param-name>remoteIpHeader</param-name>
    <param-value>X-Forwarded-For</param-value>
  </init-param>
  <init-param>
    <param-name>proxiesHeader</param-name>
    <param-value>X-Forwarded-By</param-value>
  </init-param>
  <init-param>
    <param-name>protocolHeader</param-name>
    <param-value>X-Forwarded-Proto</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>RemoteIpFilter</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
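Both options believe X-Forwarded-For only when the request arrives from an address matching internalProxies. The Python sketch below is an added example, not Tomcat or Liferay code: it models that resolution in simplified form (no header rewriting, no protocolHeader handling), and the function name and all sample addresses are constructed for illustration.

```python
import re

def resolve_remote_addr(peer_addr, xff_header, internal_proxies, trusted_proxies=None):
    """Simplified model: the address getRemoteAddr() would report afterwards."""
    internal = re.compile(internal_proxies)
    trusted = re.compile(trusted_proxies) if trusted_proxies else None

    def is_proxy(ip):
        # The whole address must match the pattern, hence fullmatch.
        if internal.fullmatch(ip):
            return True
        return trusted is not None and trusted.fullmatch(ip) is not None

    # The header is honoured only when the TCP peer is a known proxy.
    # A client that reaches Tomcat directly cannot set its own address.
    if not is_proxy(peer_addr):
        return peer_addr

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk right to left: each proxy appends the address it saw, so the
    # rightmost entries are the ones written by infrastructure you control.
    for ip in reversed(hops):
        if not is_proxy(ip):
            return ip  # first hop that is not a known proxy = the client
    return peer_addr  # header empty or only proxies: leave address unchanged


# Constructed sample data: pattern as in Option 2, documentation-range clients.
LB = r"192\.168\.0\.10|192\.168\.0\.11"
CASES = [
    ("192.168.0.10", "203.0.113.7"),                 # normal request via LB
    ("192.168.0.10", "198.51.100.99, 203.0.113.7"),  # client forged a leading entry
    ("192.168.0.11", "203.0.113.7, 192.168.0.10"),   # two load balancers chained
    ("198.51.100.20", "198.51.100.99"),              # direct hit, bypassing the LB
    ("192.168.0.10", None),                          # LB health check, no header
]

if __name__ == "__main__":
    for peer, xff in CASES:
        print(f"peer={peer:<14} XFF={xff!s:<28} -> {resolve_remote_addr(peer, xff, LB)}")
```

A pattern broader than your actual proxy addresses widens the set of peers whose X-Forwarded-For is believed, so keep internalProxies limited to the load balancer IPs, as in the configuration above.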
Additional Information
- Apache Tomcat Remote IP Valve: https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html (external documentation)
- Apache Tomcat IP Filter: https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Remote_IP_Filter (external documentation)