User's IP address is always registered as IP address of web server

Issue

After configuring Liferay behind a frontend server (Apache or Nginx) and load balancers, when a user logs in, the value of the loginIp column in the User_ table is always the local IP address of one of the load balancers instead of the user's real IP address.

The log files of Tomcat and Liferay are also storing the wrong IP address from the load balancer.

Environment

  • Any Liferay installation configured behind a frontend server or load balancer

Resolution

The root cause of this problem is that Liferay and Tomcat use HttpServletRequest.getRemoteAddr() to get the user's IP. This method returns the IP address of the client or of the last proxy that sent the request, so the real IP is replaced by that of the frontend server or load balancer.

The frontend server or load balancer usually stores the original client IP in an X-Forwarded-For header of the request.

You can configure your application server or web application to use this header to obtain the client IP instead, so that HttpServletRequest.getRemoteAddr() returns the correct information.

You have two options:

Option 1: Add the Tomcat Remote IP Valve to the application server configuration

  • Edit the [LIFERAY_HOME]/tomcat-9.x.x/conf/server.xml file
  • Add the Tomcat Remote IP Valve inside the "Host" section:
    • <Valve className="org.apache.catalina.valves.RemoteIpValve" 
      internalProxies="x.x.x.x"
      remoteIpHeader="X-Forwarded-For"
      proxiesHeader="X-Forwarded-By"
      protocolHeader="X-Forwarded-Proto" />

Option 2: Add Tomcat IP Filter to the Liferay web application. This is similar to the previous option, but the configuration is only applied to the Liferay web application:

    • Edit the [LIFERAY_HOME]/tomcat-9.x.x/webapps/ROOT/WEB-INF/web.xml file
    • Add the Tomcat IP Filter:
      •      <filter>
               <filter-name>RemoteIpFilter</filter-name>
               <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
               <init-param>
                 <param-name>internalProxies</param-name>
                 <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
               </init-param>
               <init-param>
                 <param-name>remoteIpHeader</param-name>
                 <param-value>X-Forwarded-For</param-value>
               </init-param>
               <init-param>
                 <param-name>proxiesHeader</param-name>
                 <param-value>X-Forwarded-By</param-value>
               </init-param>
               <init-param>
                 <param-name>protocolHeader</param-name>
                 <param-value>X-Forwarded-Proto</param-value>
               </init-param>
             </filter>
             <filter-mapping>
                <filter-name>RemoteIpFilter</filter-name>
                <url-pattern>/*</url-pattern>
                <dispatcher>REQUEST</dispatcher>
             </filter-mapping>
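
How internalProxies decides which X-Forwarded-For entry becomes the remote address, as a simplified Python model added here (not Tomcat or Liferay code). It covers only the internalProxies and remoteIpHeader settings; the function name and the sample addresses are constructed for illustration.

```python
import re

# internalProxies value from the Option 2 example on this page (a regex).
INTERNAL_PROXIES = r"192\.168\.0\.10|192\.168\.0\.11"


def resolve_remote_ip(peer_addr, forwarded_for, internal_proxies=INTERNAL_PROXIES):
    """Model of the address getRemoteAddr() reports once the valve/filter ran.

    peer_addr     -- address of the TCP peer (the last hop before Tomcat)
    forwarded_for -- raw X-Forwarded-For header value, or None
    """
    internal = re.compile(internal_proxies)

    # The header is honoured only when the direct peer is a listed proxy.
    # A request that reaches Tomcat from anywhere else keeps its peer address.
    if not internal.fullmatch(peer_addr):
        return peer_addr

    hops = [h.strip() for h in (forwarded_for or "").split(",") if h.strip()]

    # Walk right to left: every proxy appends the address it received the
    # request from, so the rightmost entries come from our own infrastructure.
    for hop in reversed(hops):
        if internal.fullmatch(hop):
            continue      # one of our own proxies, keep walking left
        return hop        # first hop that is not a listed proxy: the client
    return peer_addr      # header empty or only proxies: nothing to restore


# Constructed sample requests: (TCP peer, X-Forwarded-For, what it shows)
SAMPLES = [
    ("192.168.0.10", "203.0.113.7", "one proxy in front"),
    ("192.168.0.11", "203.0.113.7, 192.168.0.10", "two chained proxies"),
    ("192.168.0.10", "10.9.9.9, 203.0.113.7", "entry sent by the client is ignored"),
    ("198.51.100.20", "10.9.9.9", "peer is not a listed proxy, header ignored"),
    ("192.168.0.10", None, "no header, load balancer address remains"),
]

if __name__ == "__main__":
    for peer, xff, note in SAMPLES:
        print(f"{resolve_remote_ip(peer, xff):<15} peer={peer:<14} XFF={xff!r} ({note})")
```

If internalProxies matches more than your own proxies (for example `.*`), every hop is skipped and the load balancer address is logged again, so list only the addresses that actually forward traffic to Tomcat.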
