This is a follow-up to my earlier question on capturing the X-Forwarded-For IP address across multiple proxies. Now, I'm looking to capture the client's IP in the application's (Shibboleth's IdP) logs.
The flow is:
Client > Load Balancer > Apache httpd server > Tomcat server (running Shibboleth's IdP)
The variable with the client's IP at the Load Balancer is ClientIP, which I can capture in the web server's logs using LogFormat "%{ClientIP}i ... " and similarly in Tomcat's access logs using these in server.xml:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="ClientIP"
       protocolHeaderHttpsValue="https" />
<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs"
       prefix="localhost_access_log."
       suffix=".txt"
       pattern="%{ClientIP}i %h %l %u %t %r %>s %b %{Referer}i %{User-Agent}i"
       resolveHosts="false" />
Now, I'm looking to capture this IP in Shibboleth's IdP audit logs. This discussion talks about using mod_rpaf
for Apache but doesn't get into the details. I'm hoping to do without installing additional modules.
Looks like I'm missing a couple of (small?) pieces here. Any ideas? Many thanks!
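The RemoteIpValve in the question decides which address the application (and its audit log) gets to see, and it only honours the forwarded header when the direct peer is one of your own proxies. Below is an added Python model of that resolution rule, written for this page and not Tomcat's or Shibboleth's code; the 10.0.0.0/8 internal range and every address in it are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Sequence

# Constructed topology: Client > Load Balancer (10.0.0.10) > Apache httpd (10.0.0.20) > Tomcat.
INTERNAL_PROXIES = ["10.0.0.0/8", "127.0.0.1/32"]  # assumption: where the LB and httpd live
TRUSTED_PROXIES: List[str] = []                    # assumption: no external proxies we trust


def _matches(addr: str, networks: Sequence[str]) -> bool:
    """True if addr lies in any CIDR range; non-IP text (a spoofed junk entry) never matches."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(n) for n in networks)


@dataclass
class Resolved:
    remote_addr: str                                           # address the app should log
    forwarded_by: List[str] = field(default_factory=list)      # trusted proxies traversed
    forwarded_for: List[str] = field(default_factory=list)     # leftover, unverified entries


def resolve_client_ip(remote_addr: str, xff_header: str,
                      internal: Sequence[str] = INTERNAL_PROXIES,
                      trusted: Sequence[str] = TRUSTED_PROXIES) -> Resolved:
    """RemoteIpValve-style walk: ignore the header unless the direct peer is an internal proxy,
    then scan right-to-left, skipping internal proxies and recording trusted ones; the first
    address that is neither is the client, and anything left of it is client-supplied."""
    if not _matches(remote_addr, internal):
        # Peer is not one of our proxies, so the header is whatever the peer chose to send.
        return Resolved(remote_addr=remote_addr)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    by: List[str] = []
    client = remote_addr
    while hops:
        hop = hops.pop()  # rightmost entry was appended by the proxy closest to us
        if _matches(hop, internal):
            continue
        if _matches(hop, trusted):
            by.insert(0, hop)
            continue
        client = hop
        break
    return Resolved(remote_addr=client, forwarded_by=by, forwarded_for=hops)
```

Logging the raw %{X-Forwarded-For}i value instead shows the leftmost entry, which is whatever the client put there; the resolved remote_addr is what belongs in an audit trail.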
After digging through Logback's documentation on logging client IPs and the corresponding code for the MDCInsertingServletFilter servlet, it turns out you must use the X-Forwarded-For header. We replaced ClientIP with X-Forwarded-For in the load balancer, updated httpd.conf's LogFormat to log X-Forwarded-For, then updated Shibboleth's logging.xml file as follows for the audit logs:

We made similar changes to the idp-process as well, and did not have to update Tomcat's logging. Hope this helps others.
Edit 1: Tomcat Logging

Turns out, after a while, the X-Forwarded-For IP address stopped appearing in Shib's IdP logs. We ended up adding the RemoteIpValve in Tomcat and restarting. Looks like it is needed after all: