Passing client ip to tomcat - Cloudflare tunnel
amaurib opened this issue · comments
Hi,
More than reporting a bug, what I would like to ask is how do I pass the client public IP address to the Tomcat server when using Cloudflare tunnel as a reverse proxy. I have added the variable `REMOTE_IP_VALVE_ENABLED: "true"` to my compose file, but that didn't do anything... Guacamole keeps logging the cloudflared tunnel container IP...
```yaml
version: "3"
services:
  guacamole:
    image: abesnier/guacamole
    container_name: guacamole
    volumes:
      - postgres:/config
      - /home/guacamole/branding.jar:/config/guacamole/extensions/guacamole-branding-1.5.2.jar
    ports:
      - 8082:8080
    environment:
      # Quoted so YAML passes them to the container as strings
      # (unquoted, "N" and "true" are parsed as booleans by YAML 1.1 loaders).
      USE_DEFAULT_BRANDING: "N"
      REMOTE_IP_VALVE_ENABLED: "true"
volumes:
  postgres:
    driver: local
```
Got it to show the client IP on the Dashboard.
I had to modify the Tomcat configuration to allow it to see the real IP address of the client.
`/usr/local/tomcat/conf/server.xml`
Add the following code inside the `<Host>` section:
```xml
<!-- Trust X-Forwarded-* headers only from the cloudflared container (172.25.0.3) -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="172.25.0.3"
       remoteIpHeader="x-forwarded-for"
       remoteIpProxiesHeader="x-forwarded-by"
       protocolHeader="x-forwarded-proto" />
```
The docker compose file now looks like this.
```yaml
version: "3"
services:
  guacamole:
    image: abesnier/guacamole
    container_name: guacamole
    volumes:
      - postgres:/config
      - /home/guacamole/branding.jar:/config/guacamole/extensions/guacamole-branding-1.5.2.jar
      # Bind-mount the edited server.xml over the image's copy
      - /home/guacamole/server.xml:/usr/local/tomcat/conf/server.xml
    ports:
      - 8082:8080
    environment:
      # Quoted so YAML passes them to the container as strings
      USE_DEFAULT_BRANDING: "N"
      REMOTE_IP_VALVE_ENABLED: "true"
volumes:
  postgres:
    driver: local
```
Well, that was the easiest issue ever raised! I did not even have time to read it fully and find documentation.
I'll add a section in the readme, as I know this question is asked regularly on the Guacamole mailing list.
Cheers
Coming back on this subject, let me add some points:
- The `REMOTE_IP_VALVE_ENABLED` environment variable is not used in my image. This is specific to the official guacamole client docker image.
- The modifications of the `server.conf` can be tricky if you are using a reverse proxy. It is not easy to get the proper `internalProxies` value, as Docker IP addresses can change every time you restart a container. I find it easier to just not fill this item, and let Tomcat work it out. Omitting this item will allow most private network IP ranges to be recognized as an authorized proxy (10/8, 192.168/16, 169.254/16, 127/8, 100.64/10, 172.16/12, and ::1). Actually, just adding `<Valve className="org.apache.catalina.valves.RemoteIpValve" />` will work with most configurations because of default values.
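The two configurations discussed in this thread (pinning `internalProxies` to the cloudflared container's address versus leaving it at Tomcat's default private ranges) differ in who is allowed to set the logged client IP. The Python below is an added example, not code from the abesnier/guacamole image, from Tomcat or from anyone in the thread: it models the documented RemoteIpValve algorithm (honour `X-Forwarded-For` only when the TCP peer matches `internalProxies`, walk the header right to left, drop internal proxies, record `trustedProxies` in `x-forwarded-by`, stop at the first other address) and runs both configurations against two constructed requests. The `172.25.0.3` pin and the default ranges come from the thread; the client and LAN addresses, the `ValveConfig` class and the `resolve_remote_addr` function are assumptions made for the example.

```python
"""Model of Tomcat's RemoteIpValve trust decision (added example)."""
import ipaddress
from dataclasses import dataclass, field


def networks(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Tomcat's documented defaults for internalProxies, as CIDR ranges instead of
# the regex the real valve uses (same address set as listed in the thread).
DEFAULT_INTERNAL_PROXIES = networks(
    "10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8",
    "100.64.0.0/10", "172.16.0.0/12", "::1/128",
)


@dataclass
class ValveConfig:                                        # hypothetical helper type
    internal_proxies: list                                # hops dropped silently
    trusted_proxies: list = field(default_factory=list)   # hops recorded in x-forwarded-by


def _matches(addr, nets):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False        # garbage in the header counts as a non-proxy hop
    return any(ip in n for n in nets)


def resolve_remote_addr(cfg, peer_addr, xff):
    """Return (remote_addr, remaining_xff, proxies_header) as the valve would set them."""
    if not _matches(peer_addr, cfg.internal_proxies):
        # Peer is not an internal proxy: the valve does nothing, header is ignored.
        return peer_addr, xff, None
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    proxies = []
    remote = peer_addr
    idx = len(hops) - 1
    while idx >= 0:                      # walk the chain from the nearest hop backwards
        remote = hops[idx]
        idx -= 1
        if _matches(remote, cfg.internal_proxies):
            continue                     # internal proxies vanish from both headers
        if _matches(remote, cfg.trusted_proxies):
            proxies.insert(0, remote)    # trusted proxies are kept in x-forwarded-by
            continue
        break                            # first non-proxy hop is the client
    remaining = ", ".join(hops[:idx + 1]) or None
    return remote, remaining, (", ".join(proxies) or None)


PINNED = ValveConfig(networks("172.25.0.3/32"))   # internalProxies="172.25.0.3" from the thread
DEFAULT = ValveConfig(DEFAULT_INTERNAL_PROXIES)   # bare <Valve className="...RemoteIpValve" />


def scenarios():
    """Constructed requests: one through the tunnel, one bypassing it via published port 8082."""
    via_tunnel = ("172.25.0.3", "203.0.113.9")     # cloudflared -> Tomcat, real client in XFF
    bypass = ("192.168.1.50", "203.0.113.9")       # LAN host hits 8082 directly, XFF forged
    return {
        "tunnel/pinned": resolve_remote_addr(PINNED, *via_tunnel)[0],
        "tunnel/default": resolve_remote_addr(DEFAULT, *via_tunnel)[0],
        "bypass/pinned": resolve_remote_addr(PINNED, *bypass)[0],
        "bypass/default": resolve_remote_addr(DEFAULT, *bypass)[0],
    }


if __name__ == "__main__":
    for name, addr in scenarios().items():
        print(f"{name:16s} logged client IP = {addr}")
```

Both configurations log `203.0.113.9` for the request that really came through cloudflared. For the forged request the pinned valve ignores the header and logs the LAN peer, while the default ranges accept the forged value because `192.168.1.50` (or a Docker bridge address) is itself an "internal proxy". Since the compose file publishes `8082:8080`, anything that can reach that port goes around the tunnel, so with the default ranges the trust decision is effectively "any private address may claim any client IP"; pinning `internalProxies` to the proxy that fronts Tomcat, or giving that container a fixed address or subnet so the pin survives restarts, keeps the logged IP meaningful.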