Getting the Real IP Address from a Proxied Request in ATG

Many things can obscure the real IP address of the end user when they visit your site: a load balancer in front of your ATG cluster, Akamai, the user’s ISP or office network, and more. This makes correlating logging events, or using the ATG session IP validation security option, and more, very difficult. In light of that challange I’ve added a new mini-module to my Open Source ATG Modules called the ProxyIPFixer. It uses a simple ATG pipeline Servlet to examine the X-FORWARDED-FOR request header, and if it finds one, parse through the IP addresses to find the originating IP address of the user, and puts that value into the ATG Request object’s remoteAddr property.

This allows downstream pipeline servlets, code, and pages to see the real user’s IP address.

The caveat is that the header can be faked, and that some ISPs/companies, such as AOL, do not set the true end point of the user, and you can only see back to their outgoing proxy server. In AOL’s case in particular, they can also route subsequent requests by the same AOL user through different AOL proxy points, which will make it appear that someone is hijacking a session (if you’re using the ATG session security mechanism). So be aware of the limitations. However it can be very useful.

For those who don’t want to download the whole module package, I have attached the Java source and the ATG properties file to this post.

Enjoy! (and as always feel free to contact me with questions, issues, improvements, etc…)

ProxyIPFixerServlet Java Source

ProxyIPFixer ATG Properties File

Apache Proxy Breaks RichFaces

I’ve run into this twice now, so I wanted to document it here to help other folks, and to see if anyone knows the root cause of the issue.

When using RichFaces with Seam, things work just fine on my local development JBoss instance. But when I deploy the same EAR file up to my production JBoss instance, which is sitting behind an Apache proxy, everything works EXCEPT the rich/ajax stuff.

The issue was that the JavaScript located here: ContextRoot/a4j_3_1_4.GAorg.ajax4jsf.javascript.AjaxScript

would not load.

My Apache proxy was configured like this:

	ProxyPass /10MinuteMail balancer://mycluster/10MinuteMail/
	ProxyPass /10MinuteMail/* balancer://mycluster/10MinuteMail/
	ProxyPassReverse /10MinuteMail http://127.0.0.1:8080/10MinuteMail

With mycluster defined like this:

        
                AddDefaultCharset off
                Order deny,allow
                Allow from all

		BalancerMember http://127.0.0.1:8080
                #Allow from .example.com
        

Again, this configuration worked fine for everything EXCEPT that RichFaces JavaScript.

Since I am only using one node for 10MinuteMail, there is no real need for a load balancer configuration, so I replaced the configuration with this:

	ProxyPass /10MinuteMail http://127.0.0.1:8080/10MinuteMail
	ProxyPass /10MinuteMail/ http://127.0.0.1:8080/10MinuteMail/
        ProxyPassReverse /10MinuteMail/ http://127.0.0.1:8080/10MinuteMail/

Which works, and fixed the RichFaces reference.

So there’s your solution. However I have no idea what the actual root cause is.

Apache Proxy & Making Things Look Nice

I recently setup a dev/build server with Jira, Confluence, Hudson, ATG (with two web apps and the atg admin), Oracle (with web admin), and Postgres (with web admin). I’m running everything independantly, and everything is listening on it’s own high number port. This makes the URLs ugly, and finding what you want tricky.

I used Apache 2.2 and mod_proxy_http to wrap all of the services in the Apache running on port 80.

Any Apache 2.2 installation should come with mod_proxy and mod_proxy_http. You may need to activate them with something like this:
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so

then set a basic configuration for security:
ProxyRequests Off
ProxyPreserveHost On

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

It’s best to ensure all the applications you are trying to wrap are listening at context roots, not the base URL/port. So you want hudson on :9000/hudson/ or whatever your setup has (for instance: java -jar hudson.war –httpPost=9000 –prefix=/hudson ). Same for Jira and everything else.

Then setup your proxy mappings in your apache configs.

ProxyPass /jira http://localhost:8080/jira
ProxyPassReverse /jira http://localhost:8080/jira
<Location /jira>
Order allow,deny
Allow from all
</Location>

Repeat for all of your applications. Then just restart apache to pickup all the changes:

apachectl restart

So now we have Jira at host/jira, Confluence at host/confluence, Hudson at host/hudson, and so on. Pretty, easy to book mark, easy to cross link. It just looks more professional.