Obtaining the correct Client IP address when a Physical Load Balancer and a Web Server Configured With Proxy Plug-in Are Between The Client And Weblogic

Some Load Balancers like Big-IP have build in interoperability with Weblogic Cluster, this means they know how Weblogic understand a header named 'WL-Proxy-Client-IP' to identify the original client ip.

The problem comes when you have a Web Server configured with weblogic plug-in between the Load Balancer and the back-end weblogic servers - WL-Proxy-Client-IP this is not designed to go to Web server proxy plug-in. The plug-in will not use a WL-Proxy-Client-IP header that came in from the previous hop (which is this case is the Physical Load Balancer but could be anything), in order to prevent IP spoofing, therefore the plug-in won't pass on what Load Balancer has set for it.

So unfortunately under this Architecture the header will be useless.

To get the client IP from Weblogic you need to configure extended log format and create a custom field that gets the appropriate header containing the IP of the client.

On WLS versions prior to 10.3.3 use these instructions:



You can also create user-defined fields for inclusion in an HTTP access log file that uses the extended log format. To create a custom field you identify the field in the ELF log file using the Fields directive and then you create a matching Java class that generates the desired output. You can create a separate Java class for each field, or the Java class can output multiple fields. For a sample of the Java source for such a class, see

Java Class for Creating a Custom ELF Field to


import weblogic.servlet.logging.CustomELFLogger;
import weblogic.servlet.logging.FormatStringBuffer;
import weblogic.servlet.logging.HttpAccountingInfo;

/* This example outputs the X-Forwarded-For field into a
custom field called MyOriginalClientIPField
*/

public class MyOriginalClientIPField implements CustomELFLogger{
 public void logField(HttpAccountingInfo metrics,
  FormatStringBuffer buff) {
   buff.appendValueOrDash(metrics.getHeader("X-Forwarded-For";));
  }
}

In this case we are using 'X-Forwarded-For' but it could be changed for the header that contains the data you need to use.

Compile the class, jar it, and prepend it to the classpath.


In order to compile and package the class:



1. Navigate to <WLS_HOME>/user_projects/domains/<SOME_DOMAIN>/bin
2. Set up an environment by executing: $ . ./setDomainEnv.sh This will include weblogic.jar into classpath, in order to use any of the libraries included under package weblogic.*
3. Compile the class by copying the content of the code above and naming the file as:

MyOriginalClientIPField.java

4. Run javac to compile the class.

$javac MyOriginalClientIPField.java

5. Package the compiled class into a jar file by executing:

$jar cvf0 MyOriginalClientIPField.jar MyOriginalClientIPField.class

Expected output is:

added manifest
adding: MyOriginalClientIPField.class(in = 711) (out= 711)(stored 0%)


6. This will produce a file called:

MyOriginalClientIPField.jar


This way you will be able to get the real client IP when the request is passing through a Load Balancer and a Web server before reaching WLS.


Since 10.3.3 it is possible to configure a specific header that WLS will check when getRemoteAddr is called. That can be set on the WebServer Mbean. In this case, set that to be X-Forwarded-For header coming from Load Balancer as well.
Comments:

Post a Comment:
  • HTML Syntax: NOT allowed
About

Antonio De Juan Image

I was formerly a Senior Technical Support Engineer in the Middleware Application Server Team. I worked supporting Weblogic Server, Java EE, Jrockit, Coherence among other Oracle products.
You can find my new blog at :
http://antoniodejuan.wordpress.com/
Oracle WebLogic

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today