We have haproxy and websphere on different machines to publish software. The software tries to insert the client's IP into the database; however, it inserts the IP of haproxy. The programmers only use this code and they do not change it.
ipAddress = request.getRemoteAddr();
I took a tcpdump and I can see the client's IP is in the x-forwarded-for tag of the HTTP layer. The software does not use this tag to get it, I think. Is there any way to change x-forwarded-for to remoteaddress? Are there any tips to get the client's IP without changing the software code? What should I do in the websphere servers or the haproxy layer?
Websphere version 8.5.5.11
haproxy version 1.8
Well, as websphere is a commercial product, I would suggest asking IBM which parameter should be set in websphere.
A short search on the Internet brought up this page, "Potential WebSphere Application Server problems when deployed behind a WebSphere-aware proxy server", linked from this page: "HTTPServletRequest.getRemoteAddr/getRemoteHost starts to return WebSphere Plugin host value from 8.5.5.16 or 9.0.0.11".
Tomcat has the Remote IP Valve for this; I assume that websphere has a similar option.
I also strongly recommend using a more recent version of HAProxy, as 1.8 will soon be end of life: https://www.haproxy.org/
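The kind of remapping a component such as the Remote IP Valve performs, written as a servlet filter (an added example, not code from this thread or from IBM). The class name and the proxy address 10.0.0.5 are assumptions; the header is honoured only when the TCP peer is that proxy, because any client can send its own X-Forwarded-For.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: makes getRemoteAddr() return the client address that a
// trusted reverse proxy recorded in X-Forwarded-For.
public class ForwardedForFilter implements Filter {
    // Assumption: address of the HAProxy host as WebSphere sees it (constructed).
    static final Set<String> TRUSTED = new HashSet<String>(Arrays.asList("10.0.0.5"));

    // Walk the hop list right to left and return the first hop that is not one
    // of our proxies; entries further left are client-supplied and spoofable.
    static String resolve(String peer, List<String> hops) {
        if (!TRUSTED.contains(peer)) return peer;      // direct connection: ignore header
        for (int i = hops.size() - 1; i >= 0; i--) {
            String hop = hops.get(i).trim();
            if (TRUSTED.contains(hop)) continue;       // one of our own proxies
            // Accept only something shaped like an IP literal, else keep the peer.
            return hop.matches("[0-9A-Fa-f:.]{2,45}") ? hop : peer;
        }
        return peer;
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // The header may arrive as several lines (a proxy can add its own after
        // one sent by the client), so read all of them; getHeader() returns
        // only the first line.
        List<String> hops = new ArrayList<String>();
        Enumeration<String> lines = http.getHeaders("X-Forwarded-For");
        while (lines != null && lines.hasMoreElements()) {
            hops.addAll(Arrays.asList(lines.nextElement().split(",")));
        }
        final String client = resolve(http.getRemoteAddr(), hops);
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getRemoteAddr() { return client; }
        }, res);
    }
}
```

The filter is registered in the deployment descriptor (web.xml) ahead of the application's own filters, so the existing `request.getRemoteAddr()` call stays as it is.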
Related
Hope you're all doing fine!
I'm working at a company where the main application is at a web page made with Java. It deploys with Tomcat on a server with Microsoft Windows Server 2008 R2 O.S. I've recently made some changes on this application, but the development environment is not on Tomcat but on JBoss and the former developers knew how to deploy the development from JBoss to Tomcat, but didn't leave any documentation on how to do that.
My problem is that the DNS server is associated with Tomcat, so my development deployed on JBoss can only be accessed through IP address.
My team and I spoke to the company in charge of the DNS server and it indicated that Tomcat's configuration as DNS response should be made by us, given that this company is only in charge of redirecting the IP without specifying the web server.
In order to solve this problem I have two proposals which I don't know how to implement:
1. Modify the server configuration in order to respond to the DNS server through JBoss, overwriting Tomcat response.
2. Deploy the application made on JBoss on Tomcat server.
I would really appreciate your help with any of these proposals. It is a very important matter for the company.
Thanks a lot beforehand for your help.
The request from IHS is passed to the plugin, then to the application server, and the server received it. There is no cluster environment here. The server is up and running fine. But the response is not going back to the plugin. How to troubleshoot?
(I would have made this a comment, but I don't have enough rep points).
You may need to engage IBM WebSphere Support to assist with this, but typically, for that type of issue, you would need to trace both sides of the connection (IHS plugin and WebSphere). Specifically,
Set LogLevel="Trace" in the plugin-cfg.xml
Set the following trace spec on the AppServer:
*=info:com.ibm.ws.webcontainer*=all:com.ibm.wsspi.webcontainer*=all:HTTPChannel=all:GenericBNF=all:TCPChannel=all
Reproducing the failure and reviewing the http_plugin.log and trace.log may provide some clues.
Do you receive some type of error in the browser? timeout? Is there anything (firewall, proxy) sitting between the IHS server and WebSphere AppServer?
It could be a DNS problem with your WebSphere server. Can you please let us know about your IHS and plugin? Is it installed on the same server where WebSphere is, or on a different server? If IHS and the plugin are on a different server, just check that the WebSphere server is able to resolve the IP address of the IHS server using its hostname. If not, try to update the hosts file with the IP and hostname of your IHS server. It should work.
Is it the client or the plugin that is not getting the response? Will the request result in a secure connection (i.e. HTTPS/SSL...)?
The WAS server should extract most of the ports correctly if IHS/plugin is used in between. If using a different web server/load balancer (LB), the WAS server may not extract the listening ports on the web server/LB correctly.
You can take a look at the sample setting in PK55330 where a different web server is used in place of the IHS.
http://www-01.ibm.com/support/docview.wss?uid=swg1PK55330
Regards,
I have an application (.war) deployed in a Websphere Application Server v8. This app consists in a web application which is accessed by browser.
Now I have an IP address that I want to ban, but I can't find the option in the Administrative Console. Where should I ban this IP to prevent access to this specific application?
In WebSphere you have 2 options (depending on whether you access the app server directly or through an HTTP server):
1. Directly via the WebSphere admin console.
Go to:
Application servers > server1 > Web container transport chains > WCInboundDefault > TCP inbound channel (TCP_2)
In the Address exclude list, enter the client addresses you want to block.
Restart the server.
2. Use IBM HTTP Server (based on Apache) and the WebSphere Plugin, which is available with WebSphere, and define a Deny list using standard httpd.conf configuration.
Probably an IP filter isn't implemented by default in your application server, but it's easy enough to include an IP filter implemented in a servlet filter.
There's a nice intro to what filters can do on the Oracle site and plenty of readymade IP filters all over the web, like here or here. As you can see, the code needed is pretty simple, and as servlet filters are part of the EE spec, the result is portable between appservers as well.
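A servlet filter of the kind this answer describes, as an added example (not code from the answer or from the pages it links). The class name and the deny-list entries are assumptions; the entries are constructed values from documentation address ranges.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Added example: rejects requests whose source address is in a deny list.
public class IpDenyFilter implements Filter {
    // Constructed sample entries (documentation ranges), not real offenders.
    static final String[] DENY = { "203.0.113.7/32", "198.51.100.0/24" };

    // True when addr lies inside cidr; both must be IP literals of one family.
    static boolean inCidr(String addr, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        byte[] a = InetAddress.getByName(addr).getAddress();
        byte[] n = InetAddress.getByName(parts[0]).getAddress();
        if (a.length != n.length) return false;        // IPv4 entry vs IPv6 source
        int shift = a.length * 8 - Integer.parseInt(parts[1]);
        // Compare only the network bits by shifting the host bits away.
        return new BigInteger(1, a).shiftRight(shift)
                .equals(new BigInteger(1, n).shiftRight(shift));
    }

    static boolean denied(String addr) {
        try {
            for (String cidr : DENY) if (inCidr(addr, cidr)) return true;
            return false;
        } catch (UnknownHostException e) {
            return true;                               // unparsable source: fail closed
        }
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Behind a reverse proxy getRemoteAddr() is the proxy's address, so the
        // check then has to run on the address the proxy forwarded instead.
        if (denied(req.getRemoteAddr())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Mapping the filter to `/*` in the application's web.xml limits the ban to this one application, which is what the question asks for.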
I have installed a middleware component and websphere 7.0 was installed as part of this middleware installation. I have deployed Maximo 7.5 application ear (maximo.ear) in this websphere 7.0.
I am quite successful accessing this application in SMART cloud Instance.
I have disabled the Windows firewall setting as well. But still it is not working.
I don't know where to configure and what to configure to access this Maximo application from public internet which is deployed in websphere server.
Usually you need to open a port for access from outside your network. As I don't know enough about your setup, here are some steps to help you on your way.
check which port is required to be open; the default for maximo is port 80 (most http servers default to port 80).
check if you have a public ip address (this is a requirement). If you don't have a public address you can use dns tools to forward traffic to you.
open the port on your router, this can be different on routers, but the key point is to open the port you found in step 1 (probably port 80)
to check which port you need to open is simple:
if your address looks like http://ipaddressornameofyourserver/maximo then it's port 80.
if it's something like http://ipaddressornameofyourserver:****/maximo the **** is your port.
to check if you have a public ip
ask your ISP
check your ip using whatsmyip (see if it changes from time to time, if it changes you don't have a public IP, but this could take some time)
ask your IT personnel, if you're not from the IT department yourself and if you have an IT department.
to open the port in your router
check with the IT department (again, if you are not in the department yourself or if you are part of it)
consult your router guides
Usually you will find it under:
port forwarding
application ports
firewall rules
don't forget
Sometimes there is also a firewall (hardware or software) that could block traffic going to/from your server; please allow or disable that firewall too. Remember this is not the same firewall found on your server (the one you already disabled).
I have a web server that responds to a number of different sites on port 80. Currently, IIS does the mapping to various sites via host headers, but I'd like to be able to serve other web apps on port 80 hosted in Jetty or Tomcat. IIS prevents that by grabbing all port 80 traffic.
I basically need a reverse proxy to just change the port number to something that another app stack can listen in on. I was looking into nginx but it seems to not be quite ready for prime time on Windows. Eventually I may set up a Linux box specifically for this, but for now I'm interested in a solution which will run all on the same box.
All I really need is something very light which mostly just matches hostname/port and allows rewriting of the port. Does anyone have any suggestions?
If you are running in IIS 7 or above you can use Application Request Routing for that: http://www.iis.net/download/ApplicationRequestRouting
For IIS 5-6, it looks like Apache Tomcat Connector (JK 1.2) is a clean solution. This is an IIS ISAPI filter which allows IIS to act as a reverse proxy for other web servers. It uses Apache JServ Protocol (AJP) to communicate with the app server actually serving requests. Both Tomcat and Jetty implement AJP. URLs are mapped with regex-like config to a particular AJP server instance.
Overview: http://www.iisadmin.co.uk/?p=40&page=3
IIS Config: http://tomcat.apache.org/connectors-doc/reference/iis.html
Mapping Config: http://tomcat.apache.org/connectors-doc/reference/workers.html
This ISAPI plug-in also works with IIS 7.x, but in that case the Application Request Routing (see marked answer) should be considered as it might work better with non-AJP servers.