RemoteIPValve for Access Log IP Addresses

If JIRA is running behind Apache or another proxy server, the Access Logs will show only the IP address of the reverse proxy itself.

Will editing server.xml to use Tomcat RemoteIPValve help provide a way around the problem? Or is there another solution? I am using Apache mod_proxy.

5 answers

1 accepted

0 votes
Accepted answer

If you are indeed behind a proxy, you can use the X-Forwarded-For header to get a more detailed picutre of what's going on. This field includes a comma-separated list containing the client IP and any forwarder IPs.

If you're using the default logging pattern in server.xml, try adding %{X-Forwarded-For}i to it.

You can also add %{X-Forwarded-For}i to your LogFormat in apache.conf if needed.

I got everything working....

1) Apache (on JIRA server) set up with mod_proxy

2) RemoteIpValve config added to JIRA server.xml.

3) %{x-forwarded-for}i added to logging pattern (server.xml again)

The only problem I had was with the RemoteIP configuration of "internalProxies". I used this from JRA-22399:


...and got "_" in the logs. Tweaking the internalProxies config to use the actual IP of the JIRA server made everything come right in the Access logs, such that the "_" was now the correct IP.

There is one small thing. "atlassian-jira.log" logs:

"Correct IP,"

...where I used to have a useless:

"JIRA server IP"

I guess I need to tweak one last thing somewhere to get rid of the extraneous ""

Use mod_jk instead of mod_proxy. I am using mod_jk and my log files show the correct user ip addresses. Mod_jk uses the ajp protocol instead of http, which preserves client headers and passes them along to the tomcat. See here (url is for confluence setup but, the options metioned are tomcat, not confluence specific).

I am still looking for help in this area.

Having JIRA Access Logs that only contain the single IP address is making it so hard to diagnose problems. For instance, I cannot match any errors with users' access via our VPN - users sometimes use the VPN and sometimes not. So the IP address would be the only way of being sure that an event was from a VPN user.

Is there a solution? Or am I stymied by JIRA itself?

I am using Apache v2.2.3 and can upgrade to the latest v2.2.x or to v2.4.x (with it's new modules and enhanced modules). Whatever it takes to solve the problem....

Thanks for the answers. It's the confirmation that others have been successful that is most important - it's the ammunition that helps me convince someone else to get Apache set up for me. When that is complete then I'll be able to accept an answer for karma to be awarded.

Using apache2 mod_proxy with ajp and Tomcat 8.0.36 (distributed with Standalone Confluence 5.10.8), I found that to enable access logging with this in server.xml:

<Valve className="org.apache.catalina.valves.RemoteIpValve" />

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="tomcat-access" suffix=".log" pattern="%t %{org.apache.catalina.AccessLog.RemoteAddr}r %{X-AUSERNAME}o %I %s &quot;%r&quot; %b %{User-Agent}i" />

Note that one must load RemoteIpValve first, and then you get your (default header X-Forwarded-For) remote IP address.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Wednesday in Jira

Make your Atlassian Cloud products more secure: our NEW admin security guide

Hey admins! I’m Dave, Principal Product Manager here at Atlassian working on our cloud platform and security products. Cloud security is a moving target. As you adopt more products, employees consta...

84 views 0 4
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you