RemoteIPValve for Access Log IP Addresses

Mark Symons
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 21, 2013

If JIRA is running behind Apache or another proxy server, the Access Logs will show only the IP address of the reverse proxy itself.

Will editing server.xml to use Tomcat RemoteIPValve help provide a way around the problem? Or is there another solution? I am using Apache mod_proxy.

5 answers

1 accepted

0 votes
Answer accepted
Aseem Parikh
Rising Star
December 16, 2013

If you are indeed behind a proxy, you can use the X-Forwarded-For header to get a more detailed picture of what's going on. This field includes a comma-separated list containing the client IP and any forwarder IPs.

If you're using the default logging pattern in server.xml, try adding %{X-Forwarded-For}i to it.

You can also add %{X-Forwarded-For}i to your LogFormat in apache.conf if needed.

Mark Symons
Rising Star
January 8, 2014

I got everything working....

1) Apache (on JIRA server) set up with mod_proxy

2) RemoteIpValve config added to JIRA server.xml.

3) %{x-forwarded-for}i added to logging pattern (server.xml again)

The only problem I had was with the RemoteIP configuration of "internalProxies". I used this from JRA-22399:

internalProxies="127\.0\.0\.1"

...and got "_" in the logs. Tweaking the internalProxies config to use the actual IP of the JIRA server made everything come right in the Access logs, such that the "_" was now the correct IP.

There is one small thing. "atlassian-jira.log" logs:

"Correct IP,127.0.0.1"

...where I used to have a useless:

"JIRA server IP"

I guess I need to tweak one last thing somewhere to get rid of the extraneous "127.0.0.1"

1 vote
Jason Hensler
Rising Star
December 16, 2013

Use mod_jk instead of mod_proxy. I am using mod_jk and my log files show the correct user IP addresses. Mod_jk uses the AJP protocol instead of HTTP, which preserves client headers and passes them along to Tomcat. See here (the URL is for a Confluence setup, but the options mentioned are Tomcat, not Confluence, specific).

0 votes

Using apache2 mod_proxy with ajp and Tomcat 8.0.36 (distributed with Standalone Confluence 5.10.8), I found that to enable access logging with this in server.xml:

<Valve className="org.apache.catalina.valves.RemoteIpValve" />

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="tomcat-access" suffix=".log" pattern="%t %{org.apache.catalina.AccessLog.RemoteAddr}r %{X-AUSERNAME}o %I %s &quot;%r&quot; %b %{User-Agent}i" />

Note that one must load RemoteIpValve first, and then you get your (default header X-Forwarded-For) remote IP address.
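
As an added illustration (not code from this thread or from Tomcat), here is a simplified Python model of how RemoteIpValve, as described in the answers above, chooses the address to log from X-Forwarded-For using internalProxies. The function name and every address are constructed for the example, and trustedProxies handling is left out.

```python
import re

def resolve_client_ip(peer_addr, xff_header, internal_proxies):
    """Return (address to log, leftover X-Forwarded-For value or None).

    Simplified model: internalProxies only, no trustedProxies handling.
    """
    internal = re.compile(internal_proxies)
    # The header is ignored unless the TCP peer is a configured proxy.
    if xff_header is None or not internal.fullmatch(peer_addr):
        return peer_addr, xff_header
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    client, idx = None, len(hops) - 1
    # Walk right to left: the rightmost entries were appended by our own
    # proxies; the first entry that is not an internal proxy is the client.
    while idx >= 0:
        client = hops[idx]
        idx -= 1
        if not internal.fullmatch(client):
            break
    leftover = ", ".join(hops[:idx + 1]) or None
    return (client or peer_addr), leftover

# Constructed sample requests: (label, peer address, header, pattern)
SAMPLES = [
    ("proxy on loopback", "127.0.0.1", "203.0.113.7", r"127\.0\.0\.1"),
    ("proxy on host IP, loopback-only pattern", "192.0.2.10", "203.0.113.7", r"127\.0\.0\.1"),
    ("proxy on host IP, pattern matches it", "192.0.2.10", "203.0.113.7", r"192\.0\.2\.10"),
    ("client-supplied entry on the left", "127.0.0.1", "10.9.9.9, 198.51.100.23", r"127\.0\.0\.1"),
]

if __name__ == "__main__":
    for label, peer, xff, pattern in SAMPLES:
        print(f"{label:42} -> {resolve_client_ip(peer, xff, pattern)}")
```

In the last sample, the left-hand entry arrived in the client's own request, so it is never used as the logged address; only the entry appended by the proxy is. An internalProxies pattern wider than the real proxy addresses weakens that guarantee.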
  

0 votes
Mark Symons
Rising Star
December 18, 2013

Thanks for the answers. It's the confirmation that others have been successful that is most important - it's the ammunition that helps me convince someone else to get Apache set up for me. When that is complete then I'll be able to accept an answer for karma to be awarded.

0 votes
Mark Symons
Rising Star
December 16, 2013

I am still looking for help in this area.

Having JIRA Access Logs that only contain the single IP address is making it so hard to diagnose problems. For instance, I cannot match any errors with users' access via our VPN - users sometimes use the VPN and sometimes not. So the IP address would be the only way of being sure that an event was from a VPN user.

Is there a solution? Or am I stymied by JIRA itself?

I am using Apache v2.2.3 and can upgrade to the latest v2.2.x or to v2.4.x (with its new modules and enhanced modules). Whatever it takes to solve the problem....
