Enable X-Forwarded-For HTTP Header for identifying the originating IP address of a client connecting to Confluence Data Center

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Atlassian applications can be accessed through a load balancer; however, Atlassian Support does not provide assistance with configuring it, and Atlassian cannot guarantee any support for it.

All requests to Confluence nodes in Data Center come through the Load Balancer (LB) or an internal Proxy. Either way, Tomcat will log the LB/Proxy IP in the access logs by default. This limitation makes troubleshooting web requests in Data Center difficult.

Tomcat can log the value of the X-Forwarded-For header sent by the load balancer by using Tomcat's RemoteIpValve. Note that this adds a minor overhead, as Tomcat will have to parse all HTTP headers.

Solution

  1. Edit the file CONFLUENCE_INSTALL_DIR/conf/server.xml

  2. Insert this line before the "AccessLogValve":

    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="PROXY_IP_ADDRESS"
           remoteIpHeader="x-forwarded-for"
           protocolHeader="x-forwarded-proto"
           proxiesHeader="x-forwarded-by" />

    Several internalProxies ranges are allowed by default:

    • 10.0.0.0/8

    • 192.168.0.0/16

    • 169.254.0.0/16

    • 127.0.0.0/8

    • ::1

    For public IP addresses or different private ranges, you need to add an internalProxies attribute that lists the load balancer/proxy IPs.

    This needs to be specified as a regular expression, escaping the "." characters in PROXY_IP_ADDRESS with a backslash. Example: internalProxies="1\.1\.1\.8".

  3. Configure AccessLogValve to accept the substituted IP from RemoteIpValve by adding the requestAttributesEnabled attribute to the AccessLogValve:

    <Valve className="org.apache.catalina.valves.AccessLogValve"
           requestAttributesEnabled="true"
           ... EXISTING_ATTRIBUTES ...
           />

  4. Restart Confluence.

  5. Repeat the same process on each Confluence node (in a clustered environment).
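
To check an internalProxies value before restarting, the following added example (not Atlassian's or Tomcat's code) builds the regular expression from literal proxy IPs and models, in simplified form, which address the access log would record once the steps above are applied. The function names and the sample addresses (documentation ranges) are assumptions, and the valve's trustedProxies attribute is not modelled.

```python
import re


def build_internal_proxies(proxy_ips):
    """Return an internalProxies value for a list of literal proxy IPs.

    Each "." is escaped with a backslash, as step 2 requires, and
    several proxies are joined with "|".
    """
    return "|".join(re.escape(ip) for ip in proxy_ips)


def resolve_remote_ip(peer_addr, xff_header, internal_proxies):
    """Simplified model of the address the access log records.

    The X-Forwarded-For value is used only when the connecting peer
    matches internalProxies (whole-string match). Its entries are then
    read right to left, skipping internal proxies; the first other
    entry is taken as the client address.
    """
    pattern = re.compile(internal_proxies)
    if xff_header is None or not pattern.fullmatch(peer_addr):
        return peer_addr  # peer is not a listed proxy: header ignored
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not pattern.fullmatch(hop):
            return hop
    # Every entry was an internal proxy: the leftmost entry is used.
    return hops[0] if hops else peer_addr


if __name__ == "__main__":
    # Constructed sample: two load balancer addresses and one client.
    proxies = build_internal_proxies(["192.0.2.10", "192.0.2.11"])
    print('internalProxies="%s"' % proxies)
    # The client sent its own X-Forwarded-For entry; the LB appended
    # the address it actually saw, and that is the one recorded.
    print(resolve_remote_ip("192.0.2.10",
                            "198.51.100.99, 203.0.113.7", proxies))
    # A request that did not come through a listed proxy keeps its
    # peer address, whatever header it carries.
    print(resolve_remote_ip("203.0.113.7", "198.51.100.99", proxies))
```

If the access log still shows the load balancer address after the change, the peer address Tomcat sees most likely does not match the internalProxies expression.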

Some additional references about this:

Updated on March 14, 2025
