Objective
Configure your On-Premises Contrast UI Server to log the IP addresses of the individual servers on which Contrast agents are running, rather than (the default behaviour) the IP address of any proxy or load balancer that sits in front of the Contrast Server.
Overview
When Contrast agent traffic is relayed to the Contrast Server, it is normal for the device relaying the traffic to add its own IP address to an X-Forwarded-For header in each request.
For example, such a header may look like this:
X-Forwarded-For: 203.0.113.195,198.23.205.2,198.51.100.178
where, given well-behaved client and proxies, the rightmost IP address is the IP address of the most recent proxy and the leftmost IP address is the IP address of the originating client.
By default, the embedded Tomcat server used in the on-premises Contrast UI will log the IP of the most recent proxy in the Access Log file ($CONTRAST_HOME/logs/access_log.log), but it can be configured to strip out known trusted proxy IP addresses to leave only the source IP of the client (the server running the application being instrumented by a Contrast agent).
Process
First determine the IP address(es) of any proxies or load balancers that relay agent traffic to the Contrast Server.
With these IP addresses in hand, edit the $CONTRAST_HOME/data/conf/server.properties file to add (or edit if the entry already exists) the following:
remote.ip.valve.trusted.proxies=<ip address of proxy1>|<ip address of proxy2>|etc
Restart the Contrast Server to allow the changes to be picked up.
The access log file should now show only the IP address of the client for agent traffic, for example:
203.0.113.195 - - [09/Nov/2023:14:48:32 -0500] "POST /Contrast/agents/v1.0/routes/UmlnaHRIZXJl/QzpcVXNlcnNcQWRtaW5pc3RyYXRvclxEb2N1bWVudHNcV2ViZ29hdDIwMjNc/dW5rbm93bg/amF2YQ/V2ViR29hdDIwMjM/observed HTTP/1.1" 204 - "-" "ContrastJavaAgent/5.0.0"
where 203.0.113.195 is the IP address of the client.
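The right-to-left stripping of trusted proxies described above can be modelled in a few lines, which also shows why every proxy in the chain has to be listed and why a value the client injects on the left is never reached. This is an added example, not Contrast's or Tomcat's code; the function names, the exact-match comparison of addresses, and the constructed peer addresses are assumptions for illustration.

```python
import ipaddress

def parse_trusted(prop_value):
    """Split a pipe-separated list such as the value of
    remote.ip.valve.trusted.proxies into a set of IP addresses.
    (Assumption: entries are plain addresses compared exactly.)"""
    return {ipaddress.ip_address(p.strip())
            for p in prop_value.split("|") if p.strip()}

def resolve_client_ip(peer_ip, xff_header, trusted):
    """Simplified model: return the address that ends up in the access log."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        # The connection did not come from a known proxy, so the header
        # could have been written by anyone: ignore it and log the peer.
        return str(peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    candidate = peer
    # Walk from the most recent proxy (rightmost) towards the client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop at the last address we accepted
        candidate = addr
        if addr not in trusted:
            break  # first untrusted address is treated as the client
    return str(candidate)

if __name__ == "__main__":
    # Constructed sample values based on the header shown in the Overview.
    trusted = parse_trusted("198.23.205.2|198.51.100.178")
    header = "203.0.113.195,198.23.205.2,198.51.100.178"
    print(resolve_client_ip("198.51.100.178", header, trusted))
    # A client-supplied value on the far left is never reached.
    spoofed = "10.9.9.9, 203.0.113.195, 198.23.205.2"
    print(resolve_client_ip("198.51.100.178", spoofed, trusted))
    # If one proxy is missing from the list, that proxy is logged instead.
    partial = parse_trusted("198.51.100.178")
    print(resolve_client_ip("198.51.100.178", header, partial))
```

If the access log still shows a proxy address after the restart, the third case is the usual cause: a relay in the chain is missing from the trusted list.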