Fix logging of forwarded IPs in logs

[abh1sar]

Description

This PR fixes a bug due to which forwarded IPs behind a proxy won't be logged in management.log, api.log and access.log.

1. Access log : addForwardingCustomiser() updates request's remoteAddr to the forwarded client's IP
   But ACSRequestLog.log() was looking at getHttpChannel().getEndPoint().getRemoteAddress(), which still returns the proxy's address

2. AddForwardinfCustomizer would only look at the first header in proxy.header.names. If the user is sending client IP address via some other header, it won't be detected.

3. Changing the request's remoteAddr by addFOrwardingCustomizer changes the behaviour in ApiServlet.getClientAddress() which expects request.getRemoteAddr() to return the proxy's address, so that it can compare it with the allowed proxy cidrs as set in proxy.cidr

For the fix, I have removed addForwardingCustomizer and calling ApiServlet.getClientAddress() from ACSRequestLog. This way IPs in all the logs are consistent with each other and use the same method (getClientAddress()) to get the forwarded client's IP address.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

Verified that the forwarded IP is being logged in all the logs.
Also tried the with the script test_forwareded_headers.sh as given here #11386 (review)

Settings used :

Forwarded IP : 203.0.113.1
management.log
2025-10-17 11:35:03,230 DEBUG [c.c.a.ApiServlet] (qtp1390913202-27:[ctx-e2a9983c]) (logid:294c8b7e) found ip 203.0.113.1 in header X-Forwarded-For
2025-10-17 11:35:03,230 DEBUG [c.c.a.ApiServlet] (qtp1390913202-27:[ctx-e2a9983c]) (logid:294c8b7e) ===START===  203.0.113.1 -- GET  command=listCapabilities&response=json

api.log
2025-10-17 11:34:58,164 INFO  [a.c.c.a.ApiServlet] (qtp1390913202-443:[ctx-1ba1de31, ctx-a7f19570]) (logid:041cfd8f)  203.0.113.1 -- GET command=listCapabilities&response=json 401 unable to verify user credentials and/or request signature

access.log
/203.0.113.1 - - [2025-10-17 11:34:58] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"

./test_forwareded_headers.sh

=== RESULTS ANALYSIS ===
CloudStack access log entries:
==============================
/10.0.3.251 - - [2025-10-17 11:34:58] "GET /client/api/?managementserverid=ff7ce98c-a53e-44a1-8df5-7adc455cd523&command=readyForShutdown&response=json& HTTP/1.1" 200 231 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:144.0) Gecko/20100101 Firefox/144.0"
/203.0.113.1 - - [2025-10-17 11:34:58] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
/203.0.113.2 - - [2025-10-17 11:34:59] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
/203.0.113.3 - - [2025-10-17 11:35:00] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
/203.0.113.10 - - [2025-10-17 11:35:01] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
/0:0:0:0:0:0:0:1 - - [2025-10-17 11:35:02] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
/10.0.3.251 - - [2025-10-17 11:35:03] "GET /client/api/?managementserverid=ff7ce98c-a53e-44a1-8df5-7adc455cd523&command=readyForShutdown&response=json& HTTP/1.1" 200 231 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:144.0) Gecko/20100101 Firefox/144.0"
/203.0.113.20 - - [2025-10-17 11:35:03] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"

=== VALIDATION ===
==================
SUCCESS: Forwarded IP addresses found in CloudStack access log!
PR #11386 forwarded headers functionality is working correctly

Detected forwarded IPs:
======================
  /203.0.113.1 - - [2025-10-17 11:34:58] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
  /203.0.113.2 - - [2025-10-17 11:34:59] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
  /203.0.113.3 - - [2025-10-17 11:35:00] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
  /203.0.113.10 - - [2025-10-17 11:35:01] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
  /203.0.113.20 - - [2025-10-17 11:35:03] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"

Analysis:
=========
Unique forwarded IPs detected:
  /203.0.113.1 (appeared 2 time(s))
  /203.0.113.10 (appeared 1 time(s))
  /203.0.113.2 (appeared 2 time(s))
  /203.0.113.20 (appeared 1 time(s))
  /203.0.113.3 (appeared 1 time(s))

Test completed at: Fri Oct 17 11:35:06 UTC 2025
===========================

The script ./test_forwareded_headers.sh fails without the fix

How did you try to break this feature and the system with this change?

[abh1sar]

@blueorangutan package

[blueorangutan]

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[DaanHoogland]

clgtm

[codecov]

Codecov Report

❌ Patch coverage is 92.30769% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 17.59%. Comparing base (b8ed34e) to head (f418cd8).

Files with missing lines	Patch %	Lines
server/src/main/java/com/cloud/api/ApiServlet.java	92.30%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               4.22   #11854      +/-   ##
============================================
- Coverage     17.59%   17.59%   -0.01%     
+ Complexity    15600    15597       -3     
============================================
  Files          5910     5910              
  Lines        529755   529753       -2     
  Branches      64724    64723       -1     
============================================
- Hits          93228    93226       -2     
  Misses       426035   426035              
  Partials      10492    10492              

Flag	Coverage Δ
uitests	3.60% <ø> (ø)
unittests	18.66% <92.30%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 15485

[abh1sar]

@blueorangutan package

[blueorangutan]

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15490

[abh1sar]

@blueorangutan package

[blueorangutan]

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 15495

[abh1sar]

@blueorangutan package

[blueorangutan]

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 15496

[abh1sar]

@blueorangutan package

[blueorangutan]

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 15509

[abh1sar]

@blueorangutan package

[blueorangutan]

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[DaanHoogland]

clgtm, tested in Lab

[DaanHoogland]

@harikrishna-patnala , can you please review?

[Copilot]

Pull request overview

This PR fixes a bug where forwarded client IPs behind a proxy were not being correctly logged in management.log, api.log, and access.log. The root cause was that PR #11386 introduced a ForwardedRequestCustomizer in Jetty that only checked the first header in the configured list and modified the request's remote address, which interfered with proxy CIDR verification.

Changes:

• Removed the Jetty ForwardedRequestCustomizer approach in favor of consistently using ApiServlet.getClientAddress() across all logging points
• Made several methods in ApiServlet static to enable reuse from ACSRequestLog
• Updated ACSRequestLog to use ApiServlet.getClientAddress() instead of directly accessing the endpoint's remote address

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
client/src/main/java/org/apache/cloudstack/ServerDaemon.java	Removed addForwardingCustomiser() method and related Jetty customizer configuration, plus removed unused imports
client/src/main/java/org/apache/cloudstack/ACSRequestLog.java	Updated to call ApiServlet.getClientAddress() for consistent forwarded IP detection across all logs
server/src/main/java/com/cloud/api/ApiServlet.java	Refactored getClientAddress() and related methods to be static with improved early-return logic and updated logging format
server/src/test/java/com/cloud/api/ApiServletTest.java	Updated tests to use static method calls and added ConfigDepot mocking infrastructure for testing configuration values

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[vishesh92]

Suggested change

	sb.append(remoteAddress)
	sb.append(remoteAddress.getHostAddress())

[abh1sar]

Done

[vishesh92]

Why do we need to remove this?

[abh1sar]

This would modify the request so that getRemoteAddr() returns the forwarded header.
We need the request as is so that the client IP is processed correctly later in getClientAddress() using the configs retrieved by doUseForwardHeaders() and proxyNets().

[abh1sar]

@blueorangutan package

[blueorangutan]

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16351

[abh1sar]

@blueorangutan test

[blueorangutan]

@abh1sar a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests