
Enable use of x-forwarded-for for websudo IP allowlist out of the box for use with proxies


      Problem

      The Confluence websudo allowlist does not work for the installer and archive file distributions. The check fails with the error message "IP address is blank, read from header: X-Forwarded-For" even though the relevant header is set properly on the reverse proxy.

      Environment

      Confluence 8.9.1 installed from the installer or archive file

      Steps to Reproduce

      1. Make sure that the X-Forwarded-For header is set on the reverse proxy layer:
        Nginx
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        HAProxy
        http-request set-header X-Forwarded-For %[src]

      2. Set the websudo attributes properly in the confluence.cfg.xml file:
            <property name="websudo.allowlist.cidr">XXX.XXX.XXX.0/24</property>
            <property name="websudo.allowlist.enabled">true</property>
            <property name="websudo.allowlist.ip">XXX.XXX.XXX.XXX</property>

      3. Restart Confluence and try to open the Administration pages as a user who is a member of the confluence-administrators group.

      Expected Results

      If the IP addresses are set properly, you should be able to view the administration pages.

      Actual Results

      1. You cannot open the administration pages and see the following message:
        You don't have access to this page. Contact your system administrator.

      2. You see the following error message in atlassian-confluence-security.log:
        2024-05-29 11:26:32,467 ERROR [http-nio-8090-exec-18 url: /doauthenticate.action; user: admin] [confluence.security.websudo.WebSudoIPAllowListManager] isAllowed IP address is blank, read from header: X-Forwarded-For
        

      Workaround

      • Removing the RemoteIpValve from the server.xml file resolves the issue:
        <!-- http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve -->
        <Valve className="org.apache.catalina.valves.RemoteIpValve" />
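
A configuration check for the condition this issue describes, as an added example (not Atlassian's code and not part of the original report): it flags an instance where the websudo allowlist is enabled while server.xml still declares RemoteIpValve, counts the blank-IP log message, and tests an address against the allowlist. The sample files are constructed, and treating the ip and cidr properties as comma-separated lists is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

REMOTE_IP_VALVE = "org.apache.catalina.valves.RemoteIpValve"
LOG_MARKER = "IP address is blank, read from header: X-Forwarded-For"

# Constructed sample files; addresses are documentation ranges, not from the issue.
SERVER_XML = """<Server><Service name="Tomcat-Standalone"><Engine name="Standalone">
  <Host name="localhost"><Valve className="org.apache.catalina.valves.RemoteIpValve" />
</Host></Engine></Service></Server>"""
CFG_XML = """<confluence-configuration><properties>
  <property name="websudo.allowlist.cidr">198.51.100.0/24</property>
  <property name="websudo.allowlist.enabled">true</property>
  <property name="websudo.allowlist.ip">203.0.113.7</property>
</properties></confluence-configuration>"""
# Shortened, constructed log line carrying the message quoted in the issue.
LOG_LINES = ["ERROR [confluence.security.websudo.WebSudoIPAllowListManager] isAllowed " + LOG_MARKER]

def websudo_props(cfg_xml):
    """Return the websudo.* properties of confluence.cfg.xml as a dict."""
    return {p.get("name"): (p.text or "").strip()
            for p in ET.fromstring(cfg_xml).iter("property")
            if (p.get("name") or "").startswith("websudo.")}

def has_remote_ip_valve(server_xml):
    """True when server.xml declares the Tomcat RemoteIpValve anywhere."""
    return any(v.get("className") == REMOTE_IP_VALVE
               for v in ET.fromstring(server_xml).iter("Valve"))

def ip_allowed(addr, props):
    """Assumption: each property holds one value or a comma-separated list."""
    def split(key):
        return [s.strip() for s in props.get(key, "").split(",") if s.strip()]
    ip = ipaddress.ip_address(addr)
    return (any(ip == ipaddress.ip_address(s) for s in split("websudo.allowlist.ip"))
            or any(ip in ipaddress.ip_network(s, strict=False)
                   for s in split("websudo.allowlist.cidr")))

def diagnose(server_xml, cfg_xml, log_lines):
    """Report whether the files and log show the combination described in the issue."""
    props = websudo_props(cfg_xml)
    enabled = props.get("websudo.allowlist.enabled", "").lower() == "true"
    valve = has_remote_ip_valve(server_xml)
    return {"allowlist_enabled": enabled, "remote_ip_valve": valve,
            "blank_ip_errors": sum(LOG_MARKER in line for line in log_lines),
            "matches_issue": enabled and valve}

if __name__ == "__main__":
    print(diagnose(SERVER_XML, CFG_XML, LOG_LINES))
```

With the valve removed, the allowlist decision rests on the X-Forwarded-For value the reverse proxy sends, so the Tomcat connector should be reachable only through that proxy.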
        
        


            [CONFSERVER-95945] Enable use of x-forwarded-for for websudo IP allowlist out of the box for use with proxies

            There are no comments yet on this issue.

              Unassigned
              Erhan Baz