@abh1sar abh1sar commented Oct 16, 2025

Description

This PR fixes a bug due to which forwarded IPs behind a proxy won't be logged in management.log, api.log and access.log.

  1. Access log: addForwardingCustomiser() updates the request's remoteAddr to the forwarded client's IP,
    but ACSRequestLog.log() was looking at getHttpChannel().getEndPoint().getRemoteAddress(), which still returns the proxy's address.

  2. addForwardingCustomizer would only look at the first header in proxy.header.names. If the user is sending the client IP address via some other header, it won't be detected.

  3. Changing the request's remoteAddr in addForwardingCustomizer changes the behaviour of ApiServlet.getClientAddress(), which expects request.getRemoteAddr() to return the proxy's address so that it can compare it with the allowed proxy CIDRs set in proxy.cidr.

For the fix, I have removed addForwardingCustomizer and am calling ApiServlet.getClientAddress() from ACSRequestLog. This way IPs in all the logs are consistent with each other and use the same method (getClientAddress()) to get the forwarded client's IP address.

How Has This Been Tested?

Verified that the forwarded IP is being logged in all the logs.
Also tried with the script test_forwareded_headers.sh as given here #11386 (review)

Settings used: [image: Screenshot 2025-10-17 at 7 41 15 PM]

Forwarded IP : 203.0.113.1
management.log
2025-10-17 11:35:03,230 DEBUG [c.c.a.ApiServlet] (qtp1390913202-27:[ctx-e2a9983c]) (logid:294c8b7e) found ip 203.0.113.1 in header X-Forwarded-For
2025-10-17 11:35:03,230 DEBUG [c.c.a.ApiServlet] (qtp1390913202-27:[ctx-e2a9983c]) (logid:294c8b7e) ===START===  203.0.113.1 -- GET  command=listCapabilities&response=json

api.log
2025-10-17 11:34:58,164 INFO  [a.c.c.a.ApiServlet] (qtp1390913202-443:[ctx-1ba1de31, ctx-a7f19570]) (logid:041cfd8f)  203.0.113.1 -- GET command=listCapabilities&response=json 401 unable to verify user credentials and/or request signature

access.log
/203.0.113.1 - - [2025-10-17 11:34:58] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"


./test_forwareded_headers.sh

=== RESULTS ANALYSIS ===
CloudStack access log entries:
==============================
/10.0.3.251 - - [2025-10-17 11:34:58] "GET /client/api/?managementserverid=ff7ce98c-a53e-44a1-8df5-7adc455cd523&command=readyForShutdown&response=json& HTTP/1.1" 200 231 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:144.0) Gecko/20100101 Firefox/144.0"
/203.0.113.1 - - [2025-10-17 11:34:58] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
/203.0.113.2 - - [2025-10-17 11:34:59] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
/203.0.113.3 - - [2025-10-17 11:35:00] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
/203.0.113.10 - - [2025-10-17 11:35:01] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
/0:0:0:0:0:0:0:1 - - [2025-10-17 11:35:02] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
/10.0.3.251 - - [2025-10-17 11:35:03] "GET /client/api/?managementserverid=ff7ce98c-a53e-44a1-8df5-7adc455cd523&command=readyForShutdown&response=json& HTTP/1.1" 200 231 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:144.0) Gecko/20100101 Firefox/144.0"
/203.0.113.20 - - [2025-10-17 11:35:03] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"

=== VALIDATION ===
==================
SUCCESS: Forwarded IP addresses found in CloudStack access log!
PR #11386 forwarded headers functionality is working correctly

Detected forwarded IPs:
======================
  /203.0.113.1 - - [2025-10-17 11:34:58] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
  /203.0.113.2 - - [2025-10-17 11:34:59] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
  /203.0.113.3 - - [2025-10-17 11:35:00] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
  /203.0.113.10 - - [2025-10-17 11:35:01] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"
  /203.0.113.20 - - [2025-10-17 11:35:03] "GET /client/api?command=listCapabilities&response=json HTTP/1.1" 401 133 "-" "curl/7.61.1"

Analysis:
=========
Unique forwarded IPs detected:
  /203.0.113.1 (appeared 2 time(s))
  /203.0.113.10 (appeared 1 time(s))
  /203.0.113.2 (appeared 2 time(s))
  /203.0.113.20 (appeared 1 time(s))
  /203.0.113.3 (appeared 1 time(s))

Test completed at: Fri Oct 17 11:35:06 UTC 2025
===========================

The script ./test_forwareded_headers.sh fails without the fix

How did you try to break this feature and the system with this change?
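
The resolution logic the description relies on, as an added example (not code from this PR or from CloudStack): forwarded headers are honoured only when the TCP peer falls inside the allowed proxy CIDRs, and every configured header name is checked rather than only the first. The class and method names, the IPv4-only matching, the choice of the right-most list entry and the sample settings are assumptions of this example.

```java
import java.util.List;
import java.util.Map;

public class ForwardedClientAddress {
    // Parse an IPv4 literal; null for anything else (header values are never DNS-resolved).
    static Long ipv4(String s) {
        String[] octets = s.trim().split("\\.", -1);
        if (octets.length != 4) return null;
        long v = 0;
        for (String o : octets) {
            if (!o.matches("\\d{1,3}") || Integer.parseInt(o) > 255) return null;
            v = (v << 8) | Integer.parseInt(o);
        }
        return v;
    }

    static boolean inCidr(String ip, String cidr) {
        String[] parts = cidr.split("/");
        Long addr = ipv4(ip), net = parts.length == 2 ? ipv4(parts[0]) : null;
        if (addr == null || net == null) return false;
        long mask = (0xFFFFFFFFL << (32 - Integer.parseInt(parts[1]))) & 0xFFFFFFFFL;
        return (addr & mask) == (net & mask);
    }

    // peerAddr is the TCP peer; headers maps lower-cased header names to values.
    static String clientAddress(String peerAddr, Map<String, String> headers,
                                List<String> proxyCidrs, List<String> headerNames) {
        // Forwarded headers count only when the peer itself is an allowed proxy.
        if (proxyCidrs.stream().noneMatch(c -> inCidr(peerAddr, c))) return peerAddr;
        for (String name : headerNames) {          // every configured header, not just the first
            String value = headers.get(name.toLowerCase());
            if (value == null) continue;
            String[] hops = value.split(",", -1);
            String candidate = hops[hops.length - 1].trim();  // assumption: the proxy appends last
            if (ipv4(candidate) != null) return candidate;
        }
        return peerAddr;
    }

    public static void main(String[] args) {
        List<String> cidrs = List.of("10.0.3.0/24");                   // constructed proxy.cidr
        List<String> names = List.of("X-Forwarded-For", "X-Real-IP");  // constructed proxy.header.names
        // Request via the allowed proxy, client IP carried only in the second configured header.
        System.out.println(clientAddress("10.0.3.251", Map.of("x-real-ip", "203.0.113.1"), cidrs, names));
        // Direct peer outside proxy.cidr that sets a forwarded header itself.
        System.out.println(clientAddress("198.51.100.7", Map.of("x-forwarded-for", "203.0.113.9"), cidrs, names));
    }
}
```

Using one such function for management.log, api.log and access.log is what keeps the logged address consistent across the three files.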

abh1sar commented Oct 16, 2025

@blueorangutan package

@blueorangutan

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@DaanHoogland DaanHoogland left a comment

clgtm

@codecov

codecov bot commented Oct 16, 2025

Codecov Report

❌ Patch coverage is 92.30769% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 17.56%. Comparing base (f63118c) to head (cad2aa4).

Files with missing lines Patch % Lines
server/src/main/java/com/cloud/api/ApiServlet.java 92.30% 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff            @@
##               main   #11854   +/-   ##
=========================================
  Coverage     17.55%   17.56%           
- Complexity    15529    15531    +2     
=========================================
  Files          5909     5909           
  Lines        529012   529010    -2     
  Branches      64604    64603    -1     
=========================================
+ Hits          92892    92909   +17     
+ Misses       425671   425653   -18     
+ Partials      10449    10448    -1     
Flag Coverage Δ
uitests 3.58% <ø> (ø)
unittests 18.63% <92.30%> (+<0.01%) ⬆️

@blueorangutan

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 15485

@abh1sar abh1sar closed this Oct 17, 2025
@abh1sar abh1sar reopened this Oct 17, 2025
@abh1sar abh1sar closed this Oct 17, 2025
@abh1sar abh1sar reopened this Oct 17, 2025

abh1sar commented Oct 17, 2025

@blueorangutan package

@blueorangutan

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15490

abh1sar commented Oct 17, 2025

@blueorangutan package

@abh1sar abh1sar changed the title from "[Wip] Fix logging forwarded IP in access log" to "Fix logging of forwarded IPs in logs" Oct 17, 2025
@abh1sar abh1sar marked this pull request as ready for review October 17, 2025 14:12
@abh1sar abh1sar requested a review from DaanHoogland October 17, 2025 14:13
@blueorangutan

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 15495

abh1sar commented Oct 17, 2025

@blueorangutan package

@blueorangutan

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 15496

abh1sar commented Oct 21, 2025

@blueorangutan package

@blueorangutan

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 15509

@abh1sar abh1sar marked this pull request as draft October 21, 2025 10:56
@abh1sar abh1sar force-pushed the forwarded-ip-accesslog branch from 63ce1c6 to 2ca1e10 Compare October 21, 2025 14:13
@abh1sar abh1sar marked this pull request as ready for review October 21, 2025 15:17

abh1sar commented Oct 21, 2025

@blueorangutan package

@blueorangutan

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15513

abh1sar commented Oct 21, 2025

@blueorangutan test

@blueorangutan

@abh1sar a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@blueorangutan

[SF] Trillian Build Failed (tid-14708)

abh1sar commented Oct 21, 2025

@blueorangutan test

@blueorangutan

@abh1sar a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@blueorangutan

[SF] Trillian Build Failed (tid-14710)
