/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.catalina.filters;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.GenericFilter;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.PushBuilder;
import org.apache.catalina.AccessLog;
import org.apache.catalina.Globals;
import org.apache.catalina.connector.RequestFacade;
import org.apache.catalina.util.RequestUtil;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.http.FastHttpDateFormat;
import org.apache.tomcat.util.http.parser.Host;
import org.apache.tomcat.util.res.StringManager;
Servlet filter to integrate "X-Forwarded-For" and "X-Forwarded-Proto" HTTP headers.
Most of the design of this Servlet Filter is a port of mod_remoteip, this servlet filter replaces the apparent client remote
IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request headers (e.g.
"X-Forwarded-For").
Another feature of this servlet filter is to replace the apparent scheme (http/https) and server port with the scheme presented by a
proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").
This servlet filter proceeds as follows:
If the incoming request.getRemoteAddr()
matches the servlet
filter's list of internal or trusted proxies:
- Loop on the comma delimited list of IPs and hostnames passed by the preceding load balancer or proxy in the given request's Http
header named
$remoteIpHeader
(default value x-forwarded-for
). Values are processed in right-to-left order.
- For each ip/host of the list:
- if it matches the internal proxies list, the ip/host is swallowed
- if it matches the trusted proxies list, the ip/host is added to the created proxies header
- otherwise, the ip/host is declared to be the remote ip and looping is stopped.
- If the request http header named
$protocolHeader
(e.g. x-forwarded-proto
) consists only of forwards that match
protocolHeaderHttpsValue
configuration parameter (default https
) then request.isSecure = true
,
request.scheme = https
and request.serverPort = 443
. Note that 443 can be overwritten with the
$httpsServerPort
configuration parameter.
- Mark the request with the attribute
Globals.REQUEST_FORWARDED_ATTRIBUTE
and value Boolean.TRUE
to indicate that this request has been forwarded by one or more proxies.
Configuration parameters
XForwardedFilter property
Description
Equivalent mod_remoteip directive
Format
Default Value
remoteIpHeader
Name of the Http Header read by this servlet filter that holds the list of traversed IP addresses starting from the requesting client
RemoteIPHeader
Compliant http header name
x-forwarded-for
internalProxies
Regular expression that matches the IP addresses of internal proxies.
If they appear in the remoteIpHeader
value, they will be
trusted and will not appear
in the proxiesHeader
value
RemoteIPInternalProxy
Regular expression (in the syntax supported by java.util.regex
)
10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|
0:0:0:0:0:0:0:1|::1
By default, 10/8, 192.168/16, 169.254/16, 127/8, 172.16/12, and 0:0:0:0:0:0:0:1 are allowed.
proxiesHeader
Name of the http header created by this servlet filter to hold the list of proxies that have been processed in the incoming
remoteIpHeader
RemoteIPProxiesHeader
Compliant http header name
x-forwarded-by
trustedProxies
Regular expression that matches the IP addresses of trusted proxies.
If they appear in the remoteIpHeader
value, they will be
trusted and will appear in the proxiesHeader
value
RemoteIPTrustedProxy
Regular expression (in the syntax supported by java.util.regex
)
protocolHeader
Name of the http header read by this servlet filter that holds the flag that this request
N/A
Compliant http header name like X-Forwarded-Proto
, X-Forwarded-Ssl
or Front-End-Https
null
protocolHeaderHttpsValue
Value of the protocolHeader
to indicate that it is an Https request
N/A
String like https
or ON
https
httpServerPort
Value returned by ServletRequest.getServerPort()
when the protocolHeader
indicates http
protocol
N/A
integer
80
httpsServerPort
Value returned by ServletRequest.getServerPort()
when the protocolHeader
indicates https
protocol
N/A
integer
443
Regular expression vs. IP address blocks: mod_remoteip
allows to use address blocks (e.g.
192.168/16
) to configure RemoteIPInternalProxy
and RemoteIPTrustedProxy
; as the JVM doesn't have a
library similar to apr_ipsubnet_test, we rely on
regular expressions.
Sample with internal proxies
XForwardedFilter configuration:
<filter>
<filter-name>RemoteIpFilter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
<init-param>
<param-name>internalProxies</param-name>
<param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
</init-param>
<init-param>
<param-name>remoteIpHeader</param-name>
<param-value>x-forwarded-for</param-value>
</init-param>
<init-param>
<param-name>remoteIpProxiesHeader</param-name>
<param-value>x-forwarded-by</param-value>
</init-param>
<init-param>
<param-name>protocolHeader</param-name>
<param-value>x-forwarded-proto</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>RemoteIpFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
Request Values
property
Value Before RemoteIpFilter
Value After RemoteIpFilter
request.remoteAddr
192.168.0.10
140.211.11.130
request.header['x-forwarded-for']
140.211.11.130, 192.168.0.10
null
request.header['x-forwarded-by']
null
null
request.header['x-forwarded-proto']
https
https
request.scheme
http
https
request.secure
false
true
request.serverPort
80
443
Note : x-forwarded-by
header is null because only internal proxies as been traversed by the request.
x-forwarded-by
is null because all the proxies are trusted or internal.
Sample with trusted proxies
RemoteIpFilter configuration:
<filter>
<filter-name>RemoteIpFilter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
<init-param>
<param-name>internalProxies</param-name>
<param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
</init-param>
<init-param>
<param-name>remoteIpHeader</param-name>
<param-value>x-forwarded-for</param-value>
</init-param>
<init-param>
<param-name>remoteIpProxiesHeader</param-name>
<param-value>x-forwarded-by</param-value>
</init-param>
<init-param>
<param-name>trustedProxies</param-name>
<param-value>proxy1|proxy2</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>RemoteIpFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
Request Values
property
Value Before RemoteIpFilter
Value After RemoteIpFilter
request.remoteAddr
192.168.0.10
140.211.11.130
request.header['x-forwarded-for']
140.211.11.130, proxy1, proxy2
null
request.header['x-forwarded-by']
null
proxy1, proxy2
Note : proxy1
and proxy2
are both trusted proxies that come in x-forwarded-for
header, they both
are migrated in x-forwarded-by
header. x-forwarded-by
is null because all the proxies are trusted or internal.
Sample with internal and trusted proxies
RemoteIpFilter configuration:
<filter>
<filter-name>RemoteIpFilter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
<init-param>
<param-name>internalProxies</param-name>
<param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
</init-param>
<init-param>
<param-name>remoteIpHeader</param-name>
<param-value>x-forwarded-for</param-value>
</init-param>
<init-param>
<param-name>remoteIpProxiesHeader</param-name>
<param-value>x-forwarded-by</param-value>
</init-param>
<init-param>
<param-name>trustedProxies</param-name>
<param-value>proxy1|proxy2</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>RemoteIpFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
Request Values
property
Value Before RemoteIpFilter
Value After RemoteIpFilter
request.remoteAddr
192.168.0.10
140.211.11.130
request.header['x-forwarded-for']
140.211.11.130, proxy1, proxy2, 192.168.0.10
null
request.header['x-forwarded-by']
null
proxy1, proxy2
Note : proxy1
and proxy2
are both trusted proxies that come in x-forwarded-for
header, they both
are migrated in x-forwarded-by
header. As 192.168.0.10
is an internal proxy, it does not appear in
x-forwarded-by
. x-forwarded-by
is null because all the proxies are trusted or internal.
Sample with an untrusted proxy
RemoteIpFilter configuration:
<filter>
<filter-name>RemoteIpFilter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
<init-param>
<param-name>internalProxies</param-name>
<param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
</init-param>
<init-param>
<param-name>remoteIpHeader</param-name>
<param-value>x-forwarded-for</param-value>
</init-param>
<init-param>
<param-name>remoteIpProxiesHeader</param-name>
<param-value>x-forwarded-by</param-value>
</init-param>
<init-param>
<param-name>trustedProxies</param-name>
<param-value>proxy1|proxy2</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>RemoteIpFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
Request Values
property
Value Before RemoteIpFilter
Value After RemoteIpFilter
request.remoteAddr
192.168.0.10
untrusted-proxy
request.header['x-forwarded-for']
140.211.11.130, untrusted-proxy, proxy1
140.211.11.130
request.header['x-forwarded-by']
null
proxy1
Note : x-forwarded-by
holds the trusted proxy proxy1
. x-forwarded-by
holds
140.211.11.130
because untrusted-proxy
is not trusted and thus, we cannot trust that
untrusted-proxy
is the actual remote ip. request.remoteAddr
is untrusted-proxy
that is an IP
verified by proxy1
.
/**
* <p>
* Servlet filter to integrate "X-Forwarded-For" and "X-Forwarded-Proto" HTTP headers.
* </p>
* <p>
* Most of the design of this Servlet Filter is a port of <a
* href="https://httpd.apache.org/docs/trunk/mod/mod_remoteip.html">mod_remoteip</a>, this servlet filter replaces the apparent client remote
* IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request headers (e.g.
* "X-Forwarded-For").
* </p>
* <p>
* Another feature of this servlet filter is to replace the apparent scheme (http/https) and server port with the scheme presented by a
* proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").
* </p>
* <p>
* This servlet filter proceeds as follows:
* </p>
* <p>
* If the incoming <code>request.getRemoteAddr()</code> matches the servlet
* filter's list of internal or trusted proxies:
* </p>
* <ul>
* <li>Loop on the comma delimited list of IPs and hostnames passed by the preceding load balancer or proxy in the given request's Http
* header named <code>$remoteIpHeader</code> (default value <code>x-forwarded-for</code>). Values are processed in right-to-left order.</li>
* <li>For each ip/host of the list:
* <ul>
* <li>if it matches the internal proxies list, the ip/host is swallowed</li>
* <li>if it matches the trusted proxies list, the ip/host is added to the created proxies header</li>
* <li>otherwise, the ip/host is declared to be the remote ip and looping is stopped.</li>
* </ul>
* </li>
* <li>If the request http header named <code>$protocolHeader</code> (e.g. <code>x-forwarded-proto</code>) consists only of forwards that match
* <code>protocolHeaderHttpsValue</code> configuration parameter (default <code>https</code>) then <code>request.isSecure = true</code>,
* <code>request.scheme = https</code> and <code>request.serverPort = 443</code>. Note that 443 can be overwritten with the
* <code>$httpsServerPort</code> configuration parameter.</li>
* <li>Mark the request with the attribute {@link Globals#REQUEST_FORWARDED_ATTRIBUTE} and value {@code Boolean.TRUE} to indicate
* that this request has been forwarded by one or more proxies.</li>
* </ul>
* <table border="1">
* <caption>Configuration parameters</caption>
* <tr>
* <th>XForwardedFilter property</th>
* <th>Description</th>
* <th>Equivalent mod_remoteip directive</th>
* <th>Format</th>
* <th>Default Value</th>
* </tr>
* <tr>
* <td>remoteIpHeader</td>
* <td>Name of the Http Header read by this servlet filter that holds the list of traversed IP addresses starting from the requesting client
* </td>
* <td>RemoteIPHeader</td>
* <td>Compliant http header name</td>
* <td>x-forwarded-for</td>
* </tr>
* <tr>
* <td>internalProxies</td>
* <td>Regular expression that matches the IP addresses of internal proxies.
* If they appear in the <code>remoteIpHeader</code> value, they will be
* trusted and will not appear
* in the <code>proxiesHeader</code> value</td>
* <td>RemoteIPInternalProxy</td>
* <td>Regular expression (in the syntax supported by
* {@link java.util.regex.Pattern java.util.regex})</td>
* <td>10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
* 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
* 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
* 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|
* 0:0:0:0:0:0:0:1|::1
* <br>
* By default, 10/8, 192.168/16, 169.254/16, 127/8, 172.16/12, and 0:0:0:0:0:0:0:1 are allowed.</td>
* </tr>
* <tr>
* <td>proxiesHeader</td>
* <td>Name of the http header created by this servlet filter to hold the list of proxies that have been processed in the incoming
* <code>remoteIpHeader</code></td>
* <td>RemoteIPProxiesHeader</td>
* <td>Compliant http header name</td>
* <td>x-forwarded-by</td>
* </tr>
* <tr>
* <td>trustedProxies</td>
* <td>Regular expression that matches the IP addresses of trusted proxies.
* If they appear in the <code>remoteIpHeader</code> value, they will be
* trusted and will appear in the <code>proxiesHeader</code> value</td>
* <td>RemoteIPTrustedProxy</td>
* <td>Regular expression (in the syntax supported by
* {@link java.util.regex.Pattern java.util.regex})</td>
* <td> </td>
* </tr>
* <tr>
* <td>protocolHeader</td>
* <td>Name of the http header read by this servlet filter that holds the flag that this request</td>
* <td>N/A</td>
* <td>Compliant http header name like <code>X-Forwarded-Proto</code>, <code>X-Forwarded-Ssl</code> or <code>Front-End-Https</code></td>
* <td><code>null</code></td>
* </tr>
* <tr>
* <td>protocolHeaderHttpsValue</td>
* <td>Value of the <code>protocolHeader</code> to indicate that it is an Https request</td>
* <td>N/A</td>
* <td>String like <code>https</code> or <code>ON</code></td>
* <td><code>https</code></td>
* </tr>
* <tr>
* <td>httpServerPort</td>
* <td>Value returned by {@link ServletRequest#getServerPort()} when the <code>protocolHeader</code> indicates <code>http</code> protocol</td>
* <td>N/A</td>
* <td>integer</td>
* <td>80</td>
* </tr>
* <tr>
* <td>httpsServerPort</td>
* <td>Value returned by {@link ServletRequest#getServerPort()} when the <code>protocolHeader</code> indicates <code>https</code> protocol</td>
* <td>N/A</td>
* <td>integer</td>
* <td>443</td>
* </tr>
* </table>
* <p>
* <strong>Regular expression vs. IP address blocks:</strong> <code>mod_remoteip</code> allows to use address blocks (e.g.
* <code>192.168/16</code>) to configure <code>RemoteIPInternalProxy</code> and <code>RemoteIPTrustedProxy</code> ; as the JVM doesn't have a
* library similar to <a
* href="https://apr.apache.org/docs/apr/1.3/group__apr__network__io.html#gb74d21b8898b7c40bf7fd07ad3eb993d">apr_ipsubnet_test</a>, we rely on
* regular expressions.
* </p>
* <hr>
* <p>
* <strong>Sample with internal proxies</strong>
* </p>
* <p>
* XForwardedFilter configuration:
* </p>
* <code>
* <filter>
* <filter-name>RemoteIpFilter</filter-name>
* <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
* <init-param>
* <param-name>internalProxies</param-name>
* <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
* </init-param>
* <init-param>
* <param-name>remoteIpHeader</param-name>
* <param-value>x-forwarded-for</param-value>
* </init-param>
* <init-param>
* <param-name>remoteIpProxiesHeader</param-name>
* <param-value>x-forwarded-by</param-value>
* </init-param>
* <init-param>
* <param-name>protocolHeader</param-name>
* <param-value>x-forwarded-proto</param-value>
* </init-param>
* </filter>
*
* <filter-mapping>
* <filter-name>RemoteIpFilter</filter-name>
* <url-pattern>/*</url-pattern>
* <dispatcher>REQUEST</dispatcher>
* </filter-mapping></code>
* <table border="1">
* <caption>Request Values</caption>
* <tr>
* <th>property</th>
* <th>Value Before RemoteIpFilter</th>
* <th>Value After RemoteIpFilter</th>
* </tr>
* <tr>
* <td>request.remoteAddr</td>
* <td>192.168.0.10</td>
* <td>140.211.11.130</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-for']</td>
* <td>140.211.11.130, 192.168.0.10</td>
* <td>null</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-by']</td>
* <td>null</td>
* <td>null</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-proto']</td>
* <td>https</td>
* <td>https</td>
* </tr>
* <tr>
* <td>request.scheme</td>
* <td>http</td>
* <td>https</td>
* </tr>
* <tr>
* <td>request.secure</td>
* <td>false</td>
* <td>true</td>
* </tr>
* <tr>
* <td>request.serverPort</td>
* <td>80</td>
* <td>443</td>
* </tr>
* </table>
* Note : <code>x-forwarded-by</code> header is null because only internal proxies as been traversed by the request.
* <code>x-forwarded-by</code> is null because all the proxies are trusted or internal.
* <hr>
* <p>
* <strong>Sample with trusted proxies</strong>
* </p>
* <p>
* RemoteIpFilter configuration:
* </p>
* <code>
* <filter>
* <filter-name>RemoteIpFilter</filter-name>
* <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
* <init-param>
* <param-name>internalProxies</param-name>
* <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
* </init-param>
* <init-param>
* <param-name>remoteIpHeader</param-name>
* <param-value>x-forwarded-for</param-value>
* </init-param>
* <init-param>
* <param-name>remoteIpProxiesHeader</param-name>
* <param-value>x-forwarded-by</param-value>
* </init-param>
* <init-param>
* <param-name>trustedProxies</param-name>
* <param-value>proxy1|proxy2</param-value>
* </init-param>
* </filter>
*
* <filter-mapping>
* <filter-name>RemoteIpFilter</filter-name>
* <url-pattern>/*</url-pattern>
* <dispatcher>REQUEST</dispatcher>
* </filter-mapping></code>
* <table border="1">
* <caption>Request Values</caption>
* <tr>
* <th>property</th>
* <th>Value Before RemoteIpFilter</th>
* <th>Value After RemoteIpFilter</th>
* </tr>
* <tr>
* <td>request.remoteAddr</td>
* <td>192.168.0.10</td>
* <td>140.211.11.130</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-for']</td>
* <td>140.211.11.130, proxy1, proxy2</td>
* <td>null</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-by']</td>
* <td>null</td>
* <td>proxy1, proxy2</td>
* </tr>
* </table>
* <p>
* Note : <code>proxy1</code> and <code>proxy2</code> are both trusted proxies that come in <code>x-forwarded-for</code> header, they both
* are migrated in <code>x-forwarded-by</code> header. <code>x-forwarded-by</code> is null because all the proxies are trusted or internal.
* </p>
* <hr>
* <p>
* <strong>Sample with internal and trusted proxies</strong>
* </p>
* <p>
* RemoteIpFilter configuration:
* </p>
* <code>
* <filter>
* <filter-name>RemoteIpFilter</filter-name>
* <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
* <init-param>
* <param-name>internalProxies</param-name>
* <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
* </init-param>
* <init-param>
* <param-name>remoteIpHeader</param-name>
* <param-value>x-forwarded-for</param-value>
* </init-param>
* <init-param>
* <param-name>remoteIpProxiesHeader</param-name>
* <param-value>x-forwarded-by</param-value>
* </init-param>
* <init-param>
* <param-name>trustedProxies</param-name>
* <param-value>proxy1|proxy2</param-value>
* </init-param>
* </filter>
*
* <filter-mapping>
* <filter-name>RemoteIpFilter</filter-name>
* <url-pattern>/*</url-pattern>
* <dispatcher>REQUEST</dispatcher>
* </filter-mapping></code>
* <table border="1">
* <caption>Request Values</caption>
* <tr>
* <th>property</th>
* <th>Value Before RemoteIpFilter</th>
* <th>Value After RemoteIpFilter</th>
* </tr>
* <tr>
* <td>request.remoteAddr</td>
* <td>192.168.0.10</td>
* <td>140.211.11.130</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-for']</td>
* <td>140.211.11.130, proxy1, proxy2, 192.168.0.10</td>
* <td>null</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-by']</td>
* <td>null</td>
* <td>proxy1, proxy2</td>
* </tr>
* </table>
* <p>
* Note : <code>proxy1</code> and <code>proxy2</code> are both trusted proxies that come in <code>x-forwarded-for</code> header, they both
* are migrated in <code>x-forwarded-by</code> header. As <code>192.168.0.10</code> is an internal proxy, it does not appear in
* <code>x-forwarded-by</code>. <code>x-forwarded-by</code> is null because all the proxies are trusted or internal.
* </p>
* <hr>
* <p>
* <strong>Sample with an untrusted proxy</strong>
* </p>
* <p>
* RemoteIpFilter configuration:
* </p>
* <code>
* <filter>
* <filter-name>RemoteIpFilter</filter-name>
* <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
* <init-param>
* <param-name>internalProxies</param-name>
* <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
* </init-param>
* <init-param>
* <param-name>remoteIpHeader</param-name>
* <param-value>x-forwarded-for</param-value>
* </init-param>
* <init-param>
* <param-name>remoteIpProxiesHeader</param-name>
* <param-value>x-forwarded-by</param-value>
* </init-param>
* <init-param>
* <param-name>trustedProxies</param-name>
* <param-value>proxy1|proxy2</param-value>
* </init-param>
* </filter>
*
* <filter-mapping>
* <filter-name>RemoteIpFilter</filter-name>
* <url-pattern>/*</url-pattern>
* <dispatcher>REQUEST</dispatcher>
* </filter-mapping></code>
* <table border="1">
* <caption>Request Values</caption>
* <tr>
* <th>property</th>
* <th>Value Before RemoteIpFilter</th>
* <th>Value After RemoteIpFilter</th>
* </tr>
* <tr>
* <td>request.remoteAddr</td>
* <td>192.168.0.10</td>
* <td>untrusted-proxy</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-for']</td>
* <td>140.211.11.130, untrusted-proxy, proxy1</td>
* <td>140.211.11.130</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-by']</td>
* <td>null</td>
* <td>proxy1</td>
* </tr>
* </table>
* <p>
* Note : <code>x-forwarded-by</code> holds the trusted proxy <code>proxy1</code>. <code>x-forwarded-by</code> holds
* <code>140.211.11.130</code> because <code>untrusted-proxy</code> is not trusted and thus, we cannot trust that
* <code>untrusted-proxy</code> is the actual remote ip. <code>request.remoteAddr</code> is <code>untrusted-proxy</code> that is an IP
* verified by <code>proxy1</code>.
* </p>
* <hr>
*/
public class RemoteIpFilter extends GenericFilter {
private static final long serialVersionUID = 1L;
public static class XForwardedRequest extends HttpServletRequestWrapper {
protected final Map<String, List<String>> headers;
protected String localName;
protected int localPort;
protected String remoteAddr;
protected String remoteHost;
protected String scheme;
protected boolean secure;
protected String serverName;
protected int serverPort;
public XForwardedRequest(HttpServletRequest request) {
super(request);
this.localName = request.getLocalName();
this.localPort = request.getLocalPort();
this.remoteAddr = request.getRemoteAddr();
this.remoteHost = request.getRemoteHost();
this.scheme = request.getScheme();
this.secure = request.isSecure();
this.serverName = request.getServerName();
this.serverPort = request.getServerPort();
headers = new HashMap<>();
for (Enumeration<String> headerNames = request.getHeaderNames(); headerNames.hasMoreElements();) {
String header = headerNames.nextElement();
headers.put(header, Collections.list(request.getHeaders(header)));
}
}
@Override
public long getDateHeader(String name) {
String value = getHeader(name);
if (value == null) {
return -1;
}
long date = FastHttpDateFormat.parseDate(value);
if (date == -1) {
throw new IllegalArgumentException(value);
}
return date;
}
@Override
public String getHeader(String name) {
Map.Entry<String, List<String>> header = getHeaderEntry(name);
if (header == null || header.getValue() == null || header.getValue().isEmpty()) {
return null;
}
return header.getValue().get(0);
}
protected Map.Entry<String, List<String>> getHeaderEntry(String name) {
for (Map.Entry<String, List<String>> entry : headers.entrySet()) {
if (entry.getKey().equalsIgnoreCase(name)) {
return entry;
}
}
return null;
}
@Override
public Enumeration<String> getHeaderNames() {
return Collections.enumeration(headers.keySet());
}
@Override
public Enumeration<String> getHeaders(String name) {
Map.Entry<String, List<String>> header = getHeaderEntry(name);
if (header == null || header.getValue() == null) {
return Collections.enumeration(Collections.<String>emptyList());
}
return Collections.enumeration(header.getValue());
}
@Override
public int getIntHeader(String name) {
String value = getHeader(name);
if (value == null) {
return -1;
}
return Integer.parseInt(value);
}
@Override
public String getLocalName() {
return localName;
}
@Override
public int getLocalPort() {
return localPort;
}
@Override
public String getRemoteAddr() {
return this.remoteAddr;
}
@Override
public String getRemoteHost() {
return this.remoteHost;
}
@Override
public String getScheme() {
return scheme;
}
@Override
public String getServerName() {
return serverName;
}
@Override
public int getServerPort() {
return serverPort;
}
@Override
public boolean isSecure() {
return secure;
}
public void removeHeader(String name) {
Map.Entry<String, List<String>> header = getHeaderEntry(name);
if (header != null) {
headers.remove(header.getKey());
}
}
public void setHeader(String name, String value) {
List<String> values = Collections.singletonList(value);
Map.Entry<String, List<String>> header = getHeaderEntry(name);
if (header == null) {
headers.put(name, values);
} else {
header.setValue(values);
}
}
public void setLocalName(String localName) {
this.localName = localName;
}
public void setLocalPort(int localPort) {
this.localPort = localPort;
}
public void setRemoteAddr(String remoteAddr) {
this.remoteAddr = remoteAddr;
}
public void setRemoteHost(String remoteHost) {
this.remoteHost = remoteHost;
}
public void setScheme(String scheme) {
this.scheme = scheme;
}
public void setSecure(boolean secure) {
this.secure = secure;
}
public void setServerName(String serverName) {
this.serverName = serverName;
}
public void setServerPort(int serverPort) {
this.serverPort = serverPort;
}
@Override
public StringBuffer getRequestURL() {
return RequestUtil.getRequestURL(this);
}
@Override
public PushBuilder newPushBuilder() {
ServletRequest current = getRequest();
while (current instanceof ServletRequestWrapper) {
current = ((ServletRequestWrapper) current).getRequest();
}
if (current instanceof RequestFacade) {
return ((RequestFacade) current).newPushBuilder(this);
} else {
return null;
}
}
}
Pattern
for a comma delimited string that support whitespace characters /**
* {@link Pattern} for a comma delimited string that support whitespace characters
*/
private static final Pattern commaSeparatedValuesPattern = Pattern.compile("\\s*,\\s*");
protected static final String HTTP_SERVER_PORT_PARAMETER = "httpServerPort";
protected static final String HTTPS_SERVER_PORT_PARAMETER = "httpsServerPort";
protected static final String INTERNAL_PROXIES_PARAMETER = "internalProxies";
// Log must be non-static as loggers are created per class-loader and this
// Filter may be used in multiple class loaders
private transient Log log = LogFactory.getLog(RemoteIpFilter.class);
protected static final StringManager sm = StringManager.getManager(RemoteIpFilter.class);
protected static final String PROTOCOL_HEADER_PARAMETER = "protocolHeader";
protected static final String PROTOCOL_HEADER_HTTPS_VALUE_PARAMETER = "protocolHeaderHttpsValue";
protected static final String HOST_HEADER_PARAMETER = "hostHeader";
protected static final String PORT_HEADER_PARAMETER = "portHeader";
protected static final String CHANGE_LOCAL_NAME_PARAMETER = "changeLocalName";
protected static final String CHANGE_LOCAL_PORT_PARAMETER = "changeLocalPort";
protected static final String PROXIES_HEADER_PARAMETER = "proxiesHeader";
protected static final String REMOTE_IP_HEADER_PARAMETER = "remoteIpHeader";
protected static final String TRUSTED_PROXIES_PARAMETER = "trustedProxies";
Convert a given comma delimited list of regular expressions into an array of String
Params: - commaDelimitedStrings – The string to split
Returns: array of patterns (non null
)
/**
* Convert a given comma delimited list of regular expressions into an array of String
*
* @param commaDelimitedStrings The string to split
* @return array of patterns (non <code>null</code>)
*/
protected static String[] commaDelimitedListToStringArray(String commaDelimitedStrings) {
return (commaDelimitedStrings == null || commaDelimitedStrings.length() == 0) ? new String[0] : commaSeparatedValuesPattern
.split(commaDelimitedStrings);
}
Convert a list of strings in a comma delimited string.
Params: - stringList – List of strings
Returns: concatenated string
/**
* Convert a list of strings in a comma delimited string.
*
* @param stringList List of strings
* @return concatenated string
*/
protected static String listToCommaDelimitedString(List<String> stringList) {
if (stringList == null) {
return "";
}
StringBuilder result = new StringBuilder();
for (Iterator<String> it = stringList.iterator(); it.hasNext();) {
Object element = it.next();
if (element != null) {
result.append(element);
if (it.hasNext()) {
result.append(", ");
}
}
}
return result.toString();
}
See Also: - setHttpServerPort(int)
/**
* @see #setHttpServerPort(int)
*/
private int httpServerPort = 80;
See Also: - setHttpsServerPort(int)
/**
* @see #setHttpsServerPort(int)
*/
private int httpsServerPort = 443;
See Also: - setInternalProxies(String)
/**
* @see #setInternalProxies(String)
*/
private Pattern internalProxies = Pattern.compile(
"10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" +
"192\\.168\\.\\d{1,3}\\.\\d{1,3}|" +
"169\\.254\\.\\d{1,3}\\.\\d{1,3}|" +
"127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" +
"172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
"172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
"172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
"0:0:0:0:0:0:0:1|::1");
See Also: - setProtocolHeader(String)
/**
* @see #setProtocolHeader(String)
*/
private String protocolHeader = "X-Forwarded-Proto";
private String protocolHeaderHttpsValue = "https";
private String hostHeader = null;
private boolean changeLocalName = false;
private String portHeader = null;
private boolean changeLocalPort = false;
See Also: - setProxiesHeader(String)
/**
* @see #setProxiesHeader(String)
*/
private String proxiesHeader = "X-Forwarded-By";
See Also: - setRemoteIpHeader(String)
/**
* @see #setRemoteIpHeader(String)
*/
private String remoteIpHeader = "X-Forwarded-For";
See Also: - setRequestAttributesEnabled(boolean)
/**
* @see #setRequestAttributesEnabled(boolean)
*/
private boolean requestAttributesEnabled = true;
See Also: - setTrustedProxies(String)
/**
* @see #setTrustedProxies(String)
*/
private Pattern trustedProxies = null;
public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
boolean isInternal = internalProxies != null &&
internalProxies.matcher(request.getRemoteAddr()).matches();
if (isInternal || (trustedProxies != null &&
trustedProxies.matcher(request.getRemoteAddr()).matches())) {
String remoteIp = null;
// In java 6, proxiesHeaderValue should be declared as a java.util.Deque
LinkedList<String> proxiesHeaderValue = new LinkedList<>();
StringBuilder concatRemoteIpHeaderValue = new StringBuilder();
for (Enumeration<String> e = request.getHeaders(remoteIpHeader); e.hasMoreElements();) {
if (concatRemoteIpHeaderValue.length() > 0) {
concatRemoteIpHeaderValue.append(", ");
}
concatRemoteIpHeaderValue.append(e.nextElement());
}
String[] remoteIpHeaderValue = commaDelimitedListToStringArray(concatRemoteIpHeaderValue.toString());
int idx;
if (!isInternal) {
proxiesHeaderValue.addFirst(request.getRemoteAddr());
}
// loop on remoteIpHeaderValue to find the first trusted remote ip and to build the proxies chain
for (idx = remoteIpHeaderValue.length - 1; idx >= 0; idx--) {
String currentRemoteIp = remoteIpHeaderValue[idx];
remoteIp = currentRemoteIp;
if (internalProxies !=null && internalProxies.matcher(currentRemoteIp).matches()) {
// do nothing, internalProxies IPs are not appended to the
} else if (trustedProxies != null &&
trustedProxies.matcher(currentRemoteIp).matches()) {
proxiesHeaderValue.addFirst(currentRemoteIp);
} else {
idx--; // decrement idx because break statement doesn't do it
break;
}
}
// continue to loop on remoteIpHeaderValue to build the new value of the remoteIpHeader
LinkedList<String> newRemoteIpHeaderValue = new LinkedList<>();
for (; idx >= 0; idx--) {
String currentRemoteIp = remoteIpHeaderValue[idx];
newRemoteIpHeaderValue.addFirst(currentRemoteIp);
}
XForwardedRequest xRequest = new XForwardedRequest(request);
if (remoteIp != null) {
xRequest.setRemoteAddr(remoteIp);
xRequest.setRemoteHost(remoteIp);
if (proxiesHeaderValue.size() == 0) {
xRequest.removeHeader(proxiesHeader);
} else {
String commaDelimitedListOfProxies = listToCommaDelimitedString(proxiesHeaderValue);
xRequest.setHeader(proxiesHeader, commaDelimitedListOfProxies);
}
if (newRemoteIpHeaderValue.size() == 0) {
xRequest.removeHeader(remoteIpHeader);
} else {
String commaDelimitedRemoteIpHeaderValue = listToCommaDelimitedString(newRemoteIpHeaderValue);
xRequest.setHeader(remoteIpHeader, commaDelimitedRemoteIpHeaderValue);
}
}
if (protocolHeader != null) {
String protocolHeaderValue = request.getHeader(protocolHeader);
if (protocolHeaderValue == null) {
// Don't modify the secure, scheme and serverPort attributes
// of the request
} else if (isForwardedProtoHeaderValueSecure(protocolHeaderValue)) {
xRequest.setSecure(true);
xRequest.setScheme("https");
setPorts(xRequest, httpsServerPort);
} else {
xRequest.setSecure(false);
xRequest.setScheme("http");
setPorts(xRequest, httpServerPort);
}
}
if (hostHeader != null) {
String hostHeaderValue = request.getHeader(hostHeader);
if (hostHeaderValue != null) {
try {
int portIndex = Host.parse(hostHeaderValue);
if (portIndex > -1) {
log.debug(sm.getString("remoteIpFilter.invalidHostWithPort", hostHeaderValue, hostHeader));
hostHeaderValue = hostHeaderValue.substring(0, portIndex);
}
xRequest.setServerName(hostHeaderValue);
if (isChangeLocalName()) {
xRequest.setLocalName(hostHeaderValue);
}
} catch (IllegalArgumentException iae) {
log.debug(sm.getString("remoteIpFilter.invalidHostHeader", hostHeaderValue, hostHeader));
}
}
}
request.setAttribute(Globals.REQUEST_FORWARDED_ATTRIBUTE, Boolean.TRUE);
if (log.isDebugEnabled()) {
log.debug("Incoming request " + request.getRequestURI() + " with originalRemoteAddr [" + request.getRemoteAddr() +
"], originalRemoteHost=[" + request.getRemoteHost() + "], originalSecure=[" + request.isSecure() +
"], originalScheme=[" + request.getScheme() + "], originalServerName=[" + request.getServerName() +
"], originalServerPort=[" + request.getServerPort() +
"] will be seen as newRemoteAddr=[" + xRequest.getRemoteAddr() +
"], newRemoteHost=[" + xRequest.getRemoteHost() + "], newSecure=[" + xRequest.isSecure() +
"], newScheme=[" + xRequest.getScheme() + "], newServerName=[" + xRequest.getServerName() +
"], newServerPort=[" + xRequest.getServerPort() + "]");
}
if (requestAttributesEnabled) {
request.setAttribute(AccessLog.REMOTE_ADDR_ATTRIBUTE,
xRequest.getRemoteAddr());
request.setAttribute(Globals.REMOTE_ADDR_ATTRIBUTE,
xRequest.getRemoteAddr());
request.setAttribute(AccessLog.REMOTE_HOST_ATTRIBUTE,
xRequest.getRemoteHost());
request.setAttribute(AccessLog.PROTOCOL_ATTRIBUTE,
xRequest.getProtocol());
request.setAttribute(AccessLog.SERVER_NAME_ATTRIBUTE,
xRequest.getServerName());
request.setAttribute(AccessLog.SERVER_PORT_ATTRIBUTE,
Integer.valueOf(xRequest.getServerPort()));
}
chain.doFilter(xRequest, response);
} else {
if (log.isDebugEnabled()) {
log.debug("Skip RemoteIpFilter for request " + request.getRequestURI() + " with originalRemoteAddr '"
+ request.getRemoteAddr() + "'");
}
chain.doFilter(request, response);
}
}
/*
* Considers the value to be secure if it exclusively holds forwards for
* {@link #protocolHeaderHttpsValue}.
*/
private boolean isForwardedProtoHeaderValueSecure(String protocolHeaderValue) {
if (!protocolHeaderValue.contains(",")) {
return protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue);
}
String[] forwardedProtocols = commaDelimitedListToStringArray(protocolHeaderValue);
if (forwardedProtocols.length == 0) {
return false;
}
for (int i = 0; i < forwardedProtocols.length; i++) {
if (!protocolHeaderHttpsValue.equalsIgnoreCase(forwardedProtocols[i])) {
return false;
}
}
return true;
}
private void setPorts(XForwardedRequest xrequest, int defaultPort) {
int port = defaultPort;
if (getPortHeader() != null) {
String portHeaderValue = xrequest.getHeader(getPortHeader());
if (portHeaderValue != null) {
try {
port = Integer.parseInt(portHeaderValue);
} catch (NumberFormatException nfe) {
log.debug("Invalid port value [" + portHeaderValue +
"] provided in header [" + getPortHeader() + "]");
}
}
}
xrequest.setServerPort(port);
if (isChangeLocalPort()) {
xrequest.setLocalPort(port);
}
}
Wrap the incoming request
in a XForwardedRequest
if the http header x-forwarded-for
is not empty.
{@inheritDoc}
/**
* Wrap the incoming <code>request</code> in a {@link XForwardedRequest} if the http header <code>x-forwarded-for</code> is not empty.
* {@inheritDoc}
*/
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
if (request instanceof HttpServletRequest && response instanceof HttpServletResponse) {
doFilter((HttpServletRequest)request, (HttpServletResponse)response, chain);
} else {
chain.doFilter(request, response);
}
}
public boolean isChangeLocalName() {
return changeLocalName;
}
public boolean isChangeLocalPort() {
return changeLocalPort;
}
public int getHttpsServerPort() {
return httpsServerPort;
}
public Pattern getInternalProxies() {
return internalProxies;
}
public String getProtocolHeader() {
return protocolHeader;
}
public String getPortHeader() {
return portHeader;
}
public String getProtocolHeaderHttpsValue() {
return protocolHeaderHttpsValue;
}
public String getProxiesHeader() {
return proxiesHeader;
}
public String getRemoteIpHeader() {
return remoteIpHeader;
}
See Also: - setRequestAttributesEnabled(boolean)
Returns: true
if the attributes will be logged, otherwise
false
/**
* @see #setRequestAttributesEnabled(boolean)
* @return <code>true</code> if the attributes will be logged, otherwise
* <code>false</code>
*/
public boolean getRequestAttributesEnabled() {
return requestAttributesEnabled;
}
public Pattern getTrustedProxies() {
return trustedProxies;
}
@Override
public void init() throws ServletException {
if (getInitParameter(INTERNAL_PROXIES_PARAMETER) != null) {
setInternalProxies(getInitParameter(INTERNAL_PROXIES_PARAMETER));
}
if (getInitParameter(PROTOCOL_HEADER_PARAMETER) != null) {
setProtocolHeader(getInitParameter(PROTOCOL_HEADER_PARAMETER));
}
if (getInitParameter(PROTOCOL_HEADER_HTTPS_VALUE_PARAMETER) != null) {
setProtocolHeaderHttpsValue(getInitParameter(PROTOCOL_HEADER_HTTPS_VALUE_PARAMETER));
}
if (getInitParameter(HOST_HEADER_PARAMETER) != null) {
setHostHeader(getInitParameter(HOST_HEADER_PARAMETER));
}
if (getInitParameter(PORT_HEADER_PARAMETER) != null) {
setPortHeader(getInitParameter(PORT_HEADER_PARAMETER));
}
if (getInitParameter(CHANGE_LOCAL_NAME_PARAMETER) != null) {
setChangeLocalName(Boolean.parseBoolean(getInitParameter(CHANGE_LOCAL_NAME_PARAMETER)));
}
if (getInitParameter(CHANGE_LOCAL_PORT_PARAMETER) != null) {
setChangeLocalPort(Boolean.parseBoolean(getInitParameter(CHANGE_LOCAL_PORT_PARAMETER)));
}
if (getInitParameter(PROXIES_HEADER_PARAMETER) != null) {
setProxiesHeader(getInitParameter(PROXIES_HEADER_PARAMETER));
}
if (getInitParameter(REMOTE_IP_HEADER_PARAMETER) != null) {
setRemoteIpHeader(getInitParameter(REMOTE_IP_HEADER_PARAMETER));
}
if (getInitParameter(TRUSTED_PROXIES_PARAMETER) != null) {
setTrustedProxies(getInitParameter(TRUSTED_PROXIES_PARAMETER));
}
if (getInitParameter(HTTP_SERVER_PORT_PARAMETER) != null) {
try {
setHttpServerPort(Integer.parseInt(getInitParameter(HTTP_SERVER_PORT_PARAMETER)));
} catch (NumberFormatException e) {
throw new NumberFormatException(sm.getString("remoteIpFilter.invalidNumber", HTTP_SERVER_PORT_PARAMETER, e.getLocalizedMessage()));
}
}
if (getInitParameter(HTTPS_SERVER_PORT_PARAMETER) != null) {
try {
setHttpsServerPort(Integer.parseInt(getInitParameter(HTTPS_SERVER_PORT_PARAMETER)));
} catch (NumberFormatException e) {
throw new NumberFormatException(sm.getString("remoteIpFilter.invalidNumber", HTTPS_SERVER_PORT_PARAMETER, e.getLocalizedMessage()));
}
}
}
If true
, the return values for both ServletRequest.getLocalName()
and ServletRequest.getServerName()
will be modified by this Filter rather than just ServletRequest.getServerName()
.
Default value : false
Params: - changeLocalName – The new flag value
/**
* <p>
* If <code>true</code>, the return values for both {@link
* ServletRequest#getLocalName()} and {@link ServletRequest#getServerName()}
* will be modified by this Filter rather than just
* {@link ServletRequest#getServerName()}.
* </p>
* <p>
* Default value : <code>false</code>
* </p>
* @param changeLocalName The new flag value
*/
public void setChangeLocalName(boolean changeLocalName) {
this.changeLocalName = changeLocalName;
}
If true
, the return values for both ServletRequest.getLocalPort()
and ServletRequest.getServerPort()
will be modified by this Filter rather than just ServletRequest.getServerPort()
.
Default value : false
Params: - changeLocalPort – The new flag value
/**
* <p>
* If <code>true</code>, the return values for both {@link
* ServletRequest#getLocalPort()} and {@link ServletRequest#getServerPort()}
* will be modified by this Filter rather than just
* {@link ServletRequest#getServerPort()}.
* </p>
* <p>
* Default value : <code>false</code>
* </p>
* @param changeLocalPort The new flag value
*/
public void setChangeLocalPort(boolean changeLocalPort) {
this.changeLocalPort = changeLocalPort;
}
Server Port value if the protocolHeader
indicates HTTP (i.e. protocolHeader
is not null and has a value different of protocolHeaderHttpsValue
).
Default value : 80
Params: - httpServerPort – The server port to use
/**
* <p>
* Server Port value if the {@link #protocolHeader} indicates HTTP (i.e. {@link #protocolHeader} is not null and
* has a value different of {@link #protocolHeaderHttpsValue}).
* </p>
* <p>
* Default value : 80
* </p>
* @param httpServerPort The server port to use
*/
public void setHttpServerPort(int httpServerPort) {
this.httpServerPort = httpServerPort;
}
Server Port value if the protocolHeader
indicates HTTPS
Default value : 443
Params: - httpsServerPort – The server port to use
/**
* <p>
* Server Port value if the {@link #protocolHeader} indicates HTTPS
* </p>
* <p>
* Default value : 443
* </p>
* @param httpsServerPort The server port to use
*/
public void setHttpsServerPort(int httpsServerPort) {
this.httpsServerPort = httpsServerPort;
}
Regular expression that defines the internal proxies.
Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254.\d{1,3}.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
Params: - internalProxies – The regexp
/**
* <p>
* Regular expression that defines the internal proxies.
* </p>
* <p>
* Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254.\d{1,3}.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
* </p>
* @param internalProxies The regexp
*/
public void setInternalProxies(String internalProxies) {
if (internalProxies == null || internalProxies.length() == 0) {
this.internalProxies = null;
} else {
this.internalProxies = Pattern.compile(internalProxies);
}
}
Header that holds the incoming host, usually named
X-Forwarded-HOst
.
Default value : null
Params: - hostHeader – The header name
/**
* <p>
* Header that holds the incoming host, usually named
* <code>X-Forwarded-HOst</code>.
* </p>
* <p>
* Default value : <code>null</code>
* </p>
* @param hostHeader The header name
*/
public void setHostHeader(String hostHeader) {
this.hostHeader = hostHeader;
}
Header that holds the incoming port, usually named
X-Forwarded-Port
. If null
, httpServerPort
or httpsServerPort
will be used.
Default value : null
Params: - portHeader – The header name
/**
* <p>
* Header that holds the incoming port, usually named
* <code>X-Forwarded-Port</code>. If <code>null</code>,
* {@link #httpServerPort} or {@link #httpsServerPort} will be used.
* </p>
* <p>
* Default value : <code>null</code>
* </p>
* @param portHeader The header name
*/
public void setPortHeader(String portHeader) {
this.portHeader = portHeader;
}
Header that holds the incoming protocol, usually named X-Forwarded-Proto
. If null
, request.scheme and
request.secure will not be modified.
Default value : null
Params: - protocolHeader – The header name
/**
* <p>
* Header that holds the incoming protocol, usually named <code>X-Forwarded-Proto</code>. If <code>null</code>, request.scheme and
* request.secure will not be modified.
* </p>
* <p>
* Default value : <code>null</code>
* </p>
* @param protocolHeader The header name
*/
public void setProtocolHeader(String protocolHeader) {
this.protocolHeader = protocolHeader;
}
Case insensitive value of the protocol header to indicate that the incoming http request uses HTTPS.
Default value : https
Params: - protocolHeaderHttpsValue – The header value
/**
* <p>
* Case insensitive value of the protocol header to indicate that the incoming http request uses HTTPS.
* </p>
* <p>
* Default value : <code>https</code>
* </p>
* @param protocolHeaderHttpsValue The header value
*/
public void setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue) {
this.protocolHeaderHttpsValue = protocolHeaderHttpsValue;
}
The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP
addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header,
while any intermediate RemoteIPInternalProxy addresses are discarded.
Name of the http header that holds the list of trusted proxies that has been traversed by the http request.
The value of this header can be comma delimited.
Default value : X-Forwarded-By
Params: - proxiesHeader – The header name
/**
* <p>
* The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP
* addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header,
* while any intermediate RemoteIPInternalProxy addresses are discarded.
* </p>
* <p>
* Name of the http header that holds the list of trusted proxies that has been traversed by the http request.
* </p>
* <p>
* The value of this header can be comma delimited.
* </p>
* <p>
* Default value : <code>X-Forwarded-By</code>
* </p>
* @param proxiesHeader The header name
*/
public void setProxiesHeader(String proxiesHeader) {
this.proxiesHeader = proxiesHeader;
}
Name of the http header from which the remote ip is extracted.
The value of this header can be comma delimited.
Default value : X-Forwarded-For
Params: - remoteIpHeader – The header name
/**
* <p>
* Name of the http header from which the remote ip is extracted.
* </p>
* <p>
* The value of this header can be comma delimited.
* </p>
* <p>
* Default value : <code>X-Forwarded-For</code>
* </p>
* @param remoteIpHeader The header name
*/
public void setRemoteIpHeader(String remoteIpHeader) {
this.remoteIpHeader = remoteIpHeader;
}
Should this filter set request attributes for IP address, Hostname, protocol and port used for the request? This are typically used in conjunction with an AccessLog
which will otherwise log the original values. Default is true
.
The attributes set are:
- org.apache.catalina.AccessLog.RemoteAddr
- org.apache.catalina.AccessLog.RemoteHost
- org.apache.catalina.AccessLog.Protocol
- org.apache.catalina.AccessLog.ServerPort
- org.apache.tomcat.remoteAddr
Params: - requestAttributesEnabled –
true
causes the attributes
to be set, false
disables
the setting of the attributes.
/**
* Should this filter set request attributes for IP address, Hostname,
* protocol and port used for the request? This are typically used in
* conjunction with an {@link AccessLog} which will otherwise log the
* original values. Default is <code>true</code>.
*
* The attributes set are:
* <ul>
* <li>org.apache.catalina.AccessLog.RemoteAddr</li>
* <li>org.apache.catalina.AccessLog.RemoteHost</li>
* <li>org.apache.catalina.AccessLog.Protocol</li>
* <li>org.apache.catalina.AccessLog.ServerPort</li>
* <li>org.apache.tomcat.remoteAddr</li>
* </ul>
*
* @param requestAttributesEnabled <code>true</code> causes the attributes
* to be set, <code>false</code> disables
* the setting of the attributes.
*/
public void setRequestAttributesEnabled(boolean requestAttributesEnabled) {
this.requestAttributesEnabled = requestAttributesEnabled;
}
Regular expression defining proxies that are trusted when they appear in the remoteIpHeader
header.
Default value : empty list, no external proxy is trusted.
Params: - trustedProxies – The trusted proxies regexp
/**
* <p>
* Regular expression defining proxies that are trusted when they appear in
* the {@link #remoteIpHeader} header.
* </p>
* <p>
* Default value : empty list, no external proxy is trusted.
* </p>
* @param trustedProxies The trusted proxies regexp
*/
public void setTrustedProxies(String trustedProxies) {
if (trustedProxies == null || trustedProxies.length() == 0) {
this.trustedProxies = null;
} else {
this.trustedProxies = Pattern.compile(trustedProxies);
}
}
/*
* Log objects are not Serializable but this Filter is because it extends
* GenericFilter. Tomcat won't serialize a Filter but in case something else
* does...
*/
private void readObject(ObjectInputStream ois) throws ClassNotFoundException, IOException {
ois.defaultReadObject();
log = LogFactory.getLog(RemoteIpFilter.class);
}
}