From 004218d301ddcba8f4a31079b44c74c85d6113df Mon Sep 17 00:00:00 2001 From: markt Date: Thu, 5 Nov 2009 20:35:09 +0000 Subject: [PATCH] https://issues.apache.org/bugzilla/show_bug.cgi?id=47330 Add RemoteIpFilter Patch provided by Cyrille Le Clerc git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@833155 13f79535-47bb-0310-9956-ffa450edef68 --- .../apache/catalina/filters/RemoteIpFilter.java | 943 +++++++++++++++++++++ webapps/docs/config/filter.xml | 86 ++ 2 files changed, 1029 insertions(+) create mode 100644 java/org/apache/catalina/filters/RemoteIpFilter.java diff --git a/java/org/apache/catalina/filters/RemoteIpFilter.java b/java/org/apache/catalina/filters/RemoteIpFilter.java new file mode 100644 index 000000000..ef34340e8 --- /dev/null +++ b/java/org/apache/catalina/filters/RemoteIpFilter.java @@ -0,0 +1,943 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.filters; + +import java.io.IOException; +import java.text.DateFormat; +import java.text.SimpleDateFormat; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.Date; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; +import java.util.Locale; +import java.util.Map; +import java.util.regex.Pattern; +import java.util.regex.PatternSyntaxException; + +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletRequestWrapper; +import javax.servlet.http.HttpServletResponse; + +import org.apache.juli.logging.Log; +import org.apache.juli.logging.LogFactory; + +/** + *

+ * Servlet filter to integrate "X-Forwarded-For" and "X-Forwarded-Proto" HTTP headers. + *

+ *

+ * Most of the design of this Servlet Filter is a port of mod_remoteip, this servlet filter replaces the apparent client remote + * IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request headers (e.g. + * "X-Forwarded-For"). + *

+ *

+ * Another feature of this servlet filter is to replace the apparent scheme (http/https) and server port with the scheme presented by a + * proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto"). + *

+ *

+ * This servlet filter proceeds as follows: + *

+ *

+ * If the incoming request.getRemoteAddr() matches the servlet filter's list of internal proxies : + *

+ *

+ *

+ * Configuration parameters: + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + *
XForwardedFilter propertyDescriptionEquivalent mod_remoteip directiveFormatDefault Value
remoteIPHeaderName of the Http Header read by this servlet filter that holds the list of traversed IP addresses starting from the requesting client + * RemoteIPHeaderCompliant http header namex-forwarded-for
internalProxiesList of internal proxies ip adress. If they appear in the remoteIpHeader value, they will be trusted and will not appear + * in the proxiesHeader valueRemoteIPInternalProxyComma delimited list of regular expressions (in the syntax supported by the {@link java.util.regex.Pattern} library)10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}
+ * By default, 10/8, 192.168/16, 169.254/16 and 127/8 are allowed ; 172.16/12 has not been enabled by default because it is complex to + * describe with regular expressions
proxiesHeaderName of the http header created by this servlet filter to hold the list of proxies that have been processed in the incoming + * remoteIPHeaderRemoteIPProxiesHeaderCompliant http header namex-forwarded-by
trustedProxiesList of trusted proxies ip adress. If they appear in the remoteIpHeader value, they will be trusted and will appear in + * the proxiesHeader valueRemoteIPTrustedProxyComma delimited list of regular expressions (in the syntax supported by the {@link java.util.regex.Pattern} library) 
protocolHeaderName of the http header read by this servlet filter that holds the flag that this requestN/ACompliant http header name like X-Forwarded-Proto, X-Forwarded-Ssl or Front-End-Httpsnull
protocolHeaderHttpsValueValue of the protocolHeader to indicate that it is an Https requestN/AString like https or ONhttps
+ *

+ *

+ *

+ * Regular expression vs. IP address blocks: mod_remoteip allows to use address blocks (e.g. + * 192.168/16) to configure RemoteIPInternalProxy and RemoteIPTrustedProxy ; as the JVM doesnt have a + * library similar to apr_ipsubnet_test. + *

+ *
+ *

+ * Sample with internal proxies + *

+ *

+ * XForwardedFilter configuration: + *

+ * 
+ * <filter>
+ *    <filter-name>XForwardedFilter</filter-name>
+ *    <filter-class>fr.xebia.servlet.filter.XForwardedFilter</filter-class>
+ *    <init-param>
+ *       <param-name>internalProxies</param-name><param-value>192\.168\.0\.10, 192\.168\.0\.11</param-value>
+ *    </init-param>
+ *    <init-param>
+ *       <param-name>remoteIPHeader</param-name><param-value>x-forwarded-for</param-value>
+ *    </init-param>
+ *    <init-param>
+ *       <param-name>remoteIPProxiesHeader</param-name><param-value>x-forwarded-by</param-value>
+ *    </init-param>
+ *    <init-param>
+ *       <param-name>protocolHeader</param-name><param-value>x-forwarded-proto</param-value>
+ *    </init-param>
+ * </filter>
+ * 
+ * <filter-mapping>
+ *    <filter-name>XForwardedFilter</filter-name>
+ *    <url-pattern>/*</url-pattern>
+ *    <dispatcher>REQUEST</dispatcher>
+ * </filter-mapping>
 + *

+ * Request values: + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + *
propertyValue Before XForwardedFilterValue After XForwardedFilter
request.remoteAddr192.168.0.10140.211.11.130
request.header['x-forwarded-for']140.211.11.130, 192.168.0.10null
request.header['x-forwarded-by']nullnull
request.header['x-forwarded-proto']httpshttps
request.schemehttphttps
request.securefalsetrue
request.serverPort80443
+ * Note : x-forwarded-by header is null because only internal proxies as been traversed by the request. + * x-forwarded-by is null because all the proxies are trusted or internal. + *

+ *
+ *

+ * Sample with trusted proxies + *

+ *

+ * XForwardedFilter configuration: + *

+ * 
+ * <filter>
+ *    <filter-name>XForwardedFilter</filter-name>
+ *    <filter-class>fr.xebia.servlet.filter.XForwardedFilter</filter-class>
+ *    <init-param>
+ *       <param-name>internalProxies</param-name><param-value>192\.168\.0\.10, 192\.168\.0\.11</param-value>
+ *    </init-param>
+ *    <init-param>
+ *       <param-name>remoteIPHeader</param-name><param-value>x-forwarded-for</param-value>
+ *    </init-param>
+ *    <init-param>
+ *       <param-name>remoteIPProxiesHeader</param-name><param-value>x-forwarded-by</param-value>
+ *    </init-param>
+ *    <init-param>
+ *       <param-name>trustedProxies</param-name><param-value>proxy1, proxy2</param-value>
+ *    </init-param>
+ * </filter>
+ * 
+ * <filter-mapping>
+ *    <filter-name>XForwardedFilter</filter-name>
+ *    <url-pattern>/*</url-pattern>
+ *    <dispatcher>REQUEST</dispatcher>
+ * </filter-mapping>
 + *

+ * Request values: + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + *
propertyValue Before XForwardedFilterValue After XForwardedFilter
request.remoteAddr192.168.0.10140.211.11.130
request.header['x-forwarded-for']140.211.11.130, proxy1, proxy2null
request.header['x-forwarded-by']nullproxy1, proxy2
+ * Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both + * are migrated in x-forwarded-by header. x-forwarded-by is null because all the proxies are trusted or internal. + *

+ *
+ *

+ * Sample with internal and trusted proxies + *

+ *

+ * XForwardedFilter configuration: + *

+ * 
+ * <filter>
+ *    <filter-name>XForwardedFilter</filter-name>
+ *    <filter-class>fr.xebia.servlet.filter.XForwardedFilter</filter-class>
+ *    <init-param>
+ *       <param-name>internalProxies</param-name><param-value>192\.168\.0\.10, 192\.168\.0\.11</param-value>
+ *    </init-param>
+ *    <init-param>
+ *       <param-name>remoteIPHeader</param-name><param-value>x-forwarded-for</param-value>
+ *    </init-param>
+ *    <init-param>
+ *       <param-name>remoteIPProxiesHeader</param-name><param-value>x-forwarded-by</param-value>
+ *    </init-param>
+ *    <init-param>
+ *       <param-name>trustedProxies</param-name><param-value>proxy1, proxy2</param-value>
+ *    </init-param>
+ * </filter>
+ * 
+ * <filter-mapping>
+ *    <filter-name>XForwardedFilter</filter-name>
+ *    <url-pattern>/*</url-pattern>
+ *    <dispatcher>REQUEST</dispatcher>
+ * </filter-mapping>
 + *

+ * Request values: + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + *
propertyValue Before XForwardedFilterValue After XForwardedFilter
request.remoteAddr192.168.0.10140.211.11.130
request.header['x-forwarded-for']140.211.11.130, proxy1, proxy2, 192.168.0.10null
request.header['x-forwarded-by']nullproxy1, proxy2
+ * Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both + * are migrated in x-forwarded-by header. As 192.168.0.10 is an internal proxy, it does not appear in + * x-forwarded-by. x-forwarded-by is null because all the proxies are trusted or internal. + *

+ *
+ *

+ * Sample with an untrusted proxy + *

+ *

+ * XForwardedFilter configuration: + *

+ * 
+ * <filter>
+ *    <filter-name>XForwardedFilter</filter-name>
+ *    <filter-class>fr.xebia.servlet.filter.XForwardedFilter</filter-class>
+ *    <init-param>
+ *       <param-name>internalProxies</param-name><param-value>192\.168\.0\.10, 192\.168\.0\.11</param-value>
+ *    </init-param>
+ *    <init-param>
+ *       <param-name>remoteIPHeader</param-name><param-value>x-forwarded-for</param-value>
+ *    </init-param>
+ *    <init-param>
+ *       <param-name>remoteIPProxiesHeader</param-name><param-value>x-forwarded-by</param-value>
+ *    </init-param>
+ *    <init-param>
+ *       <param-name>trustedProxies</param-name><param-value>proxy1, proxy2</param-value>
+ *    </init-param>
+ * </filter>
+ * 
+ * <filter-mapping>
+ *    <filter-name>XForwardedFilter</filter-name>
+ *    <url-pattern>/*</url-pattern>
+ *    <dispatcher>REQUEST</dispatcher>
+ * </filter-mapping>
 + *

+ * Request values: + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + *
propertyValue Before XForwardedFilterValue After XForwardedFilter
request.remoteAddr192.168.0.10untrusted-proxy
request.header['x-forwarded-for']140.211.11.130, untrusted-proxy, proxy1140.211.11.130
request.header['x-forwarded-by']nullproxy1
+ * Note : x-forwarded-by holds the trusted proxy proxy1. x-forwarded-by holds + * 140.211.11.130 because untrusted-proxy is not trusted and thus, we can not trust that + * untrusted-proxy is the actual remote ip. request.remoteAddr is untrusted-proxy that is an IP + * verified by proxy1. + *

+ *
+ */ +public class RemoteIpFilter implements Filter { + public static class XForwardedRequest extends HttpServletRequestWrapper { + + final static ThreadLocal threadLocalDateFormats = new ThreadLocal() { + @Override + protected SimpleDateFormat[] initialValue() { + return new SimpleDateFormat[] { + new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss zzz", Locale.US), + new SimpleDateFormat("EEEEEE, dd-MMM-yy HH:mm:ss zzz", Locale.US), + new SimpleDateFormat("EEE MMMM d HH:mm:ss yyyy", Locale.US) + }; + + } + }; + + protected Map> headers; + + protected String remoteAddr; + + protected String remoteHost; + + protected String scheme; + + protected boolean secure; + + protected int serverPort; + + public XForwardedRequest(HttpServletRequest request) { + super(request); + this.remoteAddr = request.getRemoteAddr(); + this.remoteHost = request.getRemoteHost(); + this.scheme = request.getScheme(); + this.secure = request.isSecure(); + this.serverPort = request.getServerPort(); + + headers = new HashMap>(); + for (Enumeration headerNames = request.getHeaderNames(); headerNames.hasMoreElements();) { + String header = headerNames.nextElement(); + headers.put(header, Collections.list(request.getHeaders(header))); + } + } + + @Override + public long getDateHeader(String name) { + String value = getHeader(name); + if (value == null) { + return -1; + } + DateFormat[] dateFormats = threadLocalDateFormats.get(); + Date date = null; + for (int i = 0; ((i < dateFormats.length) && (date == null)); i++) { + DateFormat dateFormat = dateFormats[i]; + try { + date = dateFormat.parse(value); + } catch (Exception ParseException) { + // Ignore + } + } + if (date == null) { + throw new IllegalArgumentException(value); + } else { + return date.getTime(); + } + } + + @Override + public String getHeader(String name) { + Map.Entry> header = getHeaderEntry(name); + if (header == null || header.getValue() == null || header.getValue().isEmpty()) { + return null; + } else { + return header.getValue().get(0); + } + } + + protected Map.Entry> getHeaderEntry(String name) { + for (Map.Entry> entry : headers.entrySet()) { + if (entry.getKey().equalsIgnoreCase(name)) { + return entry; + } + } + return null; + } + + @Override + public Enumeration getHeaderNames() { + return Collections.enumeration(headers.keySet()); + } + + @Override + public Enumeration getHeaders(String name) { + Map.Entry> header = getHeaderEntry(name); + if (header == null || header.getValue() == null) { + return Collections.enumeration(Collections.emptyList()); + } else { + return Collections.enumeration(header.getValue()); + } + } + + @Override + public int getIntHeader(String name) { + String value = getHeader(name); + if (value == null) { + return -1; + } else { + return Integer.parseInt(value); + } + } + + @Override + public String getRemoteAddr() { + return this.remoteAddr; + } + + @Override + public String getRemoteHost() { + return this.remoteHost; + } + + @Override + public String getScheme() { + return scheme; + } + + @Override + public int getServerPort() { + return serverPort; + } + + @Override + public boolean isSecure() { + return secure; + } + + public void removeHeader(String name) { + Map.Entry> header = getHeaderEntry(name); + if (header != null) { + headers.remove(header.getKey()); + } + } + + public void setHeader(String name, String value) { + List values = Arrays.asList(value); + Map.Entry> header = getHeaderEntry(name); + if (header == null) { + headers.put(name, values); + } else { + header.setValue(values); + } + + } + + public void setRemoteAddr(String remoteAddr) { + this.remoteAddr = remoteAddr; + } + + public void setRemoteHost(String remoteHost) { + this.remoteHost = remoteHost; + } + + public void setScheme(String scheme) { + this.scheme = scheme; + } + + public void setSecure(boolean secure) { + this.secure = secure; + } + + public void setServerPort(int serverPort) { + this.serverPort = serverPort; + } + } + + /** + * {@link Pattern} for a comma delimited string that support whitespace characters + */ + private static final Pattern commaSeparatedValuesPattern = Pattern.compile("\\s*,\\s*"); + + protected static final String HTTPS_SERVER_PORT_PARAMETER = "httpsServerPort"; + + protected static final String INTERNAL_PROXIES_PARAMETER = "allowedInternalProxies"; + + /** + * Logger + */ + private static Log log = LogFactory.getLog(RemoteIpFilter.class); + + protected static final String PROTOCOL_HEADER_PARAMETER = "protocolHeader"; + + protected static final String PROTOCOL_HEADER_SSL_VALUE_PARAMETER = "protocolHeaderSslValue"; + + protected static final String PROXIES_HEADER_PARAMETER = "proxiesHeader"; + + protected static final String REMOTE_IP_HEADER_PARAMETER = "remoteIPHeader"; + + protected static final String TRUSTED_PROXIES_PARAMETER = "trustedProxies"; + + /** + * Convert a given comma delimited list of regular expressions into an array of compiled {@link Pattern} + * + * @return array of patterns (not null) + */ + protected static Pattern[] commaDelimitedListToPatternArray(String commaDelimitedPatterns) { + String[] patterns = commaDelimitedListToStringArray(commaDelimitedPatterns); + List patternsList = new ArrayList(); + for (String pattern : patterns) { + try { + patternsList.add(Pattern.compile(pattern)); + } catch (PatternSyntaxException e) { + throw new IllegalArgumentException("Illegal pattern syntax '" + pattern + "'", e); + } + } + return patternsList.toArray(new Pattern[0]); + } + + /** + * Convert a given comma delimited list of regular expressions into an array of String + * + * @return array of patterns (non null) + */ + protected static String[] commaDelimitedListToStringArray(String commaDelimitedStrings) { + return (commaDelimitedStrings == null || commaDelimitedStrings.length() == 0) ? new String[0] : commaSeparatedValuesPattern + .split(commaDelimitedStrings); + } + + /** + * Convert an array of strings in a comma delimited string + */ + protected static String listToCommaDelimitedString(List stringList) { + if (stringList == null) { + return ""; + } + StringBuilder result = new StringBuilder(); + for (Iterator it = stringList.iterator(); it.hasNext();) { + Object element = it.next(); + if (element != null) { + result.append(element); + if (it.hasNext()) { + result.append(", "); + } + } + } + return result.toString(); + } + + /** + * Return true if the given str matches at least one of the given patterns. + */ + protected static boolean matchesOne(String str, Pattern... patterns) { + for (Pattern pattern : patterns) { + if (pattern.matcher(str).matches()) { + return true; + } + } + return false; + } + + /** + * @see #setHttpsServerPort(int) + */ + private int httpsServerPort = 443; + + /** + * @see #setInternalProxies(String) + */ + private Pattern[] internalProxies = new Pattern[] { + Pattern.compile("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"), Pattern.compile("192\\.168\\.\\d{1,3}\\.\\d{1,3}"), + Pattern.compile("169\\.254\\.\\d{1,3}\\.\\d{1,3}"), Pattern.compile("127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}") + }; + + /** + * @see #setProtocolHeader(String) + */ + private String protocolHeader = null; + + private String protocolHeaderSslValue = "https"; + + /** + * @see #setProxiesHeader(String) + */ + private String proxiesHeader = "X-Forwarded-By"; + + /** + * @see #setRemoteIPHeader(String) + */ + private String remoteIPHeader = "X-Forwarded-For"; + + /** + * @see #setTrustedProxies(String) + */ + private Pattern[] trustedProxies = new Pattern[0]; + + public void destroy() { + // NOOP + } + + public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { + + if (matchesOne(request.getRemoteAddr(), internalProxies)) { + String remoteIp = null; + // In java 6, proxiesHeaderValue should be declared as a java.util.Deque + LinkedList proxiesHeaderValue = new LinkedList(); + + String[] remoteIPHeaderValue = commaDelimitedListToStringArray(request.getHeader(remoteIPHeader)); + int idx; + // loop on remoteIPHeaderValue to find the first trusted remote ip and to build the proxies chain + for (idx = remoteIPHeaderValue.length - 1; idx >= 0; idx--) { + String currentRemoteIp = remoteIPHeaderValue[idx]; + remoteIp = currentRemoteIp; + if (matchesOne(currentRemoteIp, internalProxies)) { + // do nothing, internalProxies IPs are not appended to the + } else if (matchesOne(currentRemoteIp, trustedProxies)) { + proxiesHeaderValue.addFirst(currentRemoteIp); + } else { + idx--; // decrement idx because break statement doesn't do it + break; + } + } + // continue to loop on remoteIPHeaderValue to build the new value of the remoteIPHeader + LinkedList newRemoteIpHeaderValue = new LinkedList(); + for (; idx >= 0; idx--) { + String currentRemoteIp = remoteIPHeaderValue[idx]; + newRemoteIpHeaderValue.addFirst(currentRemoteIp); + } + + XForwardedRequest xRequest = new XForwardedRequest(request); + if (remoteIp != null) { + + xRequest.setRemoteAddr(remoteIp); + xRequest.setRemoteHost(remoteIp); + + if (proxiesHeaderValue.size() == 0) { + xRequest.removeHeader(proxiesHeader); + } else { + String commaDelimitedListOfProxies = listToCommaDelimitedString(proxiesHeaderValue); + xRequest.setHeader(proxiesHeader, commaDelimitedListOfProxies); + } + if (newRemoteIpHeaderValue.size() == 0) { + xRequest.removeHeader(remoteIPHeader); + } else { + String commaDelimitedRemoteIpHeaderValue = listToCommaDelimitedString(newRemoteIpHeaderValue); + xRequest.setHeader(remoteIPHeader, commaDelimitedRemoteIpHeaderValue); + } + } + + if (protocolHeader != null) { + String protocolHeaderValue = request.getHeader(protocolHeader); + if (protocolHeaderValue != null && protocolHeaderSslValue.equalsIgnoreCase(protocolHeaderValue)) { + xRequest.setSecure(true); + xRequest.setScheme("https"); + xRequest.setServerPort(httpsServerPort); + } + } + + if (log.isDebugEnabled()) { + log.debug("Incoming request " + request.getRequestURI() + " with originalRemoteAddr '" + request.getRemoteAddr() + + "', originalRemoteHost='" + request.getRemoteHost() + "', originalSecure='" + request.isSecure() + + "', originalScheme='" + request.getScheme() + "', original[" + remoteIPHeader + "]='" + + request.getHeader(remoteIPHeader) + ", original[" + protocolHeader + "]='" + + request.getHeader(protocolHeader) + "' will be seen as newRemoteAddr='" + xRequest.getRemoteAddr() + + "', newRemoteHost='" + xRequest.getRemoteHost() + "', newScheme='" + xRequest.getScheme() + "', newSecure='" + + xRequest.isSecure() + "', new[" + remoteIPHeader + "]='" + xRequest.getHeader(remoteIPHeader) + ", new[" + + proxiesHeader + "]='" + xRequest.getHeader(proxiesHeader) + "'"); + } + chain.doFilter(xRequest, response); + } else { + chain.doFilter(request, response); + } + + } + + /** + * Wrap the incoming request in a {@link XForwardedRequest} if the http header x-forwareded-for is not empty. + */ + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + if (request instanceof HttpServletRequest && response instanceof HttpServletResponse) { + doFilter((HttpServletRequest)request, (HttpServletResponse)response, chain); + } else { + chain.doFilter(request, response); + } + } + + public int getHttpsServerPort() { + return httpsServerPort; + } + + public Pattern[] getInternalProxies() { + return internalProxies; + } + + public String getProtocolHeader() { + return protocolHeader; + } + + public String getProtocolHeaderSslValue() { + return protocolHeaderSslValue; + } + + public String getProxiesHeader() { + return proxiesHeader; + } + + public String getRemoteIPHeader() { + return remoteIPHeader; + } + + public Pattern[] getTrustedProxies() { + return trustedProxies; + } + + public void init(FilterConfig filterConfig) throws ServletException { + if (filterConfig.getInitParameter(INTERNAL_PROXIES_PARAMETER) != null) { + setInternalProxies(filterConfig.getInitParameter(INTERNAL_PROXIES_PARAMETER)); + } + + if (filterConfig.getInitParameter(PROTOCOL_HEADER_PARAMETER) != null) { + setProtocolHeader(filterConfig.getInitParameter(PROTOCOL_HEADER_PARAMETER)); + } + + if (filterConfig.getInitParameter(PROTOCOL_HEADER_SSL_VALUE_PARAMETER) != null) { + setProtocolHeaderSslValue(filterConfig.getInitParameter(PROTOCOL_HEADER_SSL_VALUE_PARAMETER)); + } + + if (filterConfig.getInitParameter(PROXIES_HEADER_PARAMETER) != null) { + setProxiesHeader(filterConfig.getInitParameter(PROXIES_HEADER_PARAMETER)); + } + + if (filterConfig.getInitParameter(REMOTE_IP_HEADER_PARAMETER) != null) { + setRemoteIPHeader(filterConfig.getInitParameter(REMOTE_IP_HEADER_PARAMETER)); + } + + if (filterConfig.getInitParameter(TRUSTED_PROXIES_PARAMETER) != null) { + setTrustedProxies(filterConfig.getInitParameter(TRUSTED_PROXIES_PARAMETER)); + } + + if (filterConfig.getInitParameter(HTTPS_SERVER_PORT_PARAMETER) != null) { + try { + setHttpsServerPort(Integer.parseInt(filterConfig.getInitParameter(HTTPS_SERVER_PORT_PARAMETER))); + } catch (NumberFormatException e) { + throw new NumberFormatException("Illegal serverPort : " + e.getMessage()); + } + } + } + + /** + *

+ * Server Port value if the {@link #protocolHeader} indicates HTTPS + *

+ *

+ * Default value : 443 + *

+ */ + public void setHttpsServerPort(int httpsServerPort) { + this.httpsServerPort = httpsServerPort; + } + + /** + *

+ * Comma delimited list of internal proxies. Can be expressed with regular expressions. + *

+ *

+ * Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3} + *

+ */ + public void setInternalProxies(String internalProxies) { + this.internalProxies = commaDelimitedListToPatternArray(internalProxies); + } + + /** + *

+ * Header that holds the incoming protocol, usally named X-Forwarded-Proto. If null, request.scheme and + * request.secure will not be modified. + *

+ *

+ * Default value : null + *

+ */ + public void setProtocolHeader(String protocolHeader) { + this.protocolHeader = protocolHeader; + } + + /** + *

+ * Case insensitive value of the protocol header to indicate that the incoming http request uses SSL. + *

+ *

+ * Default value : HTTPS + *

+ */ + public void setProtocolHeaderSslValue(String protocolHeaderSslValue) { + this.protocolHeaderSslValue = protocolHeaderSslValue; + } + + /** + *

+ * The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP + * addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header, + * while any intermediate RemoteIPInternalProxy addresses are discarded. + *

+ *

+ * Name of the http header that holds the list of trusted proxies that has been traversed by the http request. + *

+ *

+ * The value of this header can be comma delimited. + *

+ *

+ * Default value : X-Forwarded-By + *

+ */ + public void setProxiesHeader(String proxiesHeader) { + this.proxiesHeader = proxiesHeader; + } + + /** + *

+ * Name of the http header from which the remote ip is extracted. + *

+ *

+ * The value of this header can be comma delimited. + *

+ *

+ * Default value : X-Forwarded-For + *

+ */ + public void setRemoteIPHeader(String remoteIPHeader) { + this.remoteIPHeader = remoteIPHeader; + } + + /** + *

+ * Comma delimited list of proxies that are trusted when they appear in the {@link #remoteIPHeader} header. Can be expressed as a + * regular expression. + *

+ *

+ * Default value : empty list, no external proxy is trusted. + *

+ */ + public void setTrustedProxies(String trustedProxies) { + this.trustedProxies = commaDelimitedListToPatternArray(trustedProxies); + } +} diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml index d4e6248c9..f28ecf31b 100644 --- a/webapps/docs/config/filter.xml +++ b/webapps/docs/config/filter.xml @@ -194,6 +194,92 @@ +
+ + + +

Tomcat port of + mod_remoteip, + this filter replaces the apparent client remote IP address and hostname for + the request with the IP address list presented by a proxy or a load balancer + via a request headers (e.g. "X-Forwarded-For").

+ +

Another feature of this filter is to replace the apparent scheme + (http/https) and server port with the scheme presented by a proxy or a load + balancer via a request header (e.g. "X-Forwarded-Proto").

+ +

If used in conjunction with Remote Address/Host filters then this filter + should be defined first to ensure that the correct client IP address is + presented to the Remote Address/Host filters.

+ + + + + +

The filter class name for the Remote IP Filter is + org.apache.catalina.filters.RemoteIpFilter + .

+ + + + + +

The Remote IP Filter supports the + following initialisation parameters:

+ + + + +

Name of the HTTP Header read by this valve that holds the list of + traversed IP addresses starting from the requesting client. If not + specified, the default of x-forwarded-for is used.

+ + + +

List of internal proxies' IP addresses as comma separated regular + expressions. If they appear in the remoteIpHeader + value, they will be trusted and will not appear in the + proxiesHeader value. If not specified the default value + of 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, + 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3} will + be used.

+ + + +

Name of the HTTP header created by this valve to hold the list of + proxies that have been processed in the incoming + remoteIpHeader. If not specified, the default of + x-forwarded-by is used.

+ + + +

List of trusted proxies' IP addresses as comma separated regular + expressions. If they appear in the remoteIpHeader + value, they will be trusted and will appear in the + proxiesHeader value. If not specified, no proxies will + be trusted.

+ + + +

Name of the HTTP Header read by this valve that holds the protocol + used by the client to connect to the proxy. If not specified, the + default of null is used.

+ + + +

Value of the protocolHeader to indicate that it is + an HTTPS request. If not specified, the default of https is + used.

+ + + + + + + +
+ +
-- 2.11.0