/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.catalina.valves;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.regex.Pattern;
import jakarta.servlet.ServletException;
import org.apache.catalina.AccessLog;
import org.apache.catalina.Globals;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.http.MimeHeaders;
import org.apache.tomcat.util.http.parser.Host;
Tomcat port of mod_remoteip, this valve replaces the apparent
client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request
headers (e.g. "X-Forwarded-For").
Another feature of this valve is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a
load balancer via a request header (e.g. "X-Forwarded-Proto").
This valve proceeds as follows:
If the incoming request.getRemoteAddr()
matches the valve's list
of internal or trusted proxies:
- Loop on the comma delimited list of IPs and hostnames passed by the preceding load balancer or proxy in the given request's Http
header named
$remoteIpHeader
(default value x-forwarded-for
). Values are processed in right-to-left order.
- For each ip/host of the list:
- if it matches the internal proxies list, the ip/host is swallowed
- if it matches the trusted proxies list, the ip/host is added to the created proxies header
- otherwise, the ip/host is declared to be the remote ip and looping is stopped.
- If the request http header named
$protocolHeader
(e.g. x-forwarded-proto
) consists only of forwards that match
protocolHeaderHttpsValue
configuration parameter (default https
) then request.isSecure = true
,
request.scheme = https
and request.serverPort = 443
. Note that 443 can be overwritten with the
$httpsServerPort
configuration parameter.
- Mark the request with the attribute
Globals.REQUEST_FORWARDED_ATTRIBUTE
and value Boolean.TRUE
to indicate that this request has been forwarded by one or more proxies.
Configuration parameters
RemoteIpValve property
Description
Equivalent mod_remoteip directive
Format
Default Value
remoteIpHeader
Name of the Http Header read by this valve that holds the list of traversed IP addresses starting from the requesting client
RemoteIPHeader
Compliant http header name
x-forwarded-for
internalProxies
Regular expression that matches the IP addresses of internal proxies.
If they appear in the remoteIpHeader
value, they will be
trusted and will not appear
in the proxiesHeader
value
RemoteIPInternalProxy
Regular expression (in the syntax supported by java.util.regex
)
10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|
0:0:0:0:0:0:0:1|::1
By default, 10/8, 192.168/16, 169.254/16, 127/8, 172.16/12, and ::1 are allowed.
proxiesHeader
Name of the http header created by this valve to hold the list of proxies that have been processed in the incoming
remoteIpHeader
proxiesHeader
Compliant http header name
x-forwarded-by
trustedProxies
Regular expression that matches the IP addresses of trusted proxies.
If they appear in the remoteIpHeader
value, they will be
trusted and will appear in the proxiesHeader
value
RemoteIPTrustedProxy
Regular expression (in the syntax supported by java.util.regex
)
protocolHeader
Name of the http header read by this valve that holds the flag that this request
N/A
Compliant http header name like X-Forwarded-Proto
, X-Forwarded-Ssl
or Front-End-Https
null
protocolHeaderHttpsValue
Value of the protocolHeader
to indicate that it is an Https request
N/A
String like https
or ON
https
httpServerPort
Value returned by ServletRequest.getServerPort()
when the protocolHeader
indicates http
protocol
N/A
integer
80
httpsServerPort
Value returned by ServletRequest.getServerPort()
when the protocolHeader
indicates https
protocol
N/A
integer
443
This Valve may be attached to any Container, depending on the granularity of the filtering you wish to perform.
Regular expression vs. IP address blocks: mod_remoteip
allows to use address blocks (e.g.
192.168/16
) to configure RemoteIPInternalProxy
and RemoteIPTrustedProxy
; as Tomcat doesn't have a
library similar to apr_ipsubnet_test,
RemoteIpValve
uses regular expression to configure internalProxies
and trustedProxies
in the same fashion as RequestFilterValve
does.
Sample with internal proxies
RemoteIpValve configuration:
<Valve
className="org.apache.catalina.valves.RemoteIpValve"
internalProxies="192\.168\.0\.10|192\.168\.0\.11"
remoteIpHeader="x-forwarded-for"
proxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"
/>
Request Values
property
Value Before RemoteIpValve
Value After RemoteIpValve
request.remoteAddr
192.168.0.10
140.211.11.130
request.header['x-forwarded-for']
140.211.11.130, 192.168.0.10
null
request.header['x-forwarded-by']
null
null
request.header['x-forwarded-proto']
https
https
request.scheme
http
https
request.secure
false
true
request.serverPort
80
443
Note : x-forwarded-by
header is null because only internal proxies as been traversed by the request.
x-forwarded-by
is null because all the proxies are trusted or internal.
Sample with trusted proxies
RemoteIpValve configuration:
<Valve
className="org.apache.catalina.valves.RemoteIpValve"
internalProxies="192\.168\.0\.10|192\.168\.0\.11"
remoteIpHeader="x-forwarded-for"
proxiesHeader="x-forwarded-by"
trustedProxies="proxy1|proxy2"
/>
Request Values
property
Value Before RemoteIpValve
Value After RemoteIpValve
request.remoteAddr
192.168.0.10
140.211.11.130
request.header['x-forwarded-for']
140.211.11.130, proxy1, proxy2
null
request.header['x-forwarded-by']
null
proxy1, proxy2
Note : proxy1
and proxy2
are both trusted proxies that come in x-forwarded-for
header, they both
are migrated in x-forwarded-by
header. x-forwarded-by
is null because all the proxies are trusted or internal.
Sample with internal and trusted proxies
RemoteIpValve configuration:
<Valve
className="org.apache.catalina.valves.RemoteIpValve"
internalProxies="192\.168\.0\.10|192\.168\.0\.11"
remoteIpHeader="x-forwarded-for"
proxiesHeader="x-forwarded-by"
trustedProxies="proxy1|proxy2"
/>
Request Values
property
Value Before RemoteIpValve
Value After RemoteIpValve
request.remoteAddr
192.168.0.10
140.211.11.130
request.header['x-forwarded-for']
140.211.11.130, proxy1, proxy2, 192.168.0.10
null
request.header['x-forwarded-by']
null
proxy1, proxy2
Note : proxy1
and proxy2
are both trusted proxies that come in x-forwarded-for
header, they both
are migrated in x-forwarded-by
header. As 192.168.0.10
is an internal proxy, it does not appear in
x-forwarded-by
. x-forwarded-by
is null because all the proxies are trusted or internal.
Sample with an untrusted proxy
RemoteIpValve configuration:
<Valve
className="org.apache.catalina.valves.RemoteIpValve"
internalProxies="192\.168\.0\.10|192\.168\.0\.11"
remoteIpHeader="x-forwarded-for"
proxiesHeader="x-forwarded-by"
trustedProxies="proxy1|proxy2"
/>
Request Values
property
Value Before RemoteIpValve
Value After RemoteIpValve
request.remoteAddr
192.168.0.10
untrusted-proxy
request.header['x-forwarded-for']
140.211.11.130, untrusted-proxy, proxy1
140.211.11.130
request.header['x-forwarded-by']
null
proxy1
Note : x-forwarded-by
holds the trusted proxy proxy1
. x-forwarded-by
holds
140.211.11.130
because untrusted-proxy
is not trusted and thus, we cannot trust that
untrusted-proxy
is the actual remote ip. request.remoteAddr
is untrusted-proxy
that is an IP
verified by proxy1
.
/**
* <p>
* Tomcat port of <a href="https://httpd.apache.org/docs/trunk/mod/mod_remoteip.html">mod_remoteip</a>, this valve replaces the apparent
* client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request
* headers (e.g. "X-Forwarded-For").
* </p>
* <p>
* Another feature of this valve is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a
* load balancer via a request header (e.g. "X-Forwarded-Proto").
* </p>
* <p>
* This valve proceeds as follows:
* </p>
* <p>
* If the incoming <code>request.getRemoteAddr()</code> matches the valve's list
* of internal or trusted proxies:
* </p>
* <ul>
* <li>Loop on the comma delimited list of IPs and hostnames passed by the preceding load balancer or proxy in the given request's Http
* header named <code>$remoteIpHeader</code> (default value <code>x-forwarded-for</code>). Values are processed in right-to-left order.</li>
* <li>For each ip/host of the list:
* <ul>
* <li>if it matches the internal proxies list, the ip/host is swallowed</li>
* <li>if it matches the trusted proxies list, the ip/host is added to the created proxies header</li>
* <li>otherwise, the ip/host is declared to be the remote ip and looping is stopped.</li>
* </ul>
* </li>
* <li>If the request http header named <code>$protocolHeader</code> (e.g. <code>x-forwarded-proto</code>) consists only of forwards that match
* <code>protocolHeaderHttpsValue</code> configuration parameter (default <code>https</code>) then <code>request.isSecure = true</code>,
* <code>request.scheme = https</code> and <code>request.serverPort = 443</code>. Note that 443 can be overwritten with the
* <code>$httpsServerPort</code> configuration parameter.</li>
* <li>Mark the request with the attribute {@link Globals#REQUEST_FORWARDED_ATTRIBUTE} and value {@code Boolean.TRUE} to indicate
* that this request has been forwarded by one or more proxies.</li>
* </ul>
* <table border="1">
* <caption>Configuration parameters</caption>
* <tr>
* <th>RemoteIpValve property</th>
* <th>Description</th>
* <th>Equivalent mod_remoteip directive</th>
* <th>Format</th>
* <th>Default Value</th>
* </tr>
* <tr>
* <td>remoteIpHeader</td>
* <td>Name of the Http Header read by this valve that holds the list of traversed IP addresses starting from the requesting client</td>
* <td>RemoteIPHeader</td>
* <td>Compliant http header name</td>
* <td>x-forwarded-for</td>
* </tr>
* <tr>
* <td>internalProxies</td>
* <td>Regular expression that matches the IP addresses of internal proxies.
* If they appear in the <code>remoteIpHeader</code> value, they will be
* trusted and will not appear
* in the <code>proxiesHeader</code> value</td>
* <td>RemoteIPInternalProxy</td>
* <td>Regular expression (in the syntax supported by
* {@link java.util.regex.Pattern java.util.regex})</td>
* <td>10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
* 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
* 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
* 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|
* 0:0:0:0:0:0:0:1|::1
* <br>
* By default, 10/8, 192.168/16, 169.254/16, 127/8, 172.16/12, and ::1 are allowed.</td>
* </tr>
* <tr>
* <td>proxiesHeader</td>
* <td>Name of the http header created by this valve to hold the list of proxies that have been processed in the incoming
* <code>remoteIpHeader</code></td>
* <td>proxiesHeader</td>
* <td>Compliant http header name</td>
* <td>x-forwarded-by</td>
* </tr>
* <tr>
* <td>trustedProxies</td>
* <td>Regular expression that matches the IP addresses of trusted proxies.
* If they appear in the <code>remoteIpHeader</code> value, they will be
* trusted and will appear in the <code>proxiesHeader</code> value</td>
* <td>RemoteIPTrustedProxy</td>
* <td>Regular expression (in the syntax supported by
* {@link java.util.regex.Pattern java.util.regex})</td>
* <td> </td>
* </tr>
* <tr>
* <td>protocolHeader</td>
* <td>Name of the http header read by this valve that holds the flag that this request </td>
* <td>N/A</td>
* <td>Compliant http header name like <code>X-Forwarded-Proto</code>, <code>X-Forwarded-Ssl</code> or <code>Front-End-Https</code></td>
* <td><code>null</code></td>
* </tr>
* <tr>
* <td>protocolHeaderHttpsValue</td>
* <td>Value of the <code>protocolHeader</code> to indicate that it is an Https request</td>
* <td>N/A</td>
* <td>String like <code>https</code> or <code>ON</code></td>
* <td><code>https</code></td>
* </tr>
* <tr>
* <td>httpServerPort</td>
* <td>Value returned by {@link jakarta.servlet.ServletRequest#getServerPort()} when the <code>protocolHeader</code> indicates <code>http</code> protocol</td>
* <td>N/A</td>
* <td>integer</td>
* <td>80</td>
* </tr>
* <tr>
* <td>httpsServerPort</td>
* <td>Value returned by {@link jakarta.servlet.ServletRequest#getServerPort()} when the <code>protocolHeader</code> indicates <code>https</code> protocol</td>
* <td>N/A</td>
* <td>integer</td>
* <td>443</td>
* </tr>
* </table>
* <p>
* This Valve may be attached to any Container, depending on the granularity of the filtering you wish to perform.
* </p>
* <p>
* <strong>Regular expression vs. IP address blocks:</strong> <code>mod_remoteip</code> allows to use address blocks (e.g.
* <code>192.168/16</code>) to configure <code>RemoteIPInternalProxy</code> and <code>RemoteIPTrustedProxy</code> ; as Tomcat doesn't have a
* library similar to <a
* href="https://apr.apache.org/docs/apr/1.3/group__apr__network__io.html#gb74d21b8898b7c40bf7fd07ad3eb993d">apr_ipsubnet_test</a>,
* <code>RemoteIpValve</code> uses regular expression to configure <code>internalProxies</code> and <code>trustedProxies</code> in the same
* fashion as {@link RequestFilterValve} does.
* </p>
* <hr>
* <p>
* <strong>Sample with internal proxies</strong>
* </p>
* <p>
* RemoteIpValve configuration:
* </p>
* <code>
* <Valve
* className="org.apache.catalina.valves.RemoteIpValve"
* internalProxies="192\.168\.0\.10|192\.168\.0\.11"
* remoteIpHeader="x-forwarded-for"
* proxiesHeader="x-forwarded-by"
* protocolHeader="x-forwarded-proto"
* /></code>
* <table border="1">
* <caption>Request Values</caption>
* <tr>
* <th>property</th>
* <th>Value Before RemoteIpValve</th>
* <th>Value After RemoteIpValve</th>
* </tr>
* <tr>
* <td>request.remoteAddr</td>
* <td>192.168.0.10</td>
* <td>140.211.11.130</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-for']</td>
* <td>140.211.11.130, 192.168.0.10</td>
* <td>null</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-by']</td>
* <td>null</td>
* <td>null</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-proto']</td>
* <td>https</td>
* <td>https</td>
* </tr>
* <tr>
* <td>request.scheme</td>
* <td>http</td>
* <td>https</td>
* </tr>
* <tr>
* <td>request.secure</td>
* <td>false</td>
* <td>true</td>
* </tr>
* <tr>
* <td>request.serverPort</td>
* <td>80</td>
* <td>443</td>
* </tr>
* </table>
* <p>
* Note : <code>x-forwarded-by</code> header is null because only internal proxies as been traversed by the request.
* <code>x-forwarded-by</code> is null because all the proxies are trusted or internal.
* </p>
* <hr>
* <p>
* <strong>Sample with trusted proxies</strong>
* </p>
* <p>
* RemoteIpValve configuration:
* </p>
* <code>
* <Valve
* className="org.apache.catalina.valves.RemoteIpValve"
* internalProxies="192\.168\.0\.10|192\.168\.0\.11"
* remoteIpHeader="x-forwarded-for"
* proxiesHeader="x-forwarded-by"
* trustedProxies="proxy1|proxy2"
* /></code>
* <table border="1">
* <caption>Request Values</caption>
* <tr>
* <th>property</th>
* <th>Value Before RemoteIpValve</th>
* <th>Value After RemoteIpValve</th>
* </tr>
* <tr>
* <td>request.remoteAddr</td>
* <td>192.168.0.10</td>
* <td>140.211.11.130</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-for']</td>
* <td>140.211.11.130, proxy1, proxy2</td>
* <td>null</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-by']</td>
* <td>null</td>
* <td>proxy1, proxy2</td>
* </tr>
* </table>
* <p>
* Note : <code>proxy1</code> and <code>proxy2</code> are both trusted proxies that come in <code>x-forwarded-for</code> header, they both
* are migrated in <code>x-forwarded-by</code> header. <code>x-forwarded-by</code> is null because all the proxies are trusted or internal.
* </p>
* <hr>
* <p>
* <strong>Sample with internal and trusted proxies</strong>
* </p>
* <p>
* RemoteIpValve configuration:
* </p>
* <code>
* <Valve
* className="org.apache.catalina.valves.RemoteIpValve"
* internalProxies="192\.168\.0\.10|192\.168\.0\.11"
* remoteIpHeader="x-forwarded-for"
* proxiesHeader="x-forwarded-by"
* trustedProxies="proxy1|proxy2"
* /></code>
* <table border="1">
* <caption>Request Values</caption>
* <tr>
* <th>property</th>
* <th>Value Before RemoteIpValve</th>
* <th>Value After RemoteIpValve</th>
* </tr>
* <tr>
* <td>request.remoteAddr</td>
* <td>192.168.0.10</td>
* <td>140.211.11.130</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-for']</td>
* <td>140.211.11.130, proxy1, proxy2, 192.168.0.10</td>
* <td>null</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-by']</td>
* <td>null</td>
* <td>proxy1, proxy2</td>
* </tr>
* </table>
* <p>
* Note : <code>proxy1</code> and <code>proxy2</code> are both trusted proxies that come in <code>x-forwarded-for</code> header, they both
* are migrated in <code>x-forwarded-by</code> header. As <code>192.168.0.10</code> is an internal proxy, it does not appear in
* <code>x-forwarded-by</code>. <code>x-forwarded-by</code> is null because all the proxies are trusted or internal.
* </p>
* <hr>
* <p>
* <strong>Sample with an untrusted proxy</strong>
* </p>
* <p>
* RemoteIpValve configuration:
* </p>
* <code>
* <Valve
* className="org.apache.catalina.valves.RemoteIpValve"
* internalProxies="192\.168\.0\.10|192\.168\.0\.11"
* remoteIpHeader="x-forwarded-for"
* proxiesHeader="x-forwarded-by"
* trustedProxies="proxy1|proxy2"
* /></code>
* <table border="1">
* <caption>Request Values</caption>
* <tr>
* <th>property</th>
* <th>Value Before RemoteIpValve</th>
* <th>Value After RemoteIpValve</th>
* </tr>
* <tr>
* <td>request.remoteAddr</td>
* <td>192.168.0.10</td>
* <td>untrusted-proxy</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-for']</td>
* <td>140.211.11.130, untrusted-proxy, proxy1</td>
* <td>140.211.11.130</td>
* </tr>
* <tr>
* <td>request.header['x-forwarded-by']</td>
* <td>null</td>
* <td>proxy1</td>
* </tr>
* </table>
* <p>
* Note : <code>x-forwarded-by</code> holds the trusted proxy <code>proxy1</code>. <code>x-forwarded-by</code> holds
* <code>140.211.11.130</code> because <code>untrusted-proxy</code> is not trusted and thus, we cannot trust that
* <code>untrusted-proxy</code> is the actual remote ip. <code>request.remoteAddr</code> is <code>untrusted-proxy</code> that is an IP
* verified by <code>proxy1</code>.
* </p>
*/
public class RemoteIpValve extends ValveBase {
Pattern
for a comma delimited string that support whitespace characters /**
* {@link Pattern} for a comma delimited string that support whitespace characters
*/
private static final Pattern commaSeparatedValuesPattern = Pattern.compile("\\s*,\\s*");
Logger
/**
* Logger
*/
private static final Log log = LogFactory.getLog(RemoteIpValve.class);
Convert a given comma delimited String into an array of String
Params: - commaDelimitedStrings – The string to convert
Returns: array of String (non null
)
/**
* Convert a given comma delimited String into an array of String
* @param commaDelimitedStrings The string to convert
* @return array of String (non <code>null</code>)
*/
protected static String[] commaDelimitedListToStringArray(String commaDelimitedStrings) {
return (commaDelimitedStrings == null || commaDelimitedStrings.length() == 0) ? new String[0] : commaSeparatedValuesPattern
.split(commaDelimitedStrings);
}
Convert an array of strings in a comma delimited string
Params: - stringList – The string list to convert
Returns: The concatenated string
/**
* Convert an array of strings in a comma delimited string
* @param stringList The string list to convert
* @return The concatenated string
*/
protected static String listToCommaDelimitedString(List<String> stringList) {
if (stringList == null) {
return "";
}
StringBuilder result = new StringBuilder();
for (Iterator<String> it = stringList.iterator(); it.hasNext();) {
Object element = it.next();
if (element != null) {
result.append(element);
if (it.hasNext()) {
result.append(", ");
}
}
}
return result.toString();
}
private String hostHeader = null;
private boolean changeLocalName = false;
See Also: - setHttpServerPort(int)
/**
* @see #setHttpServerPort(int)
*/
private int httpServerPort = 80;
See Also: - setHttpsServerPort(int)
/**
* @see #setHttpsServerPort(int)
*/
private int httpsServerPort = 443;
private String portHeader = null;
private boolean changeLocalPort = false;
See Also: - setInternalProxies(String)
/**
* @see #setInternalProxies(String)
*/
private Pattern internalProxies = Pattern.compile(
"10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" +
"192\\.168\\.\\d{1,3}\\.\\d{1,3}|" +
"169\\.254\\.\\d{1,3}\\.\\d{1,3}|" +
"127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" +
"172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
"172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
"172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
"0:0:0:0:0:0:0:1|::1");
See Also: - setProtocolHeader(String)
/**
* @see #setProtocolHeader(String)
*/
private String protocolHeader = "X-Forwarded-Proto";
See Also: - setProtocolHeaderHttpsValue(String)
/**
* @see #setProtocolHeaderHttpsValue(String)
*/
private String protocolHeaderHttpsValue = "https";
See Also: - setProxiesHeader(String)
/**
* @see #setProxiesHeader(String)
*/
private String proxiesHeader = "X-Forwarded-By";
See Also: - setRemoteIpHeader(String)
/**
* @see #setRemoteIpHeader(String)
*/
private String remoteIpHeader = "X-Forwarded-For";
See Also: - setRequestAttributesEnabled(boolean)
/**
* @see #setRequestAttributesEnabled(boolean)
*/
private boolean requestAttributesEnabled = true;
See Also: - setTrustedProxies.setTrustedProxies(String)
/**
* @see RemoteIpValve#setTrustedProxies(String)
*/
private Pattern trustedProxies = null;
Default constructor that ensures ValveBase(boolean)
is called with true
.
/**
* Default constructor that ensures {@link ValveBase#ValveBase(boolean)} is
* called with <code>true</code>.
*/
public RemoteIpValve() {
// Async requests are supported with this valve
super(true);
}
Obtain the name of the HTTP header used to override the value returned by Request.getServerName()
and (optionally depending on {link isChangeLocalName()
Request.getLocalName()
. Returns: The HTTP header name
/**
* Obtain the name of the HTTP header used to override the value returned
* by {@link Request#getServerName()} and (optionally depending on {link
* {@link #isChangeLocalName()} {@link Request#getLocalName()}.
*
* @return The HTTP header name
*/
public String getHostHeader() {
return hostHeader;
}
Set the name of the HTTP header used to override the value returned by Request.getServerName()
and (optionally depending on {link isChangeLocalName()
Request.getLocalName()
. Params: - hostHeader – The HTTP header name
/**
* Set the name of the HTTP header used to override the value returned
* by {@link Request#getServerName()} and (optionally depending on {link
* {@link #isChangeLocalName()} {@link Request#getLocalName()}.
*
* @param hostHeader The HTTP header name
*/
public void setHostHeader(String hostHeader) {
this.hostHeader = hostHeader;
}
public boolean isChangeLocalName() {
return changeLocalName;
}
public void setChangeLocalName(boolean changeLocalName) {
this.changeLocalName = changeLocalName;
}
public int getHttpServerPort() {
return httpServerPort;
}
public int getHttpsServerPort() {
return httpsServerPort;
}
Obtain the name of the HTTP header used to override the value returned by Request.getServerPort()
and (optionally depending on {link isChangeLocalPort()
Request.getLocalPort()
. Returns: The HTTP header name
/**
* Obtain the name of the HTTP header used to override the value returned
* by {@link Request#getServerPort()} and (optionally depending on {link
* {@link #isChangeLocalPort()} {@link Request#getLocalPort()}.
*
* @return The HTTP header name
*/
public String getPortHeader() {
return portHeader;
}
Set the name of the HTTP header used to override the value returned by Request.getServerPort()
and (optionally depending on {link isChangeLocalPort()
Request.getLocalPort()
. Params: - portHeader – The HTTP header name
/**
* Set the name of the HTTP header used to override the value returned
* by {@link Request#getServerPort()} and (optionally depending on {link
* {@link #isChangeLocalPort()} {@link Request#getLocalPort()}.
*
* @param portHeader The HTTP header name
*/
public void setPortHeader(String portHeader) {
this.portHeader = portHeader;
}
public boolean isChangeLocalPort() {
return changeLocalPort;
}
public void setChangeLocalPort(boolean changeLocalPort) {
this.changeLocalPort = changeLocalPort;
}
See Also: - setInternalProxies(String)
Returns: Regular expression that defines the internal proxies
/**
* @see #setInternalProxies(String)
* @return Regular expression that defines the internal proxies
*/
public String getInternalProxies() {
if (internalProxies == null) {
return null;
}
return internalProxies.toString();
}
See Also: - setProtocolHeader(String)
Returns: the protocol header (e.g. "X-Forwarded-Proto")
/**
* @see #setProtocolHeader(String)
* @return the protocol header (e.g. "X-Forwarded-Proto")
*/
public String getProtocolHeader() {
return protocolHeader;
}
See Also: - setProtocolHeaderHttpsValue.setProtocolHeaderHttpsValue(String)
Returns: the value of the protocol header for incoming https request (e.g. "https")
/**
* @see RemoteIpValve#setProtocolHeaderHttpsValue(String)
* @return the value of the protocol header for incoming https request (e.g. "https")
*/
public String getProtocolHeaderHttpsValue() {
return protocolHeaderHttpsValue;
}
See Also: - setProxiesHeader(String)
Returns: the proxies header name (e.g. "X-Forwarded-By")
/**
* @see #setProxiesHeader(String)
* @return the proxies header name (e.g. "X-Forwarded-By")
*/
public String getProxiesHeader() {
return proxiesHeader;
}
See Also: - setRemoteIpHeader(String)
Returns: the remote IP header name (e.g. "X-Forwarded-For")
/**
* @see #setRemoteIpHeader(String)
* @return the remote IP header name (e.g. "X-Forwarded-For")
*/
public String getRemoteIpHeader() {
return remoteIpHeader;
}
See Also: - setRequestAttributesEnabled(boolean)
Returns: true
if the attributes will be logged, otherwise
false
/**
* @see #setRequestAttributesEnabled(boolean)
* @return <code>true</code> if the attributes will be logged, otherwise
* <code>false</code>
*/
public boolean getRequestAttributesEnabled() {
return requestAttributesEnabled;
}
See Also: - setTrustedProxies(String)
Returns: Regular expression that defines the trusted proxies
/**
* @see #setTrustedProxies(String)
* @return Regular expression that defines the trusted proxies
*/
public String getTrustedProxies() {
if (trustedProxies == null) {
return null;
}
return trustedProxies.toString();
}
{@inheritDoc}
/**
* {@inheritDoc}
*/
@Override
public void invoke(Request request, Response response) throws IOException, ServletException {
final String originalRemoteAddr = request.getRemoteAddr();
final String originalRemoteHost = request.getRemoteHost();
final String originalScheme = request.getScheme();
final boolean originalSecure = request.isSecure();
final String originalServerName = request.getServerName();
final String originalLocalName = request.getLocalName();
final int originalServerPort = request.getServerPort();
final int originalLocalPort = request.getLocalPort();
final String originalProxiesHeader = request.getHeader(proxiesHeader);
final String originalRemoteIpHeader = request.getHeader(remoteIpHeader);
boolean isInternal = internalProxies != null &&
internalProxies.matcher(originalRemoteAddr).matches();
if (isInternal || (trustedProxies != null &&
trustedProxies.matcher(originalRemoteAddr).matches())) {
String remoteIp = null;
// In java 6, proxiesHeaderValue should be declared as a java.util.Deque
LinkedList<String> proxiesHeaderValue = new LinkedList<>();
StringBuilder concatRemoteIpHeaderValue = new StringBuilder();
for (Enumeration<String> e = request.getHeaders(remoteIpHeader); e.hasMoreElements();) {
if (concatRemoteIpHeaderValue.length() > 0) {
concatRemoteIpHeaderValue.append(", ");
}
concatRemoteIpHeaderValue.append(e.nextElement());
}
String[] remoteIpHeaderValue = commaDelimitedListToStringArray(concatRemoteIpHeaderValue.toString());
int idx;
if (!isInternal) {
proxiesHeaderValue.addFirst(originalRemoteAddr);
}
// loop on remoteIpHeaderValue to find the first trusted remote ip and to build the proxies chain
for (idx = remoteIpHeaderValue.length - 1; idx >= 0; idx--) {
String currentRemoteIp = remoteIpHeaderValue[idx];
remoteIp = currentRemoteIp;
if (internalProxies !=null && internalProxies.matcher(currentRemoteIp).matches()) {
// do nothing, internalProxies IPs are not appended to the
} else if (trustedProxies != null &&
trustedProxies.matcher(currentRemoteIp).matches()) {
proxiesHeaderValue.addFirst(currentRemoteIp);
} else {
idx--; // decrement idx because break statement doesn't do it
break;
}
}
// continue to loop on remoteIpHeaderValue to build the new value of the remoteIpHeader
LinkedList<String> newRemoteIpHeaderValue = new LinkedList<>();
for (; idx >= 0; idx--) {
String currentRemoteIp = remoteIpHeaderValue[idx];
newRemoteIpHeaderValue.addFirst(currentRemoteIp);
}
if (remoteIp != null) {
request.setRemoteAddr(remoteIp);
if (request.getConnector().getEnableLookups()) {
// This isn't a lazy lookup but that would be a little more
// invasive - mainly in Request.getRemoteHost() - and if
// enableLookups is true it seems reasonable that the
// hotsname will be required so look it up here.
try {
InetAddress inetAddress = InetAddress.getByName(remoteIp);
// We know we need a DNS look up so use getCanonicalHostName()
request.setRemoteHost(inetAddress.getCanonicalHostName());
} catch (UnknownHostException e) {
log.debug(sm.getString("remoteIpValve.invalidRemoteAddress", remoteIp), e);
request.setRemoteHost(remoteIp);
}
} else {
request.setRemoteHost(remoteIp);
}
if (proxiesHeaderValue.size() == 0) {
request.getCoyoteRequest().getMimeHeaders().removeHeader(proxiesHeader);
} else {
String commaDelimitedListOfProxies = listToCommaDelimitedString(proxiesHeaderValue);
request.getCoyoteRequest().getMimeHeaders().setValue(proxiesHeader).setString(commaDelimitedListOfProxies);
}
if (newRemoteIpHeaderValue.size() == 0) {
request.getCoyoteRequest().getMimeHeaders().removeHeader(remoteIpHeader);
} else {
String commaDelimitedRemoteIpHeaderValue = listToCommaDelimitedString(newRemoteIpHeaderValue);
request.getCoyoteRequest().getMimeHeaders().setValue(remoteIpHeader).setString(commaDelimitedRemoteIpHeaderValue);
}
}
if (protocolHeader != null) {
String protocolHeaderValue = request.getHeader(protocolHeader);
if (protocolHeaderValue == null) {
// Don't modify the secure, scheme and serverPort attributes
// of the request
} else if (isForwardedProtoHeaderValueSecure(protocolHeaderValue)) {
request.setSecure(true);
request.getCoyoteRequest().scheme().setString("https");
setPorts(request, httpsServerPort);
} else {
request.setSecure(false);
request.getCoyoteRequest().scheme().setString("http");
setPorts(request, httpServerPort);
}
}
if (hostHeader != null) {
String hostHeaderValue = request.getHeader(hostHeader);
if (hostHeaderValue != null) {
try {
int portIndex = Host.parse(hostHeaderValue);
if (portIndex > -1) {
log.debug(sm.getString("remoteIpValve.invalidHostWithPort", hostHeaderValue, hostHeader));
hostHeaderValue = hostHeaderValue.substring(0, portIndex);
}
request.getCoyoteRequest().serverName().setString(hostHeaderValue);
if (isChangeLocalName()) {
request.getCoyoteRequest().localName().setString(hostHeaderValue);
}
} catch (IllegalArgumentException iae) {
log.debug(sm.getString("remoteIpValve.invalidHostHeader", hostHeaderValue, hostHeader));
}
}
}
request.setAttribute(Globals.REQUEST_FORWARDED_ATTRIBUTE, Boolean.TRUE);
if (log.isDebugEnabled()) {
log.debug("Incoming request " + request.getRequestURI() + " with originalRemoteAddr [" + originalRemoteAddr +
"], originalRemoteHost=[" + originalRemoteHost + "], originalSecure=[" + originalSecure +
"], originalScheme=[" + originalScheme + "], originalServerName=[" + originalServerName +
"], originalServerPort=[" + originalServerPort +
"] will be seen as newRemoteAddr=[" + request.getRemoteAddr() +
"], newRemoteHost=[" + request.getRemoteHost() + "], newSecure=[" + request.isSecure() +
"], newScheme=[" + request.getScheme() + "], newServerName=[" + request.getServerName() +
"], newServerPort=[" + request.getServerPort() + "]");
}
} else {
if (log.isDebugEnabled()) {
log.debug("Skip RemoteIpValve for request " + request.getRequestURI() + " with originalRemoteAddr '"
+ request.getRemoteAddr() + "'");
}
}
if (requestAttributesEnabled) {
request.setAttribute(AccessLog.REMOTE_ADDR_ATTRIBUTE,
request.getRemoteAddr());
request.setAttribute(Globals.REMOTE_ADDR_ATTRIBUTE,
request.getRemoteAddr());
request.setAttribute(AccessLog.REMOTE_HOST_ATTRIBUTE,
request.getRemoteHost());
request.setAttribute(AccessLog.PROTOCOL_ATTRIBUTE,
request.getProtocol());
request.setAttribute(AccessLog.SERVER_NAME_ATTRIBUTE,
request.getServerName());
request.setAttribute(AccessLog.SERVER_PORT_ATTRIBUTE,
Integer.valueOf(request.getServerPort()));
}
try {
getNext().invoke(request, response);
} finally {
request.setRemoteAddr(originalRemoteAddr);
request.setRemoteHost(originalRemoteHost);
request.setSecure(originalSecure);
request.getCoyoteRequest().scheme().setString(originalScheme);
request.getCoyoteRequest().serverName().setString(originalServerName);
request.getCoyoteRequest().localName().setString(originalLocalName);
request.setServerPort(originalServerPort);
request.setLocalPort(originalLocalPort);
MimeHeaders headers = request.getCoyoteRequest().getMimeHeaders();
if (originalProxiesHeader == null || originalProxiesHeader.length() == 0) {
headers.removeHeader(proxiesHeader);
} else {
headers.setValue(proxiesHeader).setString(originalProxiesHeader);
}
if (originalRemoteIpHeader == null || originalRemoteIpHeader.length() == 0) {
headers.removeHeader(remoteIpHeader);
} else {
headers.setValue(remoteIpHeader).setString(originalRemoteIpHeader);
}
}
}
/*
* Considers the value to be secure if it exclusively holds forwards for
* {@link #protocolHeaderHttpsValue}.
*/
private boolean isForwardedProtoHeaderValueSecure(String protocolHeaderValue) {
if (!protocolHeaderValue.contains(",")) {
return protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue);
}
String[] forwardedProtocols = commaDelimitedListToStringArray(protocolHeaderValue);
if (forwardedProtocols.length == 0) {
return false;
}
for (String forwardedProtocol : forwardedProtocols) {
if (!protocolHeaderHttpsValue.equalsIgnoreCase(forwardedProtocol)) {
return false;
}
}
return true;
}
private void setPorts(Request request, int defaultPort) {
int port = defaultPort;
if (portHeader != null) {
String portHeaderValue = request.getHeader(portHeader);
if (portHeaderValue != null) {
try {
port = Integer.parseInt(portHeaderValue);
} catch (NumberFormatException nfe) {
if (log.isDebugEnabled()) {
log.debug(sm.getString(
"remoteIpValve.invalidPortHeader",
portHeaderValue, portHeader), nfe);
}
}
}
}
request.setServerPort(port);
if (changeLocalPort) {
request.setLocalPort(port);
}
}
Server Port value if the protocolHeader
is not null
and does not indicate HTTP
Default value : 80
Params: - httpServerPort – The server port
/**
* <p>
* Server Port value if the {@link #protocolHeader} is not <code>null</code> and does not indicate HTTP
* </p>
* <p>
* Default value : 80
* </p>
* @param httpServerPort The server port
*/
public void setHttpServerPort(int httpServerPort) {
this.httpServerPort = httpServerPort;
}
Server Port value if the protocolHeader
indicates HTTPS
Default value : 443
Params: - httpsServerPort – The server port
/**
* <p>
* Server Port value if the {@link #protocolHeader} indicates HTTPS
* </p>
* <p>
* Default value : 443
* </p>
* @param httpsServerPort The server port
*/
public void setHttpsServerPort(int httpsServerPort) {
this.httpsServerPort = httpsServerPort;
}
Regular expression that defines the internal proxies.
Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254.\d{1,3}.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
Params: - internalProxies – The proxy regular expression
/**
* <p>
* Regular expression that defines the internal proxies.
* </p>
* <p>
* Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254.\d{1,3}.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
* </p>
* @param internalProxies The proxy regular expression
*/
public void setInternalProxies(String internalProxies) {
if (internalProxies == null || internalProxies.length() == 0) {
this.internalProxies = null;
} else {
this.internalProxies = Pattern.compile(internalProxies);
}
}
Header that holds the incoming protocol, usually named X-Forwarded-Proto
. If null
, request.scheme and
request.secure will not be modified.
Default value : null
Params: - protocolHeader – The header name
/**
* <p>
* Header that holds the incoming protocol, usually named <code>X-Forwarded-Proto</code>. If <code>null</code>, request.scheme and
* request.secure will not be modified.
* </p>
* <p>
* Default value : <code>null</code>
* </p>
* @param protocolHeader The header name
*/
public void setProtocolHeader(String protocolHeader) {
this.protocolHeader = protocolHeader;
}
Case insensitive value of the protocol header to indicate that the incoming http request uses SSL.
Default value : https
Params: - protocolHeaderHttpsValue – The header name
/**
* <p>
* Case insensitive value of the protocol header to indicate that the incoming http request uses SSL.
* </p>
* <p>
* Default value : <code>https</code>
* </p>
* @param protocolHeaderHttpsValue The header name
*/
public void setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue) {
this.protocolHeaderHttpsValue = protocolHeaderHttpsValue;
}
The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP
addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header,
while any intermediate RemoteIPInternalProxy addresses are discarded.
Name of the http header that holds the list of trusted proxies that has been traversed by the http request.
The value of this header can be comma delimited.
Default value : X-Forwarded-By
Params: - proxiesHeader – The header name
/**
* <p>
* The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP
* addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header,
* while any intermediate RemoteIPInternalProxy addresses are discarded.
* </p>
* <p>
* Name of the http header that holds the list of trusted proxies that has been traversed by the http request.
* </p>
* <p>
* The value of this header can be comma delimited.
* </p>
* <p>
* Default value : <code>X-Forwarded-By</code>
* </p>
* @param proxiesHeader The header name
*/
public void setProxiesHeader(String proxiesHeader) {
this.proxiesHeader = proxiesHeader;
}
Name of the http header from which the remote ip is extracted.
The value of this header can be comma delimited.
Default value : X-Forwarded-For
Params: - remoteIpHeader – The header name
/**
* <p>
* Name of the http header from which the remote ip is extracted.
* </p>
* <p>
* The value of this header can be comma delimited.
* </p>
* <p>
* Default value : <code>X-Forwarded-For</code>
* </p>
*
* @param remoteIpHeader The header name
*/
public void setRemoteIpHeader(String remoteIpHeader) {
this.remoteIpHeader = remoteIpHeader;
}
Should this valve set request attributes for IP address, Hostname, protocol and port used for the request? This are typically used in conjunction with the AccessLog
which will otherwise log the original values. Default is true
.
The attributes set are:
- org.apache.catalina.AccessLog.RemoteAddr
- org.apache.catalina.AccessLog.RemoteHost
- org.apache.catalina.AccessLog.Protocol
- org.apache.catalina.AccessLog.ServerPort
- org.apache.tomcat.remoteAddr
Params: - requestAttributesEnabled –
true
causes the attributes
to be set, false
disables
the setting of the attributes.
/**
* Should this valve set request attributes for IP address, Hostname,
* protocol and port used for the request? This are typically used in
* conjunction with the {@link AccessLog} which will otherwise log the
* original values. Default is <code>true</code>.
*
* The attributes set are:
* <ul>
* <li>org.apache.catalina.AccessLog.RemoteAddr</li>
* <li>org.apache.catalina.AccessLog.RemoteHost</li>
* <li>org.apache.catalina.AccessLog.Protocol</li>
* <li>org.apache.catalina.AccessLog.ServerPort</li>
* <li>org.apache.tomcat.remoteAddr</li>
* </ul>
*
* @param requestAttributesEnabled <code>true</code> causes the attributes
* to be set, <code>false</code> disables
* the setting of the attributes.
*/
public void setRequestAttributesEnabled(boolean requestAttributesEnabled) {
this.requestAttributesEnabled = requestAttributesEnabled;
}
Regular expression defining proxies that are trusted when they appear in the remoteIpHeader
header.
Default value : empty list, no external proxy is trusted.
Params: - trustedProxies – The regular expression
/**
* <p>
* Regular expression defining proxies that are trusted when they appear in
* the {@link #remoteIpHeader} header.
* </p>
* <p>
* Default value : empty list, no external proxy is trusted.
* </p>
* @param trustedProxies The regular expression
*/
public void setTrustedProxies(String trustedProxies) {
if (trustedProxies == null || trustedProxies.length() == 0) {
this.trustedProxies = null;
} else {
this.trustedProxies = Pattern.compile(trustedProxies);
}
}
}