org.apache.catalina.filters.RemoteIpFilter Maven / Gradle / Ivy
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.catalina.filters;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayDeque;
import java.util.Collections;
import java.util.Deque;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import jakarta.servlet.FilterChain;
import jakarta.servlet.GenericFilter;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.catalina.AccessLog;
import org.apache.catalina.Globals;
import org.apache.catalina.util.RequestUtil;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.buf.StringUtils;
import org.apache.tomcat.util.http.FastHttpDateFormat;
import org.apache.tomcat.util.http.parser.Host;
import org.apache.tomcat.util.res.StringManager;
/**
*
* Servlet filter to integrate "X-Forwarded-For" and "X-Forwarded-Proto" HTTP headers.
*
*
* Most of the design of this Servlet Filter is a port of
* mod_remoteip, this servlet filter replaces
* the apparent client remote IP address and hostname for the request with the IP address list presented by a proxy or a
* load balancer via a request headers (e.g. "X-Forwarded-For").
*
*
* Another feature of this servlet filter is to replace the apparent scheme (http/https) and server port with the scheme
* presented by a proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").
*
*
* This servlet filter proceeds as follows:
*
*
* If the incoming request.getRemoteAddr() matches the servlet filter's list of internal or trusted
* proxies:
*
*
* - Loop on the comma delimited list of IPs and hostnames passed by the preceding load balancer or proxy in the given
* request's Http header named
$remoteIpHeader (default value x-forwarded-for). Values are
* processed in right-to-left order.
* - For each ip/host of the list:
*
* - if it matches the internal proxies list, the ip/host is swallowed
* - if it matches the trusted proxies list, the ip/host is added to the created proxies header
* - otherwise, the ip/host is declared to be the remote ip and looping is stopped.
*
*
* - If the request http header named
$protocolHeader (default value X-Forwarded-Proto)
* consists only of forwards that match protocolHeaderHttpsValue configuration parameter (default
* https) then request.isSecure = true, request.scheme = https and
* request.serverPort = 443. Note that 443 can be overwritten with the $httpsServerPort
* configuration parameter.
* - Mark the request with the attribute {@link Globals#REQUEST_FORWARDED_ATTRIBUTE} and value {@code Boolean.TRUE} to
* indicate that this request has been forwarded by one or more proxies.
*
*
* Configuration parameters
*
* XForwardedFilter property
* Description
* Equivalent mod_remoteip directive
* Format
* Default Value
*
*
* remoteIpHeader
* Name of the Http Header read by this servlet filter that holds the list of traversed IP addresses starting from
* the requesting client
* RemoteIPHeader
* Compliant http header name
* x-forwarded-for
*
*
* internalProxies
* Regular expression that matches the IP addresses of internal proxies. If they appear in the
* remoteIpHeader value, they will be trusted and will not appear in the proxiesHeader
* value
* RemoteIPInternalProxy
* Regular expression (in the syntax supported by {@link java.util.regex.Pattern java.util.regex})
* 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
* 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
* 100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|
* 100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|
* 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}| 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|
* 0:0:0:0:0:0:0:1|::1
* By default, 10/8, 192.168/16, 169.254/16, 127/8, 100.64/10, 172.16/12, and 0:0:0:0:0:0:0:1 are allowed.
*
*
* proxiesHeader
* Name of the http header created by this servlet filter to hold the list of proxies that have been processed in
* the incoming remoteIpHeader
* RemoteIPProxiesHeader
* Compliant http header name
* x-forwarded-by
*
*
* trustedProxies
* Regular expression that matches the IP addresses of trusted proxies. If they appear in the
* remoteIpHeader value, they will be trusted and will appear in the proxiesHeader value
* RemoteIPTrustedProxy
* Regular expression (in the syntax supported by {@link java.util.regex.Pattern java.util.regex})
*
*
*
* protocolHeader
* Name of the http header read by this servlet filter that holds the flag that this request
* N/A
* Compliant http header name like X-Forwarded-Proto, X-Forwarded-Ssl or
* Front-End-Https
* X-Forwarded-Proto
*
* protocolHeaderHttpsValue
* Value of the protocolHeader to indicate that it is an Https request
* N/A
* String like https or ON
* https
*
* httpServerPort
* Value returned by {@link ServletRequest#getServerPort()} when the protocolHeader indicates
* http protocol
* N/A
* integer
* 80
*
*
* httpsServerPort
* Value returned by {@link ServletRequest#getServerPort()} when the protocolHeader indicates
* https protocol
* N/A
* integer
* 443
*
*
* enableLookups
* Should a DNS lookup be performed to provide a host name when calling {@link ServletRequest#getRemoteHost()}
* N/A
* boolean
* false
*
*
*
* Regular expression vs. IP address blocks: mod_remoteip allows to use address blocks
* (e.g. 192.168/16) to configure RemoteIPInternalProxy and RemoteIPTrustedProxy
* ; as the JVM doesn't have a library similar to apr_ipsubnet_test,
* we rely on regular expressions.
*
*
*
* Sample with internal proxies
*
*
* XForwardedFilter configuration:
*
*
* <filter>
* <filter-name>RemoteIpFilter</filter-name>
* <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
* <init-param>
* <param-name>internalProxies</param-name>
* <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
* </init-param>
* <init-param>
* <param-name>remoteIpHeader</param-name>
* <param-value>x-forwarded-for</param-value>
* </init-param>
* <init-param>
* <param-name>remoteIpProxiesHeader</param-name>
* <param-value>x-forwarded-by</param-value>
* </init-param>
* <init-param>
* <param-name>protocolHeader</param-name>
* <param-value>x-forwarded-proto</param-value>
* </init-param>
* </filter>
*
* <filter-mapping>
* <filter-name>RemoteIpFilter</filter-name>
* <url-pattern>/*</url-pattern>
* <dispatcher>REQUEST</dispatcher>
* </filter-mapping>
*
* Request Values
*
* property
* Value Before RemoteIpFilter
* Value After RemoteIpFilter
*
*
* request.remoteAddr
* 192.168.0.10
* 140.211.11.130
*
*
* request.header['x-forwarded-for']
* 140.211.11.130, 192.168.0.10
* null
*
*
* request.header['x-forwarded-by']
* null
* null
*
*
* request.header['x-forwarded-proto']
* https
* https
*
*
* request.scheme
* http
* https
*
*
* request.secure
* false
* true
*
*
* request.serverPort
* 80
* 443
*
*
* Note : x-forwarded-by header is null because only internal proxies as been traversed by the request.
* x-forwarded-by is null because all the proxies are trusted or internal.
*
*
* Sample with trusted proxies
*
*
* RemoteIpFilter configuration:
*
*
* <filter>
* <filter-name>RemoteIpFilter</filter-name>
* <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
* <init-param>
* <param-name>internalProxies</param-name>
* <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
* </init-param>
* <init-param>
* <param-name>remoteIpHeader</param-name>
* <param-value>x-forwarded-for</param-value>
* </init-param>
* <init-param>
* <param-name>remoteIpProxiesHeader</param-name>
* <param-value>x-forwarded-by</param-value>
* </init-param>
* <init-param>
* <param-name>trustedProxies</param-name>
* <param-value>proxy1|proxy2</param-value>
* </init-param>
* </filter>
*
* <filter-mapping>
* <filter-name>RemoteIpFilter</filter-name>
* <url-pattern>/*</url-pattern>
* <dispatcher>REQUEST</dispatcher>
* </filter-mapping>
*
* Request Values
*
* property
* Value Before RemoteIpFilter
* Value After RemoteIpFilter
*
*
* request.remoteAddr
* 192.168.0.10
* 140.211.11.130
*
*
* request.header['x-forwarded-for']
* 140.211.11.130, proxy1, proxy2
* null
*
*
* request.header['x-forwarded-by']
* null
* proxy1, proxy2
*
*
*
* Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for
* header, they both are migrated in x-forwarded-by header. x-forwarded-by is null because all
* the proxies are trusted or internal.
*
*
*
* Sample with internal and trusted proxies
*
*
* RemoteIpFilter configuration:
*
*
* <filter>
* <filter-name>RemoteIpFilter</filter-name>
* <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
* <init-param>
* <param-name>internalProxies</param-name>
* <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
* </init-param>
* <init-param>
* <param-name>remoteIpHeader</param-name>
* <param-value>x-forwarded-for</param-value>
* </init-param>
* <init-param>
* <param-name>remoteIpProxiesHeader</param-name>
* <param-value>x-forwarded-by</param-value>
* </init-param>
* <init-param>
* <param-name>trustedProxies</param-name>
* <param-value>proxy1|proxy2</param-value>
* </init-param>
* </filter>
*
* <filter-mapping>
* <filter-name>RemoteIpFilter</filter-name>
* <url-pattern>/*</url-pattern>
* <dispatcher>REQUEST</dispatcher>
* </filter-mapping>
*
* Request Values
*
* property
* Value Before RemoteIpFilter
* Value After RemoteIpFilter
*
*
* request.remoteAddr
* 192.168.0.10
* 140.211.11.130
*
*
* request.header['x-forwarded-for']
* 140.211.11.130, proxy1, proxy2, 192.168.0.10
* null
*
*
* request.header['x-forwarded-by']
* null
* proxy1, proxy2
*
*
*
* Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for
* header, they both are migrated in x-forwarded-by header. As 192.168.0.10 is an internal
* proxy, it does not appear in x-forwarded-by. x-forwarded-by is null because all the proxies
* are trusted or internal.
*
*
*
* Sample with an untrusted proxy
*
*
* RemoteIpFilter configuration:
*
*
* <filter>
* <filter-name>RemoteIpFilter</filter-name>
* <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
* <init-param>
* <param-name>internalProxies</param-name>
* <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
* </init-param>
* <init-param>
* <param-name>remoteIpHeader</param-name>
* <param-value>x-forwarded-for</param-value>
* </init-param>
* <init-param>
* <param-name>remoteIpProxiesHeader</param-name>
* <param-value>x-forwarded-by</param-value>
* </init-param>
* <init-param>
* <param-name>trustedProxies</param-name>
* <param-value>proxy1|proxy2</param-value>
* </init-param>
* </filter>
*
* <filter-mapping>
* <filter-name>RemoteIpFilter</filter-name>
* <url-pattern>/*</url-pattern>
* <dispatcher>REQUEST</dispatcher>
* </filter-mapping>
*
* Request Values
*
* property
* Value Before RemoteIpFilter
* Value After RemoteIpFilter
*
*
* request.remoteAddr
* 192.168.0.10
* untrusted-proxy
*
*
* request.header['x-forwarded-for']
* 140.211.11.130, untrusted-proxy, proxy1
* 140.211.11.130
*
*
* request.header['x-forwarded-by']
* null
* proxy1
*
*
*
* Note : x-forwarded-by holds the trusted proxy proxy1. x-forwarded-by holds
* 140.211.11.130 because untrusted-proxy is not trusted and thus, we cannot trust that
* untrusted-proxy is the actual remote ip. request.remoteAddr is untrusted-proxy
* that is an IP verified by proxy1.
*
*
*/
public class RemoteIpFilter extends GenericFilter {
private static final long serialVersionUID = 1L;
public static class XForwardedRequest extends HttpServletRequestWrapper {
protected final Map> headers;
protected String localName;
protected int localPort;
protected String remoteAddr;
protected String remoteHost;
protected String scheme;
protected boolean secure;
protected String serverName;
protected int serverPort;
public XForwardedRequest(HttpServletRequest request) {
super(request);
this.localName = request.getLocalName();
this.localPort = request.getLocalPort();
this.remoteAddr = request.getRemoteAddr();
this.remoteHost = request.getRemoteHost();
this.scheme = request.getScheme();
this.secure = request.isSecure();
this.serverName = request.getServerName();
this.serverPort = request.getServerPort();
headers = new HashMap<>();
for (Enumeration headerNames = request.getHeaderNames(); headerNames.hasMoreElements();) {
String header = headerNames.nextElement();
headers.put(header, Collections.list(request.getHeaders(header)));
}
}
@Override
public long getDateHeader(String name) {
String value = getHeader(name);
if (value == null) {
return -1;
}
long date = FastHttpDateFormat.parseDate(value);
if (date == -1) {
throw new IllegalArgumentException(value);
}
return date;
}
@Override
public String getHeader(String name) {
Map.Entry> header = getHeaderEntry(name);
if (header == null || header.getValue() == null || header.getValue().isEmpty()) {
return null;
}
return header.getValue().get(0);
}
protected Map.Entry> getHeaderEntry(String name) {
for (Map.Entry> entry : headers.entrySet()) {
if (entry.getKey().equalsIgnoreCase(name)) {
return entry;
}
}
return null;
}
@Override
public Enumeration getHeaderNames() {
return Collections.enumeration(headers.keySet());
}
@Override
public Enumeration getHeaders(String name) {
Map.Entry> header = getHeaderEntry(name);
if (header == null || header.getValue() == null) {
return Collections.enumeration(Collections.emptyList());
}
return Collections.enumeration(header.getValue());
}
@Override
public int getIntHeader(String name) {
String value = getHeader(name);
if (value == null) {
return -1;
}
return Integer.parseInt(value);
}
@Override
public String getLocalName() {
return localName;
}
@Override
public int getLocalPort() {
return localPort;
}
@Override
public String getRemoteAddr() {
return this.remoteAddr;
}
@Override
public String getRemoteHost() {
return this.remoteHost;
}
@Override
public String getScheme() {
return scheme;
}
@Override
public String getServerName() {
return serverName;
}
@Override
public int getServerPort() {
return serverPort;
}
public void removeHeader(String name) {
Map.Entry> header = getHeaderEntry(name);
if (header != null) {
headers.remove(header.getKey());
}
}
public void setHeader(String name, String value) {
List values = Collections.singletonList(value);
Map.Entry> header = getHeaderEntry(name);
if (header == null) {
headers.put(name, values);
} else {
header.setValue(values);
}
}
public void setLocalName(String localName) {
this.localName = localName;
}
public void setLocalPort(int localPort) {
this.localPort = localPort;
}
public void setRemoteAddr(String remoteAddr) {
this.remoteAddr = remoteAddr;
}
public void setRemoteHost(String remoteHost) {
this.remoteHost = remoteHost;
}
public void setScheme(String scheme) {
this.scheme = scheme;
}
public void setSecure(boolean secure) {
super.getRequest().setAttribute(Globals.REMOTE_IP_FILTER_SECURE, Boolean.valueOf(secure));
}
public void setServerName(String serverName) {
this.serverName = serverName;
}
public void setServerPort(int serverPort) {
this.serverPort = serverPort;
}
@Override
public StringBuffer getRequestURL() {
return RequestUtil.getRequestURL(this);
}
}
protected static final String HTTP_SERVER_PORT_PARAMETER = "httpServerPort";
protected static final String HTTPS_SERVER_PORT_PARAMETER = "httpsServerPort";
protected static final String INTERNAL_PROXIES_PARAMETER = "internalProxies";
// Log must be non-static as loggers are created per class-loader and this
// Filter may be used in multiple class loaders
private transient Log log = LogFactory.getLog(RemoteIpFilter.class);
protected static final StringManager sm = StringManager.getManager(RemoteIpFilter.class);
protected static final String PROTOCOL_HEADER_PARAMETER = "protocolHeader";
protected static final String PROTOCOL_HEADER_HTTPS_VALUE_PARAMETER = "protocolHeaderHttpsValue";
protected static final String HOST_HEADER_PARAMETER = "hostHeader";
protected static final String PORT_HEADER_PARAMETER = "portHeader";
protected static final String CHANGE_LOCAL_NAME_PARAMETER = "changeLocalName";
protected static final String CHANGE_LOCAL_PORT_PARAMETER = "changeLocalPort";
protected static final String PROXIES_HEADER_PARAMETER = "proxiesHeader";
protected static final String REMOTE_IP_HEADER_PARAMETER = "remoteIpHeader";
protected static final String TRUSTED_PROXIES_PARAMETER = "trustedProxies";
protected static final String ENABLE_LOOKUPS_PARAMETER = "enableLookups";
/**
* @see #setHttpServerPort(int)
*/
private int httpServerPort = 80;
/**
* @see #setHttpsServerPort(int)
*/
private int httpsServerPort = 443;
/**
* @see #setInternalProxies(String)
*/
private Pattern internalProxies =
Pattern.compile("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" + "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" +
"169\\.254\\.\\d{1,3}\\.\\d{1,3}|" + "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" +
"100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "100\\.[7-9]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" +
"100\\.1[0-1]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" + "100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
"172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
"172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "0:0:0:0:0:0:0:1|::1");
/**
* @see #setProtocolHeader(String)
*/
private String protocolHeader = "X-Forwarded-Proto";
private String protocolHeaderHttpsValue = "https";
private String hostHeader = null;
private boolean changeLocalName = false;
private String portHeader = null;
private boolean changeLocalPort = false;
/**
* @see #setProxiesHeader(String)
*/
private String proxiesHeader = "X-Forwarded-By";
/**
* @see #setRemoteIpHeader(String)
*/
private String remoteIpHeader = "X-Forwarded-For";
/**
* @see #setRequestAttributesEnabled(boolean)
*/
private boolean requestAttributesEnabled = true;
/**
* @see #setTrustedProxies(String)
*/
private Pattern trustedProxies = null;
private boolean enableLookups;
public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws IOException, ServletException {
boolean isInternal = internalProxies != null && internalProxies.matcher(request.getRemoteAddr()).matches();
if (isInternal || (trustedProxies != null && trustedProxies.matcher(request.getRemoteAddr()).matches())) {
String remoteIp = null;
Deque proxiesHeaderValue = new ArrayDeque<>();
StringBuilder concatRemoteIpHeaderValue = new StringBuilder();
for (Enumeration e = request.getHeaders(remoteIpHeader); e.hasMoreElements();) {
if (concatRemoteIpHeaderValue.length() > 0) {
concatRemoteIpHeaderValue.append(", ");
}
concatRemoteIpHeaderValue.append(e.nextElement());
}
String[] remoteIpHeaderValue = StringUtils.splitCommaSeparated(concatRemoteIpHeaderValue.toString());
int idx;
if (!isInternal) {
proxiesHeaderValue.addFirst(request.getRemoteAddr());
}
// loop on remoteIpHeaderValue to find the first trusted remote ip and to build the proxies chain
for (idx = remoteIpHeaderValue.length - 1; idx >= 0; idx--) {
String currentRemoteIp = remoteIpHeaderValue[idx];
remoteIp = currentRemoteIp;
if (internalProxies != null && internalProxies.matcher(currentRemoteIp).matches()) {
// do nothing, internalProxies IPs are not appended to the
} else if (trustedProxies != null && trustedProxies.matcher(currentRemoteIp).matches()) {
proxiesHeaderValue.addFirst(currentRemoteIp);
} else {
idx--; // decrement idx because break statement doesn't do it
break;
}
}
// continue to loop on remoteIpHeaderValue to build the new value of the remoteIpHeader
LinkedList newRemoteIpHeaderValue = new LinkedList<>();
for (; idx >= 0; idx--) {
String currentRemoteIp = remoteIpHeaderValue[idx];
newRemoteIpHeaderValue.addFirst(currentRemoteIp);
}
XForwardedRequest xRequest = new XForwardedRequest(request);
if (remoteIp != null) {
xRequest.setRemoteAddr(remoteIp);
if (getEnableLookups()) {
// This isn't a lazy lookup but that would be a little more
// invasive - mainly in XForwardedRequest - and if
// enableLookups is true is seems reasonable that the
// hostname will be required so look it up here.
try {
InetAddress inetAddress = InetAddress.getByName(remoteIp);
// We know we need a DNS look up so use getCanonicalHostName()
xRequest.setRemoteHost(inetAddress.getCanonicalHostName());
} catch (UnknownHostException e) {
log.debug(sm.getString("remoteIpFilter.invalidRemoteAddress", remoteIp), e);
xRequest.setRemoteHost(remoteIp);
}
} else {
xRequest.setRemoteHost(remoteIp);
}
if (proxiesHeaderValue.size() == 0) {
xRequest.removeHeader(proxiesHeader);
} else {
String commaDelimitedListOfProxies = StringUtils.join(proxiesHeaderValue);
xRequest.setHeader(proxiesHeader, commaDelimitedListOfProxies);
}
if (newRemoteIpHeaderValue.size() == 0) {
xRequest.removeHeader(remoteIpHeader);
} else {
String commaDelimitedRemoteIpHeaderValue = StringUtils.join(newRemoteIpHeaderValue);
xRequest.setHeader(remoteIpHeader, commaDelimitedRemoteIpHeaderValue);
}
}
if (protocolHeader != null) {
String protocolHeaderValue = request.getHeader(protocolHeader);
if (protocolHeaderValue == null) {
// Don't modify the secure, scheme and serverPort attributes
// of the request
} else if (isForwardedProtoHeaderValueSecure(protocolHeaderValue)) {
xRequest.setSecure(true);
xRequest.setScheme("https");
setPorts(xRequest, httpsServerPort);
} else {
xRequest.setSecure(false);
xRequest.setScheme("http");
setPorts(xRequest, httpServerPort);
}
}
if (hostHeader != null) {
String hostHeaderValue = request.getHeader(hostHeader);
if (hostHeaderValue != null) {
try {
int portIndex = Host.parse(hostHeaderValue);
if (portIndex > -1) {
log.debug(sm.getString("remoteIpFilter.invalidHostWithPort", hostHeaderValue, hostHeader));
hostHeaderValue = hostHeaderValue.substring(0, portIndex);
}
xRequest.setServerName(hostHeaderValue);
if (isChangeLocalName()) {
xRequest.setLocalName(hostHeaderValue);
}
} catch (IllegalArgumentException iae) {
log.debug(sm.getString("remoteIpFilter.invalidHostHeader", hostHeaderValue, hostHeader));
}
}
}
request.setAttribute(Globals.REQUEST_FORWARDED_ATTRIBUTE, Boolean.TRUE);
if (log.isTraceEnabled()) {
log.trace("Incoming request " + request.getRequestURI() + " with originalRemoteAddr [" +
request.getRemoteAddr() + "], originalRemoteHost=[" + request.getRemoteHost() +
"], originalSecure=[" + request.isSecure() + "], originalScheme=[" + request.getScheme() +
"], originalServerName=[" + request.getServerName() + "], originalServerPort=[" +
request.getServerPort() + "] will be seen as newRemoteAddr=[" + xRequest.getRemoteAddr() +
"], newRemoteHost=[" + xRequest.getRemoteHost() + "], newSecure=[" + xRequest.isSecure() +
"], newScheme=[" + xRequest.getScheme() + "], newServerName=[" + xRequest.getServerName() +
"], newServerPort=[" + xRequest.getServerPort() + "]");
}
if (requestAttributesEnabled) {
request.setAttribute(AccessLog.REMOTE_ADDR_ATTRIBUTE, xRequest.getRemoteAddr());
request.setAttribute(Globals.REMOTE_ADDR_ATTRIBUTE, xRequest.getRemoteAddr());
request.setAttribute(AccessLog.REMOTE_HOST_ATTRIBUTE, xRequest.getRemoteHost());
request.setAttribute(AccessLog.PROTOCOL_ATTRIBUTE, xRequest.getProtocol());
request.setAttribute(AccessLog.SERVER_NAME_ATTRIBUTE, xRequest.getServerName());
request.setAttribute(AccessLog.SERVER_PORT_ATTRIBUTE, Integer.valueOf(xRequest.getServerPort()));
}
chain.doFilter(xRequest, response);
} else {
if (log.isTraceEnabled()) {
log.trace("Skip RemoteIpFilter for request " + request.getRequestURI() + " with originalRemoteAddr '" +
request.getRemoteAddr() + "'");
}
chain.doFilter(request, response);
}
}
/*
* Considers the value to be secure if it exclusively holds forwards for {@link #protocolHeaderHttpsValue}.
*/
private boolean isForwardedProtoHeaderValueSecure(String protocolHeaderValue) {
if (!protocolHeaderValue.contains(",")) {
return protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue);
}
String[] forwardedProtocols = StringUtils.splitCommaSeparated(protocolHeaderValue);
if (forwardedProtocols.length == 0) {
return false;
}
for (String forwardedProtocol : forwardedProtocols) {
if (!protocolHeaderHttpsValue.equalsIgnoreCase(forwardedProtocol)) {
return false;
}
}
return true;
}
private void setPorts(XForwardedRequest xrequest, int defaultPort) {
int port = defaultPort;
if (getPortHeader() != null) {
String portHeaderValue = xrequest.getHeader(getPortHeader());
if (portHeaderValue != null) {
try {
port = Integer.parseInt(portHeaderValue);
} catch (NumberFormatException nfe) {
log.debug(sm.getString("remoteIpFilter.invalidPort", portHeaderValue, getPortHeader()));
}
}
}
xrequest.setServerPort(port);
if (isChangeLocalPort()) {
xrequest.setLocalPort(port);
}
}
/**
* Wrap the incoming request in a {@link XForwardedRequest} if the http header
* x-forwarded-for is not empty. {@inheritDoc}
*/
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
if (request instanceof HttpServletRequest && response instanceof HttpServletResponse) {
doFilter((HttpServletRequest) request, (HttpServletResponse) response, chain);
} else {
chain.doFilter(request, response);
}
}
public boolean isChangeLocalName() {
return changeLocalName;
}
public boolean isChangeLocalPort() {
return changeLocalPort;
}
public int getHttpsServerPort() {
return httpsServerPort;
}
public Pattern getInternalProxies() {
return internalProxies;
}
public String getProtocolHeader() {
return protocolHeader;
}
public String getPortHeader() {
return portHeader;
}
public String getProtocolHeaderHttpsValue() {
return protocolHeaderHttpsValue;
}
public String getProxiesHeader() {
return proxiesHeader;
}
public String getRemoteIpHeader() {
return remoteIpHeader;
}
/**
* @see #setRequestAttributesEnabled(boolean)
*
* @return true if the attributes will be logged, otherwise false
*/
public boolean getRequestAttributesEnabled() {
return requestAttributesEnabled;
}
public Pattern getTrustedProxies() {
return trustedProxies;
}
public boolean getEnableLookups() {
return enableLookups;
}
@Override
public void init() throws ServletException {
if (getInitParameter(INTERNAL_PROXIES_PARAMETER) != null) {
setInternalProxies(getInitParameter(INTERNAL_PROXIES_PARAMETER));
}
if (getInitParameter(PROTOCOL_HEADER_PARAMETER) != null) {
setProtocolHeader(getInitParameter(PROTOCOL_HEADER_PARAMETER));
}
if (getInitParameter(PROTOCOL_HEADER_HTTPS_VALUE_PARAMETER) != null) {
setProtocolHeaderHttpsValue(getInitParameter(PROTOCOL_HEADER_HTTPS_VALUE_PARAMETER));
}
if (getInitParameter(HOST_HEADER_PARAMETER) != null) {
setHostHeader(getInitParameter(HOST_HEADER_PARAMETER));
}
if (getInitParameter(PORT_HEADER_PARAMETER) != null) {
setPortHeader(getInitParameter(PORT_HEADER_PARAMETER));
}
if (getInitParameter(CHANGE_LOCAL_NAME_PARAMETER) != null) {
setChangeLocalName(Boolean.parseBoolean(getInitParameter(CHANGE_LOCAL_NAME_PARAMETER)));
}
if (getInitParameter(CHANGE_LOCAL_PORT_PARAMETER) != null) {
setChangeLocalPort(Boolean.parseBoolean(getInitParameter(CHANGE_LOCAL_PORT_PARAMETER)));
}
if (getInitParameter(PROXIES_HEADER_PARAMETER) != null) {
setProxiesHeader(getInitParameter(PROXIES_HEADER_PARAMETER));
}
if (getInitParameter(REMOTE_IP_HEADER_PARAMETER) != null) {
setRemoteIpHeader(getInitParameter(REMOTE_IP_HEADER_PARAMETER));
}
if (getInitParameter(TRUSTED_PROXIES_PARAMETER) != null) {
setTrustedProxies(getInitParameter(TRUSTED_PROXIES_PARAMETER));
}
if (getInitParameter(HTTP_SERVER_PORT_PARAMETER) != null) {
try {
setHttpServerPort(Integer.parseInt(getInitParameter(HTTP_SERVER_PORT_PARAMETER)));
} catch (NumberFormatException e) {
throw new NumberFormatException(sm.getString("remoteIpFilter.invalidNumber", HTTP_SERVER_PORT_PARAMETER,
e.getLocalizedMessage()));
}
}
if (getInitParameter(HTTPS_SERVER_PORT_PARAMETER) != null) {
try {
setHttpsServerPort(Integer.parseInt(getInitParameter(HTTPS_SERVER_PORT_PARAMETER)));
} catch (NumberFormatException e) {
throw new NumberFormatException(sm.getString("remoteIpFilter.invalidNumber",
HTTPS_SERVER_PORT_PARAMETER, e.getLocalizedMessage()));
}
}
if (getInitParameter(ENABLE_LOOKUPS_PARAMETER) != null) {
setEnableLookups(Boolean.parseBoolean(getInitParameter(ENABLE_LOOKUPS_PARAMETER)));
}
}
/**
*
* If true, the return values for both {@link ServletRequest#getLocalName()} and
* {@link ServletRequest#getServerName()} will be modified by this Filter rather than just
* {@link ServletRequest#getServerName()}.
*
*
* Default value : false
*
*
* @param changeLocalName The new flag value
*/
public void setChangeLocalName(boolean changeLocalName) {
this.changeLocalName = changeLocalName;
}
/**
*
* If true, the return values for both {@link ServletRequest#getLocalPort()} and
* {@link ServletRequest#getServerPort()} will be modified by this Filter rather than just
* {@link ServletRequest#getServerPort()}.
*
*
* Default value : false
*
*
* @param changeLocalPort The new flag value
*/
public void setChangeLocalPort(boolean changeLocalPort) {
this.changeLocalPort = changeLocalPort;
}
/**
*
* Server Port value if the {@link #protocolHeader} indicates HTTP (i.e. {@link #protocolHeader} is not null and has
* a value different of {@link #protocolHeaderHttpsValue}).
*
*
* Default value : 80
*
*
* @param httpServerPort The server port to use
*/
public void setHttpServerPort(int httpServerPort) {
this.httpServerPort = httpServerPort;
}
/**
*
* Server Port value if the {@link #protocolHeader} indicates HTTPS
*
*
* Default value : 443
*
*
* @param httpsServerPort The server port to use
*/
public void setHttpsServerPort(int httpsServerPort) {
this.httpsServerPort = httpsServerPort;
}
/**
*
* Regular expression that defines the internal proxies.
*
*
* Default value :
* 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254.\d{1,3}.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
*
*
* @param internalProxies The regexp
*/
public void setInternalProxies(String internalProxies) {
if (internalProxies == null || internalProxies.length() == 0) {
this.internalProxies = null;
} else {
this.internalProxies = Pattern.compile(internalProxies);
}
}
/**
*
* Header that holds the incoming host, usually named X-Forwarded-Host.
*
*
* Default value : null
*
*
* @param hostHeader The header name
*/
public void setHostHeader(String hostHeader) {
this.hostHeader = hostHeader;
}
/**
*
* Header that holds the incoming port, usually named X-Forwarded-Port. If null,
* {@link #httpServerPort} or {@link #httpsServerPort} will be used.
*
*
* Default value : null
*
*
* @param portHeader The header name
*/
public void setPortHeader(String portHeader) {
this.portHeader = portHeader;
}
/**
*
* Header that holds the incoming protocol, usually named X-Forwarded-Proto. If null,
* request.scheme and request.secure will not be modified.
*
*
* Default value : X-Forwarded-Proto
*
*
* @param protocolHeader The header name
*/
public void setProtocolHeader(String protocolHeader) {
this.protocolHeader = protocolHeader;
}
/**
*
* Case insensitive value of the protocol header to indicate that the incoming http request uses HTTPS.
*
*
* Default value : https
*
*
* @param protocolHeaderHttpsValue The header value
*/
public void setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue) {
this.protocolHeaderHttpsValue = protocolHeaderHttpsValue;
}
/**
*
* The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the
* intermediate client IP addresses trusted to resolve the actual remote IP. Note that intermediate
* RemoteIPTrustedProxy addresses are recorded in this header, while any intermediate RemoteIPInternalProxy
* addresses are discarded.
*
*
* Name of the http header that holds the list of trusted proxies that has been traversed by the http request.
*
*
* The value of this header can be comma delimited.
*
*
* Default value : X-Forwarded-By
*
*
* @param proxiesHeader The header name
*/
public void setProxiesHeader(String proxiesHeader) {
this.proxiesHeader = proxiesHeader;
}
/**
*
* Name of the http header from which the remote ip is extracted.
*
*
* The value of this header can be comma delimited.
*
*
* Default value : X-Forwarded-For
*
*
* @param remoteIpHeader The header name
*/
public void setRemoteIpHeader(String remoteIpHeader) {
this.remoteIpHeader = remoteIpHeader;
}
/**
* Should this filter set request attributes for IP address, Hostname, protocol and port used for the request? This
* are typically used in conjunction with an {@link AccessLog} which will otherwise log the original values. Default
* is true. The attributes set are:
*
* - org.apache.catalina.AccessLog.RemoteAddr
* - org.apache.catalina.AccessLog.RemoteHost
* - org.apache.catalina.AccessLog.Protocol
* - org.apache.catalina.AccessLog.ServerPort
* - org.apache.tomcat.remoteAddr
*
*
* @param requestAttributesEnabled true causes the attributes to be set, false disables
* the setting of the attributes.
*/
public void setRequestAttributesEnabled(boolean requestAttributesEnabled) {
this.requestAttributesEnabled = requestAttributesEnabled;
}
/**
*
* Regular expression defining proxies that are trusted when they appear in the {@link #remoteIpHeader} header.
*
*
* Default value : empty list, no external proxy is trusted.
*
*
* @param trustedProxies The trusted proxies regexp
*/
public void setTrustedProxies(String trustedProxies) {
if (trustedProxies == null || trustedProxies.length() == 0) {
this.trustedProxies = null;
} else {
this.trustedProxies = Pattern.compile(trustedProxies);
}
}
public void setEnableLookups(boolean enableLookups) {
this.enableLookups = enableLookups;
}
/*
* Log objects are not Serializable but this Filter is because it extends GenericFilter. Tomcat won't serialize a
* Filter but in case something else does...
*/
private void readObject(ObjectInputStream ois) throws ClassNotFoundException, IOException {
ois.defaultReadObject();
log = LogFactory.getLog(RemoteIpFilter.class);
}
}