org.apache.catalina.valves.RemoteIpValve Maven / Gradle / Ivy
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.catalina.valves;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import org.apache.tomcat.util.res.StringManager;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.Constants;
import org.apache.catalina.valves.RequestFilterValve;
import org.apache.catalina.valves.ValveBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
/**
*
* Tomcat port of mod_remoteip, this valve replaces the apparent
* client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request
* headers (e.g. "X-Forwarded-For").
*
*
* Another feature of this valve is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a
* load balancer via a request header (e.g. "X-Forwarded-Proto").
*
*
* This valve proceeds as follows:
*
*
* If the incoming request.getRemoteAddr() matches the valve's list of internal proxies :
*
* - Loop on the comma delimited list of IPs and hostnames passed by the preceding load balancer or proxy in the given request's Http
* header named
$remoteIPHeader (default value x-forwarded-for). Values are processed in right-to-left order.
* - For each ip/host of the list:
*
* - if it matches the internal proxies list, the ip/host is swallowed
* - if it matches the trusted proxies list, the ip/host is added to the created proxies header
* - otherwise, the ip/host is declared to be the remote ip and looping is stopped.
*
*
* - If the request http header named
$protocolHeader (e.g. x-forwarded-for) equals to the value of
* protocolHeaderHttpsValue configuration parameter (default https) then request.isSecure = true,
* request.scheme = https and request.serverPort = 443. Note that 443 can be overwritten with the
* $httpsServerPort configuration parameter.
*
*
*
* Configuration parameters:
*
*
* RemoteIpValve property
* Description
* Equivalent mod_remoteip directive
* Format
* Default Value
*
*
* remoteIPHeader
* Name of the Http Header read by this valve that holds the list of traversed IP addresses starting from the requesting client
* RemoteIPHeader
* Compliant http header name
* x-forwarded-for
*
*
* internalProxies
* List of internal proxies ip adress. If they appear in the remoteIpHeader value, they will be trusted and will not appear
* in the proxiesHeader value
* RemoteIPInternalProxy
* Comma delimited list of regular expressions (in the syntax supported by the {@link java.util.regex.Pattern} library)
* 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}
* By default, 10/8, 192.168/16, 169.254/16 and 127/8 are allowed ; 172.16/12 has not been enabled by default because it is complex to
* describe with regular expressions
*
*
*
* proxiesHeader
* Name of the http header created by this valve to hold the list of proxies that have been processed in the incoming
* remoteIPHeader
* RemoteIPProxiesHeader
* Compliant http header name
* x-forwarded-by
*
*
* trustedProxies
* List of trusted proxies ip adress. If they appear in the remoteIpHeader value, they will be trusted and will appear
* in the proxiesHeader value
* RemoteIPTrustedProxy
* Comma delimited list of regular expressions (in the syntax supported by the {@link java.util.regex.Pattern} library)
*
*
*
* protocolHeader
* Name of the http header read by this valve that holds the flag that this request
* N/A
* Compliant http header name like X-Forwarded-Proto, X-Forwarded-Ssl or Front-End-Https
* null
*
* protocolHeaderHttpsValue
* Value of the protocolHeader to indicate that it is an Https request
* N/A
* String like https or ON
* https
*
* httpServerPort
* Value returned by {@link ServletRequest#getServerPort()} when the protocolHeader indicates http protocol
* N/A
* integer
* 80
*
*
* httpsServerPort
* Value returned by {@link ServletRequest#getServerPort()} when the protocolHeader indicates https protocol
* N/A
* integer
* 443
*
*
*
*
*
* This Valve may be attached to any Container, depending on the granularity of the filtering you wish to perform.
*
*
* Regular expression vs. IP address blocks: mod_remoteip allows to use address blocks (e.g.
* 192.168/16) to configure RemoteIPInternalProxy and RemoteIPTrustedProxy ; as Tomcat doesn't have a
* library similar to apr_ipsubnet_test,
* RemoteIpValve uses regular expression to configure internalProxies and trustedProxies in the same
* fashion as {@link RequestFilterValve} does.
*
*
*
* Sample with internal proxies
*
*
* RemoteIpValve configuration:
*
*
* <Valve
* className="org.apache.catalina.valves.RemoteIpValve"
* internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
* remoteIPHeader="x-forwarded-for"
* remoteIPProxiesHeader="x-forwarded-by"
* protocolHeader="x-forwarded-proto"
* />
* Request values:
*
*
* property
* Value Before RemoteIpValve
* Value After RemoteIpValve
*
*
* request.remoteAddr
* 192.168.0.10
* 140.211.11.130
*
*
* request.header['x-forwarded-for']
* 140.211.11.130, 192.168.0.10
* null
*
*
* request.header['x-forwarded-by']
* null
* null
*
*
* request.header['x-forwarded-proto']
* https
* https
*
*
* request.scheme
* http
* https
*
*
* request.secure
* false
* true
*
*
* request.serverPort
* 80
* 443
*
*
* Note : x-forwarded-by header is null because only internal proxies as been traversed by the request.
* x-forwarded-by is null because all the proxies are trusted or internal.
*
*
*
* Sample with trusted proxies
*
*
* RemoteIpValve configuration:
*
*
* <Valve
* className="org.apache.catalina.valves.RemoteIpValve"
* internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
* remoteIPHeader="x-forwarded-for"
* remoteIPProxiesHeader="x-forwarded-by"
* trustedProxies="proxy1, proxy2"
* />
* Request values:
*
*
* property
* Value Before RemoteIpValve
* Value After RemoteIpValve
*
*
* request.remoteAddr
* 192.168.0.10
* 140.211.11.130
*
*
* request.header['x-forwarded-for']
* 140.211.11.130, proxy1, proxy2
* null
*
*
* request.header['x-forwarded-by']
* null
* proxy1, proxy2
*
*
* Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both
* are migrated in x-forwarded-by header. x-forwarded-by is null because all the proxies are trusted or internal.
*
*
*
* Sample with internal and trusted proxies
*
*
* RemoteIpValve configuration:
*
*
* <Valve
* className="org.apache.catalina.valves.RemoteIpValve"
* internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
* remoteIPHeader="x-forwarded-for"
* remoteIPProxiesHeader="x-forwarded-by"
* trustedProxies="proxy1, proxy2"
* />
* Request values:
*
*
* property
* Value Before RemoteIpValve
* Value After RemoteIpValve
*
*
* request.remoteAddr
* 192.168.0.10
* 140.211.11.130
*
*
* request.header['x-forwarded-for']
* 140.211.11.130, proxy1, proxy2, 192.168.0.10
* null
*
*
* request.header['x-forwarded-by']
* null
* proxy1, proxy2
*
*
* Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both
* are migrated in x-forwarded-by header. As 192.168.0.10 is an internal proxy, it does not appear in
* x-forwarded-by. x-forwarded-by is null because all the proxies are trusted or internal.
*
*
*
* Sample with an untrusted proxy
*
*
* RemoteIpValve configuration:
*
*
* <Valve
* className="org.apache.catalina.valves.RemoteIpValve"
* internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
* remoteIPHeader="x-forwarded-for"
* remoteIPProxiesHeader="x-forwarded-by"
* trustedProxies="proxy1, proxy2"
* />
* Request values:
*
*
* property
* Value Before RemoteIpValve
* Value After RemoteIpValve
*
*
* request.remoteAddr
* 192.168.0.10
* untrusted-proxy
*
*
* request.header['x-forwarded-for']
* 140.211.11.130, untrusted-proxy, proxy1
* 140.211.11.130
*
*
* request.header['x-forwarded-by']
* null
* proxy1
*
*
* Note : x-forwarded-by holds the trusted proxy proxy1. x-forwarded-by holds
* 140.211.11.130 because untrusted-proxy is not trusted and thus, we can not trust that
* untrusted-proxy is the actual remote ip. request.remoteAddr is untrusted-proxy that is an IP
* verified by proxy1.
*
*/
public class RemoteIpValve extends ValveBase {
/**
* {@link Pattern} for a comma delimited string that support whitespace characters
*/
private static final Pattern commaSeparatedValuesPattern = Pattern.compile("\\s*,\\s*");
/**
* The descriptive information related to this implementation.
*/
private static final String info = "org.apache.catalina.valves.RemoteIpValve/1.0";
/**
* Logger
*/
private static final Log log = LogFactory.getLog(RemoteIpValve.class);
/**
* The StringManager for this package.
*/
protected static final StringManager sm = StringManager.getManager(Constants.Package);
/**
* Convert a given comma delimited list of regular expressions into an array of compiled {@link Pattern}
*
* @return array of patterns (not null)
*/
protected static Pattern[] commaDelimitedListToPatternArray(String commaDelimitedPatterns) {
String[] patterns = commaDelimitedListToStringArray(commaDelimitedPatterns);
List patternsList = new ArrayList();
for (String pattern : patterns) {
try {
patternsList.add(Pattern.compile(pattern));
} catch (PatternSyntaxException e) {
throw new IllegalArgumentException(sm.getString("remoteIpValve.syntax", pattern), e);
}
}
return patternsList.toArray(new Pattern[0]);
}
/**
* Convert a given comma delimited list of regular expressions into an array of String
*
* @return array of patterns (non null)
*/
protected static String[] commaDelimitedListToStringArray(String commaDelimitedStrings) {
return (commaDelimitedStrings == null || commaDelimitedStrings.length() == 0) ? new String[0] : commaSeparatedValuesPattern
.split(commaDelimitedStrings);
}
/**
* Convert an array of strings in a comma delimited string
*/
protected static String listToCommaDelimitedString(List stringList) {
if (stringList == null) {
return "";
}
StringBuilder result = new StringBuilder();
for (Iterator it = stringList.iterator(); it.hasNext();) {
Object element = it.next();
if (element != null) {
result.append(element);
if (it.hasNext()) {
result.append(", ");
}
}
}
return result.toString();
}
/**
* Return true if the given str matches at least one of the given patterns.
*/
protected static boolean matchesOne(String str, Pattern... patterns) {
for (Pattern pattern : patterns) {
if (pattern.matcher(str).matches()) {
return true;
}
}
return false;
}
/**
* @see #setHttpServerPort(int)
*/
private int httpServerPort = 80;
/**
* @see #setHttpsServerPort(int)
*/
private int httpsServerPort = 443;
/**
* @see #setInternalProxies(String)
*/
private Pattern[] internalProxies = new Pattern[] {
Pattern.compile("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"), Pattern.compile("192\\.168\\.\\d{1,3}\\.\\d{1,3}"),
Pattern.compile("169\\.254\\.\\d{1,3}\\.\\d{1,3}"), Pattern.compile("127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}")
};
/**
* @see #setProtocolHeader(String)
*/
private String protocolHeader = null;
/**
* @see #setProtocolHeaderHttpsValue(String)
*/
private String protocolHeaderHttpsValue = "https";
/**
* @see #setProxiesHeader(String)
*/
private String proxiesHeader = "X-Forwarded-By";
/**
* @see #setRemoteIpHeader(String)
*/
private String remoteIpHeader = "X-Forwarded-For";
/**
* @see RemoteIpValve#setTrustedProxies(String)
*/
private Pattern[] trustedProxies = new Pattern[0];
public int getHttpsServerPort() {
return httpsServerPort;
}
public int getHttpServerPort() {
return httpServerPort;
}
/**
* Return descriptive information about this Valve implementation.
*/
@Override
public String getInfo() {
return info;
}
/**
* @see #setInternalProxies(String)
* @return comma delimited list of internal proxies
*/
public String getInternalProxies() {
List internalProxiesAsStringList = new ArrayList();
for (Pattern internalProxyPattern : internalProxies) {
internalProxiesAsStringList.add(String.valueOf(internalProxyPattern));
}
return listToCommaDelimitedString(internalProxiesAsStringList);
}
/**
* @see #setProtocolHeader(String)
* @return the protocol header (e.g. "X-Forwarded-Proto")
*/
public String getProtocolHeader() {
return protocolHeader;
}
/**
* @see RemoteIpValve#setProtocolHeaderHttpsValue(String)
* @return the value of the protocol header for incoming https request (e.g. "https")
*/
public String getProtocolHeaderHttpsValue() {
return protocolHeaderHttpsValue;
}
/**
* @see #setProxiesHeader(String)
* @return the proxies header name (e.g. "X-Forwarded-By")
*/
public String getProxiesHeader() {
return proxiesHeader;
}
/**
* @see #setRemoteIpHeader(String)
* @return the remote IP header name (e.g. "X-Forwarded-For")
*/
public String getRemoteIpHeader() {
return remoteIpHeader;
}
/**
* @see #setTrustedProxies(String)
* @return comma delimited list of trusted proxies
*/
public String getTrustedProxies() {
List trustedProxiesAsStringList = new ArrayList();
for (Pattern trustedProxy : trustedProxies) {
trustedProxiesAsStringList.add(String.valueOf(trustedProxy));
}
return listToCommaDelimitedString(trustedProxiesAsStringList);
}
/**
* {@inheritDoc}
*/
@Override
public void invoke(Request request, Response response) throws IOException, ServletException {
final String originalRemoteAddr = request.getRemoteAddr();
final String originalRemoteHost = request.getRemoteHost();
final String originalScheme = request.getScheme();
final boolean originalSecure = request.isSecure();
final int originalServerPort = request.getServerPort();
if (matchesOne(originalRemoteAddr, internalProxies)) {
String remoteIp = null;
// In java 6, proxiesHeaderValue should be declared as a java.util.Deque
LinkedList proxiesHeaderValue = new LinkedList();
String[] remoteIPHeaderValue = commaDelimitedListToStringArray(request.getHeader(remoteIpHeader));
int idx;
// loop on remoteIPHeaderValue to find the first trusted remote ip and to build the proxies chain
for (idx = remoteIPHeaderValue.length - 1; idx >= 0; idx--) {
String currentRemoteIp = remoteIPHeaderValue[idx];
remoteIp = currentRemoteIp;
if (matchesOne(currentRemoteIp, internalProxies)) {
// do nothing, internalProxies IPs are not appended to the
} else if (matchesOne(currentRemoteIp, trustedProxies)) {
proxiesHeaderValue.addFirst(currentRemoteIp);
} else {
idx--; // decrement idx because break statement doesn't do it
break;
}
}
// continue to loop on remoteIPHeaderValue to build the new value of the remoteIPHeader
LinkedList newRemoteIpHeaderValue = new LinkedList();
for (; idx >= 0; idx--) {
String currentRemoteIp = remoteIPHeaderValue[idx];
newRemoteIpHeaderValue.addFirst(currentRemoteIp);
}
if (remoteIp != null) {
request.setRemoteAddr(remoteIp);
request.setRemoteHost(remoteIp);
// use request.coyoteRequest.mimeHeaders.setValue(str).setString(str) because request.addHeader(str, str) is no-op in Tomcat
// 6.0
if (proxiesHeaderValue.size() == 0) {
request.getCoyoteRequest().getMimeHeaders().removeHeader(proxiesHeader);
} else {
String commaDelimitedListOfProxies = listToCommaDelimitedString(proxiesHeaderValue);
request.getCoyoteRequest().getMimeHeaders().setValue(proxiesHeader).setString(commaDelimitedListOfProxies);
}
if (newRemoteIpHeaderValue.size() == 0) {
request.getCoyoteRequest().getMimeHeaders().removeHeader(remoteIpHeader);
} else {
String commaDelimitedRemoteIpHeaderValue = listToCommaDelimitedString(newRemoteIpHeaderValue);
request.getCoyoteRequest().getMimeHeaders().setValue(remoteIpHeader).setString(commaDelimitedRemoteIpHeaderValue);
}
}
if (protocolHeader != null) {
String protocolHeaderValue = request.getHeader(protocolHeader);
if (protocolHeaderValue == null) {
// don't modify the secure,scheme and serverPort attributes
// of the request
} else if (protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue)) {
request.setSecure(true);
// use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0
request.getCoyoteRequest().scheme().setString("https");
request.setServerPort(httpsServerPort);
} else {
request.setSecure(false);
// use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0
request.getCoyoteRequest().scheme().setString("http");
request.setServerPort(httpServerPort);
}
}
if (log.isDebugEnabled()) {
log.debug("Incoming request " + request.getRequestURI() + " with originalRemoteAddr '" + originalRemoteAddr
+ "', originalRemoteHost='" + originalRemoteHost + "', originalSecure='" + originalSecure + "', originalScheme='"
+ originalScheme + "' will be seen as newRemoteAddr='" + request.getRemoteAddr() + "', newRemoteHost='"
+ request.getRemoteHost() + "', newScheme='" + request.getScheme() + "', newSecure='" + request.isSecure() + "'");
}
} else {
if (log.isDebugEnabled()) {
log.debug("Skip RemoteIpValve for request " + request.getRequestURI() + " with originalRemoteAddr '"
+ request.getRemoteAddr() + "'");
}
}
try {
getNext().invoke(request, response);
} finally {
request.setRemoteAddr(originalRemoteAddr);
request.setRemoteHost(originalRemoteHost);
request.setSecure(originalSecure);
// use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0
request.getCoyoteRequest().scheme().setString(originalScheme);
request.setServerPort(originalServerPort);
}
}
/**
*
* Server Port value if the {@link #protocolHeader} is not null and does not indicate HTTP
*
*
* Default value : 80
*
*/
public void setHttpServerPort(int httpServerPort) {
this.httpServerPort = httpServerPort;
}
/**
*
* Server Port value if the {@link #protocolHeader} indicates HTTPS
*
*
* Default value : 443
*
*/
public void setHttpsServerPort(int httpsServerPort) {
this.httpsServerPort = httpsServerPort;
}
/**
*
* Comma delimited list of internal proxies. Can be expressed with regular expressions.
*
*
* Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}
*
*/
public void setInternalProxies(String commaDelimitedInternalProxies) {
this.internalProxies = commaDelimitedListToPatternArray(commaDelimitedInternalProxies);
}
/**
*
* Header that holds the incoming protocol, usally named X-Forwarded-Proto. If null, request.scheme and
* request.secure will not be modified.
*
*
* Default value : null
*
*/
public void setProtocolHeader(String protocolHeader) {
this.protocolHeader = protocolHeader;
}
/**
*
* Case insensitive value of the protocol header to indicate that the incoming http request uses SSL.
*
*
* Default value : https
*
*/
public void setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue) {
this.protocolHeaderHttpsValue = protocolHeaderHttpsValue;
}
/**
*
* The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP
* addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header,
* while any intermediate RemoteIPInternalProxy addresses are discarded.
*
*
* Name of the http header that holds the list of trusted proxies that has been traversed by the http request.
*
*
* The value of this header can be comma delimited.
*
*
* Default value : X-Forwarded-By
*
*/
public void setProxiesHeader(String proxiesHeader) {
this.proxiesHeader = proxiesHeader;
}
/**
*
* Name of the http header from which the remote ip is extracted.
*
*
* The value of this header can be comma delimited.
*
*
* Default value : X-Forwarded-For
*
*
* @param remoteIpHeader
*/
public void setRemoteIpHeader(String remoteIpHeader) {
this.remoteIpHeader = remoteIpHeader;
}
/**
*
* Comma delimited list of proxies that are trusted when they appear in the {@link #remoteIpHeader} header. Can be expressed as a
* regular expression.
*
*
* Default value : empty list, no external proxy is trusted.
*
*/
public void setTrustedProxies(String commaDelimitedTrustedProxies) {
this.trustedProxies = commaDelimitedListToPatternArray(commaDelimitedTrustedProxies);
}
}