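/**
 * Registers a Tomcat {@link RemoteIpValve} as an engine valve when forwarded headers
 * are to be honoured.
 *
 * <p>The valve is added when a protocol header or a remote IP header is configured, or
 * when {@code properties.getOrDeduceUseForwardHeaders()} returns {@code true}. Nothing
 * is registered otherwise.
 *
 * @param properties the server properties consulted for the use-forward-headers decision
 * @param factory the Tomcat factory that receives the valve
 */
private void customizeRemoteIpValve(ServerProperties properties,
        TomcatEmbeddedServletContainerFactory factory) {
    String protocolHeader = getProtocolHeader();
    String remoteIpHeader = getRemoteIpHeader();
    // For back compatibility the valve is also enabled if protocol-header is set
    if (StringUtils.hasText(protocolHeader) || StringUtils.hasText(remoteIpHeader)
            || properties.getOrDeduceUseForwardHeaders()) {
        RemoteIpValve valve = new RemoteIpValve();
        // Use hasText here as well, so a whitespace-only value is treated as "not
        // configured" exactly as in the enabling check above. Previously hasLength let
        // a blank string through as the header name, which silently disabled
        // scheme/remote-address detection.
        valve.setProtocolHeader(StringUtils.hasText(protocolHeader)
                ? protocolHeader : "X-Forwarded-Proto");
        if (StringUtils.hasText(remoteIpHeader)) {
            valve.setRemoteIpHeader(remoteIpHeader);
        }
        // The internal proxies default to a white list of "safe" internal IP
        // addresses, which is why the valve is added without further opt-in.
        // NOTE(review): that reasoning holds only while every host that can connect
        // directly from an address matching the internal-proxies pattern is a trusted
        // proxy. Where other peers share those ranges, narrow
        // server.tomcat.internal_proxies to the actual proxy addresses so forwarded
        // headers from arbitrary internal clients are not believed.
        valve.setInternalProxies(getInternalProxies());
        valve.setPortHeader(getPortHeader());
        valve.setProtocolHeaderHttpsValue(getProtocolHeaderHttpsValue());
        factory.addEngineValves(valve);
    }
}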
/**
 * Customizes a fresh Tomcat factory from {@code this.properties} and checks that exactly
 * one engine valve was registered, that it is a {@link RemoteIpValve}, and that it
 * reports the header names and internal-proxies pattern asserted below.
 */
private void testRemoteIpValveConfigured() {
    // NOTE(review): this pattern is the valve's trust boundary. Presumably only peers
    // whose address matches it may supply forwarded headers; confirm against the
    // Tomcat RemoteIpValve documentation before relying on it in a shared network.
    String expectedProxyPattern = "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 10/8
            + "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" // 192.168/16
            + "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16
            + "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 127/8
            + "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12
            + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|"
            + "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}";

    TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
    this.properties.customize(factory);

    // The size check comes first so an empty valve list fails as an assertion.
    assertThat(factory.getEngineValves()).hasSize(1);
    Valve registered = factory.getEngineValves().iterator().next();
    assertThat(registered).isInstanceOf(RemoteIpValve.class);

    RemoteIpValve ipValve = (RemoteIpValve) registered;
    assertThat(ipValve.getProtocolHeader()).isEqualTo("X-Forwarded-Proto");
    assertThat(ipValve.getProtocolHeaderHttpsValue()).isEqualTo("https");
    assertThat(ipValve.getRemoteIpHeader()).isEqualTo("X-Forwarded-For");
    assertThat(ipValve.getInternalProxies()).isEqualTo(expectedProxyPattern);
}
/**
 * Binds custom {@code server.tomcat.*} forwarded-header settings and verifies that each
 * one is reported by the single {@link RemoteIpValve} registered as an engine valve.
 */
@Test
public void customTomcatRemoteIpValve() throws Exception {
    Map<String, String> settings = new HashMap<String, String>();
    settings.put("server.tomcat.remote_ip_header", "x-my-remote-ip-header");
    settings.put("server.tomcat.protocol_header", "x-my-protocol-header");
    // NOTE(review): the value is only compared for equality here. The default pattern
    // used elsewhere escapes its dots, so this property is presumably a regular
    // expression and real deployments should escape the dots too. Confirm.
    settings.put("server.tomcat.internal_proxies", "192.168.0.1");
    settings.put("server.tomcat.port-header", "x-my-forward-port");
    settings.put("server.tomcat.protocol-header-https-value", "On");
    bindProperties(settings);

    TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
    this.properties.customize(factory);

    // The size check comes first so an empty valve list fails as an assertion.
    assertThat(factory.getEngineValves()).hasSize(1);
    Valve registered = factory.getEngineValves().iterator().next();
    assertThat(registered).isInstanceOf(RemoteIpValve.class);

    RemoteIpValve ipValve = (RemoteIpValve) registered;
    assertThat(ipValve.getProtocolHeader()).isEqualTo("x-my-protocol-header");
    assertThat(ipValve.getProtocolHeaderHttpsValue()).isEqualTo("On");
    assertThat(ipValve.getRemoteIpHeader()).isEqualTo("x-my-remote-ip-header");
    assertThat(ipValve.getPortHeader()).isEqualTo("x-my-forward-port");
    assertThat(ipValve.getInternalProxies()).isEqualTo("192.168.0.1");
}
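/**
 * Registers a Tomcat {@link RemoteIpValve} as a context valve when forwarded headers
 * are to be honoured.
 *
 * <p>The valve is added when a protocol header or a remote IP header is configured, or
 * when {@code properties.getOrDeduceUseForwardHeaders()} returns {@code true}. Nothing
 * is registered otherwise.
 *
 * @param properties the server properties consulted for the use-forward-headers decision
 * @param factory the Tomcat factory that receives the valve
 */
private void customizeRemoteIpValve(ServerProperties properties,
        TomcatEmbeddedServletContainerFactory factory) {
    String protocolHeader = getProtocolHeader();
    String remoteIpHeader = getRemoteIpHeader();
    // For back compatibility the valve is also enabled if protocol-header is set
    if (StringUtils.hasText(protocolHeader) || StringUtils.hasText(remoteIpHeader)
            || properties.getOrDeduceUseForwardHeaders()) {
        RemoteIpValve valve = new RemoteIpValve();
        // Use hasText here as well, so a whitespace-only value is treated as "not
        // configured" exactly as in the enabling check above. Previously hasLength let
        // a blank string through as the header name, which silently disabled
        // scheme/remote-address detection.
        valve.setProtocolHeader(StringUtils.hasText(protocolHeader)
                ? protocolHeader : "X-Forwarded-Proto");
        if (StringUtils.hasText(remoteIpHeader)) {
            valve.setRemoteIpHeader(remoteIpHeader);
        }
        // The internal proxies default to a white list of "safe" internal IP
        // addresses, which is why the valve is added without further opt-in.
        // NOTE(review): that reasoning holds only while every host that can connect
        // directly from an address matching the internal-proxies pattern is a trusted
        // proxy. Where other peers share those ranges, narrow
        // server.tomcat.internal_proxies to the actual proxy addresses so forwarded
        // headers from arbitrary internal clients are not believed.
        valve.setInternalProxies(getInternalProxies());
        valve.setPortHeader(getPortHeader());
        valve.setProtocolHeaderHttpsValue(getProtocolHeaderHttpsValue());
        factory.addContextValves(valve);
    }
}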
/**
 * Customizes a fresh Tomcat factory from {@code this.properties} and checks that exactly
 * one valve was registered, that it is a {@link RemoteIpValve}, and that it reports the
 * header names and internal-proxies pattern asserted below.
 */
private void testRemoteIpValveConfigured() {
    // NOTE(review): this pattern is the valve's trust boundary. Presumably only peers
    // whose address matches it may supply forwarded headers; confirm against the
    // Tomcat RemoteIpValve documentation before relying on it in a shared network.
    String expectedProxyPattern = "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 10/8
            + "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" // 192.168/16
            + "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16
            + "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 127/8
            + "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12
            + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|"
            + "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}";

    TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
    this.properties.customize(factory);

    // The size check comes first so an empty valve list fails as an assertion.
    assertThat(factory.getValves()).hasSize(1);
    Valve registered = factory.getValves().iterator().next();
    assertThat(registered).isInstanceOf(RemoteIpValve.class);

    RemoteIpValve ipValve = (RemoteIpValve) registered;
    assertThat(ipValve.getProtocolHeader()).isEqualTo("X-Forwarded-Proto");
    assertThat(ipValve.getProtocolHeaderHttpsValue()).isEqualTo("https");
    assertThat(ipValve.getRemoteIpHeader()).isEqualTo("X-Forwarded-For");
    assertThat(ipValve.getInternalProxies()).isEqualTo(expectedProxyPattern);
}
/**
 * Binds custom {@code server.tomcat.*} forwarded-header settings and verifies that each
 * one is reported by the single {@link RemoteIpValve} registered on the factory.
 */
@Test
public void customTomcatRemoteIpValve() throws Exception {
    Map<String, String> settings = new HashMap<String, String>();
    settings.put("server.tomcat.remote_ip_header", "x-my-remote-ip-header");
    settings.put("server.tomcat.protocol_header", "x-my-protocol-header");
    // NOTE(review): the value is only compared for equality here. The default pattern
    // used elsewhere escapes its dots, so this property is presumably a regular
    // expression and real deployments should escape the dots too. Confirm.
    settings.put("server.tomcat.internal_proxies", "192.168.0.1");
    settings.put("server.tomcat.port-header", "x-my-forward-port");
    settings.put("server.tomcat.protocol-header-https-value", "On");
    bindProperties(settings);

    TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
    this.properties.customize(factory);

    // The size check comes first so an empty valve list fails as an assertion.
    assertThat(factory.getValves()).hasSize(1);
    Valve registered = factory.getValves().iterator().next();
    assertThat(registered).isInstanceOf(RemoteIpValve.class);

    RemoteIpValve ipValve = (RemoteIpValve) registered;
    assertThat(ipValve.getProtocolHeader()).isEqualTo("x-my-protocol-header");
    assertThat(ipValve.getProtocolHeaderHttpsValue()).isEqualTo("On");
    assertThat(ipValve.getRemoteIpHeader()).isEqualTo("x-my-remote-ip-header");
    assertThat(ipValve.getPortHeader()).isEqualTo("x-my-forward-port");
    assertThat(ipValve.getInternalProxies()).isEqualTo("192.168.0.1");
}
/**
 * Customizes a fresh Tomcat factory from {@code this.properties} and checks that exactly
 * one valve was registered, that it is a {@link RemoteIpValve}, and that it reports the
 * header names and internal-proxies pattern asserted below.
 */
private void testRemoteIpValveConfigured() {
    // NOTE(review): this pattern is the valve's trust boundary. Presumably only peers
    // whose address matches it may supply forwarded headers; confirm against the
    // Tomcat RemoteIpValve documentation before relying on it in a shared network.
    String expectedProxyPattern = "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 10/8
            + "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" // 192.168/16
            + "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16
            + "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 127/8
            + "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12
            + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|"
            + "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}";

    TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
    this.properties.customize(factory);

    // The size check comes first so an empty valve list fails as an assertion.
    assertEquals(1, factory.getValves().size());
    Valve registered = factory.getValves().iterator().next();
    assertThat(registered, instanceOf(RemoteIpValve.class));

    RemoteIpValve ipValve = (RemoteIpValve) registered;
    assertEquals("X-Forwarded-Proto", ipValve.getProtocolHeader());
    assertEquals("https", ipValve.getProtocolHeaderHttpsValue());
    assertEquals("X-Forwarded-For", ipValve.getRemoteIpHeader());
    assertEquals(expectedProxyPattern, ipValve.getInternalProxies());
}
/**
 * Binds custom {@code server.tomcat.*} forwarded-header settings and verifies that each
 * one is reported by the single {@link RemoteIpValve} registered on the factory.
 */
@Test
public void customTomcatRemoteIpValve() throws Exception {
    Map<String, String> settings = new HashMap<String, String>();
    settings.put("server.tomcat.remote_ip_header", "x-my-remote-ip-header");
    settings.put("server.tomcat.protocol_header", "x-my-protocol-header");
    // NOTE(review): the value is only compared for equality here. The default pattern
    // used elsewhere escapes its dots, so this property is presumably a regular
    // expression and real deployments should escape the dots too. Confirm.
    settings.put("server.tomcat.internal_proxies", "192.168.0.1");
    settings.put("server.tomcat.port-header", "x-my-forward-port");
    settings.put("server.tomcat.protocol-header-https-value", "On");
    bindProperties(settings);

    TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
    this.properties.customize(factory);

    // The size check comes first so an empty valve list fails as an assertion.
    assertEquals(1, factory.getValves().size());
    Valve registered = factory.getValves().iterator().next();
    assertThat(registered, instanceOf(RemoteIpValve.class));

    RemoteIpValve ipValve = (RemoteIpValve) registered;
    assertEquals("x-my-protocol-header", ipValve.getProtocolHeader());
    assertEquals("On", ipValve.getProtocolHeaderHttpsValue());
    assertEquals("x-my-remote-ip-header", ipValve.getRemoteIpHeader());
    assertEquals("x-my-forward-port", ipValve.getPortHeader());
    assertEquals("192.168.0.1", ipValve.getInternalProxies());
}
/**
 * Verifies that {@code store.initInternal()} leaves the store set on the
 * {@link SessionFlushValve} registered on the manager's context. A {@link RemoteIpValve}
 * is added to the context first, presumably to show that an unrelated valve ahead of
 * the flush valve does not prevent the wiring.
 */
@Test
public void initInternal() {
    SessionFlushValve flushValve = new SessionFlushValve();
    StandardContext standardContext = (StandardContext) this.manager.getContext();

    // Registration order is kept: the unrelated valve first, then the flush valve.
    standardContext.addValve(new RemoteIpValve());
    standardContext.addValve(flushValve);

    this.store.setManager(this.manager);
    this.store.initInternal();

    assertSame(this.store, flushValve.getStore());
}
/**
 * Adds a default-constructed {@link RemoteIpValve} as a context valve on the factory
 * returned by {@code getFactory()} and delegates the check to
 * {@code assertForwardHeaderIsUsed}.
 */
@Test
public void useForwardHeaders() throws Exception {
    TomcatEmbeddedServletContainerFactory containerFactory = getFactory();
    // NOTE(review): with no explicit configuration the valve uses its built-in
    // internal-proxies pattern to decide which peers' forwarded headers are trusted.
    RemoteIpValve forwardedHeaderValve = new RemoteIpValve();
    containerFactory.addContextValves(forwardedHeaderValve);
    assertForwardHeaderIsUsed(containerFactory);
}