Servlet filter to integrate “X-Forwarded-For” and “X-Forwarded-Proto” HTTP headers.
Most of the design of this Servlet Filter is a port of mod_remoteip: the filter replaces the apparent client remote IP address and hostname of the request with the IP address list presented by a proxy or a load balancer via a request header (e.g. “X-Forwarded-For”).
The other half of this servlet filter's job is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a load balancer via a request header (e.g. “X-Forwarded-Proto”).
This servlet filter proceeds as follows :

If the incoming request.getRemoteAddr() matches the servlet filter's list of internal or trusted proxies:

  • Loop on the comma delimited list of IPs and hostnames passed by the preceding load balancer or proxy in the given request’s Http
    header named $remoteIpHeader (default value x-forwarded-for). Values are processed in right-to-left order.
  • For each ip/host of the list:
    • if it matches the internal proxies list, the ip/host is swallowed
    • if it matches the trusted proxies list, the ip/host is added to the created proxies header
    • otherwise, the ip/host is declared to be the remote ip and looping is stopped.
  • If the request http header named $protocolHeader (e.g. x-forwarded-proto) consists only of forwards that match
    protocolHeaderHttpsValue configuration parameter (default https) then request.isSecure = true,
    request.scheme = https and request.serverPort = 443. Note that 443 can be overwritten with the
    $httpsServerPort configuration parameter.
  • Mark the request with the attribute Globals.REQUEST_FORWARDED_ATTRIBUTE and value Boolean.TRUE to indicate
    that this request has been forwarded by one or more proxies.
Configuration parameters

remoteIpHeader
  Description: Name of the HTTP header read by this servlet filter that holds the list of traversed IP addresses starting from the requesting client
  Equivalent mod_remoteip directive: RemoteIPHeader
  Format: Compliant HTTP header name
  Default value: x-forwarded-for

internalProxies
  Description: Regular expression that matches the IP addresses of internal proxies. If they appear in the remoteIpHeader value, they will be trusted and will not appear in the proxiesHeader value
  Equivalent mod_remoteip directive: RemoteIPInternalProxy
  Format: Regular expression (in the syntax supported by java.util.regex)
  Default value:
    10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
    169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
    172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
    172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|
    0:0:0:0:0:0:0:1|::1
  By default, 10/8, 192.168/16, 169.254/16, 127/8, 172.16/12, and 0:0:0:0:0:0:0:1 are allowed.

proxiesHeader
  Description: Name of the HTTP header created by this servlet filter to hold the list of proxies that have been processed in the incoming remoteIpHeader
  Equivalent mod_remoteip directive: RemoteIPProxiesHeader
  Format: Compliant HTTP header name
  Default value: x-forwarded-by

trustedProxies
  Description: Regular expression that matches the IP addresses of trusted proxies. If they appear in the remoteIpHeader value, they will be trusted and will appear in the proxiesHeader value
  Equivalent mod_remoteip directive: RemoteIPTrustedProxy
  Format: Regular expression (in the syntax supported by java.util.regex)
  Default value: (empty)

protocolHeader
  Description: Name of the HTTP header read by this servlet filter that holds the flag that this request
  Equivalent mod_remoteip directive: N/A
  Format: Compliant HTTP header name like X-Forwarded-Proto, X-Forwarded-Ssl or Front-End-Https
  Default value: null

protocolHeaderHttpsValue
  Description: Value of the protocolHeader that indicates an HTTPS request
  Equivalent mod_remoteip directive: N/A
  Format: String like https or ON
  Default value: https

httpServerPort
  Description: Value returned by ServletRequest.getServerPort() when the protocolHeader indicates the http protocol
  Equivalent mod_remoteip directive: N/A
  Format: integer
  Default value: 80

httpsServerPort
  Description: Value returned by ServletRequest.getServerPort() when the protocolHeader indicates the https protocol
  Equivalent mod_remoteip directive: N/A
  Format: integer
  Default value: 443

enableLookups
  Description: Should a DNS lookup be performed to provide a host name when calling ServletRequest.getRemoteHost()
  Equivalent mod_remoteip directive: N/A
  Format: boolean
  Default value: false

Regular expression vs. IP address blocks: mod_remoteip allows address blocks (e.g. 192.168/16) to be used to configure RemoteIPInternalProxy and RemoteIPTrustedProxy; as the JVM doesn't have a library similar to apr_ipsubnet_test, we rely on regular expressions instead.
Sample with internal proxies
XForwardedFilter configuration (web.xml):

  filter-name:                       RemoteIpFilter
  filter-class:                      org.apache.catalina.filters.RemoteIpFilter
  init-param internalProxies:        192\.168\.0\.10|192\.168\.0\.11
  init-param remoteIpHeader:         x-forwarded-for
  init-param remoteIpProxiesHeader:  x-forwarded-by
  init-param protocolHeader:         x-forwarded-proto
  filter-mapping:                    url-pattern /*, dispatcher REQUEST

Request values:

  property                             before RemoteIpFilter           after RemoteIpFilter
  request.remoteAddr                   192.168.0.10                    140.211.11.130
  request.header['x-forwarded-for']    140.211.11.130, 192.168.0.10    null
  request.header['x-forwarded-by']     null                            null
  request.header['x-forwarded-proto']  https                           https
  request.scheme                       http                            https
  request.secure                       false                           true
  request.serverPort                   80                              443

Note: the x-forwarded-by header is null because only internal proxies have been traversed by the request. x-forwarded-for is null because all the proxies are trusted or internal.

Sample with trusted proxies

RemoteIpFilter configuration (web.xml):

  filter-name:                       RemoteIpFilter
  filter-class:                      org.apache.catalina.filters.RemoteIpFilter
  init-param internalProxies:        192\.168\.0\.10|192\.168\.0\.11
  init-param remoteIpHeader:         x-forwarded-for
  init-param remoteIpProxiesHeader:  x-forwarded-by
  init-param trustedProxies:         proxy1|proxy2
  filter-mapping:                    url-pattern /*, dispatcher REQUEST

Request values:

  property                             before RemoteIpFilter             after RemoteIpFilter
  request.remoteAddr                   192.168.0.10                      140.211.11.130
  request.header['x-forwarded-for']    140.211.11.130, proxy1, proxy2    null
  request.header['x-forwarded-by']     null                              proxy1, proxy2

Note: proxy1 and proxy2 are both trusted proxies that arrive in the x-forwarded-for header; they are both migrated to the x-forwarded-by header. x-forwarded-for is null because all the proxies are trusted or internal.
Sample with internal and trusted proxies
RemoteIpFilter configuration (web.xml):

  filter-name:                       RemoteIpFilter
  filter-class:                      org.apache.catalina.filters.RemoteIpFilter
  init-param internalProxies:        192\.168\.0\.10|192\.168\.0\.11
  init-param remoteIpHeader:         x-forwarded-for
  init-param remoteIpProxiesHeader:  x-forwarded-by
  init-param trustedProxies:         proxy1|proxy2
  filter-mapping:                    url-pattern /*, dispatcher REQUEST

Request values:

  property                             before RemoteIpFilter                           after RemoteIpFilter
  request.remoteAddr                   192.168.0.10                                    140.211.11.130
  request.header['x-forwarded-for']    140.211.11.130, proxy1, proxy2, 192.168.0.10    null
  request.header['x-forwarded-by']     null                                            proxy1, proxy2

Note: proxy1 and proxy2 are both trusted proxies that arrive in the x-forwarded-for header; they are both migrated to the x-forwarded-by header. As 192.168.0.10 is an internal proxy, it does not appear in x-forwarded-by. x-forwarded-for is null because all the proxies are trusted or internal.

Sample with an untrusted proxy
RemoteIpFilter configuration (web.xml):

  filter-name:                       RemoteIpFilter
  filter-class:                      org.apache.catalina.filters.RemoteIpFilter
  init-param internalProxies:        192\.168\.0\.10|192\.168\.0\.11
  init-param remoteIpHeader:         x-forwarded-for
  init-param remoteIpProxiesHeader:  x-forwarded-by
  init-param trustedProxies:         proxy1|proxy2
  filter-mapping:                    url-pattern /*, dispatcher REQUEST

Request values:

  property                             before RemoteIpFilter                      after RemoteIpFilter
  request.remoteAddr                   192.168.0.10                               untrusted-proxy
  request.header['x-forwarded-for']    140.211.11.130, untrusted-proxy, proxy1    140.211.11.130
  request.header['x-forwarded-by']     null                                       proxy1

Note: x-forwarded-by holds the trusted proxy proxy1. x-forwarded-for still holds 140.211.11.130 because untrusted-proxy is not trusted, and thus we cannot trust that untrusted-proxy reports the actual remote IP. request.remoteAddr is untrusted-proxy, which is an IP verified by proxy1.
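The following is an added model of the algorithm described at the top of this page (right-to-left walk of the remoteIpHeader, internal hops swallowed, trusted hops moved to the proxies header, first unknown hop becomes the client, all-https protocol header upgrades the scheme), written to reproduce the four samples above. It is constructed for illustration and is not Tomcat's own code; the request is modelled as a plain dict with lower-case header names, and the "forwarded" key stands in for Globals.REQUEST_FORWARDED_ATTRIBUTE.

```python
import re
# Added model of the RemoteIpFilter algorithm described above; constructed
# for illustration, not Tomcat's own code. Header names are lower-case keys.
DEFAULT_INTERNAL = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|"
    r"172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1"
)

def _matches(pattern, value):
    # Like java.util.regex Matcher.matches(): the whole value must match.
    return pattern is not None and re.fullmatch(pattern, value) is not None

def remote_ip_filter(req, internal=DEFAULT_INTERNAL, trusted=None,
                     remote_ip_header="x-forwarded-for",
                     proxies_header="x-forwarded-by",
                     protocol_header=None, https_value="https",
                     http_port=80, https_port=443):
    """req: dict with remoteAddr, headers, scheme, secure, serverPort.
    Returns a rewritten copy; the input is left untouched."""
    out = dict(req, headers=dict(req["headers"]))
    addr = req["remoteAddr"]
    # Gate: headers are only honoured when the TCP peer is a known proxy,
    # so a client talking to Tomcat directly cannot spoof its address.
    if not (_matches(internal, addr) or _matches(trusted, addr)):
        return out
    raw = req["headers"].get(remote_ip_header)
    hops = [h.strip() for h in raw.split(",")] if raw else []
    proxies, remote = [], addr
    while hops:                       # right-to-left: nearest hop first
        hop = hops.pop()
        if _matches(internal, hop):
            continue                  # internal proxy: swallowed
        if _matches(trusted, hop):
            proxies.insert(0, hop)    # trusted proxy: recorded
            continue
        remote = hop                  # first unknown hop is the client
        break
    out["remoteAddr"] = remote
    out["headers"][remote_ip_header] = ", ".join(hops) or None
    out["headers"][proxies_header] = ", ".join(proxies) or None
    proto = req["headers"].get(protocol_header) if protocol_header else None
    if proto:
        # Only all-https forwards upgrade the request (protocolHeaderHttpsValue).
        https = all(v.strip().lower() == https_value.lower() for v in proto.split(","))
        out.update(secure=https, scheme="https" if https else "http",
                   serverPort=https_port if https else http_port)
    out["forwarded"] = True           # Globals.REQUEST_FORWARDED_ATTRIBUTE
    return out
```

Running it with the samples' configuration (internalProxies 192\.168\.0\.10|192\.168\.0\.11, trustedProxies proxy1|proxy2) yields the "after" columns of the four tables, while a request whose remoteAddr matches neither list is returned unchanged.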

Source: https://themedipia.com