Class RemoteIpFilter

java.lang.Object
org.apache.catalina.filters.RemoteIpFilter
All Implemented Interfaces:
Filter

public class RemoteIpFilter extends Object implements Filter

Servlet filter to integrate "X-Forwarded-For" and "X-Forwarded-Proto" HTTP headers.

Most of the design of this Servlet Filter is a port of mod_remoteip, this servlet filter replaces the apparent client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request headers (e.g. "X-Forwarded-For").

Another feature of this servlet filter is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").

This servlet filter proceeds as follows:

If the incoming request.getRemoteAddr() matches the servlet filter's list of internal or trusted proxies:

  • Loop on the comma delimited list of IPs and hostnames passed by the preceding load balancer or proxy in the given request's Http header named $remoteIpHeader (default value x-forwarded-for). Values are processed in right-to-left order.
  • For each ip/host of the list:
    • if it matches the internal proxies list, the ip/host is swallowed
    • if it matches the trusted proxies list, the ip/host is added to the created proxies header
    • otherwise, the ip/host is declared to be the remote ip and looping is stopped.
  • If the request http header named $protocolHeader (default value X-Forwarded-Proto) consists only of forwards that match protocolHeaderHttpsValue configuration parameter (default https) then request.isSecure = true, request.scheme = https and request.serverPort = 443. Note that 443 can be overwritten with the $httpsServerPort configuration parameter.
  • Mark the request with the attribute Globals.REQUEST_FORWARDED_ATTRIBUTE and value Boolean.TRUE to indicate that this request has been forwarded by one or more proxies.
Configuration parameters
XForwardedFilter property Description Equivalent mod_remoteip directive Format Default Value
remoteIpHeader Name of the Http Header read by this servlet filter that holds the list of traversed IP addresses starting from the requesting client RemoteIPHeader Compliant http header name x-forwarded-for
internalProxies Regular expression that matches the IP addresses of internal proxies. If they appear in the remoteIpHeader value, they will be trusted and will not appear in the proxiesHeader value RemoteIPInternalProxy Regular expression (in the syntax supported by java.util.regex) 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}| 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}| 100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}| 100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}| 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}| 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}| 0:0:0:0:0:0:0:1|::1
By default, 10/8, 192.168/16, 169.254/16, 127/8, 100.64/10, 172.16/12, and 0:0:0:0:0:0:0:1 are allowed.
proxiesHeader Name of the http header created by this servlet filter to hold the list of proxies that have been processed in the incoming remoteIpHeader RemoteIPProxiesHeader Compliant http header name x-forwarded-by
trustedProxies Regular expression that matches the IP addresses of trusted proxies. If they appear in the remoteIpHeader value, they will be trusted and will appear in the proxiesHeader value RemoteIPTrustedProxy Regular expression (in the syntax supported by java.util.regex)  
protocolHeader Name of the http header read by this servlet filter that holds the flag that this request N/A Compliant http header name like X-Forwarded-Proto, X-Forwarded-Ssl or Front-End-Https X-Forwarded-Proto
protocolHeaderHttpsValue Value of the protocolHeader to indicate that it is an Https request N/A String like https or ON https
httpServerPort Value returned by ServletRequest.getServerPort() when the protocolHeader indicates http protocol N/A integer 80
httpsServerPort Value returned by ServletRequest.getServerPort() when the protocolHeader indicates https protocol N/A integer 443
enableLookups Should a DNS lookup be performed to provide a host name when calling ServletRequest.getRemoteHost() N/A boolean false

Regular expression vs. IP address blocks: mod_remoteip allows to use address blocks (e.g. 192.168/16) to configure RemoteIPInternalProxy and RemoteIPTrustedProxy ; as the JVM doesn't have a library similar to apr_ipsubnet_test, we rely on regular expressions.


Sample with internal proxies

XForwardedFilter configuration:

<filter> <filter-name>RemoteIpFilter</filter-name> <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class> <init-param> <param-name>internalProxies</param-name> <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value> </init-param> <init-param> <param-name>remoteIpHeader</param-name> <param-value>x-forwarded-for</param-value> </init-param> <init-param> <param-name>remoteIpProxiesHeader</param-name> <param-value>x-forwarded-by</param-value> </init-param> <init-param> <param-name>protocolHeader</param-name> <param-value>x-forwarded-proto</param-value> </init-param> </filter> <filter-mapping> <filter-name>RemoteIpFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
Request Values
property Value Before RemoteIpFilter Value After RemoteIpFilter
request.remoteAddr 192.168.0.10 140.211.11.130
request.header['x-forwarded-for'] 140.211.11.130, 192.168.0.10 null
request.header['x-forwarded-by'] null null
request.header['x-forwarded-proto'] https https
request.scheme http https
request.secure false true
request.serverPort 80 443
Note : x-forwarded-by header is null because only internal proxies as been traversed by the request. x-forwarded-by is null because all the proxies are trusted or internal.

Sample with trusted proxies

RemoteIpFilter configuration:

<filter> <filter-name>RemoteIpFilter</filter-name> <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class> <init-param> <param-name>internalProxies</param-name> <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value> </init-param> <init-param> <param-name>remoteIpHeader</param-name> <param-value>x-forwarded-for</param-value> </init-param> <init-param> <param-name>remoteIpProxiesHeader</param-name> <param-value>x-forwarded-by</param-value> </init-param> <init-param> <param-name>trustedProxies</param-name> <param-value>proxy1|proxy2</param-value> </init-param> </filter> <filter-mapping> <filter-name>RemoteIpFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
Request Values
property Value Before RemoteIpFilter Value After RemoteIpFilter
request.remoteAddr 192.168.0.10 140.211.11.130
request.header['x-forwarded-for'] 140.211.11.130, proxy1, proxy2 null
request.header['x-forwarded-by'] null proxy1, proxy2

Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both are migrated in x-forwarded-by header. x-forwarded-by is null because all the proxies are trusted or internal.


Sample with internal and trusted proxies

RemoteIpFilter configuration:

<filter> <filter-name>RemoteIpFilter</filter-name> <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class> <init-param> <param-name>internalProxies</param-name> <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value> </init-param> <init-param> <param-name>remoteIpHeader</param-name> <param-value>x-forwarded-for</param-value> </init-param> <init-param> <param-name>remoteIpProxiesHeader</param-name> <param-value>x-forwarded-by</param-value> </init-param> <init-param> <param-name>trustedProxies</param-name> <param-value>proxy1|proxy2</param-value> </init-param> </filter> <filter-mapping> <filter-name>RemoteIpFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
Request Values
property Value Before RemoteIpFilter Value After RemoteIpFilter
request.remoteAddr 192.168.0.10 140.211.11.130
request.header['x-forwarded-for'] 140.211.11.130, proxy1, proxy2, 192.168.0.10 null
request.header['x-forwarded-by'] null proxy1, proxy2

Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both are migrated in x-forwarded-by header. As 192.168.0.10 is an internal proxy, it does not appear in x-forwarded-by. x-forwarded-by is null because all the proxies are trusted or internal.


Sample with an untrusted proxy

RemoteIpFilter configuration:

<filter> <filter-name>RemoteIpFilter</filter-name> <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class> <init-param> <param-name>internalProxies</param-name> <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value> </init-param> <init-param> <param-name>remoteIpHeader</param-name> <param-value>x-forwarded-for</param-value> </init-param> <init-param> <param-name>remoteIpProxiesHeader</param-name> <param-value>x-forwarded-by</param-value> </init-param> <init-param> <param-name>trustedProxies</param-name> <param-value>proxy1|proxy2</param-value> </init-param> </filter> <filter-mapping> <filter-name>RemoteIpFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
Request Values
property Value Before RemoteIpFilter Value After RemoteIpFilter
request.remoteAddr 192.168.0.10 untrusted-proxy
request.header['x-forwarded-for'] 140.211.11.130, untrusted-proxy, proxy1 140.211.11.130
request.header['x-forwarded-by'] null proxy1

Note : x-forwarded-by holds the trusted proxy proxy1. x-forwarded-by holds 140.211.11.130 because untrusted-proxy is not trusted and thus, we cannot trust that untrusted-proxy is the actual remote ip. request.remoteAddr is untrusted-proxy that is an IP verified by proxy1.


  • Field Details

  • Constructor Details

    • RemoteIpFilter

      public RemoteIpFilter()
  • Method Details

    • commaDelimitedListToStringArray

      protected static String[] commaDelimitedListToStringArray(String commaDelimitedStrings)
      Convert a given comma delimited list of regular expressions into an array of String
      Parameters:
      commaDelimitedStrings - The string to split
      Returns:
      array of patterns (non null)
    • listToCommaDelimitedString

      @Deprecated protected static String listToCommaDelimitedString(List<String> stringList)
      Deprecated.
      Unused. Will be removed in Tomcat 11 onwards
      Convert a list of strings in a comma delimited string.
      Parameters:
      stringList - List of strings
      Returns:
      concatenated string
    • destroy

      public void destroy()
      Description copied from interface: javax.servlet.Filter
      Called by the web container to indicate to a filter that it is being taken out of service. This method is only called once all threads within the filter's doFilter method have exited or after a timeout period has passed. After the web container calls this method, it will not call the doFilter method again on this instance of the filter.

      This method gives the filter an opportunity to clean up any resources that are being held (for example, memory, file handles, threads) and make sure that any persistent state is synchronized with the filter's current state in memory.
      Specified by:
      destroy in interface Filter
    • doFilter

      public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException
      Throws:
      IOException
      ServletException
    • doFilter

      public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
      Wrap the incoming request in a RemoteIpFilter.XForwardedRequest if the http header x-forwarded-for is not empty. The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.

      A typical implementation of this method would follow the following pattern:-
      1. Examine the request
      2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
      3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
      4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
      4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
      5. Directly set headers on the response after invocation of the next entity in the filter chain.

      Specified by:
      doFilter in interface Filter
      Parameters:
      request - The request to process
      response - The response associated with the request
      chain - Provides access to the next filter in the chain for this filter to pass the request and response to for further processing
      Throws:
      IOException - if an I/O error occurs during this filter's processing of the request
      ServletException - if the processing fails for any other reason
    • isChangeLocalName

      public boolean isChangeLocalName()
    • isChangeLocalPort

      public boolean isChangeLocalPort()
    • getHttpsServerPort

      public int getHttpsServerPort()
    • getInternalProxies

      public Pattern getInternalProxies()
    • getProtocolHeader

      public String getProtocolHeader()
    • getPortHeader

      public String getPortHeader()
    • getProtocolHeaderHttpsValue

      public String getProtocolHeaderHttpsValue()
    • getProxiesHeader

      public String getProxiesHeader()
    • getRemoteIpHeader

      public String getRemoteIpHeader()
    • getRequestAttributesEnabled

      public boolean getRequestAttributesEnabled()
      Returns:
      true if the attributes will be logged, otherwise false
      See Also:
    • getTrustedProxies

      public Pattern getTrustedProxies()
    • getEnableLookups

      public boolean getEnableLookups()
    • init

      public void init(FilterConfig filterConfig) throws ServletException
      Description copied from interface: javax.servlet.Filter
      Called by the web container to indicate to a filter that it is being placed into service. The servlet container calls the init method exactly once after instantiating the filter. The init method must complete successfully before the filter is asked to do any filtering work.

      The web container cannot place the filter into service if the init method either:

      • Throws a ServletException
      • Does not return within a time period defined by the web container
      Specified by:
      init in interface Filter
      Parameters:
      filterConfig - The configuration information associated with the filter instance being initialised
      Throws:
      ServletException - if the initialisation fails
    • setChangeLocalName

      public void setChangeLocalName(boolean changeLocalName)

      If true, the return values for both ServletRequest.getLocalName() and ServletRequest.getServerName() will be modified by this Filter rather than just ServletRequest.getServerName().

      Default value : false

      Parameters:
      changeLocalName - The new flag value
    • setChangeLocalPort

      public void setChangeLocalPort(boolean changeLocalPort)

      If true, the return values for both ServletRequest.getLocalPort() and ServletRequest.getServerPort() will be modified by this Filter rather than just ServletRequest.getServerPort().

      Default value : false

      Parameters:
      changeLocalPort - The new flag value
    • setHttpServerPort

      public void setHttpServerPort(int httpServerPort)

      Server Port value if the protocolHeader indicates HTTP (i.e. protocolHeader is not null and has a value different of protocolHeaderHttpsValue).

      Default value : 80

      Parameters:
      httpServerPort - The server port to use
    • setHttpsServerPort

      public void setHttpsServerPort(int httpsServerPort)

      Server Port value if the protocolHeader indicates HTTPS

      Default value : 443

      Parameters:
      httpsServerPort - The server port to use
    • setInternalProxies

      public void setInternalProxies(String internalProxies)

      Regular expression that defines the internal proxies.

      Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254.\d{1,3}.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1

      Parameters:
      internalProxies - The regexp
    • setHostHeader

      public void setHostHeader(String hostHeader)

      Header that holds the incoming host, usually named X-Forwarded-Host.

      Default value : null

      Parameters:
      hostHeader - The header name
    • setPortHeader

      public void setPortHeader(String portHeader)

      Header that holds the incoming port, usually named X-Forwarded-Port. If null, httpServerPort or httpsServerPort will be used.

      Default value : null

      Parameters:
      portHeader - The header name
    • setProtocolHeader

      public void setProtocolHeader(String protocolHeader)

      Header that holds the incoming protocol, usually named X-Forwarded-Proto. If null, request.scheme and request.secure will not be modified.

      Default value : X-Forwarded-Proto

      Parameters:
      protocolHeader - The header name
    • setProtocolHeaderHttpsValue

      public void setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue)

      Case insensitive value of the protocol header to indicate that the incoming http request uses HTTPS.

      Default value : https

      Parameters:
      protocolHeaderHttpsValue - The header value
    • setProxiesHeader

      public void setProxiesHeader(String proxiesHeader)

      The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header, while any intermediate RemoteIPInternalProxy addresses are discarded.

      Name of the http header that holds the list of trusted proxies that has been traversed by the http request.

      The value of this header can be comma delimited.

      Default value : X-Forwarded-By

      Parameters:
      proxiesHeader - The header name
    • setRemoteIpHeader

      public void setRemoteIpHeader(String remoteIpHeader)

      Name of the http header from which the remote ip is extracted.

      The value of this header can be comma delimited.

      Default value : X-Forwarded-For

      Parameters:
      remoteIpHeader - The header name
    • setRequestAttributesEnabled

      public void setRequestAttributesEnabled(boolean requestAttributesEnabled)
      Should this filter set request attributes for IP address, Hostname, protocol and port used for the request? This are typically used in conjunction with an AccessLog which will otherwise log the original values. Default is true. The attributes set are:
      • org.apache.catalina.AccessLog.RemoteAddr
      • org.apache.catalina.AccessLog.RemoteHost
      • org.apache.catalina.AccessLog.Protocol
      • org.apache.catalina.AccessLog.ServerPort
      • org.apache.tomcat.remoteAddr
      Parameters:
      requestAttributesEnabled - true causes the attributes to be set, false disables the setting of the attributes.
    • setTrustedProxies

      public void setTrustedProxies(String trustedProxies)

      Regular expression defining proxies that are trusted when they appear in the remoteIpHeader header.

      Default value : empty list, no external proxy is trusted.

      Parameters:
      trustedProxies - The trusted proxies regexp
    • setEnableLookups

      public void setEnableLookups(boolean enableLookups)