Class RemoteIpFilter

  • All Implemented Interfaces:
    Filter

    public class RemoteIpFilter
    extends Object
    implements Filter

    Servlet filter to integrate "X-Forwarded-For" and "X-Forwarded-Proto" HTTP headers.

    Most of the design of this Servlet Filter is a port of mod_remoteip, this servlet filter replaces the apparent client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request headers (e.g. "X-Forwarded-For").

    Another feature of this servlet filter is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").

    This servlet filter proceeds as follows:

    If the incoming request.getRemoteAddr() matches the servlet filter's list of internal or trusted proxies:

    • Loop on the comma delimited list of IPs and hostnames passed by the preceding load balancer or proxy in the given request's Http header named $remoteIpHeader (default value x-forwarded-for). Values are processed in right-to-left order.
    • For each ip/host of the list:
      • if it matches the internal proxies list, the ip/host is swallowed
      • if it matches the trusted proxies list, the ip/host is added to the created proxies header
      • otherwise, the ip/host is declared to be the remote ip and looping is stopped.
    • If the request http header named $protocolHeader (e.g. x-forwarded-proto) consists only of forwards that match protocolHeaderHttpsValue configuration parameter (default https) then request.isSecure = true, request.scheme = https and request.serverPort = 443. Note that 443 can be overwritten with the $httpsServerPort configuration parameter.
    • Mark the request with the attribute Globals.REQUEST_FORWARDED_ATTRIBUTE and value Boolean.TRUE to indicate that this request has been forwarded by one or more proxies.
    Configuration parameters
    XForwardedFilter property Description Equivalent mod_remoteip directive Format Default Value
    remoteIpHeader Name of the Http Header read by this servlet filter that holds the list of traversed IP addresses starting from the requesting client RemoteIPHeader Compliant http header name x-forwarded-for
    internalProxies Regular expression that matches the IP addresses of internal proxies. If they appear in the remoteIpHeader value, they will be trusted and will not appear in the proxiesHeader value RemoteIPInternalProxy Regular expression (in the syntax supported by java.util.regex) 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}| 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}| 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}| 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}| 0:0:0:0:0:0:0:1|::1
    By default, 10/8, 192.168/16, 169.254/16, 127/8, 172.16/12, and 0:0:0:0:0:0:0:1 are allowed.
    proxiesHeader Name of the http header created by this servlet filter to hold the list of proxies that have been processed in the incoming remoteIpHeader RemoteIPProxiesHeader Compliant http header name x-forwarded-by
    trustedProxies Regular expression that matches the IP addresses of trusted proxies. If they appear in the remoteIpHeader value, they will be trusted and will appear in the proxiesHeader value RemoteIPTrustedProxy Regular expression (in the syntax supported by java.util.regex)  
    protocolHeader Name of the http header read by this servlet filter that holds the flag that this request N/A Compliant http header name like X-Forwarded-Proto, X-Forwarded-Ssl or Front-End-Https null
    protocolHeaderHttpsValue Value of the protocolHeader to indicate that it is an Https request N/A String like https or ON https
    httpServerPort Value returned by ServletRequest.getServerPort() when the protocolHeader indicates http protocol N/A integer 80
    httpsServerPort Value returned by ServletRequest.getServerPort() when the protocolHeader indicates https protocol N/A integer 443
    enableLookups Should a DNS lookup be performed to provide a host name when calling ServletRequest.getRemoteHost() N/A boolean false

    Regular expression vs. IP address blocks: mod_remoteip allows to use address blocks (e.g. 192.168/16) to configure RemoteIPInternalProxy and RemoteIPTrustedProxy ; as the JVM doesn't have a library similar to apr_ipsubnet_test, we rely on regular expressions.


    Sample with internal proxies

    XForwardedFilter configuration:

    <filter> <filter-name>RemoteIpFilter</filter-name> <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class> <init-param> <param-name>internalProxies</param-name> <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value> </init-param> <init-param> <param-name>remoteIpHeader</param-name> <param-value>x-forwarded-for</param-value> </init-param> <init-param> <param-name>remoteIpProxiesHeader</param-name> <param-value>x-forwarded-by</param-value> </init-param> <init-param> <param-name>protocolHeader</param-name> <param-value>x-forwarded-proto</param-value> </init-param> </filter> <filter-mapping> <filter-name>RemoteIpFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
    Request Values
    property Value Before RemoteIpFilter Value After RemoteIpFilter
    request.remoteAddr 192.168.0.10 140.211.11.130
    request.header['x-forwarded-for'] 140.211.11.130, 192.168.0.10 null
    request.header['x-forwarded-by'] null null
    request.header['x-forwarded-proto'] https https
    request.scheme http https
    request.secure false true
    request.serverPort 80 443
    Note : x-forwarded-by header is null because only internal proxies as been traversed by the request. x-forwarded-by is null because all the proxies are trusted or internal.

    Sample with trusted proxies

    RemoteIpFilter configuration:

    <filter> <filter-name>RemoteIpFilter</filter-name> <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class> <init-param> <param-name>internalProxies</param-name> <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value> </init-param> <init-param> <param-name>remoteIpHeader</param-name> <param-value>x-forwarded-for</param-value> </init-param> <init-param> <param-name>remoteIpProxiesHeader</param-name> <param-value>x-forwarded-by</param-value> </init-param> <init-param> <param-name>trustedProxies</param-name> <param-value>proxy1|proxy2</param-value> </init-param> </filter> <filter-mapping> <filter-name>RemoteIpFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
    Request Values
    property Value Before RemoteIpFilter Value After RemoteIpFilter
    request.remoteAddr 192.168.0.10 140.211.11.130
    request.header['x-forwarded-for'] 140.211.11.130, proxy1, proxy2 null
    request.header['x-forwarded-by'] null proxy1, proxy2

    Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both are migrated in x-forwarded-by header. x-forwarded-by is null because all the proxies are trusted or internal.


    Sample with internal and trusted proxies

    RemoteIpFilter configuration:

    <filter> <filter-name>RemoteIpFilter</filter-name> <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class> <init-param> <param-name>internalProxies</param-name> <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value> </init-param> <init-param> <param-name>remoteIpHeader</param-name> <param-value>x-forwarded-for</param-value> </init-param> <init-param> <param-name>remoteIpProxiesHeader</param-name> <param-value>x-forwarded-by</param-value> </init-param> <init-param> <param-name>trustedProxies</param-name> <param-value>proxy1|proxy2</param-value> </init-param> </filter> <filter-mapping> <filter-name>RemoteIpFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
    Request Values
    property Value Before RemoteIpFilter Value After RemoteIpFilter
    request.remoteAddr 192.168.0.10 140.211.11.130
    request.header['x-forwarded-for'] 140.211.11.130, proxy1, proxy2, 192.168.0.10 null
    request.header['x-forwarded-by'] null proxy1, proxy2

    Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both are migrated in x-forwarded-by header. As 192.168.0.10 is an internal proxy, it does not appear in x-forwarded-by. x-forwarded-by is null because all the proxies are trusted or internal.


    Sample with an untrusted proxy

    RemoteIpFilter configuration:

    <filter> <filter-name>RemoteIpFilter</filter-name> <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class> <init-param> <param-name>internalProxies</param-name> <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value> </init-param> <init-param> <param-name>remoteIpHeader</param-name> <param-value>x-forwarded-for</param-value> </init-param> <init-param> <param-name>remoteIpProxiesHeader</param-name> <param-value>x-forwarded-by</param-value> </init-param> <init-param> <param-name>trustedProxies</param-name> <param-value>proxy1|proxy2</param-value> </init-param> </filter> <filter-mapping> <filter-name>RemoteIpFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
    Request Values
    property Value Before RemoteIpFilter Value After RemoteIpFilter
    request.remoteAddr 192.168.0.10 untrusted-proxy
    request.header['x-forwarded-for'] 140.211.11.130, untrusted-proxy, proxy1 140.211.11.130
    request.header['x-forwarded-by'] null proxy1

    Note : x-forwarded-by holds the trusted proxy proxy1. x-forwarded-by holds 140.211.11.130 because untrusted-proxy is not trusted and thus, we cannot trust that untrusted-proxy is the actual remote ip. request.remoteAddr is untrusted-proxy that is an IP verified by proxy1.


    • Constructor Detail

      • RemoteIpFilter

        public RemoteIpFilter()
    • Method Detail

      • commaDelimitedListToStringArray

        protected static String[] commaDelimitedListToStringArray​(String commaDelimitedStrings)
        Convert a given comma delimited list of regular expressions into an array of String
        Parameters:
        commaDelimitedStrings - The string to split
        Returns:
        array of patterns (non null)
      • listToCommaDelimitedString

        protected static String listToCommaDelimitedString​(List<String> stringList)
        Convert a list of strings in a comma delimited string.
        Parameters:
        stringList - List of strings
        Returns:
        concatenated string
      • destroy

        public void destroy()
        Description copied from interface: javax.servlet.Filter
        Called by the web container to indicate to a filter that it is being taken out of service. This method is only called once all threads within the filter's doFilter method have exited or after a timeout period has passed. After the web container calls this method, it will not call the doFilter method again on this instance of the filter.

        This method gives the filter an opportunity to clean up any resources that are being held (for example, memory, file handles, threads) and make sure that any persistent state is synchronized with the filter's current state in memory.
        Specified by:
        destroy in interface Filter
      • doFilter

        public void doFilter​(ServletRequest request,
                             ServletResponse response,
                             FilterChain chain)
                      throws IOException,
                             ServletException
        Wrap the incoming request in a RemoteIpFilter.XForwardedRequest if the http header x-forwarded-for is not empty. The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.

        A typical implementation of this method would follow the following pattern:-
        1. Examine the request
        2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
        3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
        4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
        4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
        5. Directly set headers on the response after invocation of the next entity in the filter chain.

        Specified by:
        doFilter in interface Filter
        Parameters:
        request - The request to process
        response - The response associated with the request
        chain - Provides access to the next filter in the chain for this filter to pass the request and response to for further processing
        Throws:
        IOException - if an I/O error occurs during this filter's processing of the request
        ServletException - if the processing fails for any other reason
      • isChangeLocalName

        public boolean isChangeLocalName()
      • isChangeLocalPort

        public boolean isChangeLocalPort()
      • getHttpsServerPort

        public int getHttpsServerPort()
      • getInternalProxies

        public Pattern getInternalProxies()
      • getProtocolHeader

        public String getProtocolHeader()
      • getPortHeader

        public String getPortHeader()
      • getProtocolHeaderHttpsValue

        public String getProtocolHeaderHttpsValue()
      • getProxiesHeader

        public String getProxiesHeader()
      • getRemoteIpHeader

        public String getRemoteIpHeader()
      • getRequestAttributesEnabled

        public boolean getRequestAttributesEnabled()
        Returns:
        true if the attributes will be logged, otherwise false
        See Also:
        setRequestAttributesEnabled(boolean)
      • getTrustedProxies

        public Pattern getTrustedProxies()
      • getEnableLookups

        public boolean getEnableLookups()
      • init

        public void init​(FilterConfig filterConfig)
                  throws ServletException
        Description copied from interface: javax.servlet.Filter
        Called by the web container to indicate to a filter that it is being placed into service. The servlet container calls the init method exactly once after instantiating the filter. The init method must complete successfully before the filter is asked to do any filtering work.

        The web container cannot place the filter into service if the init method either:

        • Throws a ServletException
        • Does not return within a time period defined by the web container
        Specified by:
        init in interface Filter
        Parameters:
        filterConfig - The configuration information associated with the filter instance being initialised
        Throws:
        ServletException - if the initialisation fails
      • setHttpServerPort

        public void setHttpServerPort​(int httpServerPort)

        Server Port value if the protocolHeader indicates HTTP (i.e. protocolHeader is not null and has a value different of protocolHeaderHttpsValue).

        Default value : 80

        Parameters:
        httpServerPort - The server port to use
      • setHttpsServerPort

        public void setHttpsServerPort​(int httpsServerPort)

        Server Port value if the protocolHeader indicates HTTPS

        Default value : 443

        Parameters:
        httpsServerPort - The server port to use
      • setInternalProxies

        public void setInternalProxies​(String internalProxies)

        Regular expression that defines the internal proxies.

        Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254.\d{1,3}.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1

        Parameters:
        internalProxies - The regexp
      • setHostHeader

        public void setHostHeader​(String hostHeader)

        Header that holds the incoming host, usually named X-Forwarded-Host.

        Default value : null

        Parameters:
        hostHeader - The header name
      • setPortHeader

        public void setPortHeader​(String portHeader)

        Header that holds the incoming port, usually named X-Forwarded-Port. If null, httpServerPort or httpsServerPort will be used.

        Default value : null

        Parameters:
        portHeader - The header name
      • setProtocolHeader

        public void setProtocolHeader​(String protocolHeader)

        Header that holds the incoming protocol, usually named X-Forwarded-Proto. If null, request.scheme and request.secure will not be modified.

        Default value : null

        Parameters:
        protocolHeader - The header name
      • setProtocolHeaderHttpsValue

        public void setProtocolHeaderHttpsValue​(String protocolHeaderHttpsValue)

        Case insensitive value of the protocol header to indicate that the incoming http request uses HTTPS.

        Default value : https

        Parameters:
        protocolHeaderHttpsValue - The header value
      • setProxiesHeader

        public void setProxiesHeader​(String proxiesHeader)

        The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header, while any intermediate RemoteIPInternalProxy addresses are discarded.

        Name of the http header that holds the list of trusted proxies that has been traversed by the http request.

        The value of this header can be comma delimited.

        Default value : X-Forwarded-By

        Parameters:
        proxiesHeader - The header name
      • setRemoteIpHeader

        public void setRemoteIpHeader​(String remoteIpHeader)

        Name of the http header from which the remote ip is extracted.

        The value of this header can be comma delimited.

        Default value : X-Forwarded-For

        Parameters:
        remoteIpHeader - The header name
      • setRequestAttributesEnabled

        public void setRequestAttributesEnabled​(boolean requestAttributesEnabled)
        Should this filter set request attributes for IP address, Hostname, protocol and port used for the request? This are typically used in conjunction with an AccessLog which will otherwise log the original values. Default is true. The attributes set are:
        • org.apache.catalina.AccessLog.RemoteAddr
        • org.apache.catalina.AccessLog.RemoteHost
        • org.apache.catalina.AccessLog.Protocol
        • org.apache.catalina.AccessLog.ServerPort
        • org.apache.tomcat.remoteAddr
        Parameters:
        requestAttributesEnabled - true causes the attributes to be set, false disables the setting of the attributes.
      • setTrustedProxies

        public void setTrustedProxies​(String trustedProxies)

        Regular expression defining proxies that are trusted when they appear in the remoteIpHeader header.

        Default value : empty list, no external proxy is trusted.

        Parameters:
        trustedProxies - The trusted proxies regexp
      • setEnableLookups

        public void setEnableLookups​(boolean enableLookups)