From 0dc46a2fe7a6ca571500ece29df5c667076147c9 Mon Sep 17 00:00:00 2001 From: Phillip Webb Date: Thu, 25 Sep 2014 12:58:23 -0700 Subject: [PATCH 1/2] Drop protocolHeader and remoteIpHeader defaults The `protocolHeader` and `remoteIpHeader` no longer have default values and must be opt-in. Fixes gh-1624 --- .../boot/autoconfigure/web/ServerProperties.java | 4 ++-- .../boot/autoconfigure/web/ServerPropertiesTests.java | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java index 40004ab7ec6..8f46de2e56f 100644 --- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java +++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java @@ -207,9 +207,9 @@ public class ServerProperties implements EmbeddedServletContainerCustomizer { + "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16 + "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"; // 127/8 - private String protocolHeader = "x-forwarded-proto"; + private String protocolHeader; - private String remoteIpHeader = "x-forwarded-for"; + private String remoteIpHeader; private File basedir; diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java index 0f0b936069b..7c26398bb9a 100644 --- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java +++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java 
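Review bot: The two fields in the `@@ -207,9 +207,9 @@` hunk of ServerProperties.java lose their defaults with no comment saying why, so a later maintainer could restore `x-forwarded-proto` / `x-forwarded-for` as a convenience. I would add a comment above them such as `// No default: forwarded headers are honoured only when explicitly configured (gh-1624)`, and state in the setters' Javadoc that a value belongs here only when the application sits behind a proxy that matches `internalProxies` and overwrites these headers. The properties appendix touched by patch 2/2 still lists `server.tomcat.protocol-header=x-forwarded-proto` and `server.tomcat.remote-ip-header=x-forwarded-for`, which reads as if they were still defaults; marking them as example values would keep the docs consistent with the code. The class body and the `customize` logic that reads these fields lie outside the hunk, so how a null header is handled there cannot be confirmed from here.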
@@ -147,6 +147,12 @@ public class ServerPropertiesTests { @Test public void defaultTomcatRemoteIpValve() throws Exception { + Map map = new HashMap(); + // Since 1.1.7 you need to specify at least the protocol and ip properties + map.put("server.tomcat.protocol_header", "x-forwarded-proto"); + map.put("server.tomcat.remote_ip_header", "x-forwarded-for"); + bindProperties(map); + TomcatEmbeddedServletContainerFactory container = new TomcatEmbeddedServletContainerFactory(); this.properties.customize(container); From bff39e954eb6ecf69d4dcb54e271e9bdbdd1d5c6 Mon Sep 17 00:00:00 2001 From: Phillip Webb Date: Thu, 25 Sep 2014 13:04:12 -0700 Subject: [PATCH 2/2] Add `server.tomcat.port-header` support Update Tomcat ServerProperties to support the RemoteIpValve portHeader property. Fixes gh-1616 --- .../boot/autoconfigure/web/ServerProperties.java | 11 +++++++++++ .../boot/autoconfigure/web/ServerPropertiesTests.java | 2 ++ .../asciidoc/appendix-application-properties.adoc | 3 ++- 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java index 8f46de2e56f..421e24488c3 100644 --- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java +++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java @@ -209,6 +209,8 @@ public class ServerProperties implements EmbeddedServletContainerCustomizer { private String protocolHeader; + private String portHeader; + private String remoteIpHeader; private File basedir; 
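Review bot: Nothing in the `defaultTomcatRemoteIpValve` hunk pins the behaviour this commit introduces, because the test now opts in to both headers and no test shows what happens when neither property is set. A companion test that calls `this.properties.customize(container)` without binding any `server.tomcat.*` header property, and asserts that no `RemoteIpValve` ends up on the factory (presumably the intended outcome), would catch a regression that silently restores the defaults. The added `Map map = new HashMap();` also uses raw types; `Map<String, String> map = new HashMap<String, String>();` avoids the unchecked warnings. The test method continues past the end of the hunk, so its assertions are not visible here.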
@@ -285,6 +287,14 @@ public class ServerProperties implements EmbeddedServletContainerCustomizer { this.protocolHeader = protocolHeader; } + public String getPortHeader() { + return this.portHeader; + } + + public void setPortHeader(String portHeader) { + this.portHeader = portHeader; + } + public String getRemoteIpHeader() { return this.remoteIpHeader; } @@ -321,6 +331,7 @@ public class ServerProperties implements EmbeddedServletContainerCustomizer { valve.setRemoteIpHeader(remoteIpHeader); valve.setProtocolHeader(protocolHeader); valve.setInternalProxies(getInternalProxies()); + valve.setPortHeader(getPortHeader()); factory.addContextValves(valve); } diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java index 7c26398bb9a..66f75e86049 100644 --- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java +++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java @@ -177,6 +177,7 @@ public class ServerPropertiesTests { map.put("server.tomcat.remote_ip_header", "x-my-remote-ip-header"); map.put("server.tomcat.protocol_header", "x-my-protocol-header"); map.put("server.tomcat.internal_proxies", "192.168.0.1"); + map.put("server.tomcat.port-header", "x-my-forward-port"); bindProperties(map); TomcatEmbeddedServletContainerFactory container = new TomcatEmbeddedServletContainerFactory(); @@ -188,6 +189,7 @@ public class ServerPropertiesTests { RemoteIpValve remoteIpValve = (RemoteIpValve) valve; assertEquals("x-my-protocol-header", remoteIpValve.getProtocolHeader()); assertEquals("x-my-remote-ip-header", remoteIpValve.getRemoteIpHeader()); + assertEquals("x-my-forward-port", remoteIpValve.getPortHeader()); assertEquals("192.168.0.1", remoteIpValve.getInternalProxies()); } 
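Review bot: In the `@@ -321,6 +331,7 @@` hunk, `valve.setPortHeader(getPortHeader())` sits inside a block whose guard lies outside the hunk, so it is not visible whether setting `server.tomcat.port-header` on its own has any effect. If the guard tests only the remote IP and protocol headers, a port-header-only configuration is silently ignored. In that case say so on the setter added in the `@@ -285,6 +287,14 @@` hunk, for example `/** Header carrying the original port; applied only when a remote IP or protocol header is also configured. */`. The new accessors otherwise have no Javadoc, and it is worth stating there that the value is read from the request and should be relied on only for peers matching `internalProxies`.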
diff --git a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc index a14029430b3..9acdee71ee7 100644 --- a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc +++ b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc @@ -74,7 +74,8 @@ content into your application; rather pick only the properties that you need. 192\.168\.\d{1,3}\.\d{1,3}|\ 169\.254\.\d{1,3}\.\d{1,3}|\ 127\.\d{1,3}\.\d{1,3}\.\d{1,3} # regular expression matching trusted IP addresses - server.tomcat.protocol-header=x-forwarded-proto # ssl forward headers + server.tomcat.protocol-header=x-forwarded-proto # front end proxy forward header + server.tomcat.port-header= # front end proxy port header server.tomcat.remote-ip-header=x-forwarded-for server.tomcat.basedir=/tmp # base dir (usually not needed, defaults to tmp) server.tomcat.background-processor-delay=30; # in seconds