root
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Actions 12 Packages Projects Releases Wiki Activity

Enable Tomcat RemoteIpValve by default 

Fixes gh-3782
This commit is contained in:
Dave Syer 2015-08-21 09:25:10 +01:00
parent 8543a3ca91
commit 2583f8050a
2 changed files with 32 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
View File

@ -496,13 +496,13 @@ public class ServerProperties implements EmbeddedServletContainerCustomizer, Ord
/** /**
* Name of the HTTP header used to override the original port value. * Name of the HTTP header used to override the original port value.
*/ */
private String portHeader; private String portHeader = "x-forwarded-port";
/** /**
* Name of the http header from which the remote ip is extracted. Configured as a * Name of the http header from which the remote ip is extracted. Configured as a
* RemoteIpValve only if remoteIpHeader is also set. * RemoteIpValve only if remoteIpHeader is also set.
*/ */
private String remoteIpHeader; private String remoteIpHeader = "x-forwarded-for";
/** /**
* Tomcat base directory. If not specified a temporary directory will be used. * Tomcat base directory. If not specified a temporary directory will be used.
@ -691,13 +691,16 @@ public class ServerProperties implements EmbeddedServletContainerCustomizer, Ord
String remoteIpHeader = getRemoteIpHeader(); String remoteIpHeader = getRemoteIpHeader();
String protocolHeader = getProtocolHeader(); String protocolHeader = getProtocolHeader();
if (StringUtils.hasText(remoteIpHeader) if (StringUtils.hasText(remoteIpHeader)
|| StringUtils.hasText(protocolHeader)) { && StringUtils.hasText(protocolHeader)) {
RemoteIpValve valve = new RemoteIpValve(); RemoteIpValve valve = new RemoteIpValve();
valve.setRemoteIpHeader(remoteIpHeader); valve.setRemoteIpHeader(remoteIpHeader);
valve.setProtocolHeader(protocolHeader); valve.setProtocolHeader(protocolHeader);
// The internal proxies default to a white list of "safe" internal IP
// addresses
valve.setInternalProxies(getInternalProxies()); valve.setInternalProxies(getInternalProxies());
valve.setPortHeader(getPortHeader()); valve.setPortHeader(getPortHeader());
valve.setProtocolHeaderHttpsValue(getProtocolHeaderHttpsValue()); valve.setProtocolHeaderHttpsValue(getProtocolHeaderHttpsValue());
// ... so it's safe to add this valve by default.
factory.addContextValves(valve); factory.addContextValves(valve);
} }
} }

31
spring-boot-docs/src/main/asciidoc/howto.adoc
View File

@ -525,11 +525,24 @@ HTTPS connector:
[[howto-use-tomcat-behind-a-proxy-server]] [[howto-use-tomcat-behind-a-proxy-server]]
=== Use Tomcat behind a front-end proxy server === Use Tomcat behind a front-end proxy server
Spring Boot will automatically configure Tomcat's `RemoteIpValve` if you enable it. This Your app might need to send 302 redirects, or render UI templates with
allows you to transparently use the standard `x-forwarded-for` and `x-forwarded-proto` absolute links to itself, or hypermedia links back to itself in the
headers that most front-end proxy servers add. The valve is switched on by setting one or case of a RESTful service. If the app is behind a proxy, the caller
both of these properties to something non-empty (these are the conventional values used by wants a link to the proxy not to the physical address of the app, so
most proxies, and if you only set one the other will be set automatically): something has to be done in the backend. Typically this is handled via
a contract with the proxy, which will add headers to tell the back end
how to construct links to itself. If the proxy adds conventional
headers (most do this out of the box) the absolute links should be
rendered correctly by default using the Tomcat server.
Spring Boot using Tomcat automatically adds a `RemoteIpValve`. This
transparently takes the standard `x-forwarded-for` and
`x-forwarded-proto` headers and uses them to change local URLs created
in the `HttpServletRequest`. You can configure the header names in
Spring Boot and the valve is switched on unless one or both of these
properties is empty. These values are the defaults and are the
conventional values used by most proxies, so you don't need to set
them unless you need different values:
[indent=0] [indent=0]
---- ----
@ -560,8 +573,12 @@ NOTE: The double backslashes are only required when you're using a properties fi
configuration. If you are using YAML, single backslashes are sufficient and a value configuration. If you are using YAML, single backslashes are sufficient and a value
that's equivalent to the one shown above would be `192\.168\.\d{1,3}\.\d{1,3}`. that's equivalent to the one shown above would be `192\.168\.\d{1,3}\.\d{1,3}`.
Alternatively, you can take complete control of the configuration of the `RemoteIpValve` NOTE: You can trust all proxies by setting the `internal_proxies` to empty (but don't do this in production).
by configuring and adding it in a `TomcatEmbeddedServletContainerFactory` bean.
You can take complete control of the configuration of the
`RemoteIpValve` by switching the automatic one off (i.e. set one of
the headers to empty) and adding a new valve instance in a
`TomcatEmbeddedServletContainerFactory` bean.