diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java index a53171734f7..2ad7a35f75f 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java @@ -966,11 +966,6 @@ public class ServerProperties { + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" // + "0:0:0:0:0:0:0:1|::1"; - /** - * Regular expression defining proxies that are trusted when they appear in the remoteIpHeader header. - */ - private String trustedProxies; - /** * Header that holds the incoming protocol, usually named "X-Forwarded-Proto". */ @@ -998,6 +993,12 @@ public class ServerProperties { */ private String remoteIpHeader; + /** + * Regular expression defining proxies that are trusted when they appear in + * the "remote-ip-header" header. + */ + private String trustedProxies; + public String getInternalProxies() { return this.internalProxies; } @@ -1047,12 +1048,13 @@ public class ServerProperties { } public String getTrustedProxies() { - return trustedProxies; + return this.trustedProxies; } public void setTrustedProxies(String trustedProxies) { this.trustedProxies = trustedProxies; } + } } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java index 72feef6fe5c..3551ce3cbb9 100644 
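Review bot: The relocated Javadoc on `trustedProxies` (hunk `@@ -998,6 +993,12 @@`) says only that the value is a regular expression "defining proxies" and does not say what the expression is matched against. This property decides whose forwarded-address header is believed. A pattern looser than intended, for example an address written with unescaped dots, lets unintended hosts supply the client IP that the application then logs or bases access decisions on. I would extend the comment along the lines of `Regular expression matched against the address of each proxy that appears in the "remote-ip-header" header; escape literal dots and keep the pattern as narrow as possible.` My understanding is that the valve compares IP address strings rather than host names, which is worth confirming and stating in the same comment.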
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java
@@ -227,9 +227,9 @@ public class TomcatWebServerFactoryCustomizer
 if (StringUtils.hasLength(remoteIpHeader)) {
 valve.setRemoteIpHeader(remoteIpHeader);
 }
+ valve.setTrustedProxies(remoteIpProperties.getTrustedProxies());
 // The internal proxies default to a list of "safe" internal IP addresses
 valve.setInternalProxies(remoteIpProperties.getInternalProxies());
- valve.setTrustedProxies(remoteIpProperties.getTrustedProxies());
 try {
 valve.setHostHeader(remoteIpProperties.getHostHeader());
 }
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java
index c0ab36c74a5..826e96303dd 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java
@@ -224,10 +224,10 @@ class TomcatWebServerFactoryCustomizerTests {
 bind("server.tomcat.remoteip.remote-ip-header=x-my-remote-ip-header",
 "server.tomcat.remoteip.protocol-header=x-my-protocol-header",
 "server.tomcat.remoteip.internal-proxies=192.168.0.1",
- "server.tomcat.remoteip.trusted-proxies=proxy1|proxy2",
 "server.tomcat.remoteip.host-header=x-my-forward-host",
 "server.tomcat.remoteip.port-header=x-my-forward-port",
- "server.tomcat.remoteip.protocol-header-https-value=On");
+ "server.tomcat.remoteip.protocol-header-https-value=On",
+ "server.tomcat.remoteip.trusted-proxies=proxy1|proxy2");
 TomcatServletWebServerFactory factory = customizeAndGetFactory();
 assertThat(factory.getEngineValves()).hasSize(1);
 Valve valve = factory.getEngineValves().iterator().next();