root
/
spring-boot
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Merge pull request #18489 from manduinca

Browse Source 
* pr/18489:
  Polish "Add dedicated namespace for RemoteIpValve properties"
  Add dedicated namespace for RemoteIpValve properties

Closes gh-18489
pull/19168/head
Stephane Nicoll 5 years ago
parent f731c92b66 8888f75a41
commit 87d379cf92
5 changed files with 176 additions and 80 deletions
Show Stats Download Patch File Download Diff File

191
spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
Unescape Escape View File

@ -63,6 +63,7 @@ import org.springframework.util.unit.DataSize;
* @author Rafiullah Hamedy
* @author Dirk Deyne
* @author HaiTao Zhang
* @author Victor Mandujano
* @since 1.0.0
*/
@ConfigurationProperties(prefix = "server", ignoreUnknownFields = true)
@ -299,43 +300,6 @@ public class ServerProperties {
*/
private final Accesslog accesslog = new Accesslog();
/**
* Regular expression that matches proxies that are to be trusted.
*/
private String internalProxies = "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 10/8
+ "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" // 192.168/16
+ "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16
+ "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 127/8
+ "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12
+ "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" //
+ "0:0:0:0:0:0:0:1|::1";
/**
* Header that holds the incoming protocol, usually named "X-Forwarded-Proto".
*/
private String protocolHeader;
/**
* Value of the protocol header indicating whether the incoming request uses SSL.
*/
private String protocolHeaderHttpsValue = "https";
/**
* Name of the HTTP header used to override the original port value.
*/
private String portHeader = "X-Forwarded-Port";
/**
* Name of the HTTP header from which the remote IP is extracted. For instance,
* `X-FORWARDED-FOR`.
*/
private String remoteIpHeader;
/**
* Name of the HTTP header from which the remote host is extracted.
*/
private String hostHeader = "X-Forwarded-Host";
/**
* Tomcat base directory. If not specified, a temporary directory is used.
*/
@ -440,6 +404,11 @@ public class ServerProperties {
*/
private final Mbeanregistry mbeanregistry = new Mbeanregistry();
/**
* Remote Ip Valve configuration.
*/
private final Remoteip remoteip = new Remoteip();
public int getMaxThreads() {
return this.maxThreads;
}
@ -495,36 +464,58 @@ public class ServerProperties {
this.basedir = basedir;
}
@DeprecatedConfigurationProperty(replacement = "server.tomcat.remoteip.internal-proxies")
public String getInternalProxies() {
return this.internalProxies;
return this.remoteip.getInternalProxies();
}
public void setInternalProxies(String internalProxies) {
this.internalProxies = internalProxies;
this.remoteip.setInternalProxies(internalProxies);
}
@DeprecatedConfigurationProperty(replacement = "server.tomcat.remoteip.protocol-header")
public String getProtocolHeader() {
return this.protocolHeader;
return this.remoteip.getProtocolHeader();
}
public void setProtocolHeader(String protocolHeader) {
this.protocolHeader = protocolHeader;
this.remoteip.setProtocolHeader(protocolHeader);
}
@DeprecatedConfigurationProperty(replacement = "server.tomcat.remoteip.protocol-header-https-value")
public String getProtocolHeaderHttpsValue() {
return this.protocolHeaderHttpsValue;
return this.remoteip.getProtocolHeaderHttpsValue();
}
public void setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue) {
this.protocolHeaderHttpsValue = protocolHeaderHttpsValue;
this.remoteip.setProtocolHeaderHttpsValue(protocolHeaderHttpsValue);
}
@DeprecatedConfigurationProperty(replacement = "server.tomcat.remoteip.host-header")
public String getHostHeader() {
return this.remoteip.getHostHeader();
}
public void setHostHeader(String hostHeader) {
this.remoteip.setHostHeader(hostHeader);
}
@DeprecatedConfigurationProperty(replacement = "server.tomcat.remote.port-header")
public String getPortHeader() {
return this.portHeader;
return this.remoteip.getPortHeader();
}
public void setPortHeader(String portHeader) {
this.portHeader = portHeader;
this.remoteip.setPortHeader(portHeader);
}
@DeprecatedConfigurationProperty(replacement = "server.tomcat.remoteip.remote-ip-header")
public String getRemoteIpHeader() {
return this.remoteip.getRemoteIpHeader();
}
public void setRemoteIpHeader(String remoteIpHeader) {
this.remoteip.setRemoteIpHeader(remoteIpHeader);
}
public Boolean getRedirectContextRoot() {
@ -543,22 +534,6 @@ public class ServerProperties {
this.useRelativeRedirects = useRelativeRedirects;
}
public String getRemoteIpHeader() {
return this.remoteIpHeader;
}
public void setRemoteIpHeader(String remoteIpHeader) {
this.remoteIpHeader = remoteIpHeader;
}
public String getHostHeader() {
return this.hostHeader;
}
public void setHostHeader(String hostHeader) {
this.hostHeader = hostHeader;
}
public Charset getUriEncoding() {
return this.uriEncoding;
}
@ -639,6 +614,10 @@ public class ServerProperties {
return this.mbeanregistry;
}
public Remoteip getRemoteip() {
return this.remoteip;
}
/**
* Tomcat access log properties.
*/
@ -925,6 +904,96 @@ public class ServerProperties {
}
public static class Remoteip {
/**
* Regular expression that matches proxies that are to be trusted.
*/
private String internalProxies = "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 10/8
+ "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" // 192.168/16
+ "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16
+ "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 127/8
+ "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12
+ "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" //
+ "0:0:0:0:0:0:0:1|::1";
/**
* Header that holds the incoming protocol, usually named "X-Forwarded-Proto".
*/
private String protocolHeader;
/**
* Value of the protocol header indicating whether the incoming request uses
* SSL.
*/
private String protocolHeaderHttpsValue = "https";
/**
* Name of the HTTP header from which the remote host is extracted.
*/
private String hostHeader = "X-Forwarded-Host";
/**
* Name of the HTTP header used to override the original port value.
*/
private String portHeader = "X-Forwarded-Port";
/**
* Name of the HTTP header from which the remote IP is extracted. For
* instance, `X-FORWARDED-FOR`.
*/
private String remoteIpHeader;
public String getInternalProxies() {
return this.internalProxies;
}
public void setInternalProxies(String internalProxies) {
this.internalProxies = internalProxies;
}
public String getProtocolHeader() {
return this.protocolHeader;
}
public void setProtocolHeader(String protocolHeader) {
this.protocolHeader = protocolHeader;
}
public String getProtocolHeaderHttpsValue() {
return this.protocolHeaderHttpsValue;
}
public String getHostHeader() {
return this.hostHeader;
}
public void setHostHeader(String hostHeader) {
this.hostHeader = hostHeader;
}
public void setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue) {
this.protocolHeaderHttpsValue = protocolHeaderHttpsValue;
}
public String getPortHeader() {
return this.portHeader;
}
public void setPortHeader(String portHeader) {
this.portHeader = portHeader;
}
public String getRemoteIpHeader() {
return this.remoteIpHeader;
}
public void setRemoteIpHeader(String remoteIpHeader) {
this.remoteIpHeader = remoteIpHeader;
}
}
}
/**

17
spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java
Unescape Escape View File

@ -31,8 +31,8 @@ import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.springframework.boot.autoconfigure.web.ErrorProperties;
import org.springframework.boot.autoconfigure.web.ErrorProperties.IncludeStacktrace;
import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.boot.autoconfigure.web.ServerProperties.Tomcat;
import org.springframework.boot.autoconfigure.web.ServerProperties.Tomcat.Accesslog;
import org.springframework.boot.autoconfigure.web.ServerProperties.Tomcat.Remoteip;
import org.springframework.boot.cloud.CloudPlatform;
import org.springframework.boot.context.properties.PropertyMapper;
import org.springframework.boot.web.embedded.tomcat.ConfigurableTomcatWebServerFactory;
@ -55,6 +55,7 @@ import org.springframework.util.unit.DataSize;
* @author Andrew McGhie
* @author Dirk Deyne
* @author Rafiullah Hamedy
* @author Victor Mandujano
* @since 2.0.0
*/
public class TomcatWebServerFactoryCustomizer
@ -172,9 +173,9 @@ public class TomcatWebServerFactoryCustomizer
}
private void customizeRemoteIpValve(ConfigurableTomcatWebServerFactory factory) {
Tomcat tomcatProperties = this.serverProperties.getTomcat();
String protocolHeader = tomcatProperties.getProtocolHeader();
String remoteIpHeader = tomcatProperties.getRemoteIpHeader();
Remoteip remoteIpProperties = this.serverProperties.getTomcat().getRemoteip();
String protocolHeader = remoteIpProperties.getProtocolHeader();
String remoteIpHeader = remoteIpProperties.getRemoteIpHeader();
// For back compatibility the valve is also enabled if protocol-header is set
if (StringUtils.hasText(protocolHeader) || StringUtils.hasText(remoteIpHeader)
|| getOrDeduceUseForwardHeaders()) {
@ -185,10 +186,10 @@ public class TomcatWebServerFactoryCustomizer
}
// The internal proxies default to a white list of "safe" internal IP
// addresses
valve.setInternalProxies(tomcatProperties.getInternalProxies());
valve.setHostHeader(tomcatProperties.getHostHeader());
valve.setPortHeader(tomcatProperties.getPortHeader());
valve.setProtocolHeaderHttpsValue(tomcatProperties.getProtocolHeaderHttpsValue());
valve.setInternalProxies(remoteIpProperties.getInternalProxies());
valve.setHostHeader(remoteIpProperties.getHostHeader());
valve.setPortHeader(remoteIpProperties.getPortHeader());
valve.setProtocolHeaderHttpsValue(remoteIpProperties.getProtocolHeaderHttpsValue());
// ... so it's safe to add this valve by default.
factory.addEngineValves(valve);
}

6
spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java
Unescape Escape View File

@ -125,9 +125,9 @@ class ServerPropertiesTests {
map.put("server.tomcat.accesslog.rename-on-rotate", "true");
map.put("server.tomcat.accesslog.ipv6Canonical", "true");
map.put("server.tomcat.accesslog.request-attributes-enabled", "true");
map.put("server.tomcat.protocol-header", "X-Forwarded-Protocol");
map.put("server.tomcat.remote-ip-header", "Remote-Ip");
map.put("server.tomcat.internal-proxies", "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}");
map.put("server.tomcat.remoteip.protocol-header", "X-Forwarded-Protocol");
map.put("server.tomcat.remoteip.remote-ip-header", "Remote-Ip");
map.put("server.tomcat.remoteip.internal-proxies", "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}");
map.put("server.tomcat.background-processor-delay", "10");
map.put("server.tomcat.relaxed-path-chars", "|,<");
map.put("server.tomcat.relaxed-query-chars", "^ , | ");

32
spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java
Unescape Escape View File

@ -53,6 +53,7 @@ import static org.assertj.core.api.Assertions.assertThat;
* @author Stephane Nicoll
* @author Andrew McGhie
* @author Rafiullah Hamedy
* @author Victor Mandujano
*/
class TomcatWebServerFactoryCustomizerTests {
@ -177,9 +178,32 @@ class TomcatWebServerFactoryCustomizerTests {
@Test
void customRemoteIpValve() {
bind("server.tomcat.remoteip.remote-ip-header=x-my-remote-ip-header",
"server.tomcat.remoteip.protocol-header=x-my-protocol-header",
"server.tomcat.remoteip.internal-proxies=192.168.0.1",
"server.tomcat.remoteip.host-header=x-my-forward-host",
"server.tomcat.remoteip.port-header=x-my-forward-port",
"server.tomcat.remoteip.protocol-header-https-value=On");
TomcatServletWebServerFactory factory = customizeAndGetFactory();
assertThat(factory.getEngineValves()).hasSize(1);
Valve valve = factory.getEngineValves().iterator().next();
assertThat(valve).isInstanceOf(RemoteIpValve.class);
RemoteIpValve remoteIpValve = (RemoteIpValve) valve;
assertThat(remoteIpValve.getProtocolHeader()).isEqualTo("x-my-protocol-header");
assertThat(remoteIpValve.getProtocolHeaderHttpsValue()).isEqualTo("On");
assertThat(remoteIpValve.getRemoteIpHeader()).isEqualTo("x-my-remote-ip-header");
assertThat(remoteIpValve.getHostHeader()).isEqualTo("x-my-forward-host");
assertThat(remoteIpValve.getPortHeader()).isEqualTo("x-my-forward-port");
assertThat(remoteIpValve.getInternalProxies()).isEqualTo("192.168.0.1");
}
@Test
@Deprecated
void customRemoteIpValveWithDeprecatedProperties() {
bind("server.tomcat.remote-ip-header=x-my-remote-ip-header",
"server.tomcat.protocol-header=x-my-protocol-header", "server.tomcat.internal-proxies=192.168.0.1",
"server.tomcat.port-header=x-my-forward-port", "server.tomcat.protocol-header-https-value=On");
"server.tomcat.host-header=x-my-forward-host", "server.tomcat.port-header=x-my-forward-port",
"server.tomcat.protocol-header-https-value=On");
TomcatServletWebServerFactory factory = customizeAndGetFactory();
assertThat(factory.getEngineValves()).hasSize(1);
Valve valve = factory.getEngineValves().iterator().next();
@ -188,6 +212,7 @@ class TomcatWebServerFactoryCustomizerTests {
assertThat(remoteIpValve.getProtocolHeader()).isEqualTo("x-my-protocol-header");
assertThat(remoteIpValve.getProtocolHeaderHttpsValue()).isEqualTo("On");
assertThat(remoteIpValve.getRemoteIpHeader()).isEqualTo("x-my-remote-ip-header");
assertThat(remoteIpValve.getHostHeader()).isEqualTo("x-my-forward-host");
assertThat(remoteIpValve.getPortHeader()).isEqualTo("x-my-forward-port");
assertThat(remoteIpValve.getInternalProxies()).isEqualTo("192.168.0.1");
}
@ -237,7 +262,8 @@ class TomcatWebServerFactoryCustomizerTests {
@Test
void defaultRemoteIpValve() {
// Since 1.1.7 you need to specify at least the protocol
bind("server.tomcat.protocol-header=X-Forwarded-Proto", "server.tomcat.remote-ip-header=X-Forwarded-For");
bind("server.tomcat.remoteip.protocol-header=X-Forwarded-Proto",
"server.tomcat.remoteip.remote-ip-header=X-Forwarded-For");
testRemoteIpValveConfigured();
}
@ -277,7 +303,7 @@ class TomcatWebServerFactoryCustomizerTests {
@Test
void disableRemoteIpValve() {
bind("server.tomcat.remote-ip-header=", "server.tomcat.protocol-header=");
bind("server.tomcat.remoteip.remote-ip-header=", "server.tomcat.remoteip.protocol-header=");
TomcatServletWebServerFactory factory = customizeAndGetFactory();
assertThat(factory.getEngineValves()).isEmpty();
}

10
spring-boot-project/spring-boot-docs/src/main/asciidoc/howto.adoc
Unescape Escape View File

@ -804,8 +804,8 @@ If you use Tomcat, you can additionally configure the names of the headers used
[indent=0]
----
server.tomcat.remote-ip-header=x-your-remote-ip-header
server.tomcat.protocol-header=x-your-protocol-header
server.tomcat.remoteip.remote-ip-header=x-your-remote-ip-header
server.tomcat.remoteip.protocol-header=x-your-protocol-header
----
Tomcat is also configured with a default regular expression that matches internal proxies that are to be trusted.
@ -814,7 +814,7 @@ You can customize the valve's configuration by adding an entry to `application.p
[indent=0]
----
server.tomcat.internal-proxies=192\\.168\\.\\d{1,3}\\.\\d{1,3}
server.tomcat.remoteip.internal-proxies=192\\.168\\.\\d{1,3}\\.\\d{1,3}
----
NOTE: The double backslashes are required only when you use a properties file for configuration.
@ -2203,8 +2203,8 @@ You can switch on the valve by adding some entries to `application.properties`,
[source,properties,indent=0,configprops]
----
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.protocol-header=x-forwarded-proto
server.tomcat.remoteip.remote-ip-header=x-forwarded-for
server.tomcat.remoteip.protocol-header=x-forwarded-proto
----
(The presence of either of those properties switches on the valve.

Write Preview
Loading…
Cancel
Save