org.apache.catalina.filters

Class RemoteIpFilter

java.lang.Object

javax.servlet.GenericFilter

org.apache.catalina.filters.RemoteIpFilter

All Implemented Interfaces:

java.io.Serializable, Filter, FilterConfig

public class RemoteIpFilter
extends GenericFilter

Servlet filter to integrate "X-Forwarded-For" and "X-Forwarded-Proto" HTTP headers.

Most of the design of this Servlet Filter is a port of mod_remoteip, this servlet filter replaces the apparent client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request headers (e.g. "X-Forwarded-For").

Another feature of this servlet filter is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").

This servlet filter proceeds as follows:

If the incoming request.getRemoteAddr() matches the servlet filter's list of internal or trusted proxies:

• Loop on the comma delimited list of IPs and hostnames passed by the preceding load balancer or proxy in the given request's Http header named $remoteIpHeader (default value x-forwarded-for). Values are processed in right-to-left order.
• For each ip/host of the list:
  • if it matches the internal proxies list, the ip/host is swallowed
  • if it matches the trusted proxies list, the ip/host is added to the created proxies header
  • otherwise, the ip/host is declared to be the remote ip and looping is stopped.
• If the request http header named $protocolHeader (default value X-Forwarded-Proto) consists only of forwards that match protocolHeaderHttpsValue configuration parameter (default https) then request.isSecure = true, request.scheme = https and request.serverPort = 443. Note that 443 can be overwritten with the $httpsServerPort configuration parameter.
• Mark the request with the attribute Globals.REQUEST_FORWARDED_ATTRIBUTE and value Boolean.TRUE to indicate that this request has been forwarded by one or more proxies.

Configuration parameters

XForwardedFilter property	Description	Equivalent mod_remoteip directive	Format	Default Value
remoteIpHeader	Name of the Http Header read by this servlet filter that holds the list of traversed IP addresses starting from the requesting client	RemoteIPHeader	Compliant http header name	x-forwarded-for
internalProxies	Regular expression that matches the IP addresses of internal proxies. If they appear in the remoteIpHeader value, they will be trusted and will not appear in the proxiesHeader value	RemoteIPInternalProxy	Regular expression (in the syntax supported by java.util.regex)	10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}| 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}| 100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}| 100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}| 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}| 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}| 0:0:0:0:0:0:0:1|::1 By default, 10/8, 192.168/16, 169.254/16, 127/8, 100.64/10, 172.16/12, and 0:0:0:0:0:0:0:1 are allowed.
proxiesHeader	Name of the http header created by this servlet filter to hold the list of proxies that have been processed in the incoming remoteIpHeader	RemoteIPProxiesHeader	Compliant http header name	x-forwarded-by
trustedProxies	Regular expression that matches the IP addresses of trusted proxies. If they appear in the remoteIpHeader value, they will be trusted and will appear in the proxiesHeader value	RemoteIPTrustedProxy	Regular expression (in the syntax supported by java.util.regex)
protocolHeader	Name of the http header read by this servlet filter that holds the flag that this request	N/A	Compliant http header name like X-Forwarded-Proto, X-Forwarded-Ssl or Front-End-Https	X-Forwarded-Proto
protocolHeaderHttpsValue	Value of the protocolHeader to indicate that it is an Https request	N/A	String like https or ON	https
httpServerPort	Value returned by ServletRequest.getServerPort() when the protocolHeader indicates http protocol	N/A	integer	80
httpsServerPort	Value returned by ServletRequest.getServerPort() when the protocolHeader indicates https protocol	N/A	integer	443
enableLookups	Should a DNS lookup be performed to provide a host name when calling ServletRequest.getRemoteHost()	N/A	boolean	false

Regular expression vs. IP address blocks: mod_remoteip allows to use address blocks (e.g. 192.168/16) to configure RemoteIPInternalProxy and RemoteIPTrustedProxy ; as the JVM doesn't have a library similar to apr_ipsubnet_test, we rely on regular expressions.

Sample with internal proxies

XForwardedFilter configuration:

<filter> <filter-name>RemoteIpFilter</filter-name> <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class> <init-param> <param-name>internalProxies</param-name> <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value> </init-param> <init-param> <param-name>remoteIpHeader</param-name> <param-value>x-forwarded-for</param-value> </init-param> <init-param> <param-name>remoteIpProxiesHeader</param-name> <param-value>x-forwarded-by</param-value> </init-param> <init-param> <param-name>protocolHeader</param-name> <param-value>x-forwarded-proto</param-value> </init-param> </filter> <filter-mapping> <filter-name>RemoteIpFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>

Request Values

property	Value Before RemoteIpFilter	Value After RemoteIpFilter
request.remoteAddr	192.168.0.10	140.211.11.130
request.header['x-forwarded-for']	140.211.11.130, 192.168.0.10	null
request.header['x-forwarded-by']	null	null
request.header['x-forwarded-proto']	https	https
request.scheme	http	https
request.secure	false	true
request.serverPort	80	443

Note : x-forwarded-by header is null because only internal proxies as been traversed by the request. x-forwarded-by is null because all the proxies are trusted or internal.

Sample with trusted proxies

RemoteIpFilter configuration:

<filter> <filter-name>RemoteIpFilter</filter-name> <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class> <init-param> <param-name>internalProxies</param-name> <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value> </init-param> <init-param> <param-name>remoteIpHeader</param-name> <param-value>x-forwarded-for</param-value> </init-param> <init-param> <param-name>remoteIpProxiesHeader</param-name> <param-value>x-forwarded-by</param-value> </init-param> <init-param> <param-name>trustedProxies</param-name> <param-value>proxy1|proxy2</param-value> </init-param> </filter> <filter-mapping> <filter-name>RemoteIpFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>

Request Values

property	Value Before RemoteIpFilter	Value After RemoteIpFilter
request.remoteAddr	192.168.0.10	140.211.11.130
request.header['x-forwarded-for']	140.211.11.130, proxy1, proxy2	null
request.header['x-forwarded-by']	null	proxy1, proxy2

Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both are migrated in x-forwarded-by header. x-forwarded-by is null because all the proxies are trusted or internal.

Sample with internal and trusted proxies

RemoteIpFilter configuration:

<filter> <filter-name>RemoteIpFilter</filter-name> <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class> <init-param> <param-name>internalProxies</param-name> <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value> </init-param> <init-param> <param-name>remoteIpHeader</param-name> <param-value>x-forwarded-for</param-value> </init-param> <init-param> <param-name>remoteIpProxiesHeader</param-name> <param-value>x-forwarded-by</param-value> </init-param> <init-param> <param-name>trustedProxies</param-name> <param-value>proxy1|proxy2</param-value> </init-param> </filter> <filter-mapping> <filter-name>RemoteIpFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>

Request Values

property	Value Before RemoteIpFilter	Value After RemoteIpFilter
request.remoteAddr	192.168.0.10	140.211.11.130
request.header['x-forwarded-for']	140.211.11.130, proxy1, proxy2, 192.168.0.10	null
request.header['x-forwarded-by']	null	proxy1, proxy2

Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both are migrated in x-forwarded-by header. As 192.168.0.10 is an internal proxy, it does not appear in x-forwarded-by. x-forwarded-by is null because all the proxies are trusted or internal.

Sample with an untrusted proxy

RemoteIpFilter configuration:

<filter> <filter-name>RemoteIpFilter</filter-name> <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class> <init-param> <param-name>internalProxies</param-name> <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value> </init-param> <init-param> <param-name>remoteIpHeader</param-name> <param-value>x-forwarded-for</param-value> </init-param> <init-param> <param-name>remoteIpProxiesHeader</param-name> <param-value>x-forwarded-by</param-value> </init-param> <init-param> <param-name>trustedProxies</param-name> <param-value>proxy1|proxy2</param-value> </init-param> </filter> <filter-mapping> <filter-name>RemoteIpFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>

Request Values

property	Value Before RemoteIpFilter	Value After RemoteIpFilter
request.remoteAddr	192.168.0.10	untrusted-proxy
request.header['x-forwarded-for']	140.211.11.130, untrusted-proxy, proxy1	140.211.11.130
request.header['x-forwarded-by']	null	proxy1

Note : x-forwarded-by holds the trusted proxy proxy1. x-forwarded-by holds 140.211.11.130 because untrusted-proxy is not trusted and thus, we cannot trust that untrusted-proxy is the actual remote ip. request.remoteAddr is untrusted-proxy that is an IP verified by proxy1.

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	RemoteIpFilter.XForwardedRequest

Field Summary

Fields

Modifier and Type	Field and Description
protected static java.lang.String	CHANGE_LOCAL_NAME_PARAMETER
protected static java.lang.String	CHANGE_LOCAL_PORT_PARAMETER
protected static java.lang.String	ENABLE_LOOKUPS_PARAMETER
protected static java.lang.String	HOST_HEADER_PARAMETER
protected static java.lang.String	HTTP_SERVER_PORT_PARAMETER
protected static java.lang.String	HTTPS_SERVER_PORT_PARAMETER
protected static java.lang.String	INTERNAL_PROXIES_PARAMETER
protected static java.lang.String	PORT_HEADER_PARAMETER
protected static java.lang.String	PROTOCOL_HEADER_HTTPS_VALUE_PARAMETER
protected static java.lang.String	PROTOCOL_HEADER_PARAMETER
protected static java.lang.String	PROXIES_HEADER_PARAMETER
protected static java.lang.String	REMOTE_IP_HEADER_PARAMETER
protected static StringManager	sm
protected static java.lang.String	TRUSTED_PROXIES_PARAMETER

Constructor Summary

Constructors

Constructor and Description
RemoteIpFilter()

Method Summary

Modifier and Type	Method and Description
protected static java.lang.String[]	commaDelimitedListToStringArray(java.lang.String commaDelimitedStrings) Convert a given comma delimited list of regular expressions into an array of String
void	doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
void	doFilter(ServletRequest request, ServletResponse response, FilterChain chain) Wrap the incoming request in a RemoteIpFilter.XForwardedRequest if the http header x-forwarded-for is not empty.
boolean	getEnableLookups()
int	getHttpsServerPort()
java.util.regex.Pattern	getInternalProxies()
java.lang.String	getPortHeader()
java.lang.String	getProtocolHeader()
java.lang.String	getProtocolHeaderHttpsValue()
java.lang.String	getProxiesHeader()
java.lang.String	getRemoteIpHeader()
boolean	getRequestAttributesEnabled()
java.util.regex.Pattern	getTrustedProxies()
void	init() Convenience method for sub-classes to save them having to call super.init(config).
boolean	isChangeLocalName()
boolean	isChangeLocalPort()
protected static java.lang.String	listToCommaDelimitedString(java.util.List<java.lang.String> stringList) Deprecated. Unused. Will be removed in Tomcat 11 onwards
void	setChangeLocalName(boolean changeLocalName) If true, the return values for both ServletRequest.getLocalName() and ServletRequest.getServerName() will be modified by this Filter rather than just ServletRequest.getServerName().
void	setChangeLocalPort(boolean changeLocalPort) If true, the return values for both ServletRequest.getLocalPort() and ServletRequest.getServerPort() will be modified by this Filter rather than just ServletRequest.getServerPort().
void	setEnableLookups(boolean enableLookups)
void	setHostHeader(java.lang.String hostHeader) Header that holds the incoming host, usually named X-Forwarded-Host.
void	setHttpServerPort(int httpServerPort) Server Port value if the protocolHeader indicates HTTP (i.e.
void	setHttpsServerPort(int httpsServerPort) Server Port value if the protocolHeader indicates HTTPS Default value : 443
void	setInternalProxies(java.lang.String internalProxies) Regular expression that defines the internal proxies.
void	setPortHeader(java.lang.String portHeader) Header that holds the incoming port, usually named X-Forwarded-Port.
void	setProtocolHeader(java.lang.String protocolHeader) Header that holds the incoming protocol, usually named X-Forwarded-Proto.
void	setProtocolHeaderHttpsValue(java.lang.String protocolHeaderHttpsValue) Case insensitive value of the protocol header to indicate that the incoming http request uses HTTPS.
void	setProxiesHeader(java.lang.String proxiesHeader) The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP addresses trusted to resolve the actual remote IP.
void	setRemoteIpHeader(java.lang.String remoteIpHeader) Name of the http header from which the remote ip is extracted.
void	setRequestAttributesEnabled(boolean requestAttributesEnabled) Should this filter set request attributes for IP address, Hostname, protocol and port used for the request?
void	setTrustedProxies(java.lang.String trustedProxies) Regular expression defining proxies that are trusted when they appear in the remoteIpHeader header.

Methods inherited from class javax.servlet.GenericFilter

getFilterConfig, getFilterName, getInitParameter, getInitParameterNames, getServletContext, init

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface javax.servlet.Filter

destroy

Field Detail

HTTP_SERVER_PORT_PARAMETER

protected static final java.lang.String HTTP_SERVER_PORT_PARAMETER

See Also:

Constant Field Values

HTTPS_SERVER_PORT_PARAMETER

protected static final java.lang.String HTTPS_SERVER_PORT_PARAMETER

See Also:

Constant Field Values

INTERNAL_PROXIES_PARAMETER

protected static final java.lang.String INTERNAL_PROXIES_PARAMETER

See Also:

Constant Field Values

sm

protected static final StringManager sm

PROTOCOL_HEADER_PARAMETER

protected static final java.lang.String PROTOCOL_HEADER_PARAMETER

See Also:

Constant Field Values

PROTOCOL_HEADER_HTTPS_VALUE_PARAMETER

protected static final java.lang.String PROTOCOL_HEADER_HTTPS_VALUE_PARAMETER

See Also:

Constant Field Values

HOST_HEADER_PARAMETER

protected static final java.lang.String HOST_HEADER_PARAMETER

See Also:

Constant Field Values

PORT_HEADER_PARAMETER

protected static final java.lang.String PORT_HEADER_PARAMETER

See Also:

Constant Field Values

CHANGE_LOCAL_NAME_PARAMETER

protected static final java.lang.String CHANGE_LOCAL_NAME_PARAMETER

See Also:

Constant Field Values

CHANGE_LOCAL_PORT_PARAMETER

protected static final java.lang.String CHANGE_LOCAL_PORT_PARAMETER

See Also:

Constant Field Values

PROXIES_HEADER_PARAMETER

protected static final java.lang.String PROXIES_HEADER_PARAMETER

See Also:

Constant Field Values

REMOTE_IP_HEADER_PARAMETER

protected static final java.lang.String REMOTE_IP_HEADER_PARAMETER

See Also:

Constant Field Values

TRUSTED_PROXIES_PARAMETER

protected static final java.lang.String TRUSTED_PROXIES_PARAMETER

See Also:

Constant Field Values

ENABLE_LOOKUPS_PARAMETER

protected static final java.lang.String ENABLE_LOOKUPS_PARAMETER

See Also:

Constant Field Values

Constructor Detail

RemoteIpFilter

public RemoteIpFilter()

Method Detail

commaDelimitedListToStringArray

protected static java.lang.String[] commaDelimitedListToStringArray(java.lang.String commaDelimitedStrings)

Convert a given comma delimited list of regular expressions into an array of String

Parameters:

commaDelimitedStrings - The string to split

Returns:

array of patterns (non null)

listToCommaDelimitedString

@Deprecated
protected static java.lang.String listToCommaDelimitedString(java.util.List<java.lang.String> stringList)

Deprecated. Unused. Will be removed in Tomcat 11 onwards

Convert a list of strings in a comma delimited string.

Parameters:

stringList - List of strings

Returns:

concatenated string

doFilter

public void doFilter(HttpServletRequest request,
                     HttpServletResponse response,
                     FilterChain chain)
              throws java.io.IOException,
                     ServletException

Throws:

java.io.IOException

ServletException

doFilter

public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain)
              throws java.io.IOException,
                     ServletException

Wrap the incoming request in a RemoteIpFilter.XForwardedRequest if the http header x-forwarded-for is not empty. The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.

A typical implementation of this method would follow the following pattern:-
1. Examine the request
2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
5. Directly set headers on the response after invocation of the next entity in the filter chain.

Parameters:

request - The request to process

response - The response associated with the request

chain - Provides access to the next filter in the chain for this filter to pass the request and response to for further processing

Throws:

java.io.IOException - if an I/O error occurs during this filter's processing of the request

ServletException - if the processing fails for any other reason

isChangeLocalName

public boolean isChangeLocalName()

isChangeLocalPort

public boolean isChangeLocalPort()

getHttpsServerPort

public int getHttpsServerPort()

getInternalProxies

public java.util.regex.Pattern getInternalProxies()

getProtocolHeader

public java.lang.String getProtocolHeader()

getPortHeader

public java.lang.String getPortHeader()

getProtocolHeaderHttpsValue

public java.lang.String getProtocolHeaderHttpsValue()

getProxiesHeader

public java.lang.String getProxiesHeader()

getRemoteIpHeader

public java.lang.String getRemoteIpHeader()

getRequestAttributesEnabled

public boolean getRequestAttributesEnabled()

Returns:

true if the attributes will be logged, otherwise false

See Also:

setRequestAttributesEnabled(boolean)

getTrustedProxies

public java.util.regex.Pattern getTrustedProxies()

getEnableLookups

public boolean getEnableLookups()

init

public void init()
          throws ServletException

Description copied from class: javax.servlet.GenericFilter

Convenience method for sub-classes to save them having to call super.init(config). This is a NO-OP by default.

Overrides:

init in class GenericFilter

Throws:

ServletException - If an exception occurs that interrupts the Filter's normal operation

setChangeLocalName

public void setChangeLocalName(boolean changeLocalName)

If true, the return values for both ServletRequest.getLocalName() and ServletRequest.getServerName() will be modified by this Filter rather than just ServletRequest.getServerName().

Default value : false

Parameters:

changeLocalName - The new flag value

setChangeLocalPort

public void setChangeLocalPort(boolean changeLocalPort)

If true, the return values for both ServletRequest.getLocalPort() and ServletRequest.getServerPort() will be modified by this Filter rather than just ServletRequest.getServerPort().

Default value : false

Parameters:

changeLocalPort - The new flag value

setHttpServerPort

public void setHttpServerPort(int httpServerPort)

Server Port value if the protocolHeader indicates HTTP (i.e. protocolHeader is not null and has a value different of protocolHeaderHttpsValue).

Default value : 80

Parameters:

httpServerPort - The server port to use

setHttpsServerPort

public void setHttpsServerPort(int httpsServerPort)

Server Port value if the protocolHeader indicates HTTPS

Default value : 443

Parameters:

httpsServerPort - The server port to use

setInternalProxies

public void setInternalProxies(java.lang.String internalProxies)

Regular expression that defines the internal proxies.

Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254.\d{1,3}.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1

Parameters:

internalProxies - The regexp

setHostHeader

public void setHostHeader(java.lang.String hostHeader)

Header that holds the incoming host, usually named X-Forwarded-Host.

Default value : null

Parameters:

hostHeader - The header name

setPortHeader

public void setPortHeader(java.lang.String portHeader)

Header that holds the incoming port, usually named X-Forwarded-Port. If null, httpServerPort or httpsServerPort will be used.

Default value : null

Parameters:

portHeader - The header name

setProtocolHeader

public void setProtocolHeader(java.lang.String protocolHeader)

Header that holds the incoming protocol, usually named X-Forwarded-Proto. If null, request.scheme and request.secure will not be modified.

Default value : X-Forwarded-Proto

Parameters:

protocolHeader - The header name

setProtocolHeaderHttpsValue

public void setProtocolHeaderHttpsValue(java.lang.String protocolHeaderHttpsValue)

Case insensitive value of the protocol header to indicate that the incoming http request uses HTTPS.

Default value : https

Parameters:

protocolHeaderHttpsValue - The header value

setProxiesHeader

public void setProxiesHeader(java.lang.String proxiesHeader)

The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header, while any intermediate RemoteIPInternalProxy addresses are discarded.

Name of the http header that holds the list of trusted proxies that has been traversed by the http request.

The value of this header can be comma delimited.

Default value : X-Forwarded-By

Parameters:

proxiesHeader - The header name

setRemoteIpHeader

public void setRemoteIpHeader(java.lang.String remoteIpHeader)

Name of the http header from which the remote ip is extracted.

The value of this header can be comma delimited.

Default value : X-Forwarded-For

Parameters:

remoteIpHeader - The header name

setRequestAttributesEnabled

public void setRequestAttributesEnabled(boolean requestAttributesEnabled)

Should this filter set request attributes for IP address, Hostname, protocol and port used for the request? This are typically used in conjunction with an AccessLog which will otherwise log the original values. Default is true. The attributes set are:

• org.apache.catalina.AccessLog.RemoteAddr
• org.apache.catalina.AccessLog.RemoteHost
• org.apache.catalina.AccessLog.Protocol
• org.apache.catalina.AccessLog.ServerPort
• org.apache.tomcat.remoteAddr

Parameters:

requestAttributesEnabled - true causes the attributes to be set, false disables the setting of the attributes.

setTrustedProxies

public void setTrustedProxies(java.lang.String trustedProxies)

Regular expression defining proxies that are trusted when they appear in the remoteIpHeader header.

Default value : empty list, no external proxy is trusted.

Parameters:

trustedProxies - The trusted proxies regexp

setEnableLookups

public void setEnableLookups(boolean enableLookups)