Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

fr.xebia.servlet.filter
Class XForwardedFilter

java.lang.Object
  extended by fr.xebia.servlet.filter.XForwardedFilter
All Implemented Interfaces:
javax.servlet.Filter
public class XForwardedFilter
extends Object
implements javax.servlet.Filter

Servlet filter to integrate "X-Forwarded-For" and "X-Forwarded-Proto" HTTP headers.

Most of the design of this Servlet Filter is a port of mod_remoteip, this servlet filter replaces the apparent client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request headers (e.g. "X-Forwarded-For").

Another feature of this servlet filter is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").

This servlet filter proceeds as follows:

If the incoming request.getRemoteAddr() matches the servlet filter's list of internal proxies :

Configuration parameters:

XForwardedFilter property Description Equivalent mod_remoteip directive Format Default Value
remoteIPHeader Name of the Http Header read by this servlet filter that holds the list of traversed IP addresses starting from the requesting client RemoteIPHeader Compliant http header name x-forwarded-for
allowedInternalProxies List of internal proxies ip adress. If they appear in the remoteIpHeader value, they will be trusted and will not appear in the proxiesHeader value RemoteIPInternalProxy Comma delimited list of regular expressions (in the syntax supported by the Pattern library) 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 172\\.(?:1[6-9]|2\\d|3[0-1]).\\d{1,3}.\\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}
By default, 10/8, 192.168/16, 172.16/12, 169.254/16 and 127/8 are allowed
proxiesHeader Name of the http header created by this servlet filter to hold the list of proxies that have been processed in the incoming remoteIPHeader RemoteIPProxiesHeader Compliant http header name x-forwarded-by
trustedProxies List of trusted proxies ip adress. If they appear in the remoteIpHeader value, they will be trusted and will appear in the proxiesHeader value RemoteIPTrustedProxy Comma delimited list of regular expressions (in the syntax supported by the Pattern library)  
protocolHeader Name of the http header read by this servlet filter that holds the flag that this request N/A Compliant http header name like X-Forwarded-Proto, X-Forwarded-Ssl or Front-End-Https null
protocolHeaderHttpsValue Value of the protocolHeader to indicate that it is an Https request N/A String like https or ON https
httpServerPort Value returned by ServletRequest.getServerPort() when the protocolHeader indicates http protocol N/A integer 80
httpsServerPort Value returned by ServletRequest.getServerPort() when the protocolHeader indicates https protocol N/A integer 443

Regular expression vs. IP address blocks: mod_remoteip allows to use address blocks (e.g. 192.168/16) to configure RemoteIPInternalProxy and RemoteIPTrustedProxy ; as the JVM doesnt have a library similar to apr_ipsubnet_test.

Sample with internal proxies

XForwardedFilter configuration: 

 <filter>
    <filter-name>XForwardedFilter</filter-name>
    <filter-class>fr.xebia.servlet.filter.XForwardedFilter</filter-class>
    <init-param>
       <param-name>allowedInternalProxies</param-name><param-value>192\.168\.0\.10, 192\.168\.0\.11</param-value>
    </init-param>
    <init-param>
       <param-name>remoteIPHeader</param-name><param-value>x-forwarded-for</param-value>
    </init-param>
    <init-param>
       <param-name>remoteIPProxiesHeader</param-name><param-value>x-forwarded-by</param-value>
    </init-param>
    <init-param>
       <param-name>protocolHeader</param-name><param-value>x-forwarded-proto</param-value>
    </init-param>
 </filter>
 
 <filter-mapping>
    <filter-name>XForwardedFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
 </filter-mapping>

Request values:

property Value Before XForwardedFilter Value After XForwardedFilter
request.remoteAddr 192.168.0.10 140.211.11.130
request.header['x-forwarded-for'] 140.211.11.130, 192.168.0.10 null
request.header['x-forwarded-by'] null null
request.header['x-forwarded-proto'] https https
request.scheme http https
request.secure false true
request.serverPort 80 443
Note : x-forwarded-by header is null because only internal proxies as been traversed by the request. x-forwarded-by is null because all the proxies are trusted or internal.

Sample with trusted proxies

XForwardedFilter configuration: 

 <filter>
    <filter-name>XForwardedFilter</filter-name>
    <filter-class>fr.xebia.servlet.filter.XForwardedFilter</filter-class>
    <init-param>
       <param-name>allowedInternalProxies</param-name><param-value>192\.168\.0\.10, 192\.168\.0\.11</param-value>
    </init-param>
    <init-param>
       <param-name>remoteIPHeader</param-name><param-value>x-forwarded-for</param-value>
    </init-param>
    <init-param>
       <param-name>remoteIPProxiesHeader</param-name><param-value>x-forwarded-by</param-value>
    </init-param>
    <init-param>
       <param-name>trustedProxies</param-name><param-value>proxy1, proxy2</param-value>
    </init-param>
 </filter>
 
 <filter-mapping>
    <filter-name>XForwardedFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
 </filter-mapping>

Request values:

property Value Before XForwardedFilter Value After XForwardedFilter
request.remoteAddr 192.168.0.10 140.211.11.130
request.header['x-forwarded-for'] 140.211.11.130, proxy1, proxy2 null
request.header['x-forwarded-by'] null proxy1, proxy2
Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both are migrated in x-forwarded-by header. x-forwarded-by is null because all the proxies are trusted or internal.

Sample with internal and trusted proxies

XForwardedFilter configuration: 

 <filter>
    <filter-name>XForwardedFilter</filter-name>
    <filter-class>fr.xebia.servlet.filter.XForwardedFilter</filter-class>
    <init-param>
       <param-name>allowedInternalProxies</param-name><param-value>192\.168\.0\.10, 192\.168\.0\.11</param-value>
    </init-param>
    <init-param>
       <param-name>remoteIPHeader</param-name><param-value>x-forwarded-for</param-value>
    </init-param>
    <init-param>
       <param-name>remoteIPProxiesHeader</param-name><param-value>x-forwarded-by</param-value>
    </init-param>
    <init-param>
       <param-name>trustedProxies</param-name><param-value>proxy1, proxy2</param-value>
    </init-param>
 </filter>
 
 <filter-mapping>
    <filter-name>XForwardedFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
 </filter-mapping>

Request values:

property Value Before XForwardedFilter Value After XForwardedFilter
request.remoteAddr 192.168.0.10 140.211.11.130
request.header['x-forwarded-for'] 140.211.11.130, proxy1, proxy2, 192.168.0.10 null
request.header['x-forwarded-by'] null proxy1, proxy2
Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both are migrated in x-forwarded-by header. As 192.168.0.10 is an internal proxy, it does not appear in x-forwarded-by. x-forwarded-by is null because all the proxies are trusted or internal.

Sample with an untrusted proxy

XForwardedFilter configuration: 

 <filter>
    <filter-name>XForwardedFilter</filter-name>
    <filter-class>fr.xebia.servlet.filter.XForwardedFilter</filter-class>
    <init-param>
       <param-name>allowedInternalProxies</param-name><param-value>192\.168\.0\.10, 192\.168\.0\.11</param-value>
    </init-param>
    <init-param>
       <param-name>remoteIPHeader</param-name><param-value>x-forwarded-for</param-value>
    </init-param>
    <init-param>
       <param-name>remoteIPProxiesHeader</param-name><param-value>x-forwarded-by</param-value>
    </init-param>
    <init-param>
       <param-name>trustedProxies</param-name><param-value>proxy1, proxy2</param-value>
    </init-param>
 </filter>
 
 <filter-mapping>
    <filter-name>XForwardedFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
 </filter-mapping>

Request values:

property Value Before XForwardedFilter Value After XForwardedFilter
request.remoteAddr 192.168.0.10 untrusted-proxy
request.header['x-forwarded-for'] 140.211.11.130, untrusted-proxy, proxy1 140.211.11.130
request.header['x-forwarded-by'] null proxy1
Note : x-forwarded-by holds the trusted proxy proxy1. x-forwarded-by holds 140.211.11.130 because untrusted-proxy is not trusted and thus, we can not trust that untrusted-proxy is the actual remote ip. request.remoteAddr is untrusted-proxy that is an IP verified by proxy1.

Nested Class Summary
static class XForwardedFilter.XForwardedRequest
           
 class XForwardedFilter.XForwardedResponse
           
 
Field Summary
protected static String HTTP_SERVER_PORT_PARAMETER
           
protected static String HTTPS_SERVER_PORT_PARAMETER
           
protected static String INTERNAL_PROXIES_PARAMETER
           
protected static String PROTOCOL_HEADER_PARAMETER
           
protected static String PROTOCOL_HEADER_SSL_VALUE_PARAMETER
           
protected static String PROXIES_HEADER_PARAMETER
           
protected static String REMOTE_IP_HEADER_PARAMETER
           
protected static String TRUSTED_PROXIES_PARAMETER
           
 
Constructor Summary
XForwardedFilter()
           
 
Method Summary
protected static Pattern[] commaDelimitedListToPatternArray(String commaDelimitedPatterns)
          Convert a given comma delimited list of regular expressions into an array of compiled Pattern
protected static String[] commaDelimitedListToStringArray(String commaDelimitedStrings)
          Convert a given comma delimited list of regular expressions into an array of String
 void destroy()
           
 void doFilter(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)
           
 void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
          Wrap the incoming request in a XForwardedFilter.XForwardedRequest if the http header x-forwareded-for is not empty.
 int getHttpsServerPort()
           
 Pattern[] getInternalProxies()
           
 String getProtocolHeader()
           
 String getProtocolHeaderSslValue()
           
 String getProxiesHeader()
           
 String getRemoteIPHeader()
           
 Pattern[] getTrustedProxies()
           
 void init(javax.servlet.FilterConfig filterConfig)
           
protected static String listToCommaDelimitedString(List<String> stringList)
          Convert an array of strings in a comma delimited string
protected static boolean matchesOne(String str, Pattern... patterns)
          Return true if the given str matches at least one of the given patterns.
 void setAllowedInternalProxies(String allowedInternalProxies)
           Comma delimited list of internal proxies.
 void setHttpServerPort(int httpServerPort)
           Server Port value if the protocolHeader does not indicate HTTPS
 void setHttpsServerPort(int httpsServerPort)
           Server Port value if the protocolHeader indicates HTTPS
 void setProtocolHeader(String protocolHeader)
           Header that holds the incoming protocol, usally named X-Forwarded-Proto.
 void setProtocolHeaderSslValue(String protocolHeaderSslValue)
           Case insensitive value of the protocol header to indicate that the incoming http request uses SSL.
 void setProxiesHeader(String proxiesHeader)
           The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP addresses trusted to resolve the actual remote IP.
 void setRemoteIPHeader(String remoteIPHeader)
           Name of the http header from which the remote ip is extracted.
 void setTrustedProxies(String trustedProxies)
           Comma delimited list of proxies that are trusted when they appear in the remoteIPHeader header.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

HTTP_SERVER_PORT_PARAMETER

protected static final String HTTP_SERVER_PORT_PARAMETER
See Also:
Constant Field Values

HTTPS_SERVER_PORT_PARAMETER

protected static final String HTTPS_SERVER_PORT_PARAMETER
See Also:
Constant Field Values

INTERNAL_PROXIES_PARAMETER

protected static final String INTERNAL_PROXIES_PARAMETER
See Also:
Constant Field Values

PROTOCOL_HEADER_PARAMETER

protected static final String PROTOCOL_HEADER_PARAMETER
See Also:
Constant Field Values

PROTOCOL_HEADER_SSL_VALUE_PARAMETER

protected static final String PROTOCOL_HEADER_SSL_VALUE_PARAMETER
See Also:
Constant Field Values

PROXIES_HEADER_PARAMETER

protected static final String PROXIES_HEADER_PARAMETER
See Also:
Constant Field Values

REMOTE_IP_HEADER_PARAMETER

protected static final String REMOTE_IP_HEADER_PARAMETER
See Also:
Constant Field Values

TRUSTED_PROXIES_PARAMETER

protected static final String TRUSTED_PROXIES_PARAMETER
See Also:
Constant Field Values
Constructor Detail

XForwardedFilter

public XForwardedFilter()
Method Detail

commaDelimitedListToPatternArray

protected static Pattern[] commaDelimitedListToPatternArray(String commaDelimitedPatterns)
Convert a given comma delimited list of regular expressions into an array of compiled Pattern

Returns:
array of patterns (not null)

commaDelimitedListToStringArray

protected static String[] commaDelimitedListToStringArray(String commaDelimitedStrings)
Convert a given comma delimited list of regular expressions into an array of String

Returns:
array of patterns (non null)

listToCommaDelimitedString

protected static String listToCommaDelimitedString(List<String> stringList)
Convert an array of strings in a comma delimited string

matchesOne

protected static boolean matchesOne(String str,
                                    Pattern... patterns)
Return true if the given str matches at least one of the given patterns.

destroy

public void destroy()
Specified by:
destroy in interface javax.servlet.Filter

doFilter

public void doFilter(javax.servlet.http.HttpServletRequest request,
                     javax.servlet.http.HttpServletResponse response,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException
Throws:
IOException
javax.servlet.ServletException

doFilter

public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException
Wrap the incoming request in a XForwardedFilter.XForwardedRequest if the http header x-forwareded-for is not empty.

Specified by:
doFilter in interface javax.servlet.Filter
Throws:
IOException
javax.servlet.ServletException

getHttpsServerPort

public int getHttpsServerPort()

getInternalProxies

public Pattern[] getInternalProxies()

getProtocolHeader

public String getProtocolHeader()

getProtocolHeaderSslValue

public String getProtocolHeaderSslValue()

getProxiesHeader

public String getProxiesHeader()

getRemoteIPHeader

public String getRemoteIPHeader()

getTrustedProxies

public Pattern[] getTrustedProxies()

init

public void init(javax.servlet.FilterConfig filterConfig)
          throws javax.servlet.ServletException
Specified by:
init in interface javax.servlet.Filter
Throws:
javax.servlet.ServletException

setAllowedInternalProxies

public void setAllowedInternalProxies(String allowedInternalProxies)

Comma delimited list of internal proxies. Expressed with regular expressions.

Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 172\\.(?:1[6-9]|2\\d|3[0-1]).\\d{1,3}.\\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}

setHttpServerPort

public void setHttpServerPort(int httpServerPort)

Server Port value if the protocolHeader does not indicate HTTPS

Default value : 80

setHttpsServerPort

public void setHttpsServerPort(int httpsServerPort)

Server Port value if the protocolHeader indicates HTTPS

Default value : 443

setProtocolHeader

public void setProtocolHeader(String protocolHeader)

Header that holds the incoming protocol, usally named X-Forwarded-Proto. If null, request.scheme and request.secure will not be modified.

Default value : null

setProtocolHeaderSslValue

public void setProtocolHeaderSslValue(String protocolHeaderSslValue)

Case insensitive value of the protocol header to indicate that the incoming http request uses SSL.

Default value : HTTPS

setProxiesHeader

public void setProxiesHeader(String proxiesHeader)

The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header, while any intermediate RemoteIPInternalProxy addresses are discarded.

Name of the http header that holds the list of trusted proxies that has been traversed by the http request.

The value of this header can be comma delimited.

Default value : X-Forwarded-By

setRemoteIPHeader

public void setRemoteIPHeader(String remoteIPHeader)

Name of the http header from which the remote ip is extracted.

The value of this header can be comma delimited.

Default value : X-Forwarded-For

setTrustedProxies

public void setTrustedProxies(String trustedProxies)

Comma delimited list of proxies that are trusted when they appear in the remoteIPHeader header. Can be expressed as a regular expression.

Default value : empty list, no external proxy is trusted.

Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD
Copyright © 2012. All Rights Reserved.