This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new afd4b752c9 Remove regex support for the RemoteIp[Filter|Valve]
afd4b752c9 is described below

commit afd4b752c99a64a5ca620d765db3a709648ff287
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Oct 1 20:01:26 2025 +0100

    Remove regex support for the RemoteIp[Filter|Valve]
---
 .../apache/catalina/filters/RemoteIpFilter.java    | 102 +++-------
 java/org/apache/catalina/valves/RemoteIpValve.java | 103 +++-------
 .../catalina/filters/TestRemoteIpFilter.java       | 118 +++--------
 .../apache/catalina/valves/TestRemoteIpValve.java  | 215 +++++++--------------
 webapps/docs/changelog.xml                         |   5 +
 webapps/docs/config/filter.xml                     |  56 +++---
 6 files changed, 181 insertions(+), 418 deletions(-)

diff --git a/java/org/apache/catalina/filters/RemoteIpFilter.java 
b/java/org/apache/catalina/filters/RemoteIpFilter.java
index 1632cb7d52..17c937381a 100644
--- a/java/org/apache/catalina/filters/RemoteIpFilter.java
+++ b/java/org/apache/catalina/filters/RemoteIpFilter.java
@@ -29,7 +29,6 @@ import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
-import java.util.regex.Pattern;
 
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.GenericFilter;
@@ -110,11 +109,11 @@ import org.apache.tomcat.util.res.StringManager;
  * </tr>
  * <tr>
  * <td>internalProxies</td>
- * <td>Either a comma separated list of CIDR blocks or a single regular 
expression that matches the IP addresses of
- * internal proxies. If they appear in the <code>remoteIpHeader</code> value, 
they will be trusted and will not appear
- * in the <code>proxiesHeader</code> value</td>
+ * <td>A comma separated list of CIDR blocks that matches the IP addresses of 
the internal proxies. If they appear in
+ * the <code>remoteIpHeader</code> value, they will be trusted and will not 
appear in the <code>proxiesHeader</code>
+ * value</td>
  * <td>RemoteIPInternalProxy</td>
- * <td>Comma separated list of CIDR blocks or a single regular expression 
{@link Pattern}</td>
+ * <td>Comma separated list of CIDR blocks</td>
  * 
<td>10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,100.64.0.0/10,127.0.0.0/8,::1/128,fe80::/10,fc00::/7</td>
  * </tr>
  * <tr>
@@ -127,11 +126,11 @@ import org.apache.tomcat.util.res.StringManager;
  * </tr>
  * <tr>
  * <td>trustedProxies</td>
- * <td>Either a comma separated list of CIDR blocks or a single regular 
expression that matches the IP addresses of
- * internal proxies. If they appear in the <code>remoteIpHeader</code> value, 
they will be trusted and will appear in
- * the <code>proxiesHeader</code> value</td>
+ * <td>A comma separated list of CIDR blocks that matches the IP addresses of 
the internal proxies. If they appear in
+ * the <code>remoteIpHeader</code> value, they will be trusted and will appear 
in the <code>proxiesHeader</code> value
+ * </td>
  * <td>RemoteIPTrustedProxy</td>
- * <td>Comma separated list of CIDR blocks or a single regular expression 
{@link Pattern}</td>
+ * <td>Comma separated list of CIDR blocks</td>
  * <td>&nbsp;</td>
  * </tr>
  * <tr>
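Review bot: The rewritten `trustedProxies` row still says the CIDR blocks match "the IP addresses of the internal proxies", which is the `internalProxies` wording carried over. The two attributes differ only in whether a matching address is listed in `proxiesHeader`, so the row should name the right set: `A comma separated list of CIDR blocks that match the IP addresses of the trusted proxies.` The same sentence is in the RemoteIpValve class Javadoc hunk (`@@ -108,11 +107,11 @@`). The table is part of the class Javadoc, which starts and ends outside this hunk.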
@@ -670,31 +669,14 @@ public class RemoteIpFilter extends GenericFilter {
 
     protected static final String ENABLE_LOOKUPS_PARAMETER = "enableLookups";
 
-    /**
-     * @see #setHttpServerPort(int)
-     */
     private int httpServerPort = 80;
 
-    /**
-     * @see #setHttpsServerPort(int)
-     */
     private int httpsServerPort = 443;
 
-    /**
-     * Regular expression pattern for internal proxies.
-     */
-    private Pattern internalProxiesRegex = null;
-
-    /**
-     * CIDR notation for internal proxies.
-     */
-    private NetMaskSet internalProxiesCidr =
+    private NetMaskSet internalProxies =
             
NetMaskSet.parse("10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,100.64.0.0/10,127.0.0.0/8,"
 +
                     "::1/128,fe80::/10,fc00::/7");
 
-    /**
-     * @see #setProtocolHeader(String)
-     */
     private String protocolHeader = "X-Forwarded-Proto";
 
     private String protocolHeaderHttpsValue = "https";
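Review bot: The `internalProxies` field loses its only comment in this hunk, although its initializer is the filter's default trust decision. Per the class Javadoc, any address in that set is trusted when it appears in `remoteIpHeader`. A one-line comment would keep that visible to maintainers, for example `// Default trust set: private, link-local, shared (100.64.0.0/10), loopback and IPv6 local ranges; narrow this if clients can connect from these ranges.` The same field and default appear in the RemoteIpValve hunk `@@ -352,66 +351,29 @@`.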
@@ -707,34 +689,17 @@ public class RemoteIpFilter extends GenericFilter {
 
     private boolean changeLocalPort = false;
 
-    /**
-     * @see #setProxiesHeader(String)
-     */
     private String proxiesHeader = "X-Forwarded-By";
 
-    /**
-     * @see #setRemoteIpHeader(String)
-     */
     private String remoteIpHeader = "X-Forwarded-For";
 
-    /**
-     * @see #setRequestAttributesEnabled(boolean)
-     */
     private boolean requestAttributesEnabled = true;
 
-    /**
-     * Regular expression notation for trusted proxies.
-     */
-    private Pattern trustedProxiesRegex = null;
-
-    /**
-     * CIDR notation for trusted proxies.
-     */
-    private NetMaskSet trustedProxiesCidr = null;
-
+    private NetMaskSet trustedProxies = null;
 
     private boolean enableLookups;
 
+
     public void doFilter(HttpServletRequest request, HttpServletResponse 
response, FilterChain chain)
             throws IOException, ServletException {
 
@@ -889,10 +854,7 @@ public class RemoteIpFilter extends GenericFilter {
      * @return {@code true} if the IP address is from an internal proxy, 
otherwise {@code false}
      */
     private boolean isInternalProxy(String remoteIp) {
-        if (internalProxiesRegex != null && 
internalProxiesRegex.matcher(remoteIp).matches()) {
-            return true;
-        }
-        return checkIsCidr(internalProxiesCidr, remoteIp);
+        return checkIsCidr(internalProxies, remoteIp);
     }
 
     /**
@@ -903,11 +865,7 @@ public class RemoteIpFilter extends GenericFilter {
      * @return {@code true} if the IP address is from a trusted proxy, 
otherwise {@code false}
      */
     private boolean isTrustedProxy(String remoteIp) {
-        if (trustedProxiesRegex != null && 
trustedProxiesRegex.matcher(remoteIp).matches()) {
-            return true;
-        }
-
-        return checkIsCidr(trustedProxiesCidr, remoteIp);
+        return checkIsCidr(trustedProxies, remoteIp);
     }
 
     private boolean checkIsCidr(NetMaskSet netMaskSet, String remoteIp) {
@@ -991,10 +949,8 @@ public class RemoteIpFilter extends GenericFilter {
      * @return The currently configured internal proxies.
      */
     public String getInternalProxies() {
-        if (internalProxiesCidr != null) {
-            return internalProxiesCidr.toString();
-        } else if (internalProxiesRegex != null) {
-            return internalProxiesRegex.toString();
+        if (internalProxies != null) {
+            return internalProxies.toString();
         } else {
             return null;
         }
@@ -1035,10 +991,8 @@ public class RemoteIpFilter extends GenericFilter {
      * @return The currently configured trusted proxies.
      */
     public String getTrustedProxies() {
-        if (trustedProxiesCidr != null) {
-            return trustedProxiesCidr.toString();
-        } else if (trustedProxiesRegex != null) {
-            return trustedProxiesRegex.toString();
+        if (trustedProxies != null) {
+            return trustedProxies.toString();
         } else {
             return null;
         }
@@ -1175,20 +1129,15 @@ public class RemoteIpFilter extends GenericFilter {
     }
 
     /**
-     * Set the internal proxies either as a comma separated list of CIDR 
blocks or a single regular expression.
+     * Set the internal proxies as a comma separated list of CIDR blocks.
      *
      * @param internalProxies The new internal proxies
      */
     public void setInternalProxies(String internalProxies) {
         if (internalProxies == null || internalProxies.isEmpty()) {
-            this.internalProxiesRegex = null;
-            this.internalProxiesCidr = null;
-        } else if (internalProxies.indexOf('/') > 0) {
-            this.internalProxiesRegex = null;
-            this.internalProxiesCidr = NetMaskSet.parse(internalProxies);
+            this.internalProxies = null;
         } else {
-            this.internalProxiesRegex = Pattern.compile(internalProxies);
-            this.internalProxiesCidr = null;
+            this.internalProxies = NetMaskSet.parse(internalProxies);
         }
     }
 
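Review bot: With the `indexOf('/')` branch removed, `setInternalProxies` hands every non-empty value to `NetMaskSet.parse`, so a configuration that still holds a regular expression from an earlier release is no longer recognised as one. `NetMaskSet.parse` is not shown in this diff; if it skips entries it cannot parse rather than throwing, such a value would leave the proxy set empty or partial with no signal. Requests would then be attributed to the proxy's own address, which matters wherever access rules or audit logs rely on the remote address. The setter should fail or log when an entry is not a valid address or CIDR block, and the Javadoc should state the contract, e.g. `Regular expressions are not supported; every entry must be an IP address or CIDR block.` The same applies to `setTrustedProxies` in the next hunk and to both setters in RemoteIpValve.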
@@ -1310,20 +1259,15 @@ public class RemoteIpFilter extends GenericFilter {
     }
 
     /**
-     * Set the trusted proxies either as a comma separated list of CIDR blocks 
or a single regular expression.
+     * Set the trusted proxies as a comma separated list of CIDR blocks.
      *
      * @param trustedProxies The new trusted proxies
      */
     public void setTrustedProxies(String trustedProxies) {
         if (trustedProxies == null || trustedProxies.isEmpty()) {
-            this.trustedProxiesRegex = null;
-            this.trustedProxiesCidr = null;
-        } else if (trustedProxies.indexOf('/') > 0) {
-            this.trustedProxiesRegex = null;
-            this.trustedProxiesCidr = NetMaskSet.parse(trustedProxies);
+            this.trustedProxies = null;
         } else {
-            this.trustedProxiesCidr = null;
-            this.trustedProxiesRegex = Pattern.compile(trustedProxies);
+            this.trustedProxies = NetMaskSet.parse(trustedProxies);
         }
     }
 
diff --git a/java/org/apache/catalina/valves/RemoteIpValve.java 
b/java/org/apache/catalina/valves/RemoteIpValve.java
index f54879070d..a10b09c407 100644
--- a/java/org/apache/catalina/valves/RemoteIpValve.java
+++ b/java/org/apache/catalina/valves/RemoteIpValve.java
@@ -22,7 +22,6 @@ import java.net.UnknownHostException;
 import java.util.ArrayDeque;
 import java.util.Deque;
 import java.util.Enumeration;
-import java.util.regex.Pattern;
 
 import jakarta.servlet.ServletException;
 
@@ -91,11 +90,11 @@ import org.apache.tomcat.util.http.parser.Host;
  * </tr>
  * <tr>
  * <td>internalProxies</td>
- * <td>Either a comma separated list of CIDR blocks or a single regular 
expression that matches the IP addresses of
- * internal proxies. If they appear in the <code>remoteIpHeader</code> value, 
they will be trusted and will not appear
- * in the <code>proxiesHeader</code> value</td>
+ * <td>A comma separated list of CIDR blocks that matches the IP addresses of 
the internal proxies. If they appear in
+ * the <code>remoteIpHeader</code> value, they will be trusted and will not 
appear in the <code>proxiesHeader</code>
+ * value</td>
  * <td>RemoteIPInternalProxy</td>
- * <td>Comma separated list of CIDR blocks or a single regular expression 
{@link Pattern}</td>
+ * <td>Comma separated list of CIDR blocks</td>
  * 
<td>10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,100.64.0.0/10,127.0.0.0/8,::1/128,fe80::/10,fc00::/7</td>
  * </tr>
  * <tr>
@@ -108,11 +107,11 @@ import org.apache.tomcat.util.http.parser.Host;
  * </tr>
  * <tr>
  * <td>trustedProxies</td>
- * <td>Either a comma separated list of CIDR blocks or a single regular 
expression that matches the IP addresses of
- * internal proxies. If they appear in the <code>remoteIpHeader</code> value, 
they will be trusted and will appear in
- * the <code>proxiesHeader</code> value</td>
+ * <td>A comma separated list of CIDR blocks that matches the IP addresses of 
the internal proxies. If they appear in
+ * the <code>remoteIpHeader</code> value, they will be trusted and will appear 
in the <code>proxiesHeader</code> value
+ * </td>
  * <td>RemoteIPTrustedProxy</td>
- * <td>Comma separated list of CIDR blocks or a single regular expression 
{@link Pattern}</td>
+ * <td>Comma separated list of CIDR blocks</td>
  * <td>&nbsp;</td>
  * </tr>
  * <tr>
@@ -352,66 +351,29 @@ public class RemoteIpValve extends ValveBase {
 
     private boolean changeLocalName = false;
 
-    /**
-     * @see #setHttpServerPort(int)
-     */
     private int httpServerPort = 80;
 
-    /**
-     * @see #setHttpsServerPort(int)
-     */
     private int httpsServerPort = 443;
 
     private String portHeader = null;
 
     private boolean changeLocalPort = false;
 
-    /**
-     * Regular expression pattern for internal proxies.
-     */
-    private Pattern internalProxiesRegex = null;
-
-    /**
-     * CIDR notation for internal proxies.
-     */
-    private NetMaskSet internalProxiesCidr =
+    private NetMaskSet internalProxies =
             
NetMaskSet.parse("10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,100.64.0.0/10,127.0.0.0/8,"
 +
                     "::1/128,fe80::/10,fc00::/7");
 
-    /**
-     * @see #setProtocolHeader(String)
-     */
     private String protocolHeader = "X-Forwarded-Proto";
 
-    /**
-     * @see #setProtocolHeaderHttpsValue(String)
-     */
     private String protocolHeaderHttpsValue = "https";
 
-    /**
-     * @see #setProxiesHeader(String)
-     */
     private String proxiesHeader = "X-Forwarded-By";
 
-    /**
-     * @see #setRemoteIpHeader(String)
-     */
     private String remoteIpHeader = "X-Forwarded-For";
 
-    /**
-     * @see #setRequestAttributesEnabled(boolean)
-     */
     private boolean requestAttributesEnabled = true;
 
-    /**
-     * Regular expression notation for trusted proxies.
-     */
-    private Pattern trustedProxiesRegex = null;
-
-    /**
-     * CIDR notation for trusted proxies.
-     */
-    private NetMaskSet trustedProxiesCidr = null;
+    private NetMaskSet trustedProxies = null;
 
 
     /**
@@ -492,10 +454,8 @@ public class RemoteIpValve extends ValveBase {
      * @return The currently configured internal proxies.
      */
     public String getInternalProxies() {
-        if (internalProxiesCidr != null) {
-            return internalProxiesCidr.toString();
-        } else if (internalProxiesRegex != null) {
-            return internalProxiesRegex.toString();
+        if (internalProxies != null) {
+            return internalProxies.toString();
         } else {
             return null;
         }
@@ -552,10 +512,8 @@ public class RemoteIpValve extends ValveBase {
      * @return The currently configured trusted proxies.
      */
     public String getTrustedProxies() {
-        if (trustedProxiesCidr != null) {
-            return trustedProxiesCidr.toString();
-        } else if (trustedProxiesRegex != null) {
-            return trustedProxiesRegex.toString();
+        if (trustedProxies != null) {
+            return trustedProxies.toString();
         } else {
             return null;
         }
@@ -753,10 +711,7 @@ public class RemoteIpValve extends ValveBase {
      * @return {@code true} if the IP address is from an internal proxy, 
otherwise {@code false}
      */
     private boolean isInternalProxy(String remoteIp) {
-        if (internalProxiesRegex != null && 
internalProxiesRegex.matcher(remoteIp).matches()) {
-            return true;
-        }
-        return checkIsCidr(internalProxiesCidr, remoteIp);
+        return checkIsCidr(internalProxies, remoteIp);
     }
 
     /**
@@ -767,11 +722,7 @@ public class RemoteIpValve extends ValveBase {
      * @return {@code true} if the IP address is from a trusted proxy, 
otherwise {@code false}
      */
     private boolean isTrustedProxy(String remoteIp) {
-        if (trustedProxiesRegex != null && 
trustedProxiesRegex.matcher(remoteIp).matches()) {
-            return true;
-        }
-
-        return checkIsCidr(trustedProxiesCidr, remoteIp);
+        return checkIsCidr(trustedProxies, remoteIp);
     }
 
     private boolean checkIsCidr(NetMaskSet netMaskSet, String remoteIp) {
@@ -854,20 +805,15 @@ public class RemoteIpValve extends ValveBase {
     }
 
     /**
-     * Set the internal proxies either as a comma separated list of CIDR 
blocks or a single regular expression.
+     * Set the internal proxies as a comma separated list of CIDR blocks.
      *
      * @param internalProxies The new internal proxies
      */
     public void setInternalProxies(String internalProxies) {
         if (internalProxies == null || internalProxies.isEmpty()) {
-            this.internalProxiesRegex = null;
-            this.internalProxiesCidr = null;
-        } else if (internalProxies.indexOf('/') > 0) {
-            this.internalProxiesRegex = null;
-            this.internalProxiesCidr = NetMaskSet.parse(internalProxies);
+            this.internalProxies = null;
         } else {
-            this.internalProxiesRegex = Pattern.compile(internalProxies);
-            this.internalProxiesCidr = null;
+            this.internalProxies = NetMaskSet.parse(internalProxies);
         }
     }
 
@@ -960,20 +906,15 @@ public class RemoteIpValve extends ValveBase {
     }
 
     /**
-     * Set the trusted proxies either as a comma separated list of CIDR blocks 
or a single regular expression.
+     * Set the trusted proxies as a comma separated list of CIDR blocks.
      *
      * @param trustedProxies The new trusted proxies
      */
     public void setTrustedProxies(String trustedProxies) {
         if (trustedProxies == null || trustedProxies.isEmpty()) {
-            this.trustedProxiesRegex = null;
-            this.trustedProxiesCidr = null;
-        } else if (trustedProxies.indexOf('/') > 0) {
-            this.trustedProxiesRegex = null;
-            this.trustedProxiesCidr = NetMaskSet.parse(trustedProxies);
+            this.trustedProxies = null;
         } else {
-            this.trustedProxiesCidr = null;
-            this.trustedProxiesRegex = Pattern.compile(trustedProxies);
+            this.trustedProxies = NetMaskSet.parse(trustedProxies);
         }
     }
 }
diff --git a/test/org/apache/catalina/filters/TestRemoteIpFilter.java 
b/test/org/apache/catalina/filters/TestRemoteIpFilter.java
index 7aca5d4dc2..5243a3c623 100644
--- a/test/org/apache/catalina/filters/TestRemoteIpFilter.java
+++ b/test/org/apache/catalina/filters/TestRemoteIpFilter.java
@@ -28,7 +28,6 @@ import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.regex.Pattern;
 
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
@@ -260,7 +259,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
         // PREPARE
         FilterDef filterDef = new FilterDef();
         filterDef.addInitParameter("internalProxies", 
"192\\.168\\.0\\.10|192\\.168\\.0\\.11");
-        filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+        filterDef.addInitParameter("trustedProxies", 
"200.0.0.1,200.0.0.2,200.0.0.3");
         filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
         filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
 
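Review bot: The context line at the top of this hunk still sets `internalProxies` to the regular expression `192\\.168\\.0\\.10|192\\.168\\.0\\.11`, which the filter now passes to the CIDR parser. Other tests in this commit were switched to `filterDef.addInitParameter("internalProxies", "192.168.0.10/31");`, so this one presumably should be too. If it is instead meant to cover an unparseable value, a comment and an assertion on the outcome would make that explicit. The same leftover value appears in the hunks at `@@ -291,7 +290,7 @@` and `@@ -498,7 +497,7 @@`. The test method starts and ends outside this hunk.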
@@ -291,7 +290,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
         // PREPARE
         FilterDef filterDef = new FilterDef();
         filterDef.addInitParameter("internalProxies", 
"192\\.168\\.0\\.10|192\\.168\\.0\\.11");
-        filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+        filterDef.addInitParameter("trustedProxies", 
"200.0.0.1,200.0.0.2,200.0.0.3");
         filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
         filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
 
@@ -323,8 +322,8 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
         // PREPARE
         RemoteIpFilter remoteIpFilter = new RemoteIpFilter();
         FilterDef filterDef = new FilterDef();
-        filterDef.addInitParameter("internalProxies", 
"192\\.168\\.0\\.10|192\\.168\\.0\\.11");
-        filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+        filterDef.addInitParameter("internalProxies", "192.168.0.10/31");
+        filterDef.addInitParameter("trustedProxies", 
"200.0.0.1,200.0.0.2,200.0.0.3");
         filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
         filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
 
@@ -333,7 +332,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 
         request.setRemoteAddr("192.168.0.10");
         request.setRemoteHost("remote-host-original-value");
-        request.setHeader("x-forwarded-for", "140.211.11.130, proxy1, proxy2");
+        request.setHeader("x-forwarded-for", "140.211.11.130, 200.0.0.1, 
200.0.0.2");
 
         // TEST
         HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, 
request).getRequest();
@@ -343,7 +342,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
         Assert.assertNull("all proxies are trusted, x-forwarded-for must be 
null", actualXForwardedFor);
 
         String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
-        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "proxy1,proxy2",
+        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "200.0.0.1,200.0.0.2",
                 actualXForwardedBy);
 
         String actualRemoteAddr = actualRequest.getRemoteAddr();
@@ -360,16 +359,16 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
         RemoteIpFilter remoteIpFilter = new RemoteIpFilter();
         FilterDef filterDef = new FilterDef();
         filterDef.addInitParameter("internalProxies", "");
-        filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+        filterDef.addInitParameter("trustedProxies", 
"200.0.0.1,200.0.0.2,200.0.0.3");
         filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
         filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
 
         filterDef.setFilter(remoteIpFilter);
         MockHttpServletRequest request = new MockHttpServletRequest();
 
-        request.setRemoteAddr("proxy3");
+        request.setRemoteAddr("200.0.0.3");
         request.setRemoteHost("remote-host-original-value");
-        request.setHeader("x-forwarded-for", "140.211.11.130, proxy1, proxy2");
+        request.setHeader("x-forwarded-for", "140.211.11.130, 200.0.0.1, 
200.0.0.2");
 
         // TEST
         HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, 
request).getRequest();
@@ -379,7 +378,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
         Assert.assertNull("all proxies are trusted, x-forwarded-for must be 
null", actualXForwardedFor);
 
         String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
-        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "proxy1,proxy2,proxy3",
+        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "200.0.0.1,200.0.0.2,200.0.0.3",
                 actualXForwardedBy);
 
         String actualRemoteAddr = actualRequest.getRemoteAddr();
@@ -395,16 +394,16 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
         // PREPARE
         RemoteIpFilter remoteIpFilter = new RemoteIpFilter();
         FilterDef filterDef = new FilterDef();
-        filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+        filterDef.addInitParameter("trustedProxies", 
"200.0.0.1,200.0.0.2,200.0.0.3");
         filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
         filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
 
         filterDef.setFilter(remoteIpFilter);
         MockHttpServletRequest request = new MockHttpServletRequest();
 
-        request.setRemoteAddr("proxy3");
+        request.setRemoteAddr("200.0.0.3");
         request.setRemoteHost("remote-host-original-value");
-        request.setHeader("x-forwarded-for", "140.211.11.130, proxy1, proxy2");
+        request.setHeader("x-forwarded-for", "140.211.11.130, 200.0.0.1, 
200.0.0.2");
 
         // TEST
         HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, 
request).getRequest();
@@ -414,7 +413,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
         Assert.assertNull("all proxies are trusted, x-forwarded-for must be 
null", actualXForwardedFor);
 
         String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
-        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "proxy1,proxy2,proxy3",
+        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "200.0.0.1,200.0.0.2,200.0.0.3",
                 actualXForwardedBy);
 
         String actualRemoteAddr = actualRequest.getRemoteAddr();
@@ -429,8 +428,8 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 
         // PREPARE
         FilterDef filterDef = new FilterDef();
-        filterDef.addInitParameter("internalProxies", 
"127\\.0\\.0\\.1|192\\.168\\..*|another-internal-proxy");
-        filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+        filterDef.addInitParameter("internalProxies", 
"127.0.0.1,192.168.0.0/16,10.0.0.1");
+        filterDef.addInitParameter("trustedProxies", 
"200.0.0.1,200.0.0.2,200.0.0.3");
         filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
         filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
 
@@ -438,8 +437,8 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
         request.setRemoteAddr("192.168.0.10");
         request.setRemoteHost("remote-host-original-value");
         request.addHeader("x-forwarded-for", "140.211.11.130");
-        request.addHeader("x-forwarded-for", "proxy1");
-        request.addHeader("x-forwarded-for", "proxy2");
+        request.addHeader("x-forwarded-for", "200.0.0.1");
+        request.addHeader("x-forwarded-for", "200.0.0.2");
 
         // TEST
         HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, 
request).getRequest();
@@ -449,7 +448,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
         Assert.assertNull("all proxies are trusted, x-forwarded-for must be 
null", actualXForwardedFor);
 
         String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
-        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "proxy1,proxy2",
+        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "200.0.0.1,200.0.0.2",
                 actualXForwardedBy);
 
         String actualRemoteAddr = actualRequest.getRemoteAddr();
@@ -464,8 +463,8 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 
         // PREPARE
         FilterDef filterDef = new FilterDef();
-        filterDef.addInitParameter("internalProxies", 
"192\\.168\\.0\\.10|192\\.168\\.0\\.11");
-        filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+        filterDef.addInitParameter("internalProxies", "192.168.0.10/31");
+        filterDef.addInitParameter("trustedProxies", 
"200.0.0.1,200.0.0.2,200.0.0.3");
         filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
         filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
 
@@ -473,7 +472,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 
         request.setRemoteAddr("192.168.0.10");
         request.setRemoteHost("remote-host-original-value");
-        request.setHeader("x-forwarded-for", "140.211.11.130, proxy1, proxy2, 
192.168.0.10, 192.168.0.11");
+        request.setHeader("x-forwarded-for", "140.211.11.130, 200.0.0.1, 
200.0.0.2, 192.168.0.10, 192.168.0.11");
 
         // TEST
         HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, 
request).getRequest();
@@ -483,7 +482,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
         Assert.assertNull("all proxies are trusted, x-forwarded-for must be 
null", actualXForwardedFor);
 
         String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
-        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "proxy1,proxy2",
+        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "200.0.0.1,200.0.0.2",
                 actualXForwardedBy);
 
         String actualRemoteAddr = actualRequest.getRemoteAddr();
@@ -498,7 +497,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
         // PREPARE
         FilterDef filterDef = new FilterDef();
         filterDef.addInitParameter("internalProxies", 
"192\\.168\\.0\\.10|192\\.168\\.0\\.11");
-        filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+        filterDef.addInitParameter("trustedProxies", 
"200.0.0.1,200.0.0.2,200.0.0.3");
         filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
         filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
 
@@ -506,14 +505,14 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 
         request.setRemoteAddr("not-allowed-internal-proxy");
         request.setRemoteHost("not-allowed-internal-proxy-host");
-        request.setHeader("x-forwarded-for", "140.211.11.130, proxy1, proxy2");
+        request.setHeader("x-forwarded-for", "140.211.11.130, 200.0.0.1, 
200.0.0.2");
 
         // TEST
         HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, 
request).getRequest();
 
         // VERIFY
         String actualXForwardedFor = 
actualRequest.getHeader("x-forwarded-for");
-        Assert.assertEquals("x-forwarded-for must be unchanged", 
"140.211.11.130, proxy1, proxy2", actualXForwardedFor);
+        Assert.assertEquals("x-forwarded-for must be unchanged", 
"140.211.11.130, 200.0.0.1, 200.0.0.2", actualXForwardedFor);
 
         String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
         Assert.assertNull("x-forwarded-by must be null", actualXForwardedBy);
@@ -529,8 +528,8 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
     public void testInvokeUntrustedProxyInTheChain() throws Exception {
         // PREPARE
         FilterDef filterDef = new FilterDef();
-        filterDef.addInitParameter("internalProxies", 
"192\\.168\\.0\\.10|192\\.168\\.0\\.11");
-        filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+        filterDef.addInitParameter("internalProxies", "192.168.0.10/31");
+        filterDef.addInitParameter("trustedProxies", 
"200.0.0.1,200.0.0.2,200.0.0.3");
         filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
         filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
 
@@ -538,18 +537,18 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 
         request.setRemoteAddr("192.168.0.10");
         request.setRemoteHost("remote-host-original-value");
-        request.setHeader("x-forwarded-for", "140.211.11.130, proxy1, 
untrusted-proxy, proxy2");
+        request.setHeader("x-forwarded-for", "140.211.11.130, 200.0.0.1, 
untrusted-proxy, 200.0.0.2");
 
         // TEST
         HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, 
request).getRequest();
 
         // VERIFY
         String actualXForwardedFor = 
actualRequest.getHeader("x-forwarded-for");
-        Assert.assertEquals("ip/host before untrusted-proxy must appear in 
x-forwarded-for", "140.211.11.130,proxy1",
+        Assert.assertEquals("ip/host before untrusted-proxy must appear in 
x-forwarded-for", "140.211.11.130,200.0.0.1",
                 actualXForwardedFor);
 
         String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
-        Assert.assertEquals("ip/host after untrusted-proxy must appear in  
x-forwarded-by", "proxy2",
+        Assert.assertEquals("ip/host after untrusted-proxy must appear in  
x-forwarded-by", "200.0.0.2",
                 actualXForwardedBy);
 
         String actualRemoteAddr = actualRequest.getRemoteAddr();
@@ -843,61 +842,6 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
         }
     }
 
-    @Test
-    public void testInternalProxiesRegex() throws Exception {
-        RemoteIpFilter remoteIpFilter = new RemoteIpFilter();
-        // Regex equivalent of default
-        
remoteIpFilter.setInternalProxies("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" +
-                "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" + 
"169\\.254\\.\\d{1,3}\\.\\d{1,3}|" +
-                "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" + 
"100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
-                "100\\.[7-9]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" + 
"100\\.1[0-1]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" +
-                "100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|" + 
"172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
-                "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + 
"172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
-                "0:0:0:0:0:0:0:1|::1|" + "fe[89ab]\\p{XDigit}:.*|" + 
"f[cd]\\p{XDigit}{2}+:.*");
-        Pattern internalProxiesPattern = 
Pattern.compile(remoteIpFilter.getInternalProxies());
-
-        doTestPattern(internalProxiesPattern, "8.8.8.8", false);
-        doTestPattern(internalProxiesPattern, "100.62.0.0", false);
-        doTestPattern(internalProxiesPattern, "100.63.255.255", false);
-        doTestPattern(internalProxiesPattern, "100.64.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.65.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.68.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.72.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.88.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.95.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.102.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.110.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.126.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.127.255.255", true);
-        doTestPattern(internalProxiesPattern, "100.128.0.0", false);
-        doTestPattern(internalProxiesPattern, "100.130.0.0", false);
-        // Bug 69600 - IPv6 RFC 4193 Unique Local IPv6 Unicast Addresses
-        doTestPattern(internalProxiesPattern, 
"fe79:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false);
-        doTestPattern(internalProxiesPattern, 
"fe80:0000:0000:0000:0000:0000:0000:0000", true);
-        doTestPattern(internalProxiesPattern, "fe80::", true);
-        doTestPattern(internalProxiesPattern, 
"fe80:0000:0000:0000:0000:0000:0000:0001", true);
-        doTestPattern(internalProxiesPattern, "fe80::1", true);
-        doTestPattern(internalProxiesPattern, 
"fe80:1234:5678:9abc:def0:1234:5678:9abc", true);
-        doTestPattern(internalProxiesPattern, 
"febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true);
-        doTestPattern(internalProxiesPattern, 
"fec0:0000:0000:0000:0000:0000:0000:0000", false);
-        doTestPattern(internalProxiesPattern, "fec0::", false);
-        // Bug 69600 - IPv6 RFC 4291 Link Local IPv6 Unicast Addresses
-        doTestPattern(internalProxiesPattern, 
"fbff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false);
-        doTestPattern(internalProxiesPattern, 
"fc00:0000:0000:0000:0000:0000:0000:0000", true);
-        doTestPattern(internalProxiesPattern, "fc00::", true);
-        doTestPattern(internalProxiesPattern, 
"fc00:0000:0000:0000:0000:0000:0000:0001", true);
-        doTestPattern(internalProxiesPattern, "fc00::1", true);
-        doTestPattern(internalProxiesPattern, 
"fc00:1234:5678:9abc:def0:1234:5678:9abc", true);
-        doTestPattern(internalProxiesPattern, 
"fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true);
-        doTestPattern(internalProxiesPattern, 
"fe00:0000:0000:0000:0000:0000:0000:0000", false);
-        doTestPattern(internalProxiesPattern, "fe00::", false);
-    }
-
-    private void doTestPattern(Pattern pattern, String input, boolean 
expectedMatch) {
-        boolean match = pattern.matcher(input).matches();
-        Assert.assertEquals(input, Boolean.valueOf(expectedMatch), 
Boolean.valueOf(match));
-    }
-
     @Test
     public void testInvokeAllowedRemoteAddrWithNullRemoteIpHeaderCidr() throws 
Exception {
         // PREPARE
diff --git a/test/org/apache/catalina/valves/TestRemoteIpValve.java 
b/test/org/apache/catalina/valves/TestRemoteIpValve.java
index 4d35fb55cc..d89a4ec601 100644
--- a/test/org/apache/catalina/valves/TestRemoteIpValve.java
+++ b/test/org/apache/catalina/valves/TestRemoteIpValve.java
@@ -21,7 +21,6 @@ import java.net.UnknownHostException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
-import java.util.regex.Pattern;
 
 import jakarta.servlet.ServletException;
 
@@ -117,8 +116,8 @@ public class TestRemoteIpValve {
     public void testInvokeAllowedRemoteAddrWithNullRemoteIpHeader() throws 
Exception {
         // PREPARE
         RemoteIpValve remoteIpValve = new RemoteIpValve();
-        remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 
192\\.168\\.0\\.11");
-        remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");
+        remoteIpValve.setInternalProxies("192.168.0.10/31");
+        remoteIpValve.setTrustedProxies("200.0.0.1, 200.0.0.2, 200.0.0.3");
         remoteIpValve.setRemoteIpHeader("x-forwarded-for");
         remoteIpValve.setProxiesHeader("x-forwarded-by");
         RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new 
RemoteAddrAndHostTrackerValve();
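Review bot: The replacement trusted-proxy values `200.0.0.1` to `200.0.0.3` are publicly routable addresses, and the same literals appear in the filter.xml configuration examples later in this commit, where readers are likely to copy them into a real `trustedProxies` list. The RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are reserved for this purpose, e.g. `remoteIpValve.setTrustedProxies("203.0.113.1, 203.0.113.2, 203.0.113.3");` (sample values). This applies to every hunk in both test classes that introduces the 200.0.0.x values, including the TestRemoteIpFilter hunks earlier in the diff. The method body continues past this hunk.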
@@ -157,8 +156,8 @@ public class TestRemoteIpValve {
 
         // PREPARE
         RemoteIpValve remoteIpValve = new RemoteIpValve();
-        
remoteIpValve.setInternalProxies("192\\.168\\.0\\.10|192\\.168\\.0\\.11");
-        remoteIpValve.setTrustedProxies("proxy1|proxy2|proxy3");
+        remoteIpValve.setInternalProxies("192.168.0.10/31");
+        remoteIpValve.setTrustedProxies("200.0.0.1,200.0.0.2,200.0.0.3");
         remoteIpValve.setRemoteIpHeader("x-forwarded-for");
         remoteIpValve.setProxiesHeader("x-forwarded-by");
         RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new 
RemoteAddrAndHostTrackerValve();
@@ -168,7 +167,7 @@ public class TestRemoteIpValve {
         request.setRemoteAddr("192.168.0.10");
         request.setRemoteHost("remote-host-original-value");
         request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
-                .setString("140.211.11.130, proxy1, proxy2");
+                .setString("140.211.11.130, 200.0.0.1, 200.0.0.2");
 
         // TEST
         remoteIpValve.invoke(request, null);
@@ -178,7 +177,7 @@ public class TestRemoteIpValve {
         Assert.assertNull("all proxies are trusted, x-forwarded-for must be 
null", actualXForwardedFor);
 
         String actualXForwardedBy = 
remoteAddrAndHostTrackerValve.getForwardedBy();
-        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "proxy1,proxy2",
+        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "200.0.0.1,200.0.0.2",
                 actualXForwardedBy);
 
         String actualRemoteAddr = 
remoteAddrAndHostTrackerValve.getRemoteAddr();
@@ -200,17 +199,17 @@ public class TestRemoteIpValve {
         // PREPARE
         RemoteIpValve remoteIpValve = new RemoteIpValve();
         remoteIpValve.setInternalProxies("");
-        remoteIpValve.setTrustedProxies("proxy1|proxy2|proxy3");
+        remoteIpValve.setTrustedProxies("200.0.0.1,200.0.0.2,200.0.0.3");
         remoteIpValve.setRemoteIpHeader("x-forwarded-for");
         remoteIpValve.setProxiesHeader("x-forwarded-by");
         RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new 
RemoteAddrAndHostTrackerValve();
         remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
 
         Request request = new MockRequest(new org.apache.coyote.Request());
-        request.setRemoteAddr("proxy3");
+        request.setRemoteAddr("200.0.0.3");
         request.setRemoteHost("remote-host-original-value");
         request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
-                .setString("140.211.11.130, proxy1, proxy2");
+                .setString("140.211.11.130, 200.0.0.1, 200.0.0.2");
 
         // TEST
         remoteIpValve.invoke(request, null);
@@ -220,7 +219,7 @@ public class TestRemoteIpValve {
         Assert.assertNull("all proxies are trusted, x-forwarded-for must be 
null", actualXForwardedFor);
 
         String actualXForwardedBy = 
remoteAddrAndHostTrackerValve.getForwardedBy();
-        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "proxy1,proxy2,proxy3",
+        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "200.0.0.1,200.0.0.2,200.0.0.3",
                 actualXForwardedBy);
 
         String actualRemoteAddr = 
remoteAddrAndHostTrackerValve.getRemoteAddr();
@@ -230,7 +229,7 @@ public class TestRemoteIpValve {
         Assert.assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);
 
         String actualPostInvokeRemoteAddr = request.getRemoteAddr();
-        Assert.assertEquals("postInvoke remoteAddr", "proxy3", 
actualPostInvokeRemoteAddr);
+        Assert.assertEquals("postInvoke remoteAddr", "200.0.0.3", 
actualPostInvokeRemoteAddr);
 
         String actualPostInvokeRemoteHost = request.getRemoteHost();
         Assert.assertEquals("postInvoke remoteAddr", 
"remote-host-original-value", actualPostInvokeRemoteHost);
@@ -241,17 +240,17 @@ public class TestRemoteIpValve {
 
         // PREPARE
         RemoteIpValve remoteIpValve = new RemoteIpValve();
-        remoteIpValve.setTrustedProxies("proxy1|proxy2|proxy3");
+        remoteIpValve.setTrustedProxies("200.0.0.1,200.0.0.2,200.0.0.3");
         remoteIpValve.setRemoteIpHeader("x-forwarded-for");
         remoteIpValve.setProxiesHeader("x-forwarded-by");
         RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new 
RemoteAddrAndHostTrackerValve();
         remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
 
         Request request = new MockRequest(new org.apache.coyote.Request());
-        request.setRemoteAddr("proxy3");
+        request.setRemoteAddr("200.0.0.3");
         request.setRemoteHost("remote-host-original-value");
         request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
-                .setString("140.211.11.130, proxy1, proxy2");
+                .setString("140.211.11.130, 200.0.0.1, 200.0.0.2");
 
         // TEST
         remoteIpValve.invoke(request, null);
@@ -261,7 +260,7 @@ public class TestRemoteIpValve {
         Assert.assertNull("all proxies are trusted, x-forwarded-for must be 
null", actualXForwardedFor);
 
         String actualXForwardedBy = 
remoteAddrAndHostTrackerValve.getForwardedBy();
-        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "proxy1,proxy2,proxy3",
+        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "200.0.0.1,200.0.0.2,200.0.0.3",
                 actualXForwardedBy);
 
         String actualRemoteAddr = 
remoteAddrAndHostTrackerValve.getRemoteAddr();
@@ -271,7 +270,7 @@ public class TestRemoteIpValve {
         Assert.assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);
 
         String actualPostInvokeRemoteAddr = request.getRemoteAddr();
-        Assert.assertEquals("postInvoke remoteAddr", "proxy3", 
actualPostInvokeRemoteAddr);
+        Assert.assertEquals("postInvoke remoteAddr", "200.0.0.3", 
actualPostInvokeRemoteAddr);
 
         String actualPostInvokeRemoteHost = request.getRemoteHost();
         Assert.assertEquals("postInvoke remoteAddr", 
"remote-host-original-value", actualPostInvokeRemoteHost);
@@ -282,8 +281,8 @@ public class TestRemoteIpValve {
 
         // PREPARE
         RemoteIpValve remoteIpValve = new RemoteIpValve();
-        
remoteIpValve.setInternalProxies("192\\.168\\.0\\.10|192\\.168\\.0\\.11");
-        remoteIpValve.setTrustedProxies("proxy1|proxy2|proxy3");
+        remoteIpValve.setInternalProxies("192.168.0.10/31");
+        remoteIpValve.setTrustedProxies("200.0.0.1,200.0.0.2,200.0.0.3");
         remoteIpValve.setRemoteIpHeader("x-forwarded-for");
         remoteIpValve.setProxiesHeader("x-forwarded-by");
         RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new 
RemoteAddrAndHostTrackerValve();
@@ -293,7 +292,7 @@ public class TestRemoteIpValve {
         request.setRemoteAddr("192.168.0.10");
         request.setRemoteHost("remote-host-original-value");
         request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
-                .setString("140.211.11.130, proxy1, proxy2, 192.168.0.10, 
192.168.0.11");
+                .setString("140.211.11.130, 200.0.0.1, 200.0.0.2, 
192.168.0.10, 192.168.0.11");
 
         // TEST
         remoteIpValve.invoke(request, null);
@@ -303,7 +302,7 @@ public class TestRemoteIpValve {
         Assert.assertNull("all proxies are trusted, x-forwarded-for must be 
null", actualXForwardedFor);
 
         String actualXForwardedBy = 
remoteAddrAndHostTrackerValve.getForwardedBy();
-        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "proxy1,proxy2",
+        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "200.0.0.1,200.0.0.2",
                 actualXForwardedBy);
 
         String actualRemoteAddr = 
remoteAddrAndHostTrackerValve.getRemoteAddr();
@@ -324,8 +323,8 @@ public class TestRemoteIpValve {
 
         // PREPARE
         RemoteIpValve remoteIpValve = new RemoteIpValve();
-        
remoteIpValve.setInternalProxies("192\\.168\\.0\\.10|192\\.168\\.0\\.11");
-        remoteIpValve.setTrustedProxies("proxy1|proxy2|proxy3");
+        remoteIpValve.setInternalProxies("192.168.0.10/31");
+        remoteIpValve.setTrustedProxies("200.0.0.1,200.0.0.2,200.0.0.3");
         remoteIpValve.setRemoteIpHeader("x-forwarded-for");
         remoteIpValve.setProxiesHeader("x-forwarded-by");
         RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new 
RemoteAddrAndHostTrackerValve();
@@ -365,8 +364,8 @@ public class TestRemoteIpValve {
 
         // PREPARE
         RemoteIpValve remoteIpValve = new RemoteIpValve();
-        
remoteIpValve.setInternalProxies("127\\.0\\.0\\.1|192\\.168\\..*|another-internal-proxy");
-        remoteIpValve.setTrustedProxies("proxy1|proxy2|proxy3");
+        remoteIpValve.setInternalProxies("127.0.0.1,192.168.0.0/16,10.0.0.1");
+        remoteIpValve.setTrustedProxies("200.0.0.1,200.0.0.2,200.0.0.3");
         remoteIpValve.setRemoteIpHeader("x-forwarded-for");
         remoteIpValve.setProxiesHeader("x-forwarded-by");
         RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new 
RemoteAddrAndHostTrackerValve();
@@ -376,8 +375,8 @@ public class TestRemoteIpValve {
         request.setRemoteAddr("192.168.0.10");
         request.setRemoteHost("remote-host-original-value");
         
request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130");
-        
request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("proxy1");
-        
request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("proxy2");
+        
request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("200.0.0.1");
+        
request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("200.0.0.2");
 
         // TEST
         remoteIpValve.invoke(request, null);
@@ -387,7 +386,7 @@ public class TestRemoteIpValve {
         Assert.assertNull("all proxies are trusted, x-forwarded-for must be 
null", actualXForwardedFor);
 
         String actualXForwardedBy = 
remoteAddrAndHostTrackerValve.getForwardedBy();
-        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "proxy1,proxy2",
+        Assert.assertEquals("all proxies are trusted, they must appear in 
x-forwarded-by", "200.0.0.1,200.0.0.2",
                 actualXForwardedBy);
 
         String actualRemoteAddr = 
remoteAddrAndHostTrackerValve.getRemoteAddr();
@@ -408,8 +407,6 @@ public class TestRemoteIpValve {
 
         // PREPARE
         RemoteIpValve remoteIpValve = new RemoteIpValve();
-        remoteIpValve.setInternalProxies(
-                
"172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}");
         remoteIpValve.setRemoteIpHeader("x-forwarded-for");
         remoteIpValve.setProtocolHeader("x-forwarded-proto");
         RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new 
RemoteAddrAndHostTrackerValve();
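Review bot: With the explicit `setInternalProxies(...)` call dropped, this test now depends on the valve's built-in default for internalProxies, and nothing in the test says so. The removed pattern covered only 172.16 to 172.31, so the test used to pin a narrow trust list. Now a change to the default could alter what this test checks without touching it. Either set the equivalent block explicitly, `remoteIpValve.setInternalProxies("172.16.0.0/12");`, or add a comment such as `// relies on the default internalProxies` above the valve setup. The method starts before and continues after this hunk, so the remote address it uses is not visible here.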
@@ -954,8 +951,8 @@ public class TestRemoteIpValve {
     public void testInvokeNotAllowedRemoteAddr() throws Exception {
         // PREPARE
         RemoteIpValve remoteIpValve = new RemoteIpValve();
-        
remoteIpValve.setInternalProxies("192\\.168\\.0\\.10|192\\.168\\.0\\.11");
-        remoteIpValve.setTrustedProxies("proxy1|proxy2|proxy3");
+        remoteIpValve.setInternalProxies("192.168.0.10/31");
+        remoteIpValve.setTrustedProxies("200.0.0.1,200.0.0.2,200.0.0.3");
         remoteIpValve.setRemoteIpHeader("x-forwarded-for");
         remoteIpValve.setProxiesHeader("x-forwarded-by");
         RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new 
RemoteAddrAndHostTrackerValve();
@@ -965,14 +962,14 @@ public class TestRemoteIpValve {
         request.setRemoteAddr("not-allowed-internal-proxy");
         request.setRemoteHost("not-allowed-internal-proxy-host");
         request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
-                .setString("140.211.11.130, proxy1, proxy2");
+                .setString("140.211.11.130, 200.0.0.1, 200.0.0.2");
 
         // TEST
         remoteIpValve.invoke(request, null);
 
         // VERIFY
         String actualXForwardedFor = request.getHeader("x-forwarded-for");
-        Assert.assertEquals("x-forwarded-for must be unchanged", 
"140.211.11.130, proxy1, proxy2", actualXForwardedFor);
+        Assert.assertEquals("x-forwarded-for must be unchanged", 
"140.211.11.130, 200.0.0.1, 200.0.0.2", actualXForwardedFor);
 
         String actualXForwardedBy = request.getHeader("x-forwarded-by");
         Assert.assertNull("x-forwarded-by must be null", actualXForwardedBy);
@@ -994,8 +991,8 @@ public class TestRemoteIpValve {
     public void testInvokeUntrustedProxyInTheChain() throws Exception {
         // PREPARE
         RemoteIpValve remoteIpValve = new RemoteIpValve();
-        
remoteIpValve.setInternalProxies("192\\.168\\.0\\.10|192\\.168\\.0\\.11");
-        remoteIpValve.setTrustedProxies("proxy1|proxy2|proxy3");
+        remoteIpValve.setInternalProxies("192.168.0.10/31");
+        remoteIpValve.setTrustedProxies("200.0.0.1,200.0.0.2,200.0.0.3");
         remoteIpValve.setRemoteIpHeader("x-forwarded-for");
         remoteIpValve.setProxiesHeader("x-forwarded-by");
         RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new 
RemoteAddrAndHostTrackerValve();
@@ -1005,18 +1002,18 @@ public class TestRemoteIpValve {
         request.setRemoteAddr("192.168.0.10");
         request.setRemoteHost("remote-host-original-value");
         request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
-                .setString("140.211.11.130, proxy1, untrusted-proxy, proxy2");
+                .setString("140.211.11.130, 200.0.0.1, untrusted-proxy, 
200.0.0.2");
 
         // TEST
         remoteIpValve.invoke(request, null);
 
         // VERIFY
         String actualXForwardedFor = 
remoteAddrAndHostTrackerValve.getForwardedFor();
-        Assert.assertEquals("ip/host before untrusted-proxy must appear in 
x-forwarded-for", "140.211.11.130,proxy1",
+        Assert.assertEquals("ip/host before untrusted-proxy must appear in 
x-forwarded-for", "140.211.11.130,200.0.0.1",
                 actualXForwardedFor);
 
         String actualXForwardedBy = 
remoteAddrAndHostTrackerValve.getForwardedBy();
-        Assert.assertEquals("ip/host after untrusted-proxy must appear in  
x-forwarded-by", "proxy2",
+        Assert.assertEquals("ip/host after untrusted-proxy must appear in  
x-forwarded-by", "200.0.0.2",
                 actualXForwardedBy);
 
         String actualRemoteAddr = 
remoteAddrAndHostTrackerValve.getRemoteAddr();
@@ -1106,61 +1103,6 @@ public class TestRemoteIpValve {
                 request.getAttribute(Globals.REQUEST_FORWARDED_ATTRIBUTE));
     }
 
-    @Test
-    public void testRequestForwardedForWithPortNumber() throws Exception {
-
-        // PREPARE
-        RemoteIpValve remoteIpValve = new RemoteIpValve();
-        RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new 
RemoteAddrAndHostTrackerValve();
-        remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
-
-        Request request = new MockRequest(new org.apache.coyote.Request());
-        // client ip
-        request.setRemoteAddr("192.168.0.10");
-        request.setRemoteHost("192.168.0.10");
-        
request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130:1234");
-        // protocol
-        request.setServerPort(8080);
-        request.getCoyoteRequest().scheme().setString("http");
-
-        // TEST
-        remoteIpValve.invoke(request, null);
-
-        // VERIFY
-
-        Assert.assertEquals("140.211.11.130:1234", 
remoteAddrAndHostTrackerValve.getRemoteAddr());
-    }
-
-    @Test
-    public void testRequestForwardedForWithProxyPortNumber() throws Exception {
-
-        // PREPARE
-        RemoteIpValve remoteIpValve = new RemoteIpValve();
-        // remoteIpValve.setRemoteIpHeader("x-forwarded-for");
-        // remoteIpValve.setProtocolHeader("x-forwarded-proto");
-        RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new 
RemoteAddrAndHostTrackerValve();
-        remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
-
-        Request request = new MockRequest(new org.apache.coyote.Request());
-        // client ip
-        request.setRemoteAddr("192.168.0.10");
-        request.setRemoteHost("192.168.0.10");
-        // Trust c.d
-        remoteIpValve.setTrustedProxies("foo\\.bar:123");
-        request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
-                .setString("140.211.11.130:1234, foo.bar:123");
-        // protocol
-        request.setServerPort(8080);
-        request.getCoyoteRequest().scheme().setString("http");
-
-        // TEST
-        remoteIpValve.invoke(request, null);
-
-        // VERIFY
-
-        Assert.assertEquals("140.211.11.130:1234", 
remoteAddrAndHostTrackerValve.getRemoteAddr());
-    }
-
     private void assertArrayEquals(String[] expected, String[] actual) {
         if (expected == null) {
             Assert.assertNull(actual);
@@ -1180,56 +1122,45 @@ public class TestRemoteIpValve {
     @Test
     public void testInternalProxies() throws Exception {
         RemoteIpValve remoteIpValve = new RemoteIpValve();
-        // Regex equivalent of default
-        
remoteIpValve.setInternalProxies("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" +
-                "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" + 
"169\\.254\\.\\d{1,3}\\.\\d{1,3}|" +
-                "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" + 
"100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
-                "100\\.[7-9]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" + 
"100\\.1[0-1]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" +
-                "100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|" + 
"172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
-                "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + 
"172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
-                "0:0:0:0:0:0:0:1|::1|" + "fe[89ab]\\p{XDigit}:.*|" + 
"f[cd]\\p{XDigit}{2}+:.*");
-        Pattern internalProxiesPattern = 
Pattern.compile(remoteIpValve.getInternalProxies());
-
-        doTestPattern(internalProxiesPattern, "8.8.8.8", false);
-        doTestPattern(internalProxiesPattern, "100.62.0.0", false);
-        doTestPattern(internalProxiesPattern, "100.63.255.255", false);
-        doTestPattern(internalProxiesPattern, "100.64.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.65.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.68.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.72.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.88.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.95.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.102.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.110.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.126.0.0", true);
-        doTestPattern(internalProxiesPattern, "100.127.255.255", true);
-        doTestPattern(internalProxiesPattern, "100.128.0.0", false);
-        doTestPattern(internalProxiesPattern, "100.130.0.0", false);
+        NetMaskSet internalProxiesCidr = 
NetMaskSet.parse(remoteIpValve.getInternalProxies());
+
+        doTestNetMaskSet(internalProxiesCidr, "192.168.0.0", true);
+
+        doTestNetMaskSet(internalProxiesCidr, "8.8.8.8", false);
+        doTestNetMaskSet(internalProxiesCidr, "100.62.0.0", false);
+        doTestNetMaskSet(internalProxiesCidr, "100.63.255.255", false);
+        doTestNetMaskSet(internalProxiesCidr, "100.64.0.0", true);
+        doTestNetMaskSet(internalProxiesCidr, "100.65.0.0", true);
+        doTestNetMaskSet(internalProxiesCidr, "100.68.0.0", true);
+        doTestNetMaskSet(internalProxiesCidr, "100.72.0.0", true);
+        doTestNetMaskSet(internalProxiesCidr, "100.88.0.0", true);
+        doTestNetMaskSet(internalProxiesCidr, "100.95.0.0", true);
+        doTestNetMaskSet(internalProxiesCidr, "100.102.0.0", true);
+        doTestNetMaskSet(internalProxiesCidr, "100.110.0.0", true);
+        doTestNetMaskSet(internalProxiesCidr, "100.126.0.0", true);
+        doTestNetMaskSet(internalProxiesCidr, "100.127.255.255", true);
+        doTestNetMaskSet(internalProxiesCidr, "100.128.0.0", false);
+        doTestNetMaskSet(internalProxiesCidr, "100.130.0.0", false);
         // Bug 69600 - IPv6 RFC 4193 Unique Local IPv6 Unicast Addresses
-        doTestPattern(internalProxiesPattern, 
"fe79:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false);
-        doTestPattern(internalProxiesPattern, 
"fe80:0000:0000:0000:0000:0000:0000:0000", true);
-        doTestPattern(internalProxiesPattern, "fe80::", true);
-        doTestPattern(internalProxiesPattern, 
"fe80:0000:0000:0000:0000:0000:0000:0001", true);
-        doTestPattern(internalProxiesPattern, "fe80::1", true);
-        doTestPattern(internalProxiesPattern, 
"fe80:1234:5678:9abc:def0:1234:5678:9abc", true);
-        doTestPattern(internalProxiesPattern, 
"febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true);
-        doTestPattern(internalProxiesPattern, 
"fec0:0000:0000:0000:0000:0000:0000:0000", false);
-        doTestPattern(internalProxiesPattern, "fec0::", false);
+        doTestNetMaskSet(internalProxiesCidr, 
"fe79:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false);
+        doTestNetMaskSet(internalProxiesCidr, 
"fe80:0000:0000:0000:0000:0000:0000:0000", true);
+        doTestNetMaskSet(internalProxiesCidr, "fe80::", true);
+        doTestNetMaskSet(internalProxiesCidr, 
"fe80:0000:0000:0000:0000:0000:0000:0001", true);
+        doTestNetMaskSet(internalProxiesCidr, "fe80::1", true);
+        doTestNetMaskSet(internalProxiesCidr, 
"fe80:1234:5678:9abc:def0:1234:5678:9abc", true);
+        doTestNetMaskSet(internalProxiesCidr, 
"febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true);
+        doTestNetMaskSet(internalProxiesCidr, 
"fec0:0000:0000:0000:0000:0000:0000:0000", false);
+        doTestNetMaskSet(internalProxiesCidr, "fec0::", false);
         // Bug 69600 - IPv6 RFC 4291 Link Local IPv6 Unicast Addresses
-        doTestPattern(internalProxiesPattern, 
"fbff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false);
-        doTestPattern(internalProxiesPattern, 
"fc00:0000:0000:0000:0000:0000:0000:0000", true);
-        doTestPattern(internalProxiesPattern, "fc00::", true);
-        doTestPattern(internalProxiesPattern, 
"fc00:0000:0000:0000:0000:0000:0000:0001", true);
-        doTestPattern(internalProxiesPattern, "fc00::1", true);
-        doTestPattern(internalProxiesPattern, 
"fc00:1234:5678:9abc:def0:1234:5678:9abc", true);
-        doTestPattern(internalProxiesPattern, 
"fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true);
-        doTestPattern(internalProxiesPattern, 
"fe00:0000:0000:0000:0000:0000:0000:0000", false);
-        doTestPattern(internalProxiesPattern, "fe00::", false);
-    }
-
-    private void doTestPattern(Pattern pattern, String input, boolean 
expectedMatch) {
-        boolean match = pattern.matcher(input).matches();
-        Assert.assertEquals(input, Boolean.valueOf(expectedMatch), 
Boolean.valueOf(match));
+        doTestNetMaskSet(internalProxiesCidr, 
"fbff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false);
+        doTestNetMaskSet(internalProxiesCidr, 
"fc00:0000:0000:0000:0000:0000:0000:0000", true);
+        doTestNetMaskSet(internalProxiesCidr, "fc00::", true);
+        doTestNetMaskSet(internalProxiesCidr, 
"fc00:0000:0000:0000:0000:0000:0000:0001", true);
+        doTestNetMaskSet(internalProxiesCidr, "fc00::1", true);
+        doTestNetMaskSet(internalProxiesCidr, 
"fc00:1234:5678:9abc:def0:1234:5678:9abc", true);
+        doTestNetMaskSet(internalProxiesCidr, 
"fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true);
+        doTestNetMaskSet(internalProxiesCidr, 
"fe00:0000:0000:0000:0000:0000:0000:0000", false);
+        doTestNetMaskSet(internalProxiesCidr, "fe00::", false);
     }
 
     @Test
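Review bot: The two `Bug 69600` comments kept in this test are attached to the wrong address groups. The `fe80` to `febf` cases after the first comment are the RFC 4291 link-local range (fe80::/10), and the `fc00` to `fdff` cases after the second are the RFC 4193 unique local range (fc00::/7). Since the lines under them are being rewritten anyway, swap the labels: `// Bug 69600 - IPv6 RFC 4291 Link Local IPv6 Unicast Addresses` before the fe80 group and `// Bug 69600 - IPv6 RFC 4193 Unique Local IPv6 Unicast Addresses` before the fc00 group. Correct labels matter here because these cases define which address ranges are trusted as internal proxies by default.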
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 8e65b88d85..beeb008678 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -171,6 +171,11 @@
         to <code>bloom</code> to improve web application class loading
         performance. (markt)
       </update>
+      <update>
+        Remove regular expression support for the configuration of internal and
+        trusted proxies for the <code>RemoteIpFilter</code> and
+        <code>RemoteIpValve</code>. (markt)
+      </update>
       <!-- Entries for backport and removal before 12.0.0-M1 below this line 
-->
       <add>
         Add CIDR support for the configuration of internal and trusted proxies
diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml
index b7f6d27798..ed2ffb91c8 100644
--- a/webapps/docs/config/filter.xml
+++ b/webapps/docs/config/filter.xml
@@ -1553,7 +1553,7 @@ FINE: Request "/docs/config/manager.html" with response 
status "200"
        </init-param>
        <init-param>
          <param-name>trustedProxies</param-name>
-         <param-value>proxy1|proxy2</param-value>
+         <param-value>200.0.0.1,200.0.0.2</param-value>
        </init-param>
      </filter>
 
@@ -1576,18 +1576,18 @@ FINE: Request "/docs/config/manager.html" with response 
status "200"
       </tr>
       <tr>
         <td> request.header<code>[</code>'x-forwarded-for'<code>]</code> </td>
-        <td> 140.211.11.130, proxy1, proxy2 </td>
+        <td> 140.211.11.130, 200.0.0.1, 200.0.0.2 </td>
         <td> null </td>
       </tr>
       <tr>
         <td> request.header<code>[</code>'x-forwarded-by'<code>]</code> </td>
         <td> null </td>
-        <td> proxy1, proxy2 </td>
+        <td> 200.0.0.1, 200.0.0.2 </td>
       </tr>
     </table>
 
     <p>
-    Note : <code>proxy1</code> and <code>proxy2</code> are both trusted 
proxies that
+    Note : <code>200.0.0.1</code> and <code>200.0.0.2</code> are both trusted 
proxies that
     come in <code>x-forwarded-for</code> header, they both are migrated in
     <code>x-forwarded-by</code> header. <code>x-forwarded-for</code> is 
<code>null</code>
     because all the proxies are trusted or internal.
@@ -1613,7 +1613,7 @@ FINE: Request "/docs/config/manager.html" with response 
status "200"
        </init-param>
        <init-param>
          <param-name>trustedProxies</param-name>
-         <param-value>proxy1|proxy2</param-value>
+         <param-value>200.0.0.1,200.0.0.2</param-value>
        </init-param>
      </filter>
 
@@ -1636,18 +1636,18 @@ FINE: Request "/docs/config/manager.html" with response 
status "200"
       </tr>
       <tr>
         <td> request.header<code>[</code>'x-forwarded-for'<code>]</code> </td>
-        <td> 140.211.11.130, proxy1, proxy2, 192.168.0.10 </td>
+        <td> 140.211.11.130, 200.0.0.1, 200.0.0.2, 192.168.0.10 </td>
         <td> null </td>
       </tr>
       <tr>
         <td> request.header<code>[</code>'x-forwarded-by'<code>]</code> </td>
         <td> null </td>
-        <td> proxy1, proxy2 </td>
+        <td> 200.0.0.1, 200.0.0.2 </td>
       </tr>
     </table>
 
     <p>
-    Note : <code>proxy1</code> and <code>proxy2</code> are both trusted 
proxies that
+    Note : <code>200.0.0.1</code> and <code>200.0.0.2</code> are both trusted 
proxies that
     come in <code>x-forwarded-for</code> header, they both are migrated in
     <code>x-forwarded-by</code> header. As <code>192.168.0.10</code> is an 
internal
     proxy, it does not appear in <code>x-forwarded-by</code>.
@@ -1676,7 +1676,7 @@ FINE: Request "/docs/config/manager.html" with response 
status "200"
        </init-param>
        <init-param>
          <param-name>trustedProxies</param-name>
-         <param-value>proxy1|proxy2</param-value>
+         <param-value>200.0.0.1,200.0.0.2</param-value>
        </init-param>
      </filter>
 
@@ -1695,27 +1695,27 @@ FINE: Request "/docs/config/manager.html" with response 
status "200"
       <tr>
         <td> request.remoteAddr </td>
         <td> 192.168.0.10 </td>
-        <td> untrusted-proxy </td>
+        <td> 200.99.99.99 </td>
       </tr>
       <tr>
         <td> request.header<code>[</code>'x-forwarded-for'<code>]</code> </td>
-        <td> 140.211.11.130, untrusted-proxy, proxy1 </td>
+        <td> 140.211.11.130, 200.99.99.99, 200.0.0.1 </td>
         <td> 140.211.11.130 </td>
       </tr>
       <tr>
         <td> request.header<code>[</code>'x-forwarded-by'<code>]</code> </td>
         <td> null </td>
-        <td> proxy1 </td>
+        <td> 200.0.0.1 </td>
       </tr>
     </table>
 
     <p>
-    Note : <code>x-forwarded-by</code> holds the trusted proxy 
<code>proxy1</code>.
+    Note : <code>x-forwarded-by</code> holds the trusted proxy 
<code>200.0.0.1</code>.
     <code>x-forwarded-by</code> holds <code>140.211.11.130</code> because
-    <code>untrusted-proxy</code> is not trusted and thus, we cannot trust that
-    <code>untrusted-proxy</code> is the actual remote ip.
-    <code>request.remoteAddr</code> is <code>untrusted-proxy</code> that is an 
IP
-    verified by <code>proxy1</code>.
+    <code>200.99.99.99</code> is not trusted and thus, we cannot trust that
+    <code>200.99.99.99</code> is the actual remote ip.
+    <code>request.remoteAddr</code> is <code>200.99.99.99</code> that is an IP
+    verified by <code>200.0.0.1</code>.
     </p>
   </subsection>
 
@@ -1739,12 +1739,11 @@ FINE: Request "/docs/config/manager.html" with response 
status "200"
       </attribute>
 
       <attribute name="internalProxies" required="false">
-        <p>Either a comma separated list of CIDR blocks or a single regular
-        expression that a proxy&apos;s IP address must match to be considered 
an
-        internal proxy. Internal proxies that appear in the
-        <strong>remoteIpHeader</strong> will be trusted and will not appear in
-        the <strong>proxiesHeader</strong> value. If not specified the default
-        value of <code>10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,
+        <p>A comma separated list of CIDR blocks that a proxy&apos;s IP address
+        must match to be considered an internal proxy. Internal proxies that
+        appear in the <strong>remoteIpHeader</strong> will be trusted and will
+        not appear in the <strong>proxiesHeader</strong> value. If not 
specified
+        the default value of <code>10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,
         169.254.0.0/16, 100.64.0.0/10, 127.0.0.0/8, ::1/128, fe80::/10, 
fc00::/7
         </code> will be used.</p>
       </attribute>
@@ -1766,12 +1765,11 @@ FINE: Request "/docs/config/manager.html" with response 
status "200"
       </attribute>
 
       <attribute name="trustedProxies" required="false">
-        <p>Either a comma separated list of CIDR blocks or a single regular
-        expression that a proxy&apos;s IP address must match to be considered a
-        trusted proxy. Trusted proxies that appear in the
-        <strong>remoteIpHeader</strong> will be trusted and will appear in the
-        <strong>proxiesHeader</strong> value. If not specified, no proxies will
-        be trusted.</p>
+        <p>A comma separated list of CIDR blocks that a proxy&apos;s IP address
+        must match to be considered a trusted proxy. Trusted proxies that 
appear
+        in the <strong>remoteIpHeader</strong> will be trusted and will appear
+        in the <strong>proxiesHeader</strong> value. If not specified, no
+        proxies will be trusted.</p>
       </attribute>
 
       <attribute name="protocolHeader" required="false">

