A question: How do you know that a proxy is trusted? Is it by providing a list of trusted IPs in the configuration of the filter?
Our load balancer is always adding the client IP as the first in the list, and it does not add its own IP to the list. The header has one IP +99% of the times; the other times there is an additional IP of a proxy that is not our load balancer (reverse proxy). So in that case, we can check that the request comes from a trusted IP list (known load balancers), and only then try to change the IP. If the client IP does not come from the load balancer, it is basically a pass through. For our system the first IP is what the load balancer sees, and the only way to spoof it is to access the server not through the load balancer. If you send a request with a spoofed header to the load balancer, it will still add the IP of the spoofer in the beginning of the list. This may not be the general case for proxies, it is only for this case.

E

-----Original Message-----
From: Cyrille Le Clerc [mailto:clecl...@xebia.fr]
Sent: Thursday, October 08, 2009 1:04 AM
To: Tomcat Users List
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)

Hello Elli,

I am afraid there may be a flaw in the algorithm looking for the first IP of the comma-delimited x-forwarded-for header without ensuring that this first IP has been set by a trusted proxy and not by the requester ( getFirstIP(xforwardedForHeaderValue) ). Such spoofing can easily be achieved with tools like the Firefox add-ons Modify Headers (1) and X-Forwarded-For Spoofer (2).

The forthcoming version of Apache Httpd will offer a secure mechanism to handle X-Forwarded-For with a module called mod_remoteip (3). It relies on the concept of trusted proxies whose IP address can be 'swallowed'. The first IP of the list that is not a trusted proxy is seen as the real remote ip. mod_remoteip would not have been tricked by such x-forwarded-for header spoofing.

Here are two Java ports of mod_remoteip to handle X-Forwarded-For at the Tomcat level with a valve and at the WAR level with a servlet filter: RemoteIpValve (4) and XForwardedFilter (5). In addition to handling X-Forwarded-For, they also integrate X-Forwarded-Proto (ssl). These Java ports integrate the same trusted proxies concept to prevent spoofing.

Cyrille

--
Cyrille Le Clerc
clecl...@xebia.fr
cyri...@cyrilleleclerc.com
http://blog.xebia.fr

(1) https://addons.mozilla.org/en-US/firefox/addon/967
(2) https://addons.mozilla.org/en-US/firefox/addon/5948
(3) http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html
(4) http://code.google.com/p/xebia-france/wiki/RemoteIpValve
(5) http://code.google.com/p/xebia-france/wiki/XForwardedFilter

On Mon, Oct 5, 2009 at 11:19 PM, Elli Albek <e...@sustainlane.com> wrote:
>
> Hi,
>
> We can add the header to the custom valves, but then in addition we have to
> change a few log file configurations, create a servlet filter and maybe
> something else I can't think of now. Basically doing the same thing a few
> times and keeping track of all the places that depend on the header. Ideally
> this would all be corrected once in the beginning of the request processing
> pipeline, so log file configuration, other valves and the war files will
> remain unchanged.
>
> Attached a Valve that does that. This is the minimum code necessary, so it
> should not have any significant performance impact.
>
> Feel free to use as is, not guaranteed to work, no expressed or implied
> warranties, not FDIC insured and may lose value.
>
> To configure Tomcat add to server.xml:
>
> <Service name="Catalina">
>   <Connector port="8080" .../>
>   <Engine defaultHost="localhost" name="Catalina">
>     <!-- This should precede all other configuration in the engine -->
>     <Valve className="org.apache.catalina.connector.RemoteIPValve"/>
>
> Java class/jar should be placed in /server/lib or /server/classes
>
> E
>
> package org.apache.catalina.connector;
>
> import java.io.IOException;
> import java.util.regex.Matcher;
> import java.util.regex.Pattern;
>
> import javax.servlet.ServletException;
>
> import org.apache.catalina.connector.Request;
> import org.apache.catalina.connector.Response;
> import org.apache.catalina.valves.ValveBase;
>
> /**
>  * A valve that extracts the remote IP of the client from an HTTP header field
>  * passed by the proxy, and sets it in the request as the original client IP.
>  * This valve should be the first valve in the engine, so log valves (and
>  * others) will see the real client IP without requiring the same code again.
>  *
>  * @author Elli Albek, www.sustainlane.com
>  */
> public class RemoteIPValve extends ValveBase {
>
>     // Matches the leading dotted address in the header (hex digits and dots)
>     private static final Pattern ipExpr =
>         Pattern.compile("^[\\da-fA-F]+(\\.[\\da-fA-F]+)+");
>
>     private String forwardedForHeader = "X-Forwarded-For";
>
>     public void invoke(Request request, Response response) throws
>             IOException, ServletException {
>
>         String header = request.getHeader(forwardedForHeader);
>         String forwardedIP = getFirstIP(header);
>         if (forwardedIP != null)
>             // remoteAddr is a protected field of Request; this class sits in
>             // the same package so it can assign it directly
>             request.remoteAddr = forwardedIP;
>
>         // next is the following valve in the pipeline (ValveBase field)
>         next.invoke(request, response);
>     }
>
>     /**
>      * Return the first IP address in a string that may contain an IP list
>      */
>     static final String getFirstIP(String header) {
>         if (header == null)
>             return null;
>         Matcher m = ipExpr.matcher(header);
>         if (m.find()) {
>             return m.group();
>         }
>         return null;
>     }
>
>     public void setForwardedForHeader(String forwardedForHeader) {
>         this.forwardedForHeader = forwardedForHeader;
>     }
>
>     public String getInfo() {
>         return "RemoteIPValve";
>     }
> }

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
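The trusted-proxy rule Cyrille describes (swallow trusted hops from the right of X-Forwarded-For and take the first untrusted one, ignoring everything a client could have prepended), as an added example in plain Java with no Tomcat dependency; it is not code from this thread, from RemoteIpValve or from mod_remoteip, and the trusted set and addresses are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example: resolving the real client address from X-Forwarded-For
// using a set of trusted proxies, in the style of mod_remoteip.
public class TrustedProxyResolver {

    /**
     * Start from the TCP peer address. If it is not a trusted proxy, the
     * header cannot be believed at all and the peer address is the client.
     * Otherwise walk the comma-separated hops from right to left: every
     * trusted proxy is "swallowed"; the first hop that is not a trusted
     * proxy is the real client. Hops to its left were supplied by an
     * untrusted party and are ignored.
     */
    static String resolveRemoteAddr(String peerAddr, String xff, Set<String> trusted) {
        if (xff == null || !trusted.contains(peerAddr)) {
            return peerAddr;            // not via a trusted proxy: header is untrusted
        }
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (hop.isEmpty()) {
                continue;
            }
            if (!trusted.contains(hop)) {
                return hop;             // first untrusted hop from the right
            }
        }
        return peerAddr;                // every hop was trusted: fall back to the peer (design choice)
    }

    public static void main(String[] args) {
        // Constructed values: 10.0.0.1 is our load balancer, 203.0.113.5 a client.
        Set<String> trusted = new HashSet<>(Arrays.asList("10.0.0.1"));
        // Client -> LB -> Tomcat; LB appends the client address it saw.
        System.out.println(resolveRemoteAddr("10.0.0.1", "203.0.113.5", trusted));            // 203.0.113.5
        // Client sent its own X-Forwarded-For: 1.2.3.4; LB appended the real peer,
        // so the rightmost untrusted hop wins and the forged value is ignored.
        System.out.println(resolveRemoteAddr("10.0.0.1", "1.2.3.4, 203.0.113.5", trusted));   // 203.0.113.5
        // Direct connection to Tomcat bypassing the LB: header ignored entirely.
        System.out.println(resolveRemoteAddr("203.0.113.5", "1.2.3.4", trusted));             // 203.0.113.5
    }
}
```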