/**
 * Verifies that customizing a fresh Tomcat factory with the currently bound
 * properties registers exactly one {@link RemoteIpValve} carrying the default
 * forwarded-header names and the default internal-proxies pattern.
 *
 * The pattern is pinned literally on purpose: it decides which peers may
 * supply the forwarded headers, so any widening of the default trusted set
 * should fail this check and be reviewed explicitly.
 */
private void testRemoteIpValveConfigured() {
    // Default trusted-proxy regex: private, link-local and loopback IPv4 ranges.
    String defaultTrustedPeers = "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 10/8
            + "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" // 192.168/16
            + "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16
            + "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 127/8
            + "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12
            + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|"
            + "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}";

    TomcatEmbeddedServletContainerFactory factory =
            new TomcatEmbeddedServletContainerFactory();
    this.properties.customize(factory);

    // Exactly one engine valve is expected, and it must be the remote IP valve.
    assertThat(factory.getEngineValves()).hasSize(1);
    Valve onlyValve = factory.getEngineValves().iterator().next();
    assertThat(onlyValve).isInstanceOf(RemoteIpValve.class);

    RemoteIpValve configured = (RemoteIpValve) onlyValve;
    assertThat(configured.getProtocolHeader()).isEqualTo("X-Forwarded-Proto");
    assertThat(configured.getProtocolHeaderHttpsValue()).isEqualTo("https");
    assertThat(configured.getRemoteIpHeader()).isEqualTo("X-Forwarded-For");
    assertThat(configured.getInternalProxies()).isEqualTo(defaultTrustedPeers);
}
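/**
 * Registers a Tomcat {@link RemoteIpValve} on the factory when forwarded-header
 * handling has been requested.
 *
 * The valve is added when a protocol header or a remote IP header is
 * configured, or when {@code properties.getOrDeduceUseForwardHeaders()}
 * returns {@code true}; otherwise the factory is left untouched.
 *
 * Security note: the valve rewrites the request's remote address and scheme
 * from client-controllable headers. It does so only for peers matching the
 * internal-proxies regular expression, so that pattern is the trust boundary.
 * The arrangement is sound only while untrusted clients cannot connect
 * directly from an address the pattern matches.
 *
 * @param properties the server properties consulted for the forward-headers flag
 * @param factory the Tomcat factory that receives the valve
 */
private void customizeRemoteIpValve(ServerProperties properties,
        TomcatEmbeddedServletContainerFactory factory) {
    String protocolHeader = getProtocolHeader();
    String remoteIpHeader = getRemoteIpHeader();
    boolean protocolHeaderSet = StringUtils.hasText(protocolHeader);
    boolean remoteIpHeaderSet = StringUtils.hasText(remoteIpHeader);

    // For back compatibility the valve is also enabled if protocol-header is set
    if (!protocolHeaderSet && !remoteIpHeaderSet
            && !properties.getOrDeduceUseForwardHeaders()) {
        return;
    }

    RemoteIpValve valve = new RemoteIpValve();
    // The same hasText() test decides both enabling and assignment, so a
    // whitespace-only value falls back to the default instead of being
    // installed as a header name (previously hasLength() let it through).
    valve.setProtocolHeader(protocolHeaderSet ? protocolHeader : "X-Forwarded-Proto");
    if (remoteIpHeaderSet) {
        valve.setRemoteIpHeader(remoteIpHeader);
    }
    // The internal proxies default to a list of internal IP address ranges;
    // forwarded headers are honored only from peers matching that pattern.
    valve.setInternalProxies(getInternalProxies());
    valve.setPortHeader(getPortHeader());
    valve.setProtocolHeaderHttpsValue(getProtocolHeaderHttpsValue());
    factory.addEngineValves(valve);
}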
/**
 * Binds custom {@code server.tomcat.*} forwarded-header settings and checks
 * that each one reaches the single {@link RemoteIpValve} registered on the
 * factory unchanged.
 */
@Test
public void customTomcatRemoteIpValve() throws Exception {
    Map<String, String> settings = new HashMap<String, String>();
    settings.put("server.tomcat.remote_ip_header", "x-my-remote-ip-header");
    settings.put("server.tomcat.protocol_header", "x-my-protocol-header");
    // Passed through verbatim. RemoteIpValve interprets this value as a regular
    // expression, so the unescaped dots match any character; real
    // configurations should escape them.
    settings.put("server.tomcat.internal_proxies", "192.168.0.1");
    settings.put("server.tomcat.port-header", "x-my-forward-port");
    settings.put("server.tomcat.protocol-header-https-value", "On");
    bindProperties(settings);

    TomcatEmbeddedServletContainerFactory factory =
            new TomcatEmbeddedServletContainerFactory();
    this.properties.customize(factory);

    // Only the remote IP valve should have been added.
    assertThat(factory.getEngineValves()).hasSize(1);
    Valve onlyValve = factory.getEngineValves().iterator().next();
    assertThat(onlyValve).isInstanceOf(RemoteIpValve.class);

    RemoteIpValve configured = (RemoteIpValve) onlyValve;
    assertThat(configured.getProtocolHeader()).isEqualTo("x-my-protocol-header");
    assertThat(configured.getProtocolHeaderHttpsValue()).isEqualTo("On");
    assertThat(configured.getRemoteIpHeader()).isEqualTo("x-my-remote-ip-header");
    assertThat(configured.getPortHeader()).isEqualTo("x-my-forward-port");
    assertThat(configured.getInternalProxies()).isEqualTo("192.168.0.1");
}