private void testRemoteIpValveConfigured() {
TomcatEmbeddedServletContainerFactory container = new TomcatEmbeddedServletContainerFactory();
this.properties.customize(container);
assertThat(container.getEngineValves()).hasSize(1);
Valve valve = container.getEngineValves().iterator().next();
assertThat(valve).isInstanceOf(RemoteIpValve.class);
RemoteIpValve remoteIpValve = (RemoteIpValve) valve;
assertThat(remoteIpValve.getProtocolHeader()).isEqualTo("X-Forwarded-Proto");
assertThat(remoteIpValve.getProtocolHeaderHttpsValue()).isEqualTo("https");
assertThat(remoteIpValve.getRemoteIpHeader()).isEqualTo("X-Forwarded-For");
String expectedInternalProxies =
"10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 10/8
+ "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" // 192.168/16
+ "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16
+ "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 127/8
+ "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12
+ "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|"
+ "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}";
assertThat(remoteIpValve.getInternalProxies()).isEqualTo(expectedInternalProxies);
}
private void customizeRemoteIpValve(
ServerProperties properties, TomcatEmbeddedServletContainerFactory factory) {
String protocolHeader = getProtocolHeader();
String remoteIpHeader = getRemoteIpHeader();
// For back compatibility the valve is also enabled if protocol-header is set
if (StringUtils.hasText(protocolHeader)
|| StringUtils.hasText(remoteIpHeader)
|| properties.getOrDeduceUseForwardHeaders()) {
RemoteIpValve valve = new RemoteIpValve();
valve.setProtocolHeader(
StringUtils.hasLength(protocolHeader) ? protocolHeader : "X-Forwarded-Proto");
if (StringUtils.hasLength(remoteIpHeader)) {
valve.setRemoteIpHeader(remoteIpHeader);
}
// The internal proxies default to a white list of "safe" internal IP
// addresses
valve.setInternalProxies(getInternalProxies());
valve.setPortHeader(getPortHeader());
valve.setProtocolHeaderHttpsValue(getProtocolHeaderHttpsValue());
// ... so it's safe to add this valve by default.
factory.addEngineValves(valve);
}
}
@Test
public void customTomcatRemoteIpValve() throws Exception {
Map<String, String> map = new HashMap<String, String>();
map.put("server.tomcat.remote_ip_header", "x-my-remote-ip-header");
map.put("server.tomcat.protocol_header", "x-my-protocol-header");
map.put("server.tomcat.internal_proxies", "192.168.0.1");
map.put("server.tomcat.port-header", "x-my-forward-port");
map.put("server.tomcat.protocol-header-https-value", "On");
bindProperties(map);
TomcatEmbeddedServletContainerFactory container = new TomcatEmbeddedServletContainerFactory();
this.properties.customize(container);
assertThat(container.getEngineValves()).hasSize(1);
Valve valve = container.getEngineValves().iterator().next();
assertThat(valve).isInstanceOf(RemoteIpValve.class);
RemoteIpValve remoteIpValve = (RemoteIpValve) valve;
assertThat(remoteIpValve.getProtocolHeader()).isEqualTo("x-my-protocol-header");
assertThat(remoteIpValve.getProtocolHeaderHttpsValue()).isEqualTo("On");
assertThat(remoteIpValve.getRemoteIpHeader()).isEqualTo("x-my-remote-ip-header");
assertThat(remoteIpValve.getPortHeader()).isEqualTo("x-my-forward-port");
assertThat(remoteIpValve.getInternalProxies()).isEqualTo("192.168.0.1");
}
