tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Cyrille Le Clerc <clecl...@xebia.fr>
Subject Re: Cannot set remote address in valve (Tomcat 5.5)
Date Thu, 08 Oct 2009 08:03:40 GMT
   Hello Elli,

   I am afraid there may be a flaw in the algorythm looking for the
first IP  of the coma delimited x-forwarded-for header without
ensuring that this first IP has been set by a trusted proxy and not by
the requester ( getFirstIP(xforwardedForHeaderValue) ). Such spoofing
can easily be achieved with tools like Firefox add-ons Modify Headers
(1) and X-Forwarded-For Spoofer (2) .

   The forthcoming version of Apache Httpd will offer a secure
mechanism to handle X-Forwarded-For with a module called mod_remoteip
(3). It relies on the concept of trusted proxies which IP address can
be 'swallowed'. The first IP of the list that is not a trusted proxy
is seen as the real remote ip. mod_remoteip would not have been
tricked by such x-forwarded-for header spoofing.

   Here are two java ports of mod_remoteip to handle X-Forwarded-For
at the Tomcat level with a valve and at the WAR level with a servlet
filter : RemoteIpValve (4) and XForwardedFilter (5). In addition to
handle X-Forwarded-For, they also integrate X-Forwarded-Proto (ssl).
These java ports integrate the same trusted proxies concept to prevent
spoofing.

   Cyrille
--
Cyrille Le Clerc
cleclerc@xebia.fr cyrille@cyrilleleclerc.com
http://blog.xebia.fr


(1) https://addons.mozilla.org/en-US/firefox/addon/967
(2) https://addons.mozilla.org/en-US/firefox/addon/5948
(3) http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html
(4) http://code.google.com/p/xebia-france/wiki/RemoteIpValve
(5) http://code.google.com/p/xebia-france/wiki/XForwardedFilter


On Mon, Oct 5, 2009 at 11:19 PM, Elli Albek <elli@sustainlane.com> wrote:
>
> Hi,
>
> We can add the header to the custom valves, but then in addition we have to
> change a few log file configurations, create a servlet filter and maybe
> something else I cant think of now. Basically doing the same thing a few
> times and keeping track of all the places that depend on the header. Ideally
> this would all be corrected once in the beginning of the request processing
> pipeline, so log file configuration, other valves and the war files will
> remain unchanged.
>
>
>
> Attached a Valve that does that. This is the minimum code necessary, so it
> should not have any significant performance impact.
>
> Feel free to use as is, not guaranteed to work, no expressed on implied
> warranties, not FDIC insured and may loose value.
>
>
>
> To configure Tomcat add to server.xml:
>
>
>
> <Service name="Catalina">
>
>      <Connector port="8080" .../>
>
>      <Engine defaultHost="localhost" name="Catalina">
>
>            <!-- This should precede all other configuration in the engine
> -->
>
>            <Valve className="org.apache.catalina.connector.RemoteIPValve"/>
>
>
>
> Java class/jar should be placed in /server/lib or /server/classes
>
>
>
> E
>
>
>
>
>
>
>
> package org.apache.catalina.connector;
>
>
>
> import java.io.IOException;
>
> import java.util.regex.Matcher;
>
> import java.util.regex.Pattern;
>
>
>
> import javax.servlet.ServletException;
>
>
>
> import org.apache.catalina.connector.Request;
>
> import org.apache.catalina.connector.Response;
>
> import org.apache.catalina.valves.ValveBase;
>
>
>
> /**
>
>  * A valve that extracts the remote IP of the client from an HTTP header
> field
>
>  * passed by the proxy, and set it in the request as the original client IP.
>
>  * This valve should be the first valve in the engine, so log valves (and
>
>  * others) will see the real client IP without requiring the same code
> again.
>
>  *
>
>  * @author Elli Albek, www.sustainlane.com
>
>  */
>
> public class RemoteIPValve extends ValveBase {
>
>
>
>      private static final Pattern ipExpr =
> Pattern.compile("^[\\da-fA-F]+(\\.[\\da-fA-F]+)+");
>
>
>
>      private String forwardedForHeader = "X-Forwarded-For";
>
>
>
>      public void invoke(Request request, Response response) throws
> IOException, ServletException {
>
>
>
>            String header = request.getHeader(forwardedForHeader);
>
>            String forwardedIP = getFirstIP(header);
>
>            if (forwardedIP != null)
>
>                  request.remoteAddr = forwardedIP;
>
>
>
>            next.invoke(request, response);
>
>      }
>
>
>
>      /**
>
>       * Return the first IP address in a string that may contain an IP list
>
>       */
>
>      static final String getFirstIP(String header) {
>
>            if (header == null)
>
>                  return null;
>
>            Matcher m = ipExpr.matcher(header);
>
>            if (m.find()) {
>
>                  return m.group();
>
>            }
>
>            return null;
>
>      }
>
>
>
>      public void setForwardedForHeader(String forwardedForHeader) {
>
>            this.forwardedForHeader = forwardedForHeader;
>
>      }
>
>
>
>      public String getInfo() {
>
>            return "RemoteIPValve";
>
>      }
>
> }
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message