tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Elli Albek" <e...@sustainlane.com>
Subject RE: Cannot set remote address in valve (Tomcat 5.5)
Date Wed, 21 Oct 2009 04:57:45 GMT
A question: How do you know that a proxy is trusted? Is it by providing a list of trusted IPs
in the configuration of the filter?

Our load balancer is always adding the client IP as the first in the list, and it does not
add its own IP to the list. The header
has one IP +99% of the times, the other times there is an additional IP of a proxy that is
not our load balancer (reverse proxy).

So in that case, we can check that the request comes from a trusted IP list (known load balancers),
and only then try to change the
IP. If the client IP does not come from the load balancer, it is basically a pass through.

For our system the first IP is what the load balancer sees, and the only way to spoof it is
to access the server not through the
load balancer. If you send a request with a spoofed header to the laod balancer, it will still
add the IP of the spoofer in the
beginning of the list.

This may not be the general case for proxies, it is only for this case.

E

-----Original Message-----
From: Cyrille Le Clerc [mailto:cleclerc@xebia.fr] 
Sent: Thursday, October 08, 2009 1:04 AM
To: Tomcat Users List
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)

   Hello Elli,

   I am afraid there may be a flaw in the algorythm looking for the
first IP  of the coma delimited x-forwarded-for header without
ensuring that this first IP has been set by a trusted proxy and not by
the requester ( getFirstIP(xforwardedForHeaderValue) ). Such spoofing
can easily be achieved with tools like Firefox add-ons Modify Headers
(1) and X-Forwarded-For Spoofer (2) .

   The forthcoming version of Apache Httpd will offer a secure
mechanism to handle X-Forwarded-For with a module called mod_remoteip
(3). It relies on the concept of trusted proxies which IP address can
be 'swallowed'. The first IP of the list that is not a trusted proxy
is seen as the real remote ip. mod_remoteip would not have been
tricked by such x-forwarded-for header spoofing.

   Here are two java ports of mod_remoteip to handle X-Forwarded-For
at the Tomcat level with a valve and at the WAR level with a servlet
filter : RemoteIpValve (4) and XForwardedFilter (5). In addition to
handle X-Forwarded-For, they also integrate X-Forwarded-Proto (ssl).
These java ports integrate the same trusted proxies concept to prevent
spoofing.

   Cyrille
--
Cyrille Le Clerc
cleclerc@xebia.fr cyrille@cyrilleleclerc.com
http://blog.xebia.fr


(1) https://addons.mozilla.org/en-US/firefox/addon/967
(2) https://addons.mozilla.org/en-US/firefox/addon/5948
(3) http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html
(4) http://code.google.com/p/xebia-france/wiki/RemoteIpValve
(5) http://code.google.com/p/xebia-france/wiki/XForwardedFilter


On Mon, Oct 5, 2009 at 11:19 PM, Elli Albek <elli@sustainlane.com> wrote:
>
> Hi,
>
> We can add the header to the custom valves, but then in addition we have to
> change a few log file configurations, create a servlet filter and maybe
> something else I cant think of now. Basically doing the same thing a few
> times and keeping track of all the places that depend on the header. Ideally
> this would all be corrected once in the beginning of the request processing
> pipeline, so log file configuration, other valves and the war files will
> remain unchanged.
>
>
>
> Attached a Valve that does that. This is the minimum code necessary, so it
> should not have any significant performance impact.
>
> Feel free to use as is, not guaranteed to work, no expressed on implied
> warranties, not FDIC insured and may loose value.
>
>
>
> To configure Tomcat add to server.xml:
>
>
>
> <Service name="Catalina">
>
>      <Connector port="8080" .../>
>
>      <Engine defaultHost="localhost" name="Catalina">
>
>            <!-- This should precede all other configuration in the engine
> -->
>
>            <Valve className="org.apache.catalina.connector.RemoteIPValve"/>
>
>
>
> Java class/jar should be placed in /server/lib or /server/classes
>
>
>
> E
>
>
>
>
>
>
>
> package org.apache.catalina.connector;
>
>
>
> import java.io.IOException;
>
> import java.util.regex.Matcher;
>
> import java.util.regex.Pattern;
>
>
>
> import javax.servlet.ServletException;
>
>
>
> import org.apache.catalina.connector.Request;
>
> import org.apache.catalina.connector.Response;
>
> import org.apache.catalina.valves.ValveBase;
>
>
>
> /**
>
>  * A valve that extracts the remote IP of the client from an HTTP header
> field
>
>  * passed by the proxy, and set it in the request as the original client IP.
>
>  * This valve should be the first valve in the engine, so log valves (and
>
>  * others) will see the real client IP without requiring the same code
> again.
>
>  *
>
>  * @author Elli Albek, www.sustainlane.com
>
>  */
>
> public class RemoteIPValve extends ValveBase {
>
>
>
>      private static final Pattern ipExpr =
> Pattern.compile("^[\\da-fA-F]+(\\.[\\da-fA-F]+)+");
>
>
>
>      private String forwardedForHeader = "X-Forwarded-For";
>
>
>
>      public void invoke(Request request, Response response) throws
> IOException, ServletException {
>
>
>
>            String header = request.getHeader(forwardedForHeader);
>
>            String forwardedIP = getFirstIP(header);
>
>            if (forwardedIP != null)
>
>                  request.remoteAddr = forwardedIP;
>
>
>
>            next.invoke(request, response);
>
>      }
>
>
>
>      /**
>
>       * Return the first IP address in a string that may contain an IP list
>
>       */
>
>      static final String getFirstIP(String header) {
>
>            if (header == null)
>
>                  return null;
>
>            Matcher m = ipExpr.matcher(header);
>
>            if (m.find()) {
>
>                  return m.group();
>
>            }
>
>            return null;
>
>      }
>
>
>
>      public void setForwardedForHeader(String forwardedForHeader) {
>
>            this.forwardedForHeader = forwardedForHeader;
>
>      }
>
>
>
>      public String getInfo() {
>
>            return "RemoteIPValve";
>
>      }
>
> }
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message