From 30c05b2b49feca474b0019a4dc00afb826d1cb2a Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Sun, 22 Sep 2019 08:29:30 +0100
Subject: [PATCH] Support X-Forwarded-Host header when auto-configuring RemoteIpValve

Closes gh-18233
---
 .../boot/autoconfigure/web/ServerProperties.java | 13 +++++++++++++
 .../embedded/TomcatWebServerFactoryCustomizer.java | 1 +
 .../TomcatWebServerFactoryCustomizerTests.java | 2 ++
 3 files changed, 16 insertions(+)

diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
index 555d1b78a7..dd65b54e65 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
@@ -321,6 +321,11 @@ public class ServerProperties {
 */
 private String remoteIpHeader;
 
+ /**
+ * Name of the HTTP header from which the remote host is extracted.
+ */
+ private String hostHeader = "X-Forwarded-Host";
+
 /**
 * Tomcat base directory. If not specified, a temporary directory is used.
 */
@@ -519,6 +524,14 @@ public class ServerProperties {
 this.remoteIpHeader = remoteIpHeader;
 }
 
+ public String getHostHeader() {
+ return this.hostHeader;
+ }
+
+ public void setHostHeader(String hostHeader) {
+ this.hostHeader = hostHeader;
+ }
+
 public Charset getUriEncoding() {
 return this.uriEncoding;
 }
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java
index c898af5792..7f458dfafe 100644
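Review bot: The Javadoc on the new `hostHeader` field (first ServerProperties hunk) does not say when the header is honoured, nor that it is on by default: the neighbouring `remoteIpHeader` has no default value, while this property ships as `X-Forwarded-Host`. Because the extracted value replaces the host the application sees, I would extend the comment along the lines of `Name of the HTTP header from which the remote host is extracted. Only applied to requests whose remote address matches the internal proxies.` The second sentence reflects how RemoteIpValve is understood to gate forwarded headers and should be confirmed against the bundled Tomcat version. The class body continues outside the hunk.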
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java
@@ -183,6 +183,7 @@ public class TomcatWebServerFactoryCustomizer
 // The internal proxies default to a white list of "safe" internal IP
 // addresses
 valve.setInternalProxies(tomcatProperties.getInternalProxies());
+ valve.setHostHeader(tomcatProperties.getHostHeader());
 valve.setPortHeader(tomcatProperties.getPortHeader());
 valve.setProtocolHeaderHttpsValue(tomcatProperties.getProtocolHeaderHttpsValue());
 // ... so it's safe to add this valve by default.
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java
index ebf9ff96be..f15c517cb0 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java
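Review bot: The added `valve.setHostHeader(...)` call in TomcatWebServerFactoryCustomizer sits under the existing comment `... so it's safe to add this valve by default`, so that comment now vouches for host rewriting as well. That holds only while `internalProxies` matches nothing but real proxies. Where other workloads share the private ranges of the default pattern, such a peer could presumably supply the header and influence the server name used for redirects and absolute links; this is inferred, since the condition that enables the valve is outside the hunk. I would record the dependency next to the call, e.g. `// Host, port and scheme come from forwarded headers only for peers matching internalProxies`. The enclosing method starts and ends outside the hunk.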
@@ -243,6 +243,8 @@ class TomcatWebServerFactoryCustomizerTests {
 assertThat(remoteIpValve.getProtocolHeader()).isEqualTo("X-Forwarded-Proto");
 assertThat(remoteIpValve.getProtocolHeaderHttpsValue()).isEqualTo("https");
 assertThat(remoteIpValve.getRemoteIpHeader()).isEqualTo("X-Forwarded-For");
+ assertThat(remoteIpValve.getHostHeader()).isEqualTo("X-Forwarded-Host");
+ assertThat(remoteIpValve.getPortHeader()).isEqualTo("X-Forwarded-Port");
 String expectedInternalProxies = "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 10/8
 + "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" // 192.168/16
 + "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16
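Review bot: Both added assertions pin only the default header names, and the diffstat lists these two lines as the commit's entire test change. Nothing therefore checks that a customised host header (presumably bound as `server.tomcat.host-header`) actually reaches the valve. I would add a case alongside the existing custom-valve coverage that binds a non-default name and asserts it, e.g. `assertThat(remoteIpValve.getHostHeader()).isEqualTo("x-my-forwarded-host");`, where the header name is a constructed sample. The test method starts outside the hunk and its body continues past it.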