public class RemoteIpValve extends ValveBase
Tomcat port of mod_remoteip, this valve replaces the apparent client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request headers (e.g. "X-Forwarded-For").
Another feature of this valve is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").
This valve proceeds as follows:
 If the incoming request.getRemoteAddr() matches the valve's list
 of internal or trusted proxies:
 
$remoteIpHeader (default value x-forwarded-for). Values are processed in right-to-left order.$protocolHeader (e.g. x-forwarded-proto) consists only of forwards that match
 protocolHeaderHttpsValue configuration parameter (default https) then request.isSecure = true,
 request.scheme = https and request.serverPort = 443. Note that 443 can be overwritten with the
 $httpsServerPort configuration parameter.Globals.REQUEST_FORWARDED_ATTRIBUTE and value Boolean.TRUE to indicate
 that this request has been forwarded by one or more proxies.| RemoteIpValve property | Description | Equivalent mod_remoteip directive | Format | Default Value | 
|---|---|---|---|---|
| remoteIpHeader | Name of the Http Header read by this valve that holds the list of traversed IP addresses starting from the requesting client | RemoteIPHeader | Compliant http header name | x-forwarded-for | 
| internalProxies | Regular expression that matches the IP addresses of internal proxies.
 If they appear in the remoteIpHeadervalue, they will be
 trusted and will not appear
 in theproxiesHeadervalue | RemoteIPInternalProxy | Regular expression (in the syntax supported by java.util.regex) | 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
     169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
     0:0:0:0:0:0:0:1|::1 By default, 10/8, 192.168/16, 169.254/16, 127/8 and ::1 are allowed. | 
| proxiesHeader | Name of the http header created by this valve to hold the list of proxies that have been processed in the incoming remoteIpHeader | proxiesHeader | Compliant http header name | x-forwarded-by | 
| trustedProxies | Regular expression that matches the IP addresses of trusted proxies.
 If they appear in the remoteIpHeadervalue, they will be
 trusted and will appear in theproxiesHeadervalue | RemoteIPTrustedProxy | Regular expression (in the syntax supported by java.util.regex) | |
| protocolHeader | Name of the http header read by this valve that holds the flag that this request | N/A | Compliant http header name like X-Forwarded-Proto,X-Forwarded-SslorFront-End-Https | null | 
| protocolHeaderHttpsValue | Value of the protocolHeaderto indicate that it is an Https request | N/A | String like httpsorON | https | 
| httpServerPort | Value returned by ServletRequest.getServerPort()when theprotocolHeaderindicateshttpprotocol | N/A | integer | 80 | 
| httpsServerPort | Value returned by ServletRequest.getServerPort()when theprotocolHeaderindicateshttpsprotocol | N/A | integer | 443 | 
This Valve may be attached to any Container, depending on the granularity of the filtering you wish to perform.
 Regular expression vs. IP address blocks: mod_remoteip allows to use address blocks (e.g.
 192.168/16) to configure RemoteIPInternalProxy and RemoteIPTrustedProxy ; as Tomcat doesn't have a
 library similar to apr_ipsubnet_test,
 RemoteIpValve uses regular expression to configure internalProxies and trustedProxies in the same
 fashion as RequestFilterValve does.
 
Sample with internal proxies
RemoteIpValve configuration:
 <Valve
   className="org.apache.catalina.valves.RemoteIpValve"
   internalProxies="192\.168\.0\.10|192\.168\.0\.11"
   remoteIpHeader="x-forwarded-for"
   proxiesHeader="x-forwarded-by"
   protocolHeader="x-forwarded-proto"
   />
 | property | Value Before RemoteIpValve | Value After RemoteIpValve | 
|---|---|---|
| request.remoteAddr | 192.168.0.10 | 140.211.11.130 | 
| request.header['x-forwarded-for'] | 140.211.11.130, 192.168.0.10 | null | 
| request.header['x-forwarded-by'] | null | null | 
| request.header['x-forwarded-proto'] | https | https | 
| request.scheme | http | https | 
| request.secure | false | true | 
| request.serverPort | 80 | 443 | 
 Note : x-forwarded-by header is null because only internal proxies as been traversed by the request.
 x-forwarded-by is null because all the proxies are trusted or internal.
 
Sample with trusted proxies
RemoteIpValve configuration:
 <Valve
   className="org.apache.catalina.valves.RemoteIpValve"
   internalProxies="192\.168\.0\.10|192\.168\.0\.11"
   remoteIpHeader="x-forwarded-for"
   proxiesHeader="x-forwarded-by"
   trustedProxies="proxy1|proxy2"
   />
 | property | Value Before RemoteIpValve | Value After RemoteIpValve | 
|---|---|---|
| request.remoteAddr | 192.168.0.10 | 140.211.11.130 | 
| request.header['x-forwarded-for'] | 140.211.11.130, proxy1, proxy2 | null | 
| request.header['x-forwarded-by'] | null | proxy1, proxy2 | 
 Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both
 are migrated in x-forwarded-by header. x-forwarded-by is null because all the proxies are trusted or internal.
 
Sample with internal and trusted proxies
RemoteIpValve configuration:
 <Valve
   className="org.apache.catalina.valves.RemoteIpValve"
   internalProxies="192\.168\.0\.10|192\.168\.0\.11"
   remoteIpHeader="x-forwarded-for"
   proxiesHeader="x-forwarded-by"
   trustedProxies="proxy1|proxy2"
   />
 | property | Value Before RemoteIpValve | Value After RemoteIpValve | 
|---|---|---|
| request.remoteAddr | 192.168.0.10 | 140.211.11.130 | 
| request.header['x-forwarded-for'] | 140.211.11.130, proxy1, proxy2, 192.168.0.10 | null | 
| request.header['x-forwarded-by'] | null | proxy1, proxy2 | 
 Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both
 are migrated in x-forwarded-by header. As 192.168.0.10 is an internal proxy, it does not appear in
 x-forwarded-by. x-forwarded-by is null because all the proxies are trusted or internal.
 
Sample with an untrusted proxy
RemoteIpValve configuration:
 <Valve
   className="org.apache.catalina.valves.RemoteIpValve"
   internalProxies="192\.168\.0\.10|192\.168\.0\.11"
   remoteIpHeader="x-forwarded-for"
   proxiesHeader="x-forwarded-by"
   trustedProxies="proxy1|proxy2"
   />
 | property | Value Before RemoteIpValve | Value After RemoteIpValve | 
|---|---|---|
| request.remoteAddr | 192.168.0.10 | untrusted-proxy | 
| request.header['x-forwarded-for'] | 140.211.11.130, untrusted-proxy, proxy1 | 140.211.11.130 | 
| request.header['x-forwarded-by'] | null | proxy1 | 
 Note : x-forwarded-by holds the trusted proxy proxy1. x-forwarded-by holds
 140.211.11.130 because untrusted-proxy is not trusted and thus, we cannot trust that
 untrusted-proxy is the actual remote ip. request.remoteAddr is untrusted-proxy that is an IP
 verified by proxy1.
 
Lifecycle.SingleUseasyncSupported, container, containerLog, next, smmserverAFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT| Constructor and Description | 
|---|
| RemoteIpValve()Default constructor that ensures  ValveBase.ValveBase(boolean)is
 called withtrue. | 
| Modifier and Type | Method and Description | 
|---|---|
| protected static String[] | commaDelimitedListToStringArray(String commaDelimitedStrings)Convert a given comma delimited String into an array of String | 
| String | getHostHeader()Obtain the name of the HTTP header used to override the value returned
 by  Request.getServerName()and (optionally depending on {linkisChangeLocalName()Request.getLocalName(). | 
| int | getHttpServerPort() | 
| int | getHttpsServerPort() | 
| String | getInfo()Return descriptive information about this Valve implementation. | 
| String | getInternalProxies() | 
| String | getPortHeader()Obtain the name of the HTTP header used to override the value returned
 by  Request.getServerPort()and (optionally depending on {linkisChangeLocalPort()Request.getLocalPort(). | 
| String | getProtocolHeader() | 
| String | getProtocolHeaderHttpsValue() | 
| String | getProxiesHeader() | 
| String | getRemoteIpHeader() | 
| boolean | getRequestAttributesEnabled() | 
| String | getTrustedProxies() | 
| void | invoke(Request request,
      Response response)The implementation-specific logic represented by this Valve. | 
| boolean | isChangeLocalName() | 
| boolean | isChangeLocalPort() | 
| protected static String | listToCommaDelimitedString(List<String> stringList)Convert an array of strings in a comma delimited string | 
| void | setChangeLocalName(boolean changeLocalName) | 
| void | setChangeLocalPort(boolean changeLocalPort) | 
| void | setHostHeader(String hostHeader)Set the name of the HTTP header used to override the value returned
 by  Request.getServerName()and (optionally depending on {linkisChangeLocalName()Request.getLocalName(). | 
| void | setHttpServerPort(int httpServerPort)
 Server Port value if the  protocolHeaderis notnulland does not indicate HTTP
 
 
 Default value : 80 | 
| void | setHttpsServerPort(int httpsServerPort)
 Server Port value if the  protocolHeaderindicates HTTPS
 
 
 Default value : 443 | 
| void | setInternalProxies(String internalProxies)
 Regular expression that defines the internal proxies. | 
| void | setPortHeader(String portHeader)Set the name of the HTTP header used to override the value returned
 by  Request.getServerPort()and (optionally depending on {linkisChangeLocalPort()Request.getLocalPort(). | 
| void | setProtocolHeader(String protocolHeader)
 Header that holds the incoming protocol, usually named  X-Forwarded-Proto. | 
| void | setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue)
 Case insensitive value of the protocol header to indicate that the incoming http request uses SSL. | 
| void | setProxiesHeader(String proxiesHeader)
 The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP
 addresses trusted to resolve the actual remote IP. | 
| void | setRemoteIpHeader(String remoteIpHeader)
 Name of the http header from which the remote ip is extracted. | 
| void | setRequestAttributesEnabled(boolean requestAttributesEnabled)Should this valve set request attributes for IP address, Hostname,
 protocol and port used for the request? | 
| void | setTrustedProxies(String trustedProxies)
 Regular expression defining proxies that are trusted when they appear in
 the  remoteIpHeaderheader. | 
backgroundProcess, event, getContainer, getDomainInternal, getNext, getObjectNameKeyProperties, initInternal, isAsyncSupported, setAsyncSupported, setContainer, setNext, startInternal, stopInternal, toStringdestroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregisteraddLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stoppublic RemoteIpValve()
ValveBase.ValveBase(boolean) is
 called with true.protected static String[] commaDelimitedListToStringArray(String commaDelimitedStrings)
commaDelimitedStrings - The string to convertnull)protected static String listToCommaDelimitedString(List<String> stringList)
stringList - The string list to convertpublic String getHostHeader()
Request.getServerName() and (optionally depending on {link
 isChangeLocalName() Request.getLocalName().public void setHostHeader(String hostHeader)
Request.getServerName() and (optionally depending on {link
 isChangeLocalName() Request.getLocalName().hostHeader - The HTTP header namepublic boolean isChangeLocalName()
public void setChangeLocalName(boolean changeLocalName)
public int getHttpServerPort()
public int getHttpsServerPort()
public String getPortHeader()
Request.getServerPort() and (optionally depending on {link
 isChangeLocalPort() Request.getLocalPort().public void setPortHeader(String portHeader)
Request.getServerPort() and (optionally depending on {link
 isChangeLocalPort() Request.getLocalPort().portHeader - The HTTP header namepublic boolean isChangeLocalPort()
public void setChangeLocalPort(boolean changeLocalPort)
public String getInfo()
public String getInternalProxies()
setInternalProxies(String)public String getProtocolHeader()
setProtocolHeader(String)public String getProtocolHeaderHttpsValue()
setProtocolHeaderHttpsValue(String)public String getProxiesHeader()
setProxiesHeader(String)public String getRemoteIpHeader()
setRemoteIpHeader(String)public boolean getRequestAttributesEnabled()
true if the attributes will be logged, otherwise
         falsesetRequestAttributesEnabled(boolean)public String getTrustedProxies()
setTrustedProxies(String)public void invoke(Request request, Response response) throws IOException, ServletException
This method MUST be provided by a subclass.
invoke in interface Valveinvoke in class ValveBaserequest - The servlet request to be processedresponse - The servlet response to be createdIOException - if an input/output error occursServletException - if a servlet error occurspublic void setHttpServerPort(int httpServerPort)
 Server Port value if the protocolHeader is not null and does not indicate HTTP
 
Default value : 80
httpServerPort - The server portpublic void setHttpsServerPort(int httpsServerPort)
 Server Port value if the protocolHeader indicates HTTPS
 
Default value : 443
httpsServerPort - The server portpublic void setInternalProxies(String internalProxies)
Regular expression that defines the internal proxies.
Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254.\d{1,3}.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
internalProxies - The proxy regular expressionpublic void setProtocolHeader(String protocolHeader)
 Header that holds the incoming protocol, usually named X-Forwarded-Proto. If null, request.scheme and
 request.secure will not be modified.
 
 Default value : null
 
protocolHeader - The header namepublic void setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue)
Case insensitive value of the protocol header to indicate that the incoming http request uses SSL.
 Default value : https
 
protocolHeaderHttpsValue - The header namepublic void setProxiesHeader(String proxiesHeader)
The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header, while any intermediate RemoteIPInternalProxy addresses are discarded.
Name of the http header that holds the list of trusted proxies that has been traversed by the http request.
The value of this header can be comma delimited.
 Default value : X-Forwarded-By
 
proxiesHeader - The header namepublic void setRemoteIpHeader(String remoteIpHeader)
Name of the http header from which the remote ip is extracted.
The value of this header can be comma delimited.
 Default value : X-Forwarded-For
 
remoteIpHeader - The header namepublic void setRequestAttributesEnabled(boolean requestAttributesEnabled)
AccessLog which will otherwise log the
 original values. Default is true.
 The attributes set are:
 requestAttributesEnabled - true causes the attributes
                                  to be set, false disables
                                  the setting of the attributes.public void setTrustedProxies(String trustedProxies)
 Regular expression defining proxies that are trusted when they appear in
 the remoteIpHeader header.
 
Default value : empty list, no external proxy is trusted.
trustedProxies - The regular expressionCopyright © 2000-2020 Apache Software Foundation. All Rights Reserved.