Impl Check: ServletRequest.getRemoteAddr and intermediaries #368
Comments
|
#Question |
|
should be nginx b, but this should be easy to test if you are not sure? and if you want to pass the cloudflare ip, what is stopping you by setting cloudflare ip in the http header? |
|
From a pure Servlet spec perspective the Servlet container will see NGINX as the user agent. There are various ways to make the reverse proxies transparent so Servlet container sees the "real" user agent but they are all outside of the Servlet spec. The support channel for your Servlet container of choice is the place to see container specific advice. |
|
This method was present in Servlet 2.3, in 2002. Back then, there was I am not contesting your closing this, but I do wonder what you think is What do you think @markt-asf Mark? Ed |
|
Note that there are several variations of defacto standards for dealing with intermediaries: Perhaps the spec could encourage that to be supported as too many clients/intermediaries/servers are still futzing with the old badly defined X-Some-Proxies-Do-This headers. Currently the javadoc for /**
* Returns the Internet Protocol (IP) address of the client
* or last proxy that sent the request.
* For HTTP servlets, same as the value of the
* CGI variable <code>REMOTE_ADDR</code>.
*
* @return a <code>String</code> containing the
* IP address of the client that sent the request
*/So it is not even internally consistent in the description of the value returned and does not allow for the server to do such things as RFC7239. /**
* Returns the Internet Protocol (IP) address of the
* remote source of the request. Depending on the server
* configuration this may be of <ul>
* <li>the originating client; </li>
* <li>the last intermediary in the connection that delivered the request;</li>
* <li>the address provided by a protocol specific mechanism
* such as <a href="https://tools.ietf.org/html/rfc7239">RFC7239</a>.</li>
* <ul>
* @return a <code>String</code> containing the
* IP address of the remote source of the request.
*/So I'll reopen and depending on feedback may do a PR (or Ed feel free to do a PR if I don't get around to it). |
|
To Ed's point, HTTP reverse proxies have been a common feature of Servlet container deployments from the beginning. Handling the scenario where the service boundary is the other side of one or more reverse proxies is nothing new. PaaS moves the hardware to someone else's server room but doesn't change the problem. "Right way to behave" depends on your point of view and/or the requirements of any given situation. I've no objection to clarifying the text. I'd add some text to Greg's proposal to specify what the default behaviour is expected to be in the absence of container specific configuration. Something like "The default behaviour is to return the IP address of the source of the IP connection (whether user agent or intermediary) to the Servlet container.". I'm sure that can be improved but you get the idea. A separate question - probably for the Servlet 6.0 timescale - is should the Servlet spec require containers to support RFC 7239? I'm currently leaning towards making it a recommendation rather than a requirement. |
Fixes #368 with javadoc updates for: + reference to RFC 7239 for obtaining local/remote IP and ports + removed historic references to CGI variables + relaxed the dependence on the host header, which may not be present in HTTP/2
|
I think it should be a recommendation rather than a requirement. It's definitely not something that should be enabled by default as it has security implications if it is enabled and it is possible for the remote clients to craft the |
Fixes #368 Updates javadoc for getRemoteAddr
Hello Experts,
I have a customer with a question about ServletRequest.getRemoteAddr. Consider the following network layout.
Please confirm that
getRemoteAddrin the tomcat should return the CloudFlare not the NGINX B.Thanks,
Ed
The text was updated successfully, but these errors were encountered: