Add group RemoteIpValve for ServerProperties.Tomcat

See gh-18302

Author: manduinca

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java

@@ -63,6 +63,7 @@
  * @author Rafiullah Hamedy
  * @author Dirk Deyne
  * @author HaiTao Zhang
+ * @author Victor Mandujano
  * @since 1.0.0
  */
 @ConfigurationProperties(prefix = "server", ignoreUnknownFields = true)
@@ -424,6 +425,11 @@ public static class Tomcat {
 		 */
 		private final Mbeanregistry mbeanregistry = new Mbeanregistry();
 
+		/**
+		 * Remote Ip Valve configuration.
+		 */
+		private final RemoteIpValve remoteIpValve = new RemoteIpValve();
+
 		public int getMaxThreads() {
 			return this.maxThreads;
 		}
@@ -468,36 +474,40 @@ public void setBasedir(File basedir) {
 			this.basedir = basedir;
 		}
 
+		@DeprecatedConfigurationProperty(replacement = "server.tomcat.remote-ip-valve.internal-proxies")
 		public String getInternalProxies() {
-			return this.internalProxies;
+			return this.remoteIpValve.getInternalProxies();
 		}
 
 		public void setInternalProxies(String internalProxies) {
-			this.internalProxies = internalProxies;
+			this.remoteIpValve.setInternalProxies(internalProxies);
 		}
 
+		@DeprecatedConfigurationProperty(replacement = "server.tomcat.remote-ip-valve.protocol-header")
 		public String getProtocolHeader() {
-			return this.protocolHeader;
+			return this.remoteIpValve.getProtocolHeader();
 		}
 
 		public void setProtocolHeader(String protocolHeader) {
-			this.protocolHeader = protocolHeader;
+			this.remoteIpValve.setProtocolHeader(protocolHeader);
 		}
 
+		@DeprecatedConfigurationProperty(replacement = "server.tomcat.remote-ip-valve.protocol-header-https-value")
 		public String getProtocolHeaderHttpsValue() {
-			return this.protocolHeaderHttpsValue;
+			return this.remoteIpValve.getProtocolHeaderHttpsValue();
 		}
 
 		public void setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue) {
-			this.protocolHeaderHttpsValue = protocolHeaderHttpsValue;
+			this.remoteIpValve.setProtocolHeaderHttpsValue(protocolHeaderHttpsValue);
 		}
 
+		@DeprecatedConfigurationProperty(replacement = "server.tomcat.remote-ip-valve.port-header")
 		public String getPortHeader() {
-			return this.portHeader;
+			return this.remoteIpValve.getPortHeader();
 		}
 
 		public void setPortHeader(String portHeader) {
-			this.portHeader = portHeader;
+			this.remoteIpValve.setPortHeader(portHeader);
 		}
 
 		public Boolean getRedirectContextRoot() {
@@ -516,20 +526,22 @@ public void setUseRelativeRedirects(Boolean useRelativeRedirects) {
 			this.useRelativeRedirects = useRelativeRedirects;
 		}
 
+		@DeprecatedConfigurationProperty(replacement = "server.tomcat.remote-ip-valve.remote-ip-header")
 		public String getRemoteIpHeader() {
-			return this.remoteIpHeader;
+			return this.remoteIpValve.getRemoteIpHeader();
 		}
 
 		public void setRemoteIpHeader(String remoteIpHeader) {
-			this.remoteIpHeader = remoteIpHeader;
+			this.remoteIpValve.setRemoteIpHeader(remoteIpHeader);
 		}
 
+		@DeprecatedConfigurationProperty(replacement = "server.tomcat.remote-ip-valve.host-header")
 		public String getHostHeader() {
-			return this.hostHeader;
+			return this.remoteIpValve.getHostHeader() == null ? this.hostHeader : this.remoteIpValve.getHostHeader();
 		}
 
 		public void setHostHeader(String hostHeader) {
-			this.hostHeader = hostHeader;
+			this.remoteIpValve.setHostHeader(hostHeader);
 		}
 
 		public Charset getUriEncoding() {
@@ -604,6 +616,10 @@ public Mbeanregistry getMbeanregistry() {
 			return this.mbeanregistry;
 		}
 
+		public RemoteIpValve getRemoteIpValve() {
+			return this.remoteIpValve;
+		}
+
 		/**
 		 * Tomcat access log properties.
 		 */
@@ -890,6 +906,96 @@ public void setEnabled(boolean enabled) {
 
 		}
 
+		public static class RemoteIpValve {
+
+			/**
+			 * Name of the HTTP header from which the remote host is extracted.
+			 */
+			private String hostHeader = "X-Forwarded-Host";
+
+			/**
+			 * Regular expression that matches proxies that are to be trusted.
+			 */
+			private String internalProxies = "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 10/8
+					+ "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" // 192.168/16
+					+ "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16
+					+ "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 127/8
+					+ "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12
+					+ "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" //
+					+ "0:0:0:0:0:0:0:1|::1";
+
+			/**
+			 * Header that holds the incoming protocol, usually named "X-Forwarded-Proto".
+			 */
+			private String protocolHeader;
+
+			/**
+			 * Value of the protocol header indicating whether the incoming request uses
+			 * SSL.
+			 */
+			private String protocolHeaderHttpsValue = "https";
+
+			/**
+			 * Name of the HTTP header used to override the original port value.
+			 */
+			private String portHeader = "X-Forwarded-Port";
+
+			/**
+			 * Name of the HTTP header from which the remote IP is extracted. For
+			 * instance, `X-FORWARDED-FOR`.
+			 */
+			private String remoteIpHeader;
+
+			public String getHostHeader() {
+				return this.hostHeader;
+			}
+
+			public void setHostHeader(String hostHeader) {
+				this.hostHeader = hostHeader;
+			}
+
+			public String getInternalProxies() {
+				return this.internalProxies;
+			}
+
+			public void setInternalProxies(String internalProxies) {
+				this.internalProxies = internalProxies;
+			}
+
+			public String getProtocolHeader() {
+				return this.protocolHeader;
+			}
+
+			public void setProtocolHeader(String protocolHeader) {
+				this.protocolHeader = protocolHeader;
+			}
+
+			public String getProtocolHeaderHttpsValue() {
+				return this.protocolHeaderHttpsValue;
+			}
+
+			public void setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue) {
+				this.protocolHeaderHttpsValue = protocolHeaderHttpsValue;
+			}
+
+			public String getPortHeader() {
+				return this.portHeader;
+			}
+
+			public void setPortHeader(String portHeader) {
+				this.portHeader = portHeader;
+			}
+
+			public String getRemoteIpHeader() {
+				return this.remoteIpHeader;
+			}
+
+			public void setRemoteIpHeader(String remoteIpHeader) {
+				this.remoteIpHeader = remoteIpHeader;
+			}
+
+		}
+
 	}
 
 	/**

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java

@@ -54,6 +54,7 @@
  * @author Chentao Qu
  * @author Andrew McGhie
  * @author Dirk Deyne
+ * @author Victor Mandujano
  * @since 2.0.0
  */
 public class TomcatWebServerFactoryCustomizer
@@ -170,8 +171,8 @@ private String joinCharacters(List<Character> content) {
 
 	private void customizeRemoteIpValve(ConfigurableTomcatWebServerFactory factory) {
 		Tomcat tomcatProperties = this.serverProperties.getTomcat();
-		String protocolHeader = tomcatProperties.getProtocolHeader();
-		String remoteIpHeader = tomcatProperties.getRemoteIpHeader();
+		String protocolHeader = tomcatProperties.getRemoteIpValve().getProtocolHeader();
+		String remoteIpHeader = tomcatProperties.getRemoteIpValve().getRemoteIpHeader();
 		// For back compatibility the valve is also enabled if protocol-header is set
 		if (StringUtils.hasText(protocolHeader) || StringUtils.hasText(remoteIpHeader)
 				|| getOrDeduceUseForwardHeaders()) {
@@ -182,10 +183,10 @@ private void customizeRemoteIpValve(ConfigurableTomcatWebServerFactory factory)
 			}
 			// The internal proxies default to a white list of "safe" internal IP
 			// addresses
-			valve.setInternalProxies(tomcatProperties.getInternalProxies());
-			valve.setHostHeader(tomcatProperties.getHostHeader());
-			valve.setPortHeader(tomcatProperties.getPortHeader());
-			valve.setProtocolHeaderHttpsValue(tomcatProperties.getProtocolHeaderHttpsValue());
+			valve.setInternalProxies(tomcatProperties.getRemoteIpValve().getInternalProxies());
+			valve.setHostHeader(tomcatProperties.getRemoteIpValve().getHostHeader());
+			valve.setPortHeader(tomcatProperties.getRemoteIpValve().getPortHeader());
+			valve.setProtocolHeaderHttpsValue(tomcatProperties.getRemoteIpValve().getProtocolHeaderHttpsValue());
 			// ... so it's safe to add this valve by default.
 			factory.addEngineValves(valve);
 		}

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java

@@ -52,6 +52,7 @@
  * @author Artsiom Yudovin
  * @author Stephane Nicoll
  * @author Andrew McGhie
+ * @author Victor Mandujano
  */
 class TomcatWebServerFactoryCustomizerTests {
 
@@ -178,6 +179,25 @@ void customRemoteIpValve() {
 		assertThat(remoteIpValve.getInternalProxies()).isEqualTo("192.168.0.1");
 	}
 
+	@Test
+	void customNewPropertiesForRemoteIpValve() {
+		bind("server.tomcat.remote-ip-valve.remote-ip-header=x-my-remote-ip-header",
+				"server.tomcat.remote-ip-valve.protocol-header=x-my-protocol-header",
+				"server.tomcat.remote-ip-valve.internal-proxies=192.168.0.1",
+				"server.tomcat.remote-ip-valve.port-header=x-my-forward-port",
+				"server.tomcat.remote-ip-valve.protocol-header-https-value=On");
+		TomcatServletWebServerFactory factory = customizeAndGetFactory();
+		assertThat(factory.getEngineValves()).hasSize(1);
+		Valve valve = factory.getEngineValves().iterator().next();
+		assertThat(valve).isInstanceOf(RemoteIpValve.class);
+		RemoteIpValve remoteIpValve = (RemoteIpValve) valve;
+		assertThat(remoteIpValve.getProtocolHeader()).isEqualTo("x-my-protocol-header");
+		assertThat(remoteIpValve.getProtocolHeaderHttpsValue()).isEqualTo("On");
+		assertThat(remoteIpValve.getRemoteIpHeader()).isEqualTo("x-my-remote-ip-header");
+		assertThat(remoteIpValve.getPortHeader()).isEqualTo("x-my-forward-port");
+		assertThat(remoteIpValve.getInternalProxies()).isEqualTo("192.168.0.1");
+	}
+
 	@Test
 	void customStaticResourceAllowCaching() {
 		bind("server.tomcat.resource.allow-caching=false");