Add support for Forwarded / X-Forwarded-* headers #249

bclozel · 2017-12-21T14:13:31Z

This is a proposal for gh-220.

This implementation supports both the standard header "Forward", but also non-standard but quite common ones, such as "X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Port" and "X-Forwarded-Proto".

I've made available that information directly in the HttpServerRequest. Of course this feature is opt-in and disabled by default.

Possible improvements:

support trusted proxies; the current implementation considers only the first information provided in the list of values. We could configure trusted proxies, walk back the listed values and stop at the first unknown proxy
refine the configuration; it's currently an on/off thing, but we could only enable support for the rfc or the non-standard X-Forwarded-*

simonbasle · 2017-12-21T15:03:31Z

src/main/java/reactor/ipc/netty/http/server/ConnectionInfo.java

+		InetSocketAddress remoteAddress = channel.remoteAddress();
+		String scheme = channel.pipeline().get(SslHandler.class) != null ? "https" : "http";
+
+		String forwarded = request.requestHeaders().get(FORWARDED_HEADER).split(",")[0];


is splitting on the comma , character ok? quoted strings in header values are allowed to contain commas BUT in this particular case:

proto= definition is same as URI scheme (no commas allowed 👍 )

for= definition is that of a Node identifier (no commas allowed 👍 )

host= definition is that of the Host header field / HTTP URI. This one is a bit more complex, but I don't think unencoded commas can appear (🤔)

So this should be ok, but might want to dig into the host one.

See rfc7239 section 5.3 and rfc7230 section 3.2.6.

, is part of the US-ASCII delimiters, so not allowed there AFAIU.

that's for the token part (here host), but the value can be a quoted string, which may contain characters in the %x23-5B range (including the comma %x2C), in addition to %x21 (!) but not %x22 (double quotes)

I don't get it - isn't that encoded still at that point?
I just tried sending a Forward: for="exa%x2Cmple.com" header and serverRequest.remoteAddress().getHostString() does return "exa%x2Cmple.com". Do you have a test case in mind that reproduces the issue?

nope, just had a gut feeling splitting on , might be "too simple". I have thus briefly looked at the RFC, which I have a limited understanding of (since I don't deal with as often as you guys ;) )

from what I understand of the ABNF notation used in the RFC, %x2C means "a literal comma", not "a comma encoded as %x2C" [1] (so that might be were I'm interpreting things wrong).

rfc7230 section 3.2.6 defines the quoted string qdtext with such a range: %x23-5B (which I assume would mean "the literal characters between # an [, including A-Z and the comma.

if that's working well enough for SPR, then that's probably good 👍 just challenging the assumptions a bit.

[1] see ABNF rfc section 3.4

You may be right, actually.
At the same time it seems commas aren't allowed in hostnames (in other RFCs) and it looks like Tomcat is doing the same: https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/valves/RemoteIpValve.java#L354

violetagg · 2018-01-09T08:46:18Z

src/main/java/reactor/ipc/netty/http/server/HttpServerOperations.java

@@ -107,9 +112,13 @@ static HttpServerOperations bindHttp(Channel channel,
 		this.nettyResponse = new DefaultHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK);
 		this.responseHeaders = nettyResponse.headers();
 		this.cookieHolder = Cookies.newServerRequestHolder(requestHeaders());
+		if (ch.attr(USE_FORWARDED).get()) {


Check for null
Something like

Attribute<Boolean> useForwarded = ch.attr(USE_FORWARDED); if (useForwarded != null && useForwarded.get() != null && useForwarded.get()) {

violetagg · 2018-01-09T08:48:55Z