Support for X-Forwarded-For and Forwarded for="..."

[larsgrefer]

The ForwardedHeaderFilter seems to ignore the X-Forwarded-For header and it's Forwarded complement: https://tools.ietf.org/html/rfc7239#section-5.2

As user of this filter, I would expect X-Forwarded-For or Forwarded for= to be handled and removed from the request. If there is a reason to not handle X-Forwarded-For this should be documented.

[luvarqpp]

I am trying not to make separate issue, so please look, if this is same problem: spring-projects/spring-security#7081

[rstoyanchev]

@luvarqpp, the server.use-forward-headers property in Spring Boot relies on the server, and does not use the ForwardedHeaderFilter. The two are actually mutually exclusive, and you should either enable server.use-forward-headers property or configure the ForwardedHeaderFilter, but not both.

Related to this, it does look like in Spring Boot 2.2 you'll be able to choose where you get your forwarded header (server or Spring Framework).

[rstoyanchev]

@larsgrefer can you clarify what handling you would expect to see? Overrides to getRemoteAddr, getRemoteHost, and getRemotePort in HttpServletRequest?

[larsgrefer]

I'd expect overrides to getRemoteAddr and getRemoteHost (the same way like Tomcat's RemoteIpValve does it)

We've migrated our application from Tomcat's RemoteIpValve to Spring's ForwardedHeaderFilter, because we need the support of X-Forwarded-Host. But then we noticed that X-Forwarded-For isn't handled anymore.