Support for X-Forwarded-For and Forwarded for="..."

[larsgrefer]

The ForwardedHeaderFilter seems to ignore the X-Forwarded-For header and it's Forwarded complement: https://tools.ietf.org/html/rfc7239#section-5.2

As user of this filter, I would expect X-Forwarded-For or Forwarded for= to be handled and removed from the request. If there is a reason to not handle X-Forwarded-For this should be documented.

[luvarqpp]

I am trying not to make separate issue, so please look, if this is same problem: spring-projects/spring-security#7081

[rstoyanchev]

@luvarqpp, the server.use-forward-headers property in Spring Boot relies on the server, and does not use the ForwardedHeaderFilter. The two are actually mutually exclusive, and you should either enable server.use-forward-headers property or configure the ForwardedHeaderFilter, but not both.

Related to this, it does look like in Spring Boot 2.2 you'll be able to choose where you get your forwarded header (server or Spring Framework).

[rstoyanchev]

@larsgrefer can you clarify what handling you would expect to see? Overrides to getRemoteAddr, getRemoteHost, and getRemotePort in HttpServletRequest?

[larsgrefer]

I'd expect overrides to getRemoteAddr and getRemoteHost (the same way like Tomcat's RemoteIpValve does it)

We've migrated our application from Tomcat's RemoteIpValve to Spring's ForwardedHeaderFilter, because we need the support of X-Forwarded-Host. But then we noticed that X-Forwarded-For isn't handled anymore.

[luvarqpp]

@rstoyanchev Thanks for clarification, but setting server.use-forward-headers to true does not help making simple login project to work correctly. Still first redirect does have wrong Location header. I have my experiment based on spring security example called hello world.

PS: I have made given project to work, when Forwarded header is in use (instead of X-Forwarded-* family). Does tomcat require standardized header for forwarding?

[rstoyanchev]

Thanks for the comment but this isn't the place to ask about Tomcat.

[yawo]

Nice ! this filter saved me

[hlang]

Is there a general idea how to handle the presence of both Forwarded and X-Forwarded- headers at the same time?
The Forwarded header can contain some or all of the parameters: by, for, host, proto
The implementation in UriComponentsBuilder#adaptFromForwardedHeaders right now is not really symetric.
First it checks if there is a Forwarded header, if yes it tries to take the parameters proto, host from this.
Only for proto there is a fallback implemented. Meaning that if proto is not found in Forwarded header, the X-Forwarded-Ssl is checked additionally.
This is not done for host. So if there is a Forwarded header but if this does not contain host-parameter, host and port are not extracted at all.
Wouldn't it be better to also fallback to the X-Forwarded-Host and X-Forwarded-Port header if they exist?

When using spring application behind a fabio proxy this problem occurs. The headers that fabio sets are: forwarded: for=100.93.64.162; proto=http; by=192.168.30.12; httpproto=http/1.1 and x-forwarded-host: 10.65.250.31:9999
So the host is not extracted in current implementation.

Edited: created own issue #23819

[juanmbellini]

@hlang You must register an instance of the ForwardedHeaderFilter. You can do this in any @Configuration class (assuming you are using spring boot):

@Bean
public FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
    final var bean = new FilterRegistrationBean<ForwardedHeaderFilter>();
    bean.setFilter(new ForwardedHeaderFilter());
    bean.setOrder(Ordered.HIGHEST_PRECEDENCE + 10);
    return bean;
}

Note that the ForwardedHeaderFilter is part of the org.springframework.web.filter package, located in the spring-web jar, and the FilterRegistrationBean is part of the org.springframework.boot.web.servlet, in the spring-boot jar.

[hlang]

@juanmbellini I use the ForwardedHeaderFilter. This works.
The question is to the implementation of UriComponentsBuilder used by this ForwardedHeaderFilter.

[rstoyanchev]

@hlang this has nothing to do with the issue under which you're commenting. That creates noise for anyone interested in this ticket now or in the future. Please, create a separate issue.

[rstoyanchev]

This is superseded by #23582.