dev@grizzly.java.net

Re: Is proxy info available (and reliable) for requests through a proxy?

From: Oleksiy Stashok <oleksiy.stashok_at_oracle.com>
Date: Tue, 20 Dec 2011 16:07:41 +0100

Hi Tim,

AFAIK there is no standard way in the HTTP protocol to specify the remote
host:port the request originated from.
In Grizzly we take these values from the underlying Socket (like
java.net.Socket.getRemoteSocketAddress()), so if a request comes from a
proxy, we'll get the proxy's host:port.

WBR,
Alexey.

On 12/20/2011 01:36 AM, Tim Quinn wrote:
> Hi, folks.
>
> We have a scenario in which a user trying to launch the GlassFish
> admin console - on the same host where GF is running - specifies the
> full host name (rather than localhost) in the address. Further, the
> browser is set up to use a proxy (apparently without excluding
> localhost).
>
> It seems that in this case request.getRemoteHost returns a value that
> is not detected as the local system, so GlassFish treats this as a
> remote request (and therefore imposes more stringent security
> requirements).
>
> Is there a reliable and trustworthy way for an HTTP server to detect
> the true origin of the request, even if it has passed through a proxy
> which makes the request appear remote, and so to find out if the
> request actually came from the same host where the HTTP server is
> running?
>
> If the server tried to do this, is that opening up a potential
> security risk whereby a client could find out where the server really
> is running and then falsify HTTP headers to make a remote request look
> like it came from the same system where the server is running?
>
> Thanks.
>
> - Tim
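
An added example, not part of the original thread and not Grizzly or GlassFish code: a local-request check that uses only the socket peer address described in the reply and never a client-supplied header. The class and method names, the X-Forwarded-For header used as the forged input, and the sample addresses are assumptions constructed for illustration.

```java
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;
import java.util.Map;

public class LocalRequestCheck {

    /**
     * True only when the TCP peer address belongs to this machine.
     * The address must come from the accepted socket
     * (java.net.Socket.getRemoteSocketAddress()), never from a request header.
     */
    static boolean isLocalPeer(InetAddress peer) {
        if (peer.isLoopbackAddress()) {
            return true;
        }
        try {
            // Non-null when the address is bound to one of this host's interfaces,
            // which covers a browser on the same host using the full host name.
            return NetworkInterface.getByInetAddress(peer) != null;
        } catch (SocketException e) {
            return false; // cannot confirm: treat as remote (stricter policy)
        }
    }

    /** Hypothetical policy hook: headers are accepted but deliberately ignored. */
    static boolean treatAsLocal(InetAddress socketPeer, Map<String, String> headers) {
        return isLocalPeer(socketPeer);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample: a forwarding header claiming a loopback origin.
        Map<String, String> forged = Map.of("X-Forwarded-For", "127.0.0.1");

        // 203.0.113.10 is a documentation address (RFC 5737) standing in for a proxy.
        InetAddress proxy = InetAddress.getByAddress(new byte[] {(byte) 203, 0, 113, 10});
        InetAddress loopback = InetAddress.getByAddress(new byte[] {127, 0, 0, 1});

        System.out.println("via proxy, forged header: " + treatAsLocal(proxy, forged));
        System.out.println("direct loopback:          " + treatAsLocal(loopback, Map.of()));
    }
}
```

A proxy running on the same host would make every request it relays pass this check, so the result describes where the connection came from, not who originated the request.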