users@servlet-spec.java.net

[servlet-spec users] [jsr369-experts] Re: Re: Re: RFC7239 support

From: Greg Wilkins <gregw_at_webtide.com>
Date: Wed, 21 Sep 2016 12:35:58 +1000

Stuart,

my thoughts for an API for this are along the lines of a mechanism to
specify what the standard methods should return plus extra methods to make
precise enquiries. Something like a <proxy> web.xml element which could be:

   - unset, gives the current container configuration returns from
   getRemoteXxx and getLocalXxx methods.
   - NONE, methods always return the details of the real TCP connection to
   the app server
   - LAST, the methods always returns the details of last proxy (from
   either PROXY protocol, Forwarded header or X-Forwarded header - container
   config chooses which are supported). This is least likely to be spoofed
   by a client if the last proxy always sets the header.
   - CLOSEST, the methods always return the details of the rightmost proxy
   indicator. This will often be the same as LAST, except for the Forwarded
   protocol which allows aggregation of the various parameters so LAST and
   CLOSEST can be distinguished.
   - FIRST, the methods always return the details of the first proxy
   indicator. This is very susceptable to being spoofed by a client.
   - FURTHEST, the methods always return the details of the leftmost proxy
   indicator. This will often be the same as FIRST, except for the Forwarded
   protocol which allows aggregation of the various parameters so FIRST and
   FURTHEST can be distinguished.

This element would allow an application to declare what it expects the
normal methods to return.

We could then also have additional methods like

enum ProxyType { NONE, LAST, CLOSEST, FURTHEST, FIRST };

InetSocketAddress getLocalSocketAddress(ProxyType proxy);
InetSocketAddress getRemoteSocketAddress(ProxyType proxy);
String getProtocol(ProxyType proxy);
boolean isSecure(ProxyType proxy);


I would expect a common configuration might be <proxy>FURTHEST</proxy> so
the default methods would return the adjusted values. Then any code that
wants to do things for DoS protection would use
getRemoteSocketAddress(ProxyType.NONE) if standalone or
getRemoteSocketAddress(ProxyType.LAST) if behind a known proxy.

The containers would then be free to use any of the defacto and/or standard
methods to provide the actual values transparently to the webapp, the app
is only saying which of the values it wants/expects to see.

cheers 




-- 
Greg Wilkins <gregw@webtide.com> CTO http://webtide.com
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.