You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by Niki Dokovski <ni...@gmail.com> on 2017/10/05 13:02:44 UTC

request.getServerPort with RemoteIpValve

Hi,

May I ask for your opinion on the following case:

When RemoteIpValve is enabled getServerPort returns inconsistent value depending on the presence of protocolHeader (“x-forwarded-proto” by default)

Here is a short example
1) no x-forwarded-proto
curl -H "Host: myserverhost:32279" -H "x-forwarded-for: 10.0.0.10" http://10.19.82.245:8080/remoteip.jsp
getRemoteAddr 10.0.0.10
getRemoteHost 10.0.0.10
getServerPort 32279
getScheme     http

2) with x-forwarded-proto
curl -H "Host: myserverhost:32279" -H "x-forwarded-for: 10.0.0.10" -H "x-forwarded-proto: https" http://10.19.82.245:8080/remoteip.jsp
getRemoteAddr 10.0.0.10
getRemoteHost 10.0.0.10
getServerPort 443
getScheme     https

Hence when we have the presence of x-forwarded-proto we default to 443 otherwise we respect the value in the Host header.
Looking in the source code of the RemoteIpValve when setPort is invoked if the protocolHeader is present and defaults to 443 if portHeader is not present as in the case above but should it be as in the case 1)

Best regards
Niki