Manuel,
On 2/5/20 1:29 PM, Manuel Dominguez Sarmiento wrote:
> Yes, there are two reasons:
>
> 1) The Tomcat valves operate on all webapps. We only need/require
> this for one particular webapp without affecting the others.

Not true; see Konstantin's response.

> 2) The code has been simplified for illustration purposes. Besides
> X-Forwarded-For, we detect and work around many other custom
> external mobile proxies which do not use X-Forwarded-For and
> require custom Geolocation code to detect the ISP and connection
> type (Google Compression Proxy, Nokia OVI, Novarra, Lotus Flare,
> Opera Mini, Opera Max, Samsung Max, etc.) - this kind of
> customization is not possible without custom code.

Interesting. Is this something you think would be widely useful and/or would be willing to share with the community?

If it's a fast-moving target (e.g. new public proxies are popping up all the time, or existing proxies keep changing their configuration requirements) then maybe it's not a great fit for a stable product like Tomcat. On the other hand, if it could be configured relatively easily (like with a "proxy definitions" file or something), then it could still be very valuable even with a simple or default configuration which only supports some very large proxies (e.g. Akamai, CloudFront, CloudFlare, etc.).

> This filter is not meant for detecting internal proxies within our
> control (such as Apache front ends or load balancers), but rather
> public proxies which are "transparently" (not really) used via
> some mobile devices and services.

Does it matter whether these are "internal" versus "external" proxies? The only real difference is the IP range of the proxy, right? It doesn't matter whether you control the proxy or it's an external service: you still have to secure and validate the connection in the same ways, and take the same action(s) on the server end where you trust the information being presented.
-chris

> On 2/5/20 12:12 PM, Manuel Dominguez Sarmiento wrote:
>>>> Our filter is not doing anything fancy (and it has always
>>>> worked correctly before we ran into this bug). In
>>>> pseudo-code:
>>>>
>>>> public void doFilter(ServletRequest request, ServletResponse response,
>>>>                      FilterChain chain) throws IOException, ServletException {
>>>>     String ip = request.getRemoteAddr();
>>>>     boolean isProxy = isProxy(ip);
>>>>     if (isProxy) {
>>>>         String unwrappedIP = unwrapXForwardedFor(request);
>>>>         chain.doFilter(new MobileProxyHidingServletRequestWrapper(request, unwrappedIP),
>>>>                        response);
>>>>     } else {
>>>>         chain.doFilter(request, response);
>>>>     }
>>>> }
>>>>
>>>> All that MobileProxyHidingServletRequestWrapper does is override
>>>> getRemoteAddr() returning unwrappedIP instead of delegating
>>>> to the actual request, while unwrapXForwardedFor() does what
>>>> the name suggests, which is processing X-Forwarded-For to
>>>> obtain the originating IP before it hit the detected proxy.
>
> Any reason not to use the valves Tomcat provides to do pretty much
> this exact thing?
>
> https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve
>
> -chris
>>
>> ---------------------------------------------------------------------
>>
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
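As an added example (not Manuel's filter and not Tomcat's own code), here is a standalone Java sketch of what a safe unwrapXForwardedFor() has to do, namely the same right-to-left walk over the proxy chain that the RemoteIpValve performs with its trusted proxy lists; the class, method and addresses are assumptions. It also shows Chris's point in code: whether a proxy is internal or an external mobile service only changes which addresses go into the trusted set, not the validation.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

/** Hypothetical helper: picks the client address to report from behind trusted proxies. */
public final class ForwardedClientAddress {

    /**
     * remoteAddr is the TCP peer, xForwardedFor the raw header (may be null) and
     * isTrustedProxy says which addresses we accept forwarding headers from. Whether a
     * proxy is an internal load balancer or a known public mobile proxy only changes
     * what goes into that predicate, not the algorithm.
     */
    public static String resolve(String remoteAddr, String xForwardedFor,
                                 Predicate<String> isTrustedProxy) {
        // Trust the header only when the direct peer is a proxy we know; otherwise a
        // client can send its own X-Forwarded-For and we must fall back to the peer.
        if (xForwardedFor == null || !isTrustedProxy.test(remoteAddr)) {
            return remoteAddr;
        }
        // Each proxy appends its client to the right, so the right-most entry was
        // written by the proxy nearest us. Walk right-to-left, dropping trusted hops;
        // the first untrusted one is the best estimate of the originating client.
        List<String> hops = Arrays.asList(xForwardedFor.split(","));
        for (int i = hops.size() - 1; i >= 0; i--) {
            String hop = hops.get(i).trim();
            if (hop.isEmpty()) continue;      // tolerate empty entries like "a, , b"
            if (!isTrustedProxy.test(hop)) {
                return hop;
            }
        }
        return remoteAddr;  // every listed hop was a trusted proxy: keep the peer
    }

    public static void main(String[] args) {
        // Constructed sample data: 10.0.0.5 is our own front end, 198.51.100.7 stands in
        // for an external mobile proxy whose range we have decided to trust.
        Set<String> trusted = Set.of("10.0.0.5", "198.51.100.7");
        Predicate<String> isTrusted = trusted::contains;
        // Peer is trusted: unwrap through both proxies to the originating client.
        System.out.println(resolve("10.0.0.5", "203.0.113.9, 198.51.100.7", isTrusted));
        // Peer is an ordinary client: whatever it put in the header is ignored.
        System.out.println(resolve("203.0.113.9", "192.0.2.1", isTrusted));
        // Entries left of the first untrusted hop were not written by anyone we trust.
        System.out.println(resolve("10.0.0.5", "192.0.2.1, 203.0.113.9, 198.51.100.7",
                isTrusted));
    }
}
```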