Manuel,

On 2/5/20 1:29 PM, Manuel Dominguez Sarmiento wrote:
> Yes, there are two reasons:
> 
> 1) The Tomcat valves operate on all webapps. We only need/require 
> this for one particular webapp without affecting the others.
Not true; see Konstantin's response.

> 2) The code has been simplified for illustration purposes. Besides 
> X-Forwarded-For, we detect and work around many other custom
> external mobile proxies which do not use X-Forwarded-For and
> require custom Geolocation code to detect the ISP and connection
> type (Google Compression Proxy, Nokia OVI, Novarra, Lotus Flare,
> Opera Mini, Opera Max, Samsung Max, etc.) - this kind of
> customization is not possible without custom code.

Interesting. Is this something you think would be widely useful and/or
would be willing to share with the community? If it's a fast-moving
target (e.g. new public proxies are popping up all the time, or
existing proxies keep changing their configuration requirements) then
maybe it's not a great fit for a stable product like Tomcat.

On the other hand, if it could be configured relatively easily (like
with a "proxy definitions" file or something), then it could still be
very valuable even with a simple or default configuration which only
supports some very large proxies (e.g. Akamai, CloudFront, CloudFlare,
etc.).

> This filter is not meant for detecting internal proxies within our 
> control (such as Apache front ends or load balancers), but rather 
> public proxies which are "transparently" (not really) used via
> some mobile devices and services.

Does it matter whether these are "internal" versus "external" proxies?
The only real difference is the IP-range of the proxy, right? It
doesn't matter whether you control the proxy or it's an external
service: you still have to secure and validate the connection in the
same ways, and take the same action(s) on the server-end where you
trust the information being presented.

- -chris

> On 2/5/20 12:12 PM, Manuel Dominguez Sarmiento wrote:
>>>> Our filter is not doing anything fancy (and it has always
>>>> worked correctly before we ran into this bug). In
>>>> pseudo-code:
>>>> 
>>>> public void doFilter(ServletRequest request, ServletResponse response,
>>>>                      FilterChain chain) throws IOException, ServletException {
>>>>     String ip = request.getRemoteAddr();
>>>>     boolean isProxy = isProxy(ip);
>>>>     if (isProxy) {
>>>>         // replace the proxy's address with the one it forwarded
>>>>         String unwrappedIP = unwrapXForwardedFor((HttpServletRequest) request);
>>>>         chain.doFilter(new MobileProxyHidingServletRequestWrapper(
>>>>                 (HttpServletRequest) request, unwrappedIP), response);
>>>>     } else {
>>>>         chain.doFilter(request, response);
>>>>     }
>>>> }
>>>> 
>>>> All that MobileProxyHidingServletRequestWrapper does is override
>>>> getRemoteAddr(), returning unwrappedIP instead of delegating to
>>>> the actual request, while unwrapXForwardedFor() does what the
>>>> name suggests: it processes X-Forwarded-For to obtain the
>>>> originating IP before it hit the detected proxy.
> Any reason not to use the valves Tomcat provides to do pretty much
> this exact thing?
> 
> https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve
> 
> -chris
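An added example, not code from Chris, Manuel or the Tomcat project, of the trust decision both the quoted filter and the reply above turn on: classify the connecting address by proxy IP range, then read X-Forwarded-For from the right so that only entries vouched for by a proxy on that list are believed, and treat a header on a direct connection as client-controlled noise. The ClientIpResolver and Cidr names are hypothetical, the scope is IPv4 only, and the 203.0.113.0/24, 10.0.0.0/8, 198.51.100.0/24 and 192.0.2.0/24 addresses are constructed from the RFC 5737/RFC 1918 documentation and private ranges. A filter like the one in the thread would call resolve() from doFilter() with request.getRemoteAddr() and the X-Forwarded-For header value.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical helper (not from the thread or from Tomcat): resolves the originating
 * client address for a request that arrived through one or more proxies, trusting
 * X-Forwarded-For only as far as the chain of proxies we have explicitly listed.
 */
public final class ClientIpResolver {

    /** Minimal IPv4 CIDR matcher, e.g. "203.0.113.0/24". Never performs DNS lookups. */
    static final class Cidr {
        private final int network;
        private final int mask;

        Cidr(String cidr) {
            String[] parts = cidr.split("/", -1);
            int prefix = parts.length > 1 ? Integer.parseInt(parts[1]) : 32;
            if (prefix < 0 || prefix > 32) throw new IllegalArgumentException("bad prefix: " + cidr);
            this.mask = prefix == 0 ? 0 : -1 << (32 - prefix);
            this.network = toInt(parts[0]) & mask;
        }

        boolean contains(String ip) {
            return (toInt(ip) & mask) == network;
        }

        /** Parses dotted-quad text only, so a hostname in the header can never trigger a resolver. */
        static int toInt(String ip) {
            String[] octets = ip.split("\\.", -1);
            if (octets.length != 4) throw new IllegalArgumentException("not dotted quad: " + ip);
            int value = 0;
            for (String o : octets) {
                if (o.isEmpty() || o.length() > 3 || !o.chars().allMatch(Character::isDigit)) {
                    throw new IllegalArgumentException("bad octet: " + ip);
                }
                int n = Integer.parseInt(o);
                if (n > 255) throw new IllegalArgumentException("bad octet: " + ip);
                value = (value << 8) | n;
            }
            return value;
        }
    }

    private final List<Cidr> trustedProxies = new ArrayList<>();

    ClientIpResolver(String... trustedCidrs) {
        for (String c : trustedCidrs) trustedProxies.add(new Cidr(c));
    }

    static boolean isIpv4(String s) {
        try { Cidr.toInt(s); return true; } catch (IllegalArgumentException e) { return false; }
    }

    boolean isTrustedProxy(String ip) {
        if (!isIpv4(ip)) return false;
        for (Cidr c : trustedProxies) if (c.contains(ip)) return true;
        return false;
    }

    /**
     * Walks X-Forwarded-For right to left: the rightmost entry was appended by the proxy
     * that connected to us, and each trusted proxy vouches for the entry to its left.
     * The first entry that is not one of our proxies is the best client address available;
     * anything further left was written by a party we do not trust and is ignored.
     */
    String resolve(String remoteAddr, String xForwardedFor) {
        // Direct connection: the header is wholly client-controlled, so ignore it.
        if (!isTrustedProxy(remoteAddr)) return remoteAddr;
        if (xForwardedFor == null || xForwardedFor.trim().isEmpty()) return remoteAddr;

        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!isIpv4(hop)) return remoteAddr;   // malformed entry: never pass header junk downstream
            if (!isTrustedProxy(hop)) return hop;
        }
        return remoteAddr;  // every hop is one of our own proxies (e.g. a health check); nothing to unwrap
    }

    public static void main(String[] args) {
        // Constructed ranges: 203.0.113.0/24 stands in for a trusted external proxy, 10.0.0.0/8 for internal ones.
        ClientIpResolver r = new ClientIpResolver("203.0.113.0/24", "10.0.0.0/8");
        // client 198.51.100.7 -> external proxy 203.0.113.5 -> internal load balancer 10.1.2.3 -> Tomcat
        System.out.println(r.resolve("10.1.2.3", "198.51.100.7, 203.0.113.5"));
        // same path, but the client pre-seeded a forged leftmost entry
        System.out.println(r.resolve("10.1.2.3", "192.0.2.1, 198.51.100.7, 203.0.113.5"));
        // direct connection from the client carrying a forged header
        System.out.println(r.resolve("198.51.100.7", "192.0.2.1"));
    }
}
```

In all three calls in main() the resolved address is the real client, 198.51.100.7; the forged 192.0.2.1 is never reached because the walk stops at the first untrusted hop, and on a direct connection the header is not consulted at all. This is also why the internal/external distinction in the thread does not change the logic: an Akamai-style edge and an Apache front end you run yourself are both just ranges on the trusted list, and both are only believed for the single entry they appended.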

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
