Support X-Forwarded-Host header when auto-configuring RemoteIpValve

Closes gh-18233

Support X-Forwarded-Host header when auto-configuring RemoteIpValve
Closes gh-18233
30c05b2b · Andy Wilkinson · 303974fd · 30c05b2b · 30c05b2b · 30c05b2b
Commit 30c05b2b authored Sep 22, 2019 by Andy Wilkinson
3 changed files
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
@@ -321,6 +321,11 @@ public class ServerProperties {
 		 */
 		private String remoteIpHeader;

+		/**
+		 * Name of the HTTP header from which the remote host is extracted.
+		 */
+		private String hostHeader = "X-Forwarded-Host";
+
 		/**
 		 * Tomcat base directory. If not specified, a temporary directory is used.
 		 */
@@ -519,6 +524,14 @@ public class ServerProperties {
 			this.remoteIpHeader = remoteIpHeader;
 		}

+		public String getHostHeader() {
+			return this.hostHeader;
+		}
+
+		public void setHostHeader(String hostHeader) {
+			this.hostHeader = hostHeader;
+		}
+
 		public Charset getUriEncoding() {
 			return this.uriEncoding;
 		}

--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java
@@ -183,6 +183,7 @@ public class TomcatWebServerFactoryCustomizer
 			// The internal proxies default to a white list of "safe" internal IP
 			// addresses
 			valve.setInternalProxies(tomcatProperties.getInternalProxies());
+			valve.setHostHeader(tomcatProperties.getHostHeader());
 			valve.setPortHeader(tomcatProperties.getPortHeader());
 			valve.setProtocolHeaderHttpsValue(tomcatProperties.getProtocolHeaderHttpsValue());
 			// ... so it's safe to add this valve by default.

--- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java
@@ -243,6 +243,8 @@ class TomcatWebServerFactoryCustomizerTests {
 		assertThat(remoteIpValve.getProtocolHeader()).isEqualTo("X-Forwarded-Proto");
 		assertThat(remoteIpValve.getProtocolHeaderHttpsValue()).isEqualTo("https");
 		assertThat(remoteIpValve.getRemoteIpHeader()).isEqualTo("X-Forwarded-For");
+		assertThat(remoteIpValve.getHostHeader()).isEqualTo("X-Forwarded-Host");
+		assertThat(remoteIpValve.getPortHeader()).isEqualTo("X-Forwarded-Port");
 		String expectedInternalProxies = "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 10/8
 				+ "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" // 192.168/16
 				+ "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16