JBoss Enterprise Application Platform
JBEAP-22460

[GSS](7.4.z) UNDERTOW-1964 - IPAddressAccessControlHandler (ip-access-control) stops working when ProxyPeerAddressHandler (proxy-address-forwarding="true") is enabled on listener and the X-Forwarded-For request header contains multiple IP addresses

      You can use AccessControlListHandler (access-control) with the "%h" (%{REMOTE_HOST}) attribute instead of using IPAddressAccessControlHandler (ip-access-control). For example:

      <expression-filter name="acl-filter" expression="path-prefix('/') -> access-control(default-allow=false, attribute=%h, acl={'127\.0\.0\.\d{1,3} allow'})"/>
      

      Note that you cannot specify an IP address range such as 127.0.0.0/8 in the "acl" of access-control, but you can specify a regex instead.
      Also note that you should not set resolve-peer-address="true" on your listener when you apply the above access-control filter to the "%h" (%{REMOTE_HOST}) attribute with a regex that matches an IP address: when resolve-peer-address="true" is set, %h is resolved from the IP address to a DNS hostname, so the above access-control filter would no longer match.


      Configure the following in the undertow subsystem:

              <subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
                  ...(snip)..
                  <server name="default-server">
                      <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" proxy-address-forwarding="true" /> <!-- add proxy-address-forwarding="true" --> 
                      ...(snip)...
                      <host name="default-host" alias="localhost">
                          <location name="/" handler="welcome-content"/>
                          <http-invoker security-realm="ApplicationRealm"/>
                          <filter-ref name="ip-access-filter" /> <!-- add this -->
                      </host>
                  </server>
                  ...(snip)...
                  <filters>
                    <expression-filter name="ip-access-filter" expression="path-prefix('/') -> ip-access-control(default-allow=false, acl={'127.0.0.0/8 allow'})"/> <!-- add this -->
                  </filters>
              </subsystem>
      

      Then, send the following requests with the curl commands:

      curl -v http://127.0.0.1:8080/
      
      curl -v http://127.0.0.1:8080/ -H "X-Forwarded-For: 127.0.0.2"
      
      curl -v http://127.0.0.1:8080/ -H "X-Forwarded-For: 127.0.0.2, 192.168.0.1"
      

      The first two requests succeed, but the last one fails with "403 Forbidden". However, the last one should also succeed, because the first entry of the X-Forwarded-For request header (127.0.0.2) is within the allowed IP address range.
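To make the expected decisions for the three curl requests concrete, here is an added Python model (not Undertow's code; the function names are hypothetical) of the behaviour the report expects: proxy-address-forwarding takes the first X-Forwarded-For entry as the peer address, ip-access-control matches it against the CIDR ACL from the reproducer, and the access-control workaround regex-matches the %h string. It also shows why the workaround stops matching once %h is a resolved hostname.

```python
"""Model of the access decisions discussed in JBEAP-22460 (added example,
not Undertow source). Function names and the rule format are assumptions."""
import ipaddress
import re

# ACL from the reproducer (ip-access-control) and from the workaround
# (access-control on %h). Constructed to mirror the configurations above.
CIDR_ACL = ["127.0.0.0/8 allow"]
REGEX_ACL = [r"127\.0\.0\.\d{1,3} allow"]


def effective_peer(remote_addr, x_forwarded_for=None):
    """Model of proxy-address-forwarding="true": the first (leftmost)
    X-Forwarded-For entry becomes the peer; otherwise the socket peer is used."""
    if x_forwarded_for:
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


def ip_access_control(peer, acl, default_allow=False):
    """Model of ip-access-control: CIDR rules, first matching rule wins."""
    addr = ipaddress.ip_address(peer)
    for rule in acl:
        network, verdict = rule.rsplit(None, 1)
        if addr in ipaddress.ip_network(network, strict=False):
            return verdict == "allow"
    return default_allow


def access_control_regex(peer, acl, default_allow=False):
    """Model of access-control with attribute=%h: the whole peer string must
    match the rule's regex, so a DNS hostname never matches an IP regex."""
    for rule in acl:
        pattern, verdict = rule.rsplit(None, 1)
        if re.fullmatch(pattern, peer):
            return verdict == "allow"
    return default_allow


def decide(remote_addr, x_forwarded_for=None):
    """Expected (ip-access-control, access-control workaround) verdicts."""
    peer = effective_peer(remote_addr, x_forwarded_for)
    return ip_access_control(peer, CIDR_ACL), access_control_regex(peer, REGEX_ACL)


if __name__ == "__main__":
    for header in (None, "127.0.0.2", "127.0.0.2, 192.168.0.1"):
        print(header, "->", decide("127.0.0.1", header))
```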


      See also UNDERTOW-1964 for details.

              rhn-engineering-lgao Lin Gao
              rhn-support-mmiura Masafumi Miura