Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-22460

[GSS](7.4.z) UNDERTOW-1964 - IPAddressAccessControlHandler (ip-access-control) stops working when ProxyPeerAddressHandler (proxy-address-forwarding="true") is enabled on listener and the X-Forwarded-For request header contains multiple IP addresses

    XMLWordPrintable

Details

    • False
    • False
    • +
    • Hide

      You can use AccessControlListHandler (access-control) with the "%h" (%{REMOTE_HOST}) attribute instead of using IPAddressAccessControlHandler (ip-access-control). For example:

      <expression-filter name="acl-filter" expression="path-prefix('/') -> access-control(default-allow=false, attribute=%h, acl={'127\.0\.0\.\d{1,3}) allow'})"/>

      Note that you can not specify IP address range like 127.0.0.0/8 for "acl" of access-control, but you can specify the regex.
      Also, note that you should not specify resolve-peer-address="true" on your listener when you want to apply the above access-control filter to "%h" (%{REMOTE_HOST}) attribute with the regex matcher for IP address. Because when resolve-peer-address="true" is specified, %h will be resolved from IP to DNS hostname, so the above access-control filter would not work.

      Show
      You can use AccessControlListHandler (access-control) with the "%h" (%{REMOTE_HOST}) attribute instead of using IPAddressAccessControlHandler (ip-access-control). For example: <expression-filter name= "acl-filter" expression= "path-prefix( '/' ) -> access-control( default -allow= false , attribute=%h, acl={ '127\.0\.0\.\d{1,3}) allow' })" /> Note that you can not specify IP address range like 127.0.0.0/8 for "acl" of access-control, but you can specify the regex. Also, note that you should not specify resolve-peer-address="true" on your listener when you want to apply the above access-control filter to "%h" (%{REMOTE_HOST}) attribute with the regex matcher for IP address. Because when resolve-peer-address="true" is specified, %h will be resolved from IP to DNS hostname, so the above access-control filter would not work.
    • Hide

      Configure the following

              <subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
            ...(snip)..
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" proxy-address-forwarding="true" /> <!-- add proxy-address-forwarding="true" --> 
                ...(sinp)..
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                    <filter-ref name="ip-access-filter" /> <!-- add this -->
                </host>
            </server>
            ...(snip)...
            <filters>
              <expression-filter name="ip-access-filter" expression="path-prefix('/') -> ip-access-control(default-allow=false, acl={'127.0.0.0/8 allow'})"/> <!-- add this -->
            </filters>
        </subsystem>

      Then, send the following requests with the curl commands:

      curl -v http://127.0.0.1:8080/

      curl -v http://127.0.0.1:8080/ -H "X-Forwarded-For: 127.0.0.2"

      curl -v http://127.0.0.1:8080/ -H "X-Forwarded-For: 127.0.0.2, 192.168.0.1"

      The first two requests succeed, but the last one will fail with "403 Forbidden". However, the last one should succeed as the first entry of the X-Forwarded-For request header has allowed IP address range.

      Show
      Configure the following <subsystem xmlns= "urn:jboss:domain:undertow:10.0" default -server= " default -server" default -virtual-host= " default -host" default -servlet-container= " default " default -security-domain= "other" statistics-enabled= "${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled: false }}" > ...(snip).. <server name= " default -server" > <http-listener name= " default " socket-binding= "http" redirect-socket= "https" enable-http2= " true " proxy-address-forwarding= " true " /> <!-- add proxy-address-forwarding= " true " --> ...(sinp).. <host name= " default -host" alias= "localhost" > <location name= "/" handler= "welcome-content" /> <http-invoker security-realm= "ApplicationRealm" /> <filter-ref name= "ip-access-filter" /> <!-- add this --> </host> </server> ...(snip)... <filters> <expression-filter name= "ip-access-filter" expression= "path-prefix( '/' ) -> ip-access-control( default -allow= false , acl={ '127.0.0.0/8 allow' })" /> <!-- add this --> </filters> </subsystem> Then, send the following requests with the curl commands: curl -v http: //127.0.0.1:8080/ curl -v http: //127.0.0.1:8080/ -H "X-Forwarded-For: 127.0.0.2" curl -v http: //127.0.0.1:8080/ -H "X-Forwarded-For: 127.0.0.2, 192.168.0.1" The first two requests succeed, but the last one will fail with "403 Forbidden". However, the last one should succeed as the first entry of the X-Forwarded-For request header has allowed IP address range.

    Description

      See also UNDERTOW-1964 for the details

      Attachments

        Issue Links

          incorporates

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-1964 IPAddressAccessControlHandler stops working when ProxyPeerAddressHandler is enabled and X-Forwarded-For request header contains multiple IP addresses

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is incorporated by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-22459 [GSS](7.3.z) UNDERTOW-1964 - IPAddressAccessControlHandler (ip-access-control) stops working when ProxyPeerAddressHandler (proxy-address-forwarding="true") is enabled on listener and the X-Forwarded-For request header contains multiple IP addresses

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              rhn-engineering-lgao Lin Gao
              rhn-support-mmiura Masafumi Miura
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: