Merge pull request #231 from xenit-eu/DOCKER-471

DOCKER-471 Added remote IP valve to Tomcat

Author: kpiot123

Changelog.md

@@ -15,6 +15,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 * [PR #78](https://github.com/xenit-eu/docker-alfresco/pull/78) DOCKER-408 Add timeout to health check commands
 
 ### Added
+* [PR #231](https://github.com/xenit-eu/docker-alfresco/pull/231) DOCKER-471 Added remote ip valve to Tomcat 10 
 * [PR #223](https://github.com/xenit-eu/docker-alfresco/pull/223) DOCKER-466 Added Support for v25.1 
 * [PR #222](https://github.com/xenit-eu/docker-alfresco/pull/222) DOCKER-464 Added json logging test
 * [PR #219](https://github.com/xenit-eu/docker-alfresco/pull/219) ALFREDAPI-569 Added Alfresco V23.3 & V23.4 support

README.md

@@ -75,6 +75,7 @@ in the following tables, are the values that are used when the environment varia
 | TOMCAT_ALLOW_CASUAL_MULTIPART_PARSING               | false                            | Set to true if Tomcat should automatically parse multipart/form-data request bodies when HttpServletRequest.getPart* or HttpServletRequest.getParameter* is called. The default is false.                                                                                                                |
 | TOMCAT_ALLOW_MULTIPLE_LEADING_FORWARD_SLASH_IN_PATH | false                            | Tomcat will collapse multiple leading / characters at the start of the return value for HttpServletRequest#getContextPath() to a single /. The default is false.                                                                                                                                         |
 | TOMCAT_CROSS_CONTEXT                                | false                            | Set to true if you want calls within this application to ServletContext.getContext() to successfully return a request dispatcher for other web applications running on this virtual host. Set to false (the default) in security conscious environments, to make getContext() always return null.        |
+| TOMCAT_REMOTE_IP_VALVE_ENABLED                      | true                             | If this is set to true, it will allow Tomcat to pick up remote ip headers like "X-Forwarded-For“, “X-Forwarded-Proto“ and “X-Forwarded-Port“. If Alfresco/Share are behind a proxy, they will be aware of that.                                                                                          |
 | JAVA_XMS                                            |                                  | -Xmx                                                                                                                                                                                                                                                                                                     |
 | JAVA_XMX                                            |                                  | -Xms                                                                                                                                                                                                                                                                                                     |
 | DEBUG                                               | false                            | -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n                                                                                                                                                                                                                                    |

tomcat-base/build.gradle

@@ -50,6 +50,9 @@ subprojects {
         implementation "eu.xenit.logging:json-logging:${jsonLoggingVersion}"
         testImplementation "org.junit.jupiter:junit-jupiter-api:5.10.0"
         testImplementation("org.junit-pioneer:junit-pioneer:2.1.0")
+        testImplementation group: 'io.rest-assured', name: 'rest-assured', version: '5.3.2'
+        testImplementation group: 'io.rest-assured', name: 'json-path', version: '5.3.2'
+        testImplementation group: 'io.rest-assured', name: 'rest-assured-common', version: '5.3.2'
         testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:5.10.0"
         sharedLibs("eu.xenit.logging:json-logging:${jsonLoggingVersion}") {
             transitive = false
@@ -82,7 +85,9 @@ subprojects {
         test {
             java {
                 srcDir file("$project.parent.projectDir/src/shared/test/java")
-
+                if (tomcatVersion.contains("10")) {
+                    srcDir file("$project.projectDir/src/test/java")
+                }
             }
             resources {
                 srcDir file("$project.parent.projectDir/src/shared/test/resources")

tomcat-base/src/shared/main/java/eu/xenit/alfresco/tomcat/embedded/alfresco/tomcat/AlfrescoTomcatFactoryHelper.java

@@ -63,7 +63,8 @@ public static void createSSLConnector(Tomcat tomcat, AlfrescoConfiguration alfre
                 tomcatConfiguration.getTomcatMaxThreads(),
                 tomcatConfiguration.getTomcatMaxHttpHeaderSize(),
                 tomcatConfiguration.getTomcatRelaxedPathChars(),
-                tomcatConfiguration.getTomcatRelaxedQueryChars()
+                tomcatConfiguration.getTomcatRelaxedQueryChars(),
+                tomcatConfiguration.isRemoteIpValveEnabled()
         );
 
         SSLHostConfig sslHostConfig = new SSLHostConfig();

tomcat-base/src/shared/main/java/eu/xenit/alfresco/tomcat/embedded/config/DefaultConfigurationProvider.java

@@ -22,6 +22,7 @@ public TomcatConfiguration getConfiguration(TomcatConfiguration baseConfiguratio
         baseConfiguration.setAllowCasualMultipartParsing(false);
         baseConfiguration.setAllowMultipleLeadingForwardSlashInPath(false);
         baseConfiguration.setCrossContext(false);
+        baseConfiguration.setRemoteIpValveEnabled(true);
         return baseConfiguration;
     }
 }

tomcat-base/src/shared/main/java/eu/xenit/alfresco/tomcat/embedded/config/EnvironmentVariableConfigurationProvider.java

@@ -14,6 +14,7 @@
 import static eu.xenit.alfresco.tomcat.embedded.config.EnvironmentVariables.TOMCAT_BASE_DIR;
 import static eu.xenit.alfresco.tomcat.embedded.config.EnvironmentVariables.TOMCAT_CACHE_MAX_SIZE;
 import static eu.xenit.alfresco.tomcat.embedded.config.EnvironmentVariables.TOMCAT_CROSS_CONTEXT;
+import static eu.xenit.alfresco.tomcat.embedded.config.EnvironmentVariables.TOMCAT_REMOTE_IP_VALVE_ENABLED;
 import static eu.xenit.alfresco.tomcat.embedded.config.EnvironmentVariables.TOMCAT_MAX_HTTP_HEADER_SIZE;
 import static eu.xenit.alfresco.tomcat.embedded.config.EnvironmentVariables.TOMCAT_MAX_THREADS;
 import static eu.xenit.alfresco.tomcat.embedded.config.EnvironmentVariables.TOMCAT_PORT;
@@ -50,6 +51,7 @@ public TomcatConfiguration getConfiguration(TomcatConfiguration baseConfiguratio
         setPropertyFromEnv(TOMCAT_ALLOW_CASUAL_MULTIPART_PARSING, value -> baseConfiguration.setAllowCasualMultipartParsing(Boolean.parseBoolean(value)));
         setPropertyFromEnv(TOMCAT_ALLOW_MULTIPLE_LEADING_FORWARD_SLASH_IN_PATH, value -> baseConfiguration.setAllowMultipleLeadingForwardSlashInPath(Boolean.parseBoolean(value)));
         setPropertyFromEnv(TOMCAT_CROSS_CONTEXT, value -> baseConfiguration.setCrossContext(Boolean.parseBoolean(value)));
+        setPropertyFromEnv(TOMCAT_REMOTE_IP_VALVE_ENABLED, value -> baseConfiguration.setRemoteIpValveEnabled(Boolean.parseBoolean(value)));
         return baseConfiguration;
     }
 }

tomcat-base/src/shared/main/java/eu/xenit/alfresco/tomcat/embedded/config/EnvironmentVariables.java

@@ -22,6 +22,7 @@ public class EnvironmentVariables {
     public static final String TOMCAT_ALLOW_CASUAL_MULTIPART_PARSING = "TOMCAT_ALLOW_CASUAL_MULTIPART_PARSING";
     public static final String TOMCAT_ALLOW_MULTIPLE_LEADING_FORWARD_SLASH_IN_PATH = "TOMCAT_ALLOW_MULTIPLE_LEADING_FORWARD_SLASH_IN_PATH";
     public static final String TOMCAT_CROSS_CONTEXT = "TOMCAT_CROSS_CONTEXT";
+    public static final String TOMCAT_REMOTE_IP_VALVE_ENABLED = "TOMCAT_REMOTE_IP_VALVE_ENABLED";
     private EnvironmentVariables() {
     }
 

tomcat-base/src/shared/main/java/eu/xenit/alfresco/tomcat/embedded/config/TomcatConfiguration.java

@@ -31,4 +31,5 @@ public class TomcatConfiguration {
     protected boolean allowCasualMultipartParsing;
     protected boolean allowMultipleLeadingForwardSlashInPath;
     protected boolean crossContext;
+    protected boolean remoteIpValveEnabled;
 }

tomcat-base/src/shared/test/java/eu/xenit/alfresco/tomcat/embedded/config/DefaultConfigurationProviderTest.java

@@ -28,6 +28,7 @@ void testGetConfiguration() {
         expected.setAllowCasualMultipartParsing(false);
         expected.setAllowMultipleLeadingForwardSlashInPath(false);
         expected.setCrossContext(false);
+        expected.setRemoteIpValveEnabled(true);
         assertEquals(configuration, expected);
     }
 

tomcat-base/tomcat-embedded-10/src/main/java/eu/xenit/alfresco/tomcat/embedded/tomcat/TomcatFactory.java

@@ -17,6 +17,7 @@
 import org.apache.catalina.connector.Connector;
 import org.apache.catalina.core.StandardContext;
 import org.apache.catalina.startup.Tomcat;
+import org.apache.catalina.valves.RemoteIpValve;
 import org.apache.catalina.webresources.DirResourceSet;
 import org.apache.catalina.webresources.StandardRoot;
 
@@ -37,7 +38,8 @@ public static Connector getConnector(
             int maxThreads,
             int maxHttpHeaderSize,
             String relaxedPathChars,
-            String relaxedQueryChars) {
+            String relaxedQueryChars,
+            boolean isRemoteIpValveEnabled) {
         Connector connector = new Connector(protocol);
         connector.setPort(port);
         connector.setProperty("connectionTimeout", "240000");
@@ -49,11 +51,25 @@ public static Connector getConnector(
         connector.setProperty("relaxedQueryChars", relaxedQueryChars);
         connector.setScheme(scheme);
         Service service = tomcat.getService();
+        if (isRemoteIpValveEnabled) {
+            RemoteIpValve remoteIpValve = createRemoteIpValve();
+            tomcat.getEngine().getPipeline().addValve(remoteIpValve);
+        }
         service.setContainer(tomcat.getEngine());
         connector.setService(service);
         return connector;
     }
 
+    private static RemoteIpValve createRemoteIpValve() {
+        RemoteIpValve remoteIpValve = new RemoteIpValve();
+        remoteIpValve.setRemoteIpHeader("X-Forwarded-For");
+        remoteIpValve.setProtocolHeader("X-Forwarded-Proto");
+        remoteIpValve.setHostHeader("Host");
+        remoteIpValve.setPortHeader("X-Forwarded-Port");
+
+        return remoteIpValve;
+    }
+
     private TomcatConfiguration getConfiguration() {
         return configuration;
     }
@@ -147,7 +163,8 @@ private void createDefaultConnector(Tomcat tomcat) {
                 getConfiguration().getTomcatMaxThreads(),
                 getConfiguration().getTomcatMaxHttpHeaderSize(),
                 getConfiguration().getTomcatRelaxedPathChars(),
-                getConfiguration().getTomcatRelaxedQueryChars()
+                getConfiguration().getTomcatRelaxedQueryChars(),
+                getConfiguration().isRemoteIpValveEnabled()
         );
         connector.setRedirectPort(getConfiguration().getTomcatSslPort());
         tomcat.setConnector(connector);