Re: [jetty-users] Question regarding http-forwarded module

First, know that the `X-Forwarded-*` headers are not a standard, published or otherwise.
They are a complete wild-west mess of conflicting behaviors, so it's no wonder it's confusing you.
That's why https://datatracker.ietf.org/doc/html/rfc7239 and the standard for the `Forwarded` header exists.
Use it.  You won't regret it!
Every load balancer (hardware, and software, and even all cloud provider load balancers) released since 2014 supports it!

The recommendations ...

The `http-forwarded` Jetty module will essentially add the https://javadoc.jetty.org/jetty-12/org/eclipse/jetty/server/ForwardedRequestCustomizer.html to the Connectors using that configuration (which by default is all connectors).

The default behavior of ForwardedRequestCustomizer is to use RFC7239 and the Spec defined Forwarded header.
Don't turn it off.  Use it.  Don't use and/or learn the broken non-standard X-Forwarded-* header nonsense; it will only lead to ruin and wasted man hours.

Then use `Forwarded: for=""` request header and the HttpServletRequest.getRemoteAddr() to find the remote client address updated.
Note that multiple `Forwarded: for=""` can exist per spec.
Each additional hop adds its own entry to the list, resulting in `Forwarded: for="" for="" for=""` header.
The left-most `for=""` is used by Jetty's ForwardedRequestCustomizer to set the HttpServletRequest.getRemoteAddr() as defined by the RFC7239 spec.

See the test cases for other examples.
https://github.com/jetty/jetty.project/blob/jetty-12.0.x/jetty-core/jetty-server/src/test/java/org/eclipse/jetty/server/ForwardedRequestCustomizerTest.java

- Joakim

On Mon, Jul 29, 2024 at 6:56 AM E. Recio via jetty-users <jetty-users@xxxxxxxxxxx> wrote:
I am not sure if I am using this module correctly. It's my understanding that enabling this module allows the EE programs / api to reference the source host/ip in normal ways, while Jetty is translating the X-Forward-For: header to api's source IP/addr?

So, when I attempt to access the HttpServletRequest's request.getRemoteHost(), it still returns the address of the LB and not the address in the header. 

I wrote a simple helloworld program to show the headers being sent by the LB as per Jetty. In this case it's "X-Forwarded-For-YOUR-HOST: 1.2.3.4" (with the client's IP address 1.2.3.4). I have edited the start.d/http-forwarded.ini to set:

--modules=http-forwarded
jetty.httpConfig.forwardedOnly=false
jetty.httpConfig.forwardedForHeader=X-Forwarded-For-YOUR-HOST

Restarted and in the same helloworld program, request.getRemoteHost/getRemoteIP still returns the IP of the LB while the header spit out shows the client ip.

So I think I am misunderstanding something, or perhaps it is configured incorrectly, thanks for any help.

-e
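
An added example, not part of the original thread and not Jetty's own code: a JDK-only parser for the RFC 7239 `Forwarded` header that lists the `for=` values in header order and picks the left-most one, the entry the reply says ForwardedRequestCustomizer uses for getRemoteAddr(). The class name, helper names and the sample header (RFC documentation addresses) are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class ForwardedForDemo {
    // Returns every for= value in header order (left-most first), with quotes removed.
    static List<String> forValues(String header) {
        List<String> out = new ArrayList<>();
        for (String element : splitOutsideQuotes(header, ',')) {   // one element per hop
            for (String pair : splitOutsideQuotes(element, ';')) { // for / by / host / proto
                int eq = pair.indexOf('=');
                if (eq < 0) continue;
                String name = pair.substring(0, eq).trim();
                // RFC 7239 parameter names are case-insensitive
                if (name.equalsIgnoreCase("for")) out.add(unquote(pair.substring(eq + 1).trim()));
            }
        }
        return out;
    }

    // Splits on sep, ignoring separators inside a quoted-string (IPv6 values are quoted).
    static List<String> splitOutsideQuotes(String s, char sep) {
        List<String> parts = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (quoted && c == '\\' && i + 1 < s.length()) { // keep quoted-pair intact
                cur.append(c).append(s.charAt(++i));
                continue;
            }
            if (c == '"') quoted = !quoted;
            if (c == sep && !quoted) { parts.add(cur.toString()); cur.setLength(0); }
            else cur.append(c);
        }
        parts.add(cur.toString());
        return parts;
    }

    // Strips surrounding double quotes and resolves backslash escapes.
    static String unquote(String v) {
        if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\""))
            return v.substring(1, v.length() - 1).replaceAll("\\\\(.)", "$1");
        return v;
    }

    public static void main(String[] args) {
        // Constructed sample header: one entry per hop, separated by commas
        String header = "for=192.0.2.43;proto=https, For=\"[2001:db8:cafe::17]:4711\", for=198.51.100.17;by=203.0.113.60";
        List<String> hops = forValues(header);
        System.out.println("for= values in order: " + hops);
        System.out.println("left-most for=: " + (hops.isEmpty() ? "(none)" : hops.get(0)));
    }
}
```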