Class XForwardedRemoteAddressResolver

java.lang.Object
org.springframework.cloud.gateway.support.ipresolver.XForwardedRemoteAddressResolver
All Implemented Interfaces:
RemoteAddressResolver

public class XForwardedRemoteAddressResolver extends Object implements RemoteAddressResolver
Parses the client address from the X-Forwarded-For header. If the header is not present, falls back to RemoteAddressResolver and ServerHttpRequest.getRemoteAddress(). Use the static constructor method that meets your security requirements.
Author:
Andrew Fitzgerald
  • Field Details

  • Method Details

    • trustAll

      public static XForwardedRemoteAddressResolver trustAll()
      Returns:
      a XForwardedRemoteAddressResolver which always extracts the first IP address found in the X-Forwarded-For header (when present). Equivalent to calling maxTrustedIndex(int) with a maxTrustedIndex of Integer.MAX_VALUE. This configuration is vulnerable to spoofing via manually setting the X-Forwarded-For header. If the resulting IP address is used for security purposes, use maxTrustedIndex(int) instead.
    • maxTrustedIndex

      public static XForwardedRemoteAddressResolver maxTrustedIndex(int maxTrustedIndex)
      Creates a resolver that uses the last trusted IP address found in the X-Forwarded-For header (when present). This configuration exists to prevent a malicious actor from spoofing the value of the X-Forwarded-For header. If you know that your gateway application is only accessible from a trusted load balancer, then you can trust that the load balancer will append a valid client IP address to the X-Forwarded-For header, and you should use a value of `1` for the `maxTrustedIndex`.
      Given the X-Forwarded-For value of [0.0.0.1, 0.0.0.2, 0.0.0.3]:
      maxTrustedIndex -> result
      
      [MIN_VALUE,0] -> IllegalArgumentException
      1 -> 0.0.0.3
      2 -> 0.0.0.2
      3 -> 0.0.0.1
      [4, MAX_VALUE] -> 0.0.0.1
      
      Parameters:
      maxTrustedIndex - correlates to the number of trusted proxies expected in front of Spring Cloud Gateway (index starts at 1).
      Returns:
      a XForwardedRemoteAddressResolver which extracts the last trusted IP address found in the X-Forwarded-For header (when present).
    • resolve

      public InetSocketAddress resolve(org.springframework.web.server.ServerWebExchange exchange)
      The X-Forwarded-For header contains a comma separated list of IP addresses. This method parses those IP addresses into a list. If no X-Forwarded-For header is found, an empty list is returned. If multiple X-Forwarded-For headers are found, an empty list is returned out of caution.
      Specified by:
      resolve in interface RemoteAddressResolver
      Returns:
      The parsed values of the X-Forwarded-For header.
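
The index rule documented for maxTrustedIndex(int) and the spoofing caveat on trustAll(), shown as an added example that is not Spring Cloud Gateway source code. It is a stand-alone model in plain Java; the class XffTrustDemo, the helper pick and the sample addresses are assumptions constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example: models the documented maxTrustedIndex table without any Spring dependency.
public class XffTrustDemo {

    // Hypothetical helper: returns the entry the documented table assigns to maxTrustedIndex,
    // or null when the header carries no usable value (the real resolver then falls back
    // to the connection's remote address).
    static String pick(String xForwardedFor, int maxTrustedIndex) {
        if (maxTrustedIndex <= 0) {
            throw new IllegalArgumentException("maxTrustedIndex must be greater than 0");
        }
        List<String> hops = new ArrayList<>();
        for (String part : xForwardedFor.split(",")) {
            String hop = part.trim();
            if (!hop.isEmpty()) {
                hops.add(hop);
            }
        }
        if (hops.isEmpty()) {
            return null;
        }
        // Proxies append on the right, so after reversing, position 1 is the entry
        // written by the proxy closest to the gateway.
        Collections.reverse(hops);
        return hops.get(Math.min(hops.size(), maxTrustedIndex) - 1);
    }

    public static void main(String[] args) {
        // The header value used in the Javadoc table.
        String documented = "0.0.0.1, 0.0.0.2, 0.0.0.3";
        for (int index : new int[] {1, 2, 3, 4, Integer.MAX_VALUE}) {
            System.out.println(index + " -> " + pick(documented, index));
        }

        // Constructed request: the client connected from 198.51.100.7 but supplied its own
        // "X-Forwarded-For: 10.0.0.5"; the single trusted load balancer appended the address
        // it actually saw. Only the rightmost entry was written by infrastructure you control.
        String received = "10.0.0.5, 198.51.100.7";
        System.out.println("trustAll           -> " + pick(received, Integer.MAX_VALUE));
        System.out.println("maxTrustedIndex(1) -> " + pick(received, 1));
    }
}
```

With one trusted load balancer in front of the gateway, only index 1 is guaranteed to come from that load balancer. Any larger index can land on an entry the client wrote itself.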