Tomcat's RemoteIpValve supports both internal proxies and trusted proxies. Internal proxies default to the private IP spaces, but trusted proxies default to nothing.
Internal proxies can be customized by setting server.tomcat.remoteip.internal-proxies, which is later honored by TomcatWebServerFactoryCustomizer, but trusted proxies are not honored by it.
When using third party proxies with public IPs (e.g. Cloudflare Access), it is desirable to include their IPs to be ignored by the RemoteIpValve. To do this through configuration, the only option is to replace the internal proxies pattern list since the trusted proxies list is not exposed to be configurable.
My suggestion is to also expose trusted proxies for configuration.
Comment From: wilkinsona
Until we've added a property for this, you can customize the auto-configured valve with the following customizer:
```java
@Bean
WebServerFactoryCustomizer<TomcatServletWebServerFactory> trustedProxiesCustomizer() {
    return (factory) -> {
        for (Valve valve : factory.getEngineValves()) {
            if (valve instanceof RemoteIpValve) {
                ((RemoteIpValve) valve).setTrustedProxies("example");
            }
        }
    };
}
```
You could externalize its configuration with something like this:
```java
@Bean
WebServerFactoryCustomizer<TomcatServletWebServerFactory> trustedProxiesCustomizer(
        @Value("${example.tomcat.remoteip.trusted-proxies}") String trustedProxies) {
    return (factory) -> {
        for (Valve valve : factory.getEngineValves()) {
            if (valve instanceof RemoteIpValve) {
                ((RemoteIpValve) valve).setTrustedProxies(trustedProxies);
            }
        }
    };
}
```
Comment From: aooohan
@wilkinsona hi, Andy. Does this issue need to be achieved? If it needs to be implemented, can I be assigned? I would be happy to provide a PR.
Comment From: Trinition
@wilkinsona thank you for the suggestion. I started with your suggestion, but then found tomcat-remoteip-aws-valve that goes one step further by allowing me to configure CIDRs instead of a straight regex. This actually suited my needs better.
I still think the trusted-proxies regex property should be exposed for completeness (had it been, I would not have sought the CIDR->regex solution). But I further think Tomcat itself should be updated to support CIDRs out of the box.
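An added example, not code from this thread, from Spring Boot or from tomcat-remoteip-aws-valve, showing the CIDR->regex step Trinition mentions: it expands IPv4 CIDR blocks into the full-string regex that `RemoteIpValve.setTrustedProxies` expects, so the result can be passed where wilkinsona's customizer above uses the `"example"` placeholder. The class name, the helper methods and the sample CIDRs (documentation ranges) are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.IntStream;

/** Hypothetical helper: expands IPv4 CIDR blocks into the regex RemoteIpValve expects. */
public final class CidrToRegex {
    // Constructed sample blocks (documentation ranges), not real proxy addresses.
    static final List<String> TRUSTED_CIDRS = List.of("203.0.113.0/24", "198.51.100.128/26");

    // One decimal octet 0-255; the valve runs a full-string matches() on each proxy IP.
    static final String ANY_OCTET = "(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";

    /** Alternation of all blocks; pass this to RemoteIpValve.setTrustedProxies(...). */
    public static String trustedProxiesRegex(List<String> cidrs) {
        return cidrs.stream().map(CidrToRegex::cidrToRegex).collect(Collectors.joining("|"));
    }

    /** "198.51.100.128/26" -> "198\.51\.100\.(?:128|129|...|191)"; a /24 ends in ANY_OCTET. */
    public static String cidrToRegex(String cidr) {
        String[] parts = cidr.split("/");
        String[] octets = parts[0].split("\\.");
        int prefix = parts.length == 2 ? Integer.parseInt(parts[1]) : 32;
        if (octets.length != 4 || prefix < 0 || prefix > 32) {
            throw new IllegalArgumentException("bad CIDR: " + cidr);
        }
        long ip = 0;
        for (String octet : octets) {
            int v = Integer.parseInt(octet);
            if (v < 0 || v > 255) throw new IllegalArgumentException("bad octet in " + cidr);
            ip = (ip << 8) | v;
        }
        long mask = prefix == 0 ? 0 : (0xFFFFFFFFL << (32 - prefix)) & 0xFFFFFFFFL;
        long lo = ip & mask, hi = lo | (~mask & 0xFFFFFFFFL);
        List<String> pieces = new ArrayList<>();
        for (int shift = 24; shift >= 0; shift -= 8) {
            int from = (int) ((lo >> shift) & 0xFF), to = (int) ((hi >> shift) & 0xFF);
            if (from == to) {
                pieces.add(Integer.toString(from));
            } else if (from == 0 && to == 255) {
                pieces.add(ANY_OCTET);
            } else { // mid-octet boundary: enumerate the (at most 128) values explicitly
                pieces.add(IntStream.rangeClosed(from, to).mapToObj(Integer::toString)
                        .collect(Collectors.joining("|", "(?:", ")")));
            }
        }
        return String.join("\\.", pieces);
    }
}
```

Calling `trustedProxiesRegex(TRUSTED_CIDRS)` in the customizer's bean method and handing the string to `setTrustedProxies` keeps the CIDR list as the source of truth while the valve still receives the regex it understands.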
Comment From: wilkinsona
Thanks very much for the offer, @aooohan. I've assigned the issue to you. Please let us know if you have any questions.
Comment From: aooohan
> Thanks very much for the offer, @aooohan. I've assigned the issue to you. Please let us know if you have any questions.
I have completed my PR, please review it for me, thanks.
Comment From: wilkinsona
Thanks very much, @aooohan. Closing in favor of #31576.