SETUP:

We implemented a solution to allow additional origins for requests so that CORS is handled correctly. Because of that we override a bean in the security config:

    import java.util.List;

    import org.springframework.context.annotation.Bean;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.CorsConfigurationSource;
    import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        // Credentialed CORS requires a concrete allowed origin, not "*";
        // `origin` is a field of the config class holding that origin.
        config.setAllowCredentials(true);
        config.addAllowedOrigin(origin);

        List<String> header = List.of("*");
        config.setAllowedHeaders(header);
        config.setAllowedMethods(header);
        // Apply this CORS configuration to every path
        source.registerCorsConfiguration("/**", config);
        return source;
    }

The Spring Boot application runs in Kubernetes clusters at different providers.

With many cluster providers we have no problems with the implementation, but with the provider Scaleway we get an HTTP 403 Forbidden for requests, with the message "Invalid CORS Request" as the response.

PROBLEM:

The problem is Spring Boot. It uses the configuration option server.tomcat.remoteip.internal-proxies in the application properties. The default is the RFC 1918 IP range of private networks, which is used for localhost (IPv4 and IPv6). But the RFC 6598 shared address space is not included in the list.

--> The range 100.64.0.0/10, which is defined as shared address space, is not included in the list.

However, Scaleway (and almost certainly many other providers) uses this range internally in the cluster, as the range cannot be routed by definition and thus provides at least as much security as the private IP address ranges.

The result is that Spring Boot blocks requests from this IP.

https://www.rfc-editor.org/rfc/rfc1918 https://www.rfc-editor.org/rfc/rfc6598

SOLUTION:

We fixed the problem by changing the default behaviour of Tomcat and adding the IP range:

https://docs.spring.io/spring-boot/docs/current/reference/html/howto.html#howto.webserver.use-behind-a-proxy-server.tomcat

    server:
      tomcat:
        basedir: /tmp
        max-swallow-size: -1
        remoteip:
          internal-proxies: "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.[7-9]{1}[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.1[0-1]{1}[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|0:0:0:0:0:0:0:1|::1"
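To see what the extended internal-proxies pattern changes, here is an added example that is not part of the issue, of Spring Boot or of Tomcat. It models, in Python, the part of Tomcat's RemoteIpValve that decides whether to trust the TCP peer and walk X-Forwarded-For: the Tomcat default pattern is reproduced from the Tomcat documentation as an assumption, the RFC 6598 alternatives are the ones from the YAML above, the valve model is simplified (no trusted-proxies, which Spring Boot leaves empty by default), and the peer, hop and client addresses are constructed sample data.

```python
import re

# Tomcat RemoteIpValve default internalProxies (RFC 1918 ranges, link-local,
# IPv4 loopback, IPv6 loopback). Reproduced from the Tomcat documentation as an
# assumption; Spring Boot's server.tomcat.remoteip.internal-proxies default is
# aligned with it, and 100.64.0.0/10 is absent.
TOMCAT_DEFAULT_INTERNAL_PROXIES = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|169\.254\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}"
    r"|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}"
    r"|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}"
    r"|0:0:0:0:0:0:0:1|::1"
)

# RFC 6598 shared address space 100.64.0.0/10 (100.64.0.0 - 100.127.255.255),
# written as the four second-octet ranges used in the YAML above:
# 64-69, 70-99, 100-119, 120-127.
RFC6598_ALTERNATIVES = (
    r"100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}"
    r"|100\.[7-9]{1}[0-9]{1}\.\d{1,3}\.\d{1,3}"
    r"|100\.1[0-1]{1}[0-9]{1}\.\d{1,3}\.\d{1,3}"
    r"|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}"
)

EXTENDED_INTERNAL_PROXIES = TOMCAT_DEFAULT_INTERNAL_PROXIES + "|" + RFC6598_ALTERNATIVES


def is_internal_proxy(ip: str, pattern: str) -> bool:
    """Tomcat evaluates the pattern with Matcher.matches(), so the whole address
    must match one alternative; re.fullmatch is the Python equivalent."""
    return re.fullmatch(pattern, ip) is not None


def resolve_request(remote_addr: str, x_forwarded_for: str,
                    x_forwarded_proto: str, internal_pattern: str):
    """Simplified model of RemoteIpValve with an empty trusted-proxies list.

    Returns (effective remote address, effective scheme). If the TCP peer does
    not match internal-proxies the valve leaves the request alone: both
    X-Forwarded-For and X-Forwarded-Proto are ignored, so the application sees
    the proxy's address and the scheme the connector itself saw (modelled here
    as plain http, the usual ingress-to-pod hop).
    """
    if not is_internal_proxy(remote_addr, internal_pattern):
        return remote_addr, "http"

    client = remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk X-Forwarded-For right to left, swallowing internal proxies; the first
    # address that is not an internal proxy becomes the client address.
    for hop in reversed(hops):
        if is_internal_proxy(hop, internal_pattern):
            continue
        client = hop
        break

    scheme = "https" if x_forwarded_proto.lower() == "https" else "http"
    return client, scheme


if __name__ == "__main__":
    # Constructed sample: ingress at 100.64.0.5 (RFC 6598) forwarding a TLS
    # request from client 203.0.113.10 through an in-cluster hop at 10.0.1.7.
    peer, xff, proto = "100.64.0.5", "203.0.113.10, 10.0.1.7", "https"
    for name, pattern in (("default", TOMCAT_DEFAULT_INTERNAL_PROXIES),
                          ("extended", EXTENDED_INTERNAL_PROXIES)):
        print(name, resolve_request(peer, xff, proto, pattern))
```

With the default pattern the application sees the ingress address 100.64.0.5 over http; with the extended pattern it sees the real client 203.0.113.10 over https. Any check that keys on the client address or the request scheme therefore behaves differently on a cluster whose proxies sit in 100.64.0.0/10 unless that range is added, which is exactly what the YAML above does.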

Comment From: wilkinsona

Spring Boot's default for tomcat.remoteip.internal-proxies is aligned with the default in Tomcat's Remote IP Valve. We also have a test that ensures that the two remain in alignment. If you believe that additional IPs should be included in the default, please make this suggestion to the Tomcat team.

Comment From: dark0ni

@wilkinsona thank you for the explanation, I reported the behaviour to the Tomcat team https://bz.apache.org/bugzilla/show_bug.cgi?id=66470