mirror of https://github.com/google/nomulus synced 2026-01-07 05:56:49 +00:00

Add a dedicated IP header to accommodate Java 17 on GAE (#2224)

For reasons unclear at this point, Java 17's servlet implementation on
GAE injects IP addresses (including unroutable private IPs) into the
standard X-Forwarded-For header, which we currently use to embed
registrar IP addresses to check against the allow list. This results in
the server not properly parsing the header and rejecting legitimate
connections.

This PR sets a custom header that should not be interfered with by any
JVM implementation to store the IP address, while maintaining the old
header as a fallback. The proxy will set both headers to allow the
server to gracefully migrate from Java 8 and Java 17 (and potentially
rollback).

Also removed some headers and logic that are not used.
Lai Jiang
2023-11-28 13:20:01 -05:00
committed by GitHub
parent 4195871541
commit 9b79f5af2c
11 changed files with 102 additions and 63 deletions


@@ -19,30 +19,25 @@ import com.google.common.net.HttpHeaders;
/** Utility class of HTTP header names used for HTTP calls between Nomulus and the proxy. */
public final class ProxyHttpHeaders {
/**
* HTTP header name used to pass a full SSL certificate from the proxy to Nomulus.
*
* <p>This header contains the SSL certificate encoded to a string. It is used to pass the client
* certificate used for login to Nomulus for validation.
*/
public static final String FULL_CERTIFICATE = "X-SSL-Full-Certificate";
/** HTTP header name used to pass the certificate hash from the proxy to Nomulus. */
public static final String CERTIFICATE_HASH = "X-SSL-Certificate";
/**
* HTTP header name passed from Nomulus to proxy to indicate that a client has successfully logged
* in.
*/
public static final String LOGGED_IN = "Logged-In";
/**
* HTTP header name passed from Nomulus to proxy to indicate that an EPP session should be closed.
*/
public static final String EPP_SESSION = "Epp-Session";
/** HTTP header name used to pass the client IP address from the proxy to Nomulus. */
public static final String IP_ADDRESS = HttpHeaders.X_FORWARDED_FOR;
public static final String IP_ADDRESS = "Nomulus-Client-Address";
/**
* Fallback HTTP header name used to pass the client IP address from the proxy to Nomulus.
*
* <p>Note that Java 17's servlet implementation (at least on App Engine) injects some seemingly
* unrelated addresses into this header. We only use this as a fallback so the proxy can
* transition to use the above header that should not be interfered with.
*/
public static final String FALLBACK_IP_ADDRESS = HttpHeaders.X_FORWARDED_FOR;
private ProxyHttpHeaders() {}
}
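
Review bot: The Javadoc on FALLBACK_IP_ADDRESS notes that X-Forwarded-For can carry extra injected addresses, but neither constant documents the precedence a caller must follow, so nothing in this class stops a consumer from reading the fallback first or passing a multi-address value to the allow-list check. Suggest stating on IP_ADDRESS that it is the authoritative source and that FALLBACK_IP_ADDRESS is consulted only when Nomulus-Client-Address is absent, and noting on the fallback that its value may contain more than one address. Since this header feeds an IP allow-list decision, it is also worth documenting that it is only meaningful on calls that actually come from the proxy, and adding a TODO to remove the fallback once the proxy transition is complete.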