From c818650ae0f59200fc3231333e7bb7857d310711 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Tue, 20 Feb 2024 23:55:06 -0800
Subject: [PATCH] GUACAMOLE-374: Switch to "REMOTE_IP_VALVE_*" environment variables for configuring RemoteIpValve.

---
 .../000-migrate-legacy-variables.sh | 8 ++
 .../environment/REMOTE_IP_VALVE_/configure.sh | 75 ++++++++-----------
 2 files changed, 40 insertions(+), 43 deletions(-)

diff --git a/guacamole-docker/entrypoint.d/000-migrate-legacy-variables.sh b/guacamole-docker/entrypoint.d/000-migrate-legacy-variables.sh
index 077fb13ad..490827fee 100644
--- a/guacamole-docker/entrypoint.d/000-migrate-legacy-variables.sh
+++ b/guacamole-docker/entrypoint.d/000-migrate-legacy-variables.sh
@@ -103,3 +103,11 @@ deprecate_variable "SQLSERVER_USER" "SQLSERVER_USERNAME"
 # guacamole.properties.
 deprecate_variable_prefix "POSTGRES_" "POSTGRESQL_"
 
+# The old "PROXY_*" names for attributes supported by RemoteIpValve are being
+# replaced with "REMOTE_IP_VALVE_*" attributes that more closely and
+# predictably match their attribute names
+deprecate_variable "PROXY_ALLOWED_IPS_REGEX" "REMOTE_IP_VALVE_INTERNAL_PROXIES"
+deprecate_variable "PROXY_IP_HEADER" "REMOTE_IP_VALVE_REMOTE_IP_HEADER"
+deprecate_variable "PROXY_PROTOCOL_HEADER" "REMOTE_IP_VALVE_PROTOCOL_HEADER"
+# NOTE: PROXY_BY_HEADER never worked as there is no "remoteIpProxiesHeader" attribute for RemoteIpValve
+
diff --git a/guacamole-docker/environment/REMOTE_IP_VALVE_/configure.sh b/guacamole-docker/environment/REMOTE_IP_VALVE_/configure.sh
index 55596ad28..ad6e5ffb5 100644
--- a/guacamole-docker/environment/REMOTE_IP_VALVE_/configure.sh
+++ b/guacamole-docker/environment/REMOTE_IP_VALVE_/configure.sh
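Review bot: An operator who still sets PROXY_BY_HEADER gets no deprecation notice from this block, even though the attribute it was meant for does exist under another name: the removed configure.sh lines label it "X-Forwarded-By", which is RemoteIpValve's `proxiesHeader`, and the companion configure.sh hunk derives REMOTE_IP_VALVE_PROXIES_HEADER from exactly that attribute. If deprecate_variable carries the old value into the new name as the other entries suggest, `deprecate_variable "PROXY_BY_HEADER" "REMOTE_IP_VALVE_PROXIES_HEADER"` would both migrate the value and tell the operator the new name; since the old variable was never honored, carrying it over is a behavior change, so a plain warning that it was ignored is the conservative alternative. Either way the NOTE should name the replacement, e.g. `# NOTE: PROXY_BY_HEADER never worked (RemoteIpValve has no "remoteIpProxiesHeader" attribute); the intended attribute is "proxiesHeader", i.e. REMOTE_IP_VALVE_PROXIES_HEADER`.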
@@ -24,49 +24,38 @@
 ## the REMOTE_IP_VALVE_ENABLED environment variable is set to "true".
 ##
 
-# Add element
+##
+## Array of all xmlstarlet command-line options necessary to add the
+## RemoteIpValve attributes that correspond to various "REMOTE_IP_VALVE_*"
+## environment variables.
+##
+declare -a VALVE_ATTRIBUTES=( --type attr -n className -v org.apache.catalina.valves.RemoteIpValve )
+
+# Translate all properties supported by RemoteIpValve into corresponding
+# environment variables
+for ATTRIBUTE in \
+    remoteIpHeader \
+    internalProxies \
+    proxiesHeader \
+    trustedProxies \
+    protocolHeader \
+    protocolHeaderHttpsValue \
+    httpServerPort \
+    httpsServerPort; do
+
+    VAR_NAME="REMOTE_IP_VALVE_$(echo "$ATTRIBUTE" | sed 's/\([a-z]\)\([A-Z]\)/\1_\2/g' | tr 'a-z' 'A-Z')"
+    if [ -n "${!VAR_NAME}" ]; then
+        VALVE_ATTRIBUTES+=( --type attr -n "$ATTRIBUTE" -v "${!VAR_NAME}" )
+    else
+        echo "Using default RemoteIpValve value for \"$ATTRIBUTE\" attribute."
+    fi
+
+done
+
+# Programmatically add requested RemoteIpValve entry
 xmlstarlet edit --inplace \
     --insert '/Server/Service/Engine/Host/*' --type elem -n Valve \
-    --insert '/Server/Service/Engine/Host/Valve[not(@className)]' --type attr -n className -v org.apache.catalina.valves.RemoteIpValve \
-    $CATALINA_BASE/conf/server.xml
-
-# Allowed IPs
-if [ -z "$PROXY_ALLOWED_IPS_REGEX" ]; then
-    echo "Using default Tomcat allowed IPs regex"
-else
-    xmlstarlet edit --inplace \
-        --insert '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.RemoteIpValve"]' \
-        --type attr -n internalProxies -v "$PROXY_ALLOWED_IPS_REGEX" \
-        $CATALINA_BASE/conf/server.xml
-fi
-
-# X-Forwarded-For
-if [ -z "$PROXY_IP_HEADER" ]; then
-    echo "Using default Tomcat proxy IP header"
-else
-    xmlstarlet edit --inplace \
-        --insert "/Server/Service/Engine/Host/Valve[@className='org.apache.catalina.valves.RemoteIpValve']" \
-        --type attr -n remoteIpHeader -v "$PROXY_IP_HEADER" \
-        $CATALINA_BASE/conf/server.xml
-fi
-
-# X-Forwarded-Proto
-if [ -z "$PROXY_PROTOCOL_HEADER" ]; then
-    echo "Using default Tomcat proxy protocol header"
-else
-    xmlstarlet edit --inplace \
-        --insert "/Server/Service/Engine/Host/Valve[@className='org.apache.catalina.valves.RemoteIpValve']" \
-        --type attr -n protocolHeader -v "$PROXY_PROTOCOL_HEADER" \
-        $CATALINA_BASE/conf/server.xml
-fi
-
-# X-Forwarded-By
-if [ -z "$PROXY_BY_HEADER" ]; then
-    echo "Using default Tomcat proxy forwarded by header"
-else
-    xmlstarlet edit --inplace \
-        --insert "/Server/Service/Engine/Host/Valve[@className='org.apache.catalina.valves.RemoteIpValve']" \
-        --type attr -n remoteIpProxiesHeader -v "$PROXY_BY_HEADER" \
-        $CATALINA_BASE/conf/server.xml
-fi
+    --insert '/Server/Service/Engine/Host/Valve[not(@className)]' \
+    "${VALVE_ATTRIBUTES[@]}" \
+    "$CATALINA_BASE/conf/server.xml"
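Review bot: The entries the loop appends to VALVE_ATTRIBUTES carry `--type attr -n … -v …` with no `--insert` of their own, so in the final xmlstarlet call only the leading className entry is bound to an action; xmlstarlet reads `--type`/`-n`/`-v` as options of the preceding `--insert`, and as far as I can tell a bare `--type` after a completed action is rejected, which would keep every configured REMOTE_IP_VALVE_* value out of server.xml — including internalProxies and trustedProxies, which decide whose X-Forwarded-For header is believed. Each appended entry should carry its own action addressed by class name, as the removed lines did: `VALVE_ATTRIBUTES+=( --insert '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.RemoteIpValve"]' --type attr -n "$ATTRIBUTE" -v "${!VAR_NAME}" )`. Reusing `Valve[not(@className)]` for those entries would not work either, because that predicate stops matching as soon as the className attribute has been inserted earlier in the same command. `declare -a` and `${!VAR_NAME}` are bash-only, which is fine only if the script's shebang, outside this hunk, is bash rather than sh.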