get forward header for proxies and apply it in Jetty (#11386)

* get forward header and apply it fro proxies

Co-authored-by: Daan Hoogland <dahn@apache.org>

client/src/main/java/org/apache/cloudstack/ServerDaemon.java

@@ -24,12 +24,15 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.lang.management.ManagementFactory;
 import java.net.URL;
+import java.util.Arrays;
 import java.util.Properties;
 
+import com.cloud.api.ApiServer;
 import org.apache.commons.daemon.Daemon;
 import org.apache.commons.daemon.DaemonContext;
 import org.apache.commons.lang3.StringUtils;
 import org.eclipse.jetty.jmx.MBeanContainer;
+import org.eclipse.jetty.server.ForwardedRequestCustomizer;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
 import org.eclipse.jetty.server.RequestLog;
@@ -184,6 +187,7 @@ public class ServerDaemon implements Daemon {
         httpConfig.setResponseHeaderSize(8192);
         httpConfig.setSendServerVersion(false);
         httpConfig.setSendDateHeader(false);
+        addForwardingCustomiser(httpConfig);
 
         // HTTP Connector
         createHttpConnector(httpConfig);
@@ -206,6 +210,21 @@ public class ServerDaemon implements Daemon {
         server.join();
     }
 
+    /**
+     * Adds a ForwardedRequestCustomizer to the HTTP configuration to handle forwarded headers.
+     * The header used for forwarding is determined by the ApiServer.listOfForwardHeaders property.
+     * Only non empty headers are considered and only the first of the comma-separated list is used.
+     * @param httpConfig the HTTP configuration to which the customizer will be added
+     */
+    private static void addForwardingCustomiser(HttpConfiguration httpConfig) {
+        ForwardedRequestCustomizer customiser = new ForwardedRequestCustomizer();
+        String header = Arrays.stream(ApiServer.listOfForwardHeaders.value().split(",")).findFirst().orElse(null);
+        if (com.cloud.utils.StringUtils.isNotEmpty(header)) {
+            customiser.setForwardedForHeader(header);
+        }
+        httpConfig.addCustomizer(customiser);
+    }
+
     @Override
     public void stop() throws Exception {
         server.stop();

server/src/main/java/com/cloud/api/ApiServer.java

@@ -315,14 +315,14 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
             , "enables/disables checking of ipaddresses from a proxy set header. See \"proxy.header.names\" for the headers to allow."
             , true
             , ConfigKey.Scope.Global);
-    static final ConfigKey<String> listOfForwardHeaders = new ConfigKey<>(ConfigKey.CATEGORY_NETWORK
+    public static final ConfigKey<String> listOfForwardHeaders = new ConfigKey<>(ConfigKey.CATEGORY_NETWORK
             , String.class
             , "proxy.header.names"
             , "X-Forwarded-For,HTTP_CLIENT_IP,HTTP_X_FORWARDED_FOR"
             , "a list of names to check for allowed ipaddresses from a proxy set header. See \"proxy.cidr\" for the proxies allowed to set these headers."
             , true
             , ConfigKey.Scope.Global);
-    static final ConfigKey<String> proxyForwardList = new ConfigKey<>(ConfigKey.CATEGORY_NETWORK
+    public static final ConfigKey<String> proxyForwardList = new ConfigKey<>(ConfigKey.CATEGORY_NETWORK
             , String.class
             , "proxy.cidr"
             , ""

utils/src/main/java/com/cloud/utils/ConstantTimeComparator.java

@@ -19,8 +19,6 @@
 
 package com.cloud.utils;
 
-import java.nio.charset.Charset;
-
 public class ConstantTimeComparator {
 
     public static boolean compareBytes(byte[] b1, byte[] b2) {
@@ -36,7 +34,6 @@ public class ConstantTimeComparator {
     }
 
     public static boolean compareStrings(String s1, String s2) {
-        final Charset encoding = Charset.forName("UTF-8");
+        return compareBytes(s1.getBytes(StringUtils.getPreferredCharset()), s2.getBytes(StringUtils.getPreferredCharset()));
-        return compareBytes(s1.getBytes(encoding), s2.getBytes(encoding));
     }
 }