From 3362d5a77bf76ade6f84808018e2c5d25403a0f2 Mon Sep 17 00:00:00 2001
From: Daan Hoogland
Date: Mon, 4 Aug 2025 09:01:09 +0200
Subject: [PATCH 1/4] get forward header and apply it fro proxies
---
 .../org/apache/cloudstack/ServerDaemon.java | 19 +++++++++++++++++++
 .../main/java/com/cloud/api/ApiServer.java | 4 ++--
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/client/src/main/java/org/apache/cloudstack/ServerDaemon.java b/client/src/main/java/org/apache/cloudstack/ServerDaemon.java
index c6fd2ff24dc8..178dd158a68a 100644
--- a/client/src/main/java/org/apache/cloudstack/ServerDaemon.java
+++ b/client/src/main/java/org/apache/cloudstack/ServerDaemon.java
@@ -24,12 +24,15 @@
 import java.io.InputStream;
 import java.lang.management.ManagementFactory;
 import java.net.URL;
+import java.util.Arrays;
 import java.util.Properties;
+import com.cloud.api.ApiServer;
 import org.apache.commons.daemon.Daemon;
 import org.apache.commons.daemon.DaemonContext;
 import org.apache.commons.lang3.StringUtils;
 import org.eclipse.jetty.jmx.MBeanContainer;
+import org.eclipse.jetty.server.ForwardedRequestCustomizer;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
 import org.eclipse.jetty.server.NCSARequestLog;
@@ -185,6 +188,7 @@ public void start() throws Exception {
 httpConfig.setResponseHeaderSize(8192);
 httpConfig.setSendServerVersion(false);
 httpConfig.setSendDateHeader(false);
+ addForwordingCustomiser(httpConfig);
 // HTTP Connector
 createHttpConnector(httpConfig);
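Review bot: `addForwordingCustomiser(httpConfig)` runs once inside `start()`, so the value of `proxy.header.names` is frozen into the Jetty configuration at boot; the key appears to be declared dynamic (the `true` argument in the ApiServer hunk), and an operator who edits it at runtime would see no change at the servlet layer until a restart. Whether the configuration store is already readable this early in `start()` is not visible here; if it is not, `value()` would presumably return only the compiled-in default. I would add a comment at the call, for example `// forwarded-header name is read once at startup; changing proxy.header.names needs a management-server restart`, and confirm that the lookup returns the stored value. The body of `start()` begins and ends outside this hunk.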
@@ -207,6 +211,21 @@ public void start() throws Exception {
 server.join();
 }
+ /**
+ * Adds a ForwardedRequestCustomizer to the HTTP configuration to handle forwarded headers.
+ * The header used for forwarding is determined by the ApiServer.listOfForwardHeaders property.
+ * Only non empty headers are considdered and only the first of the comma-separated list is used.
+ * @param httpConfig the HTTP configuration to which the customizer will be added
+ */
+ private static void addForwordingCustomiser(HttpConfiguration httpConfig) {
+ ForwardedRequestCustomizer customiser = new ForwardedRequestCustomizer();
+ String header = Arrays.stream(ApiServer.listOfForwardHeaders.value().split(",")).findFirst().orElse(null);
+ if (com.cloud.utils.StringUtils.isNotEmpty(header)) {
+ customiser.setForwardedForHeader(header);
+ }
+ httpConfig.addCustomizer(customiser);
+ }
+
 @Override
 public void stop() throws Exception {
 server.stop();
diff --git a/server/src/main/java/com/cloud/api/ApiServer.java b/server/src/main/java/com/cloud/api/ApiServer.java
index e0737a6891de..c78ac05102f8 100644
--- a/server/src/main/java/com/cloud/api/ApiServer.java
+++ b/server/src/main/java/com/cloud/api/ApiServer.java
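Review bot: The customizer is installed even when no header name is configured: when the `if` is false, `httpConfig.addCustomizer(customiser)` still runs with Jetty's defaults, and nothing in this method consults `proxy.cidr` or the enable flag described in the ApiServer hunk. A client that reaches the port directly can therefore influence the remote address that later IP-based checks and access logs rely on. As far as I know `ForwardedRequestCustomizer` also honours `Forwarded`, `X-Forwarded-Host` and `X-Forwarded-Proto` by default, which `setForwardedForHeader` does not switch off. The parse keeps surrounding whitespace and `orElse(null)` is never reached, because `split` always returns at least one element; the file already imports commons-lang3 `StringUtils`, so the fully qualified `com.cloud.utils.StringUtils` is not needed. A sketch that skips installation when nothing usable is configured follows.

```java
private static void addForwordingCustomiser(HttpConfiguration httpConfig) {
    String header = Arrays.stream(ApiServer.listOfForwardHeaders.value().split(","))
            .map(String::trim)
            .filter(StringUtils::isNotEmpty)
            .findFirst()
            .orElse(null);
    if (header == null) {
        // Nothing usable configured: do not install the customizer, so forwarding headers are ignored.
        return;
    }
    // TODO(review): also gate on the proxy-header enable flag and the proxy.cidr allow-list.
    // … unchanged: create the customizer, setForwardedForHeader(header), addCustomizer(customiser) …
}
```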
@@ -315,14 +315,14 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
 , "enables/disables checking of ipaddresses from a proxy set header. See \"proxy.header.names\" for the headers to allow."
 , true
 , ConfigKey.Scope.Global);
- static final ConfigKey listOfForwardHeaders = new ConfigKey<>(ConfigKey.CATEGORY_NETWORK
+ public static final ConfigKey listOfForwardHeaders = new ConfigKey<>(ConfigKey.CATEGORY_NETWORK
 , String.class
 , "proxy.header.names"
 , "X-Forwarded-For,HTTP_CLIENT_IP,HTTP_X_FORWARDED_FOR"
 , "a list of names to check for allowed ipaddresses from a proxy set header. See \"proxy.cidr\" for the proxies allowed to set these headers."
 , true
 , ConfigKey.Scope.Global);
- static final ConfigKey proxyForwardList = new ConfigKey<>(ConfigKey.CATEGORY_NETWORK
+ public static final ConfigKey proxyForwardList = new ConfigKey<>(ConfigKey.CATEGORY_NETWORK
 , String.class
 , "proxy.cidr"
 , ""
From 6bf447340c4ec3d648f0fc6e3dd6aa14834130d5 Mon Sep 17 00:00:00 2001
From: Daan Hoogland
Date: Mon, 4 Aug 2025 10:26:46 +0200
Subject: [PATCH 2/4] spelloos
---
 .../src/main/java/org/apache/cloudstack/ServerDaemon.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/client/src/main/java/org/apache/cloudstack/ServerDaemon.java b/client/src/main/java/org/apache/cloudstack/ServerDaemon.java
index 178dd158a68a..4762eff38289 100644
--- a/client/src/main/java/org/apache/cloudstack/ServerDaemon.java
+++ b/client/src/main/java/org/apache/cloudstack/ServerDaemon.java
@@ -188,7 +188,7 @@ public void start() throws Exception {
 httpConfig.setResponseHeaderSize(8192);
 httpConfig.setSendServerVersion(false);
 httpConfig.setSendDateHeader(false);
- addForwordingCustomiser(httpConfig);
+ addForwardingCustomiser(httpConfig);
 // HTTP Connector
 createHttpConnector(httpConfig);
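Review bot: `proxyForwardList` is widened to `public` here, yet no hunk in this series reads it, while the description of `proxy.header.names` tells operators that `proxy.cidr` limits which proxies may set these headers. With the Jetty customizer applying the header before the API layer sees the request, that restriction may no longer cover the remote address the servlet reports; this is inferred, since the code that enforces `proxy.cidr` is outside the hunk. Either use the key in `ServerDaemon` to restrict who may supply the header, or keep it package-private until something needs it. If the fields stay public, a short Javadoc on each, such as `/** Header names accepted from a trusted proxy; read by ServerDaemon at startup. */`, would record why the client module depends on them.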
@@ -214,10 +214,10 @@ public void start() throws Exception {
 /**
 * Adds a ForwardedRequestCustomizer to the HTTP configuration to handle forwarded headers.
 * The header used for forwarding is determined by the ApiServer.listOfForwardHeaders property.
- * Only non empty headers are considdered and only the first of the comma-separated list is used.
+ * Only non empty headers are considered and only the first of the comma-separated list is used.
 * @param httpConfig the HTTP configuration to which the customizer will be added
 */
- private static void addForwordingCustomiser(HttpConfiguration httpConfig) {
+ private static void addForwardingCustomiser(HttpConfiguration httpConfig) {
 ForwardedRequestCustomizer customiser = new ForwardedRequestCustomizer();
 String header = Arrays.stream(ApiServer.listOfForwardHeaders.value().split(",")).findFirst().orElse(null);
 if (com.cloud.utils.StringUtils.isNotEmpty(header)) {
From a08b7254d0c457491452e4bc2bdf25147a69bc29 Mon Sep 17 00:00:00 2001
From: Daan Hoogland
Date: Thu, 7 Aug 2025 08:58:31 +0200
Subject: [PATCH 3/4] use StringUtils.getPreferredCharset()
---
 .../src/main/java/com/cloud/utils/ConstantTimeComparator.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/utils/src/main/java/com/cloud/utils/ConstantTimeComparator.java b/utils/src/main/java/com/cloud/utils/ConstantTimeComparator.java
index baf2bc2738fa..295cb507a59d 100644
--- a/utils/src/main/java/com/cloud/utils/ConstantTimeComparator.java
+++ b/utils/src/main/java/com/cloud/utils/ConstantTimeComparator.java
@@ -36,7 +36,6 @@ public static boolean compareBytes(byte[] b1, byte[] b2) {
 }
 public static boolean compareStrings(String s1, String s2) {
- final Charset encoding = Charset.forName("UTF-8");
- return compareBytes(s1.getBytes(encoding), s2.getBytes(encoding));
+ return compareBytes(s1.getBytes(StringUtils.getPreferredCharset()), s2.getBytes(StringUtils.getPreferredCharset()));
 }
 }
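Review bot: `compareStrings` now takes its encoding from `StringUtils.getPreferredCharset()`, whose result is not visible in this hunk; if that helper can fall back to a platform default, the bytes being compared would depend on the host configuration, where the removed code always asked for UTF-8. A fixed constant keeps the comparison deterministic and avoids calling the helper twice: `return compareBytes(s1.getBytes(StandardCharsets.UTF_8), s2.getBytes(StandardCharsets.UTF_8));` together with `import java.nio.charset.StandardCharsets;`. Both arguments are dereferenced without a null check, so a null value surfaces as a `NullPointerException` rather than `false`; a one-line Javadoc stating that callers must pass non-null strings would make that contract explicit.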
From 5e56dfdd81847e8ee5f68c9979c31a8363e37973 Mon Sep 17 00:00:00 2001
From: Daan Hoogland
Date: Thu, 7 Aug 2025 13:30:58 +0200
Subject: [PATCH 4/4] import
---
 utils/src/main/java/com/cloud/utils/ConstantTimeComparator.java | 2 --
 1 file changed, 2 deletions(-)
diff --git a/utils/src/main/java/com/cloud/utils/ConstantTimeComparator.java b/utils/src/main/java/com/cloud/utils/ConstantTimeComparator.java
index 295cb507a59d..48925097f703 100644
--- a/utils/src/main/java/com/cloud/utils/ConstantTimeComparator.java
+++ b/utils/src/main/java/com/cloud/utils/ConstantTimeComparator.java
@@ -19,8 +19,6 @@
 package com.cloud.utils;
-import java.nio.charset.Charset;
-
 public class ConstantTimeComparator {
 public static boolean compareBytes(byte[] b1, byte[] b2) {