  1. Crowd Data Center
  2. CWD-6207

With trusted proxy enabled in Crowd, login through Crowd Authenticator fails if the X-Forwarded-For header contains x.x.x.x:port


Details

    • Bug
    • Resolution: Unresolved
    • Low
    • None
    • 5.2.3
    • None

    Description

      Issue Descriptions

      Login fails intermittently when using Crowd Authenticator.

      The issue might be intermittent if the X-Forwarded headers have all random IP addresses between the Crowd app (AWS EC2) and the ELB.

      As per the Crowd documentation, configuring a trusted proxy server means that Crowd will iterate through the client IP address and the IP addresses in the X-Forwarded-For header from right to left and pick the first IP address that is not a trusted proxy. The address is then used as the client's IP address.

      If the IP address contains x.x.x.x:port, Crowd authentication fails with the error below:

      2024-01-24 23:21:38,064 http-nio-8095-exec-4 ERROR [console.action.principal.AddPrincipal] java.net.UnknownHostException:  X.X.X.X:<port>: invalid IPv6 address literal
      java.lang.RuntimeException: java.net.UnknownHostException: X.X.X.X:<port>: invalid IPv6 address literal
          at com.atlassian.crowd.manager.validation.XForwardedForUtil.getTrustedAddress(XForwardedForUtil.java:42)
      

      Workaround

      • If the customer is using AWS, reconfigure the AWS load balancer to exclude the port number from the X-Forwarded-For header.
      • This can be done by setting the parameter routing.http.xff_client_port.enabled to false, as described in the documentation below:

      LoadBalancerAttribute

      routing.http.xff_client_port.enabled - Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer. The possible values are true and false. The default is false.
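
As an added illustration (not Crowd's code and not part of the original report), this Python sketch walks the peer address and the X-Forwarded-For entries right to left as the description says, but strips an optional `:port` suffix before parsing, so an entry of the form `x.x.x.x:port` no longer aborts the lookup. The function names, the sample addresses (documentation ranges) and the fallback used when every hop is trusted are assumptions.

```python
import ipaddress

def strip_port(entry):
    """Return the address part of one X-Forwarded-For entry, without any port."""
    entry = entry.strip()
    if entry.startswith("["):              # "[2001:db8::1]:443" or "[2001:db8::1]"
        host, closing, _ = entry[1:].partition("]")
        if not closing:
            raise ValueError(f"unbalanced bracket in {entry!r}")
        return host
    if entry.count(":") == 1:              # "203.0.113.7:51234"; bare IPv6 has 2+ colons
        return entry.split(":", 1)[0]
    return entry

def client_address(remote_addr, xff_header, trusted_proxies):
    """Walk the TCP peer, then the XFF entries right to left, and return the
    first address that is not a trusted proxy. Unparseable entries raise
    ValueError, so a malformed header is rejected rather than guessed at."""
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
    entries = [e for e in xff_header.split(",") if e.strip()]
    addr = None
    for hop in [remote_addr] + entries[::-1]:
        addr = ipaddress.ip_address(strip_port(hop))
        if not any(addr in net for net in trusted):
            return str(addr)
    return str(addr)  # assumption: if every hop is trusted, use the leftmost one

if __name__ == "__main__":
    # Constructed sample: the load balancer (10.0.1.15) appended the real client
    # with its source port; the leftmost entry was supplied by the client itself.
    header = "198.51.100.9, 203.0.113.7:51234"
    try:
        ipaddress.ip_address("203.0.113.7:51234")   # strict parse, no port handling
    except ValueError as exc:
        print("strict parse rejects the entry:", exc)
    print(client_address("10.0.1.15", header, ["10.0.1.0/24"]))
```

Because the walk stops at the first untrusted hop, the client-supplied leftmost entry is never consulted, and a request whose TCP peer is not a trusted proxy has its header ignored entirely.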

            People

              Unassigned
              Shivangi Nayak