OF-3260: Support RFC 7239 Forwarded header for proxied client IP resolution
Add support for the standardized HTTP `Forwarded` header (RFC 7239) alongside existing `X-Forwarded-*` handling in proxied deployments.
Extended proxy connector configuration in both BOSH and Admin Console to include a configurable `Forwarded` header name.
Updated admin pages to expose and persist the RFC-compliant header setting (`FHeader`) in addition to legacy header settings.
(code review) Improve audit logged messages
Log the value obtained from the property, rather than whatever was provided by the end-user. In 99% of the times, this should be equal, but the property itself should always be right.
OF-3261: Allow reverse proxies to be verified
Before trusting remote-peer provided HTTP headers like `Forwarded` and `X-Forwarded-For`, the source of these headers should be validated. This prevents malicious clients from setting this header themselves.
This commit introduces a wrapper for Jetty's ForwarededRequestCustomizer (which replaces the reported IP address of the remote peer with a value from the HTTP headers). When Openfire is now configured with a non-empty set of trusted proxies, such replacement only occurs when the remote peer is one of the trusted proxies.
This functionality has been added to the Admin Console and webbinding implementations, using two distinct properties:
- `adminConsole.forwarded.trusted.proxies`
- `httpbind.forwarded.trusted.proxies`
Valid values are IP addresses (IPv4 and IPv6) and ranges.
The admin console has been modified to allow for configuration of these values through the pages where related functionality was already provided.
A small CSS tweak was introduced: Openfire's setup had an implementation where a question-mark icon can be used to provide a tooltip help text. That has now been moved from 'setup' to 'global', so that it can be used both during setup, but also in the admin console itself (after setup has finished).
