Drop protocolHeader and remoteIpHeader defaults

The `protocolHeader` and `remoteIpHeader` no longer have default values
and must be opt-in.

Fixes gh-1624

Author: philwebb

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java

@@ -207,9 +207,9 @@ public static class Tomcat {
 				+ "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16
 				+ "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"; // 127/8
 
-		private String protocolHeader = "x-forwarded-proto";
+		private String protocolHeader;
 
-		private String remoteIpHeader = "x-forwarded-for";
+		private String remoteIpHeader;
 
 		private File basedir;
 

spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java

@@ -147,6 +147,12 @@ public void disableTomcatRemoteIpValve() throws Exception {
 
 	@Test
 	public void defaultTomcatRemoteIpValve() throws Exception {
+		Map<String, String> map = new HashMap<String, String>();
+		// Since 1.1.7 you need to specify at least the protocol and ip properties
+		map.put("server.tomcat.protocol_header", "x-forwarded-proto");
+		map.put("server.tomcat.remote_ip_header", "x-forwarded-for");
+		bindProperties(map);
+
 		TomcatEmbeddedServletContainerFactory container = new TomcatEmbeddedServletContainerFactory();
 		this.properties.customize(container);