Java Buildpack Caveats
Page last updated:
Limitation with X-Forwarded-* headers
As a CF provider, our Gorouter IPs run in the 100.64.x.x range and our Envoys run in the 11.x.x.x range. Tomcat's RemoteIpValve by default only trusts private IP ranges as the source of headers like X-Forwarded-For and X-Forwarded-Proto.
To trust these IPs as well, we configure the internalProxies list of the Tomcat RemoteIpValve accordingly. This is standard for all applications that use the latest system buildpack. If you use your own online buildpack, please make sure you add our configuration as well. This is done by setting the JBP_CONFIG_TOMCAT environment variable as follows:
Tomcat 7
JBP_CONFIG_TOMCAT: '{ tomcat: { external_configuration_enabled: true, version: 7.0.+ }, external_configuration: { repository_root: "https://tomcat-external-configuration.lyra-836.appcloud.swisscom.com/tomcat7" }}'
Tomcat 8 and newer
JBP_CONFIG_TOMCAT: '{ tomcat: { external_configuration_enabled: true }, external_configuration: { repository_root: "https://tomcat-external-configuration.lyra-836.appcloud.swisscom.com/tomcat8" }}'
If you overwrite this environment variable with your own configuration, please make sure that you also include our settings to avoid problems with the mentioned headers.
For reference, our external configuration adds the following line to your server.xml configuration:
<Valve className='org.apache.catalina.valves.RemoteIpValve' protocolHeader='x-forwarded-proto' internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}[0-9]{1}\.\d{1,3}\.\d{1,3}|100\.1[0-1]{1}[0-9]{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|11\.\d{1,3}\.\d{1,3}\.\d{1,3}"/>
Spring Boot with embedded Tomcat
Unfortunately, if you're using Spring Boot with an embedded Tomcat, our buildpack cannot do this configuration for you. You have to configure the internal proxies whitelist in your app config (the pattern is the same one our server.xml valve uses):
If you’re using application.properties:
server.tomcat.remoteip.internal-proxies=10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.[7-9]{1}[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.1[0-1]{1}[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|11\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}
If you’re using application.yml:
server.tomcat.remoteip.internal-proxies: 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}[0-9]{1}\.\d{1,3}\.\d{1,3}|100\.1[0-1]{1}[0-9]{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|11\.\d{1,3}\.\d{1,3}\.\d{1,3}
As described in the Spring Boot documentation.
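The following Python script is an added illustration, not part of the buildpack, of Spring Boot or of this documentation. It models the decision that RemoteIpValve makes for both configurations above (the server.xml valve and the Spring Boot internal-proxies property): headers are only honoured when the TCP peer matches internalProxies, X-Forwarded-For is walked from right to left dropping internal proxies, and X-Forwarded-Proto is honoured for the same trusted connection. It compares Tomcat's documented IPv4 default pattern (IPv6 loopback entries omitted) with the provider's extended pattern from the server.xml line. The addresses 100.64.1.2, 11.0.0.5, 203.0.113.7 and 198.51.100.9 are constructed sample values; trustedProxies, which Tomcat also supports, is not modelled.

```python
import re
from typing import Dict, List

# Tomcat's documented default for RemoteIpValve internalProxies: private ranges only
# (the IPv6 loopback entries of newer Tomcat versions are omitted in this model).
TOMCAT_DEFAULT_INTERNAL_PROXIES = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
    r"|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}"
    r"|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}"
)

# The extended list from the provider's external server.xml configuration:
# the defaults plus 100.64-100.127 (Gorouter) and 11.x.x.x (Envoy).
PROVIDER_INTERNAL_PROXIES = (
    TOMCAT_DEFAULT_INTERNAL_PROXIES
    + r"|100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}[0-9]{1}\.\d{1,3}\.\d{1,3}"
    r"|100\.1[0-1]{1}[0-9]{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}"
    r"|11\.\d{1,3}\.\d{1,3}\.\d{1,3}"
)


def is_internal_proxy(ip: str, internal_proxies: str) -> bool:
    """Tomcat matches the whole address against the pattern (Matcher.matches())."""
    return re.fullmatch(internal_proxies, ip) is not None


def resolve_client(remote_addr: str, headers: Dict[str, str],
                   internal_proxies: str = PROVIDER_INTERNAL_PROXIES) -> Dict[str, str]:
    """Simplified model of RemoteIpValve with only internalProxies configured.

    Returns the client address, scheme and remaining X-Forwarded-For value
    that the application would observe after the valve has run.
    """
    result = {"client_ip": remote_addr, "scheme": "http", "forwarded_for": ""}

    # Step 1: a peer that is not an internal proxy gets its headers ignored entirely,
    # so a direct client cannot spoof its address or scheme.
    if not is_internal_proxy(remote_addr, internal_proxies):
        return result

    # Step 2: walk X-Forwarded-For right to left. Internal proxies are dropped; the
    # first hop that is not one becomes the client, and anything left of it stays
    # in the header. If every hop is internal the peer address is kept.
    hops: List[str] = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")
                       if h.strip()]
    while hops:
        hop = hops.pop()
        if is_internal_proxy(hop, internal_proxies):
            continue
        result["client_ip"] = hop
        result["forwarded_for"] = ", ".join(hops)
        break

    # Step 3: protocolHeader (x-forwarded-proto) is honoured for the same trusted peer.
    if headers.get("x-forwarded-proto", "").lower() == "https":
        result["scheme"] = "https"
    return result


if __name__ == "__main__":
    # Constructed sample request: Gorouter (100.64.1.2) forwarding for client 203.0.113.7.
    sample = {"x-forwarded-for": "203.0.113.7", "x-forwarded-proto": "https"}
    print("Tomcat default :", resolve_client("100.64.1.2", sample, TOMCAT_DEFAULT_INTERNAL_PROXIES))
    print("Provider list  :", resolve_client("100.64.1.2", sample, PROVIDER_INTERNAL_PROXIES))
```

With the default pattern the application records 100.64.1.2 as the client and believes the request arrived over plain http, which breaks client logging, rate limiting and secure-cookie or redirect handling; with the provider's pattern it sees 203.0.113.7 over https. The same walk shows why the list should contain only the platform's proxy ranges and not a catch-all: a header sent by a peer outside the list is discarded rather than trusted.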