Java Buildpack Caveats

Page last updated:

Limitation with X-Forwarded-* headers

As a CF provider, our Gorouter IPs run in the 100.64 and our Envoys run in 11.x.x.x range. Tomcat’s RemoteIPValve by default only trusts private IP ranges for headers like X-Forwarded-For and X-Forwarded-Proto.

To trust these IPs as well, we configure the Tomcat internalProxies list with the corresponding RemoteIPValve as standard for all applications that use the latest system buildpack. If you use your own online buildpack, please make sure you add our configuration accordingly. This can be done via setting the JBP_CONFIG_TOMCAT environment variable accordingly:

Tomcat 7

JBP_CONFIG_TOMCAT: '{ tomcat: { external_configuration_enabled: true, version: 7.0.+ }, external_configuration: { repository_root: "https://tomcat-external-configuration.lyra-836.appcloud.swisscom.com/tomcat7" }}'

Tomcat 8 and newer

JBP_CONFIG_TOMCAT: '{ tomcat: { external_configuration_enabled: true }, external_configuration: { repository_root: "https://tomcat-external-configuration.lyra-836.appcloud.swisscom.com/tomcat8" }}'

If you overwrite this environment variable with your own special configuraiton, please make sure that you also include our settings to avoid problems with the mentioned headers.

For full understanding - our external configuration adds the following line to your server.xml configuration:

<Valve className='org.apache.catalina.valves.RemoteIpValve' protocolHeader='x-forwarded-proto' internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}[0-9]{1}\.\d{1,3}\.\d{1,3}|100\.1[0-1]{1}[0-9]{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|11\.\d{1,3}\.\d{1,3}\.\d{1,3}"/>

Spring Boot with embedded Tomcat

Unfortunately, if you’re using Spring Boot with an embedded Tomcat, our buildpack cannot do this configuration for you. You have to configure the internal proxies whitelist in your app config:

If you’re using application.properties:

server.tomcat.internal-proxies=10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.[7-9]{1}[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.1[0-1]{1}[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|11\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}

If you’re using application.yml:

server.tomcat.internal-proxies: 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}[0-9]{1}\.\d{1,3}\.\d{1,3}|100\.1[0-1]{1}[0-9]{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|11\.\d{1,3}\.\d{1,3}\.\d{1,3}

As described in the Spring Boot documentation.

View the source for this page in GitHub