Using FlexDeploy with a load Balancer that offloads HTTPS

Owned by Karl Henselin
Feb 19, 2024
1 min read

If you are using a Load Balancer that offloads HTTPS, FlexDeploy will see the incoming connections from the load balancer as HTTP. This will cause it to generate relative paths with http:// instead of https://. Those URLS are redirected by the load balancer, starting a infinite loop. There is a great article about it here: https://community.pivotal.io/s/article/Purpose-of-the-X-Forwarded-Proto-HTTP-Header?language=en_US

To avoid that loop, have the load balancer, there are 2 options:

Option 1 - using RemoteIpValve and x-forwarded-proto

This way will allow users to access FlexDeploy with or without the loadbalancer.

1 In your server.xml in the host section where you will see other valves add an additional valve:

<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="192\.168\.0\.10|192\.168\.0\.11" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" />

  • Modify the ip addresses shown here to your Load Blanacer IP addresses.

  • Keep the format of the ip addresses like this in regex format \. instead of ., and use | for OR.

2 in your load balancer configuration, set the X-Forwarded-Proto header.

See https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html for more information about how that works.

The example titled “Sample with internal proxies” is likely the one closest to the needs of most customers with load balancers.

3 Restart FlexDeploy

Option 2 - Using Connector settings

This way will redirect users to the loadbalancer.

1 In your server.xml in the http connector (that is not commented out) add this line:

proxyport="443" scheme="https" secure="true" proxyname="example.com

2 Change “example.com” to the hostname of the loadbalancer.

3 Restart Flexdeploy

 

The following macros are not currently supported in the footer:
  • style