Using FlexDeploy with a load Balancer that offloads HTTPS

Owned by Karl Henselin
Feb 19, 2024
1 min read

If you are using a Load Balancer that offloads HTTPS, FlexDeploy will see the incoming connections from the load balancer as HTTP. This will cause it to generate relative paths with http:// instead of https://. Those URLS are redirected by the load balancer, starting a infinite loop. There is a great article about it here: Broadcom Community - VMTN, Mainframe, Symantec, Carbon Black

To avoid that loop, have the load balancer, there are 2 options:

Option 1 - using RemoteIpValve and x-forwarded-proto

This way will allow users to access FlexDeploy with or without the loadbalancer.

1 In your server.xml in the host section where you will see other valves add an additional valve:

<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="192\.168\.0\.10|192\.168\.0\.11" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" />

  • Modify the ip addresses shown here to your Load Blanacer IP addresses.

  • Keep the format of the ip addresses like this in regex format \. instead of ., and use | for OR.

2 in your load balancer configuration, set the X-Forwarded-Proto header.

See RemoteIpValve (Apache Tomcat 9.0.97 API Documentation) for more information about how that works.

The example titled “Sample with internal proxies” is likely the one closest to the needs of most customers with load balancers.

3 Restart FlexDeploy

Option 2 - Using Connector settings

This way will redirect users to the loadbalancer.

1 In your server.xml in the http connector (that is not commented out) add this line:

proxyport="443" scheme="https" secure="true" proxyname="example.com

2 Change “example.com” to the hostname of the loadbalancer.

3 Restart Flexdeploy

 

The following macros are not currently supported in the footer:
  • style