Re: Static IP setup for routers on AWS
On Fri, Apr 8, 2016 at 7:04 AM, Engelke, Johannes <info(a)johannes-engelke.de>
Hi Amit,

Are you referring to the RemoteIpValve that is configured for UAA?
Because the RemoteIpValve doesn't restrict access to Tomcat / UAA. It
controls how (and if) Tomcat handles the x-forwarded-* headers. In short,
it will only process those headers if it "trusts" them (by trust, it really
means if the regex matches).
My understanding is that the UAA job will take the gorouter IPs and
prepend them to the front of this regex so that it will always match at
least the IPs for the gorouter. If you're using private IPs, it's not
really necessary as the default regex used by Tomcat will match all private
If you're using public IPs for some reason, you'd need to configure this
or UAA might not detect the incoming connections as HTTPS and it would very
likely detect the wrong remote IP address (necessary for audit records in
Do you see any security improvements, if only routers are allowed to

As long as we're talking about RemoteIpValve (sorry if I'm not following
the conversation completely, I jumped in a little late) and you're using
private IP addresses for your VMs, then I don't see any difference in
If you have public IPs assigned to your gorouter VMs then you may see some
issues with how the x-forwarded-for and x-forwarded-proto headers are
processed, which in turn could affect the accuracy of the audit messages in
Hope that helps!
On 08 Apr 2016, at 02:19, Amit Gupta <agupta(a)pivotal.io> wrote:
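The trust behaviour discussed in this thread, as an added example that is not part of the original messages or of Tomcat/UAA: a simplified Python model of RemoteIpValve (trustedProxies omitted) showing what remote address and scheme Tomcat records when a gorouter with a private IP, a public IP, or a public IP prepended to the internalProxies regex forwards a TLS client request. The regex is Tomcat's documented default; the router and client addresses are constructed from documentation ranges.

```python
import re

# Tomcat's documented default for RemoteIpValve internalProxies: RFC 1918, loopback, link-local.
DEFAULT_INTERNAL_PROXIES = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|"
    r"127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]\.\d{1,3}\.\d{1,3}|"
    r"172\.2[0-9]\.\d{1,3}\.\d{1,3}|172\.3[0-1]\.\d{1,3}\.\d{1,3}"
)

def internal_proxies_regex(router_ips=()):
    """Prepend the gorouter IPs to the default regex, as the thread describes the UAA job doing."""
    parts = [re.escape(ip) for ip in router_ips] + [DEFAULT_INTERNAL_PROXIES]
    return re.compile("|".join(parts))

def resolve_request(remote_addr, x_forwarded_for, x_forwarded_proto, internal_proxies):
    """Simplified RemoteIpValve (no trustedProxies): return the remote address and
    scheme Tomcat would record for this connection."""
    # Headers are only processed when the TCP peer is an internal proxy; otherwise ignored outright.
    if not internal_proxies.fullmatch(remote_addr):
        return {"remote_addr": remote_addr, "secure": False, "headers_trusted": False}

    remote_ip = None
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk the chain right to left; skip internal proxies, stop at the first other address.
    for hop in reversed(hops):
        remote_ip = hop
        if not internal_proxies.fullmatch(hop):
            break
    if remote_ip is None:
        remote_ip = remote_addr
    secure = (x_forwarded_proto or "").lower() == "https"
    return {"remote_addr": remote_ip, "secure": secure, "headers_trusted": True}

def compare_router_addressing():
    """Constructed scenario: TLS client 198.51.100.7 reaches UAA through a gorouter at a
    public IP (203.0.113.10) or a private one (10.0.1.5); addresses are documentation ranges."""
    client, public_router, private_router = "198.51.100.7", "203.0.113.10", "10.0.1.5"
    default = internal_proxies_regex()
    return {
        "private_router_default_regex": resolve_request(private_router, client, "https", default),
        "public_router_default_regex": resolve_request(public_router, client, "https", default),
        "public_router_with_router_ip": resolve_request(
            public_router, client, "https", internal_proxies_regex([public_router])),
    }

if __name__ == "__main__":
    for name, result in compare_router_addressing().items():
        print(f"{name}: {result}")
```

The middle case is the failure mode the thread describes: with a public gorouter and the default regex, the headers are ignored, so the audit record would carry the router's address and the request would not be seen as HTTPS.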