Re: Tomcat Internal Proxies with Load Balancer #cf


Daniel Mikusa
 

On Thu, Feb 15, 2018 at 11:58 AM, Matthias Winzeler <matthias.winzeler@...> wrote:
Hi Jon

We're facing a similar issue for which we have a PR created: https://github.com/cloudfoundry/java-buildpack/pull/546 

From some informal discussions with the buildpack maintainers, it seems like this is not gonna be merged, because they don't want to support some specific tomcat conf parameters.
We were pointed to providing a custom Tomcat external configuration (as per https://github.com/cloudfoundry/java-buildpack/blob/master/docs/container-tomcat.md#external-tomcat-configuration) that could also be set as standard env group (and thus be operator-friendly), but it looks like we can not ship one external config that works for both Tomcat 7 and Tomcat 8.

Be aware that this would only solve the issue for standalone Tomcat. If your apps use it in the embedded form, they still have to write custom Spring config for it. 

You can configure that in all the ways supported by Spring Boot (i.e. env variable, system properties, application.properties, etc...).  Env variables work nicely if you have lots of Spring Boot apps, as you can set it in a running environment variable group so it'll go across all your apps.

Hope that helps!

Dan

This is probably also true for other app runtimes; I know at least of .NET Core which also defines 'KnownProxies'.

-Matthias

2018-02-15 17:15 GMT+01:00 Jon Martin <martindesignonline@...>:
We are in the process of standing up several PCF foundations in multiple locations.  Each foundation is fronted by a dedicated load balancer.  For Java applications we were noticing that httpRequest.getScheme() and httpRequest.getServerPort() were returning "http" and "80" respectively even though the load balancer forces the use of "https" and "443".

This led us to Tomcat's remoteIpValve documentation:
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html

In the Java Buildpack, adding an internalProxies attribute to Tomcat's RemoteIpValve with a regex that matched the ERT subnet of the foundation solved the problem.  A similar approach can be used for embedded Tomcat:
https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-customize-tomcat-behind-a-proxy-server 

The problems we're trying to solve are:

  1. The ERT subnet regex will be different for each foundation
  2. We don't want to maintain multiple Java buildpacks for each foundation to support a single property value in Tomcat's server.xml
  3. The solution needs to solve for both standalone and embedded Tomcats
We're trying to implement a solution with minimal maintenance and complexity for operators and developers.  That said, we're thinking we could configure an environment variable group with the ERT subnet regex for each foundation. 

  • For embedded Tomcat the environment variable group would be referenced in the application.  For example: server.tomcat.internal-proxies=${ERT_SUBNET}
  • For standalone Tomcat the environment variable group would be referenced in server.xml. e.g. internalProxies="${ERT_SUBNET}"
The two questions I have are:
  1. Would we need to set an environment variable group or is the ERT subnet available in some form already at runtime?
  2. Would the Java Buildpack need to be updated to support standalone Tomcat?
  3. I'm assuming other companies have run into this, is there a standard supported means to solve this already?
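As an added illustration (not code from the thread, from Tomcat or from the buildpack), here is a simplified Python model of the RemoteIpValve trust rules that the internalProxies regex drives. The 10.0.16.0/24 ERT subnet and all client addresses are constructed, and only X-Forwarded-For and X-Forwarded-Proto are modelled:

```python
import re
from dataclasses import dataclass

# Simplified model of Tomcat's RemoteIpValve trust rules (added illustration,
# not Tomcat's own code). Only internalProxies, X-Forwarded-For and
# X-Forwarded-Proto are modelled; trustedProxies and port headers are omitted.

ERT_SUBNET_REGEX = r"10\.0\.16\.\d{1,3}"  # constructed ERT subnet (10.0.16.0/24)


@dataclass
class Resolved:
    remote_addr: str
    scheme: str
    server_port: int
    secure: bool


def resolve(remote_addr, headers, internal_proxies=ERT_SUBNET_REGEX):
    """Resolve client address and scheme for one request.

    remote_addr: the TCP peer Tomcat actually sees (normally the router/LB).
    headers:     request headers as received, as a dict.
    internal_proxies: the valve's internalProxies regex; like Tomcat, it must
                 match the whole peer address, so it is applied with fullmatch.
    """
    internal = re.compile(internal_proxies)

    # The valve only rewrites anything when the immediate peer is an internal
    # proxy; a direct client sending X-Forwarded-* headers is left untouched.
    if not internal.fullmatch(remote_addr):
        return Resolved(remote_addr, "http", 80, False)

    client = remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    # Walk the chain right to left: skip internal hops, stop at the first
    # address that is not one of ours; that is the real client.
    for hop in reversed([h for h in hops if h]):
        if internal.fullmatch(hop):
            continue
        client = hop
        break

    if headers.get("X-Forwarded-Proto", "").lower() == "https":
        return Resolved(client, "https", 443, True)
    return Resolved(client, "http", 80, False)
```

Because the regex is matched against the whole peer address, an ERT pattern has to match the router IPs exactly, and a pattern loose enough to match arbitrary addresses makes the valve honour X-Forwarded-* headers from any direct client, which is the case the third assertion below checks.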
