Pivotal Knowledge Base

Troubleshooting SSL/TLS Load Balancer Issues in Cloud Foundry

Environment

Product: Pivotal Cloud Foundry® (PCF)

Version: All versions

Purpose

This KB helps the reader troubleshoot load balancer issues when configuring SSL/TLS on firewalls for PCF.

Procedure 

If you are using an external load balancer, you need to ensure that it passes the following header information to PCF. Enable forwarding of these headers:

X-Forwarded-For

X-Forwarded-Proto

The lack of x-forwarded-* headers can manifest in a couple of different ways. It can break redirects, cause the application to get an incorrect remote IP address, or cause the app to think that incoming traffic is not coming over a secure channel (i.e. not over HTTPS).

You can check that x-forwarded-* is working by viewing your logs. Look for a router ([RTR]) line like the following, in which x_forwarded_for and x_forwarded_proto are being passed by your Router.

e.g.

cf logs your-app-name

2016-11-07T09:43:53.42+0000 [RTR/0] OUT test.pivotal.io - [07/11/2016:09:43:53.059 +0000] "GET /webjars/bootstrap/3.1.1/fonts/glyphicons-halflings-regular.woff HTTP/1.1" 200 0 23320 "http://test.pivotal.io/webjars/bootstrap/3.1.1/css/bootstrap.css" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/20.0.0.71 Safari/537.36" 10.1.0.32:46019 x_forwarded_for:"10.10.18.114, 10.10.16.32" x_forwarded_proto:"http" vcap_request_id:afffe1d2-c5c5-4f9d-432f-b06031cf45b1 response_time:0.015773898 app_id:7e975e8f-dd96-4d29-9350-6cad342cf833
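The log check described above can be scripted. The following is an added example, not part of the original KB or any Pivotal tooling: it scans router lines for the two fields and reports when either is absent, or when x_forwarded_proto is not https although HTTPS is expected. The sample lines are constructed from the one shown above, and treating a missing field, an empty value or "-" as "header not forwarded" is an assumption.

```python
import re
import sys

# Matches the two key:"value" fields shown in the [RTR/0] line above.
FIELD_RE = re.compile(r'\b(x_forwarded_for|x_forwarded_proto):"([^"]*)"')

# Constructed sample lines, shortened from the router log line on this page.
SAMPLE_OK = (
    '2016-11-07T09:43:53.42+0000 [RTR/0] OUT test.pivotal.io - '
    '[07/11/2016:09:43:53.059 +0000] "GET / HTTP/1.1" 200 0 23320 "-" '
    '"Mozilla/5.0" 10.1.0.32:46019 '
    'x_forwarded_for:"10.10.18.114, 10.10.16.32" x_forwarded_proto:"http"'
)
SAMPLE_MISSING = SAMPLE_OK.replace(
    '"10.10.18.114, 10.10.16.32"', '"-"').replace('"http"', '"-"')


def check_router_line(line, expect_https=False):
    """Return a list of problems for one router line, or None if not [RTR/..]."""
    if "[RTR/" not in line:
        return None
    # If a key appears twice the last one wins; in the sample the router's
    # own fields come after the quoted referer and user agent.
    fields = dict(FIELD_RE.findall(line))
    xff = fields.get("x_forwarded_for", "")
    proto = fields.get("x_forwarded_proto", "")
    problems = []
    # Assumption: an absent header appears as a missing field, "" or "-".
    if xff in ("", "-"):
        problems.append("x_forwarded_for missing")
    if proto in ("", "-"):
        problems.append("x_forwarded_proto missing")
    elif expect_https and proto.lower() != "https":
        problems.append("x_forwarded_proto is %r, expected https" % proto)
    return problems


if __name__ == "__main__":
    # Reads log lines on stdin and prints only router lines with problems.
    # Any command-line argument turns on the HTTPS expectation.
    for raw in sys.stdin:
        issues = check_router_line(raw, expect_https=len(sys.argv) > 1)
        if issues:
            print("; ".join(issues), "|", raw.strip())
```

Saved under a hypothetical name such as check_xff.py, it can read the output of `cf logs your-app-name --recent` on stdin; pass any argument when clients are expected to reach the load balancer over HTTPS.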


AWS

If you are using an AWS Elastic Load Balancer, these headers are enabled by default for HTTP/S.

For more information, see [1].

Additional Information

 1. http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html
