Pivotal Knowledge Base


Troubleshooting SSL/TLS Load Balancer Issues in Cloud Foundry


Pivotal Cloud Foundry® (PCF) all versions


The purpose of this article is to help the reader troubleshoot load balancer issues when configuring SSL/TLS on Firewalls for PCF.


If you are using an External load balancer you will need to ensure that that you are passing the following header information to PCF.

You will need to enable forwarding of the following headers.



The lack of x-forwarded-* headers can manifest in a couple different ways. It can break redirects, cause the application to get an incorrect remote IP address, cause the app to think that incoming traffic is not coming from a secure channel (i.e. not over HTTPS).

You can check x-forwarded-* is working by viewing your logs. What you are looking for is something like the following. Where you see the x_forwarded_for and x_forwarded_proto being passed by your Router. 


cf logs your-app-name

2016-11-07T09:43:53.42+0000 [RTR/0]

OUT test.pivotal.io - [07/11/2016:09:43:53.059 +0000] "GET /webjars/bootstrap/3.1.1/fonts/glyphicons-halflings-regular.woff HTTP/1.1" 200 0 23320 
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36" x_forwarded_for:"," x_forwarded_proto:"http" vcap_request_id:afffe1d2-c5c5-4f9d-432f-b06031cf45b1 response_time:0.015773898 app_id:7e975e8f-dd96-4d29-9350-6cad342cf833 

Amazon Web Services (AWS)

If you are using an AWS Elastic Load Balancer these headers are enabled by default for HTTP/S

For more information please click here [1].

Additional Information



Powered by Zendesk