Pivotal Knowledge Base


Pivotal Cloud Foundry® does not support forcing SSL for the 172.16/12 network range

Known Issue
Pivotal Cloud Foundry® (PCF) does not support forcing the login server to use SSL for deployments that use the 172.16/12 network range.

Workaround
Set login.protocol to HTTP in your deployment manifest.

Because no redirect to HTTPS is issued, this workaround requires that you use SSL explicitly. It also has the side effect of not correctly capturing the originating IP address in the login server's access logs: all requests will be logged as originating from the router.

Explanation
The login server uses Tomcat's RemoteIpValve to detect whether the originating request was made over SSL. When login.protocol is set to HTTPS and the originating request was in plain text, a redirect to HTTPS is forced. The RemoteIpValve will only issue this redirect if the request is coming from a trusted proxy. A set of internal IP ranges is trusted by default. This includes 127/8, 10/8, 192.168/16, and 169.254/16, but does not include the private range of 172.16/12.
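The following Python model, added here as an illustration and not code from PCF or Tomcat, shows why the trusted-proxy list matters: forwarded headers (X-Forwarded-For, X-Forwarded-Proto) are honoured only when the immediate peer falls inside the default internal ranges listed above. A router at 10.0.0.5 is trusted, so the plain-text origin is detected, the client IP is recovered, and a redirect is issued; a router at 172.16.0.5 is not, so neither the original scheme nor the client IP can be seen and the router itself is what ends up in the access log. The router and client addresses are constructed sample values.

```python
import ipaddress

# Internal proxy ranges trusted by default, as listed in the article
# (the 172.16/12 private range is deliberately absent).
DEFAULT_INTERNAL_PROXIES = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16")
]


def is_trusted_proxy(addr, trusted=DEFAULT_INTERNAL_PROXIES):
    """True if addr falls inside one of the trusted internal proxy ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def resolve_request(remote_addr, headers, trusted=DEFAULT_INTERNAL_PROXIES):
    """Model of RemoteIpValve: honour X-Forwarded-For / X-Forwarded-Proto only
    when the immediate peer (the router) is a trusted proxy."""
    if not is_trusted_proxy(remote_addr, trusted):
        # Headers are ignored: the router is recorded as the client and the
        # router-to-login-server hop (plain HTTP) is all that is observed.
        return {"client_ip": remote_addr, "secure": False, "proxy_trusted": False}

    # Walk the X-Forwarded-For chain from the right, skipping trusted proxies;
    # the first address that is not a trusted proxy is the originating client.
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    client_ip = remote_addr
    while hops:
        candidate = hops.pop()
        if not is_trusted_proxy(candidate, trusted):
            client_ip = candidate
            break

    proto = headers.get("X-Forwarded-Proto", "http").strip().lower()
    return {"client_ip": client_ip, "secure": proto == "https", "proxy_trusted": True}


def login_response(remote_addr, headers, login_protocol="https",
                   trusted=DEFAULT_INTERNAL_PROXIES):
    """Return the status the login server would produce plus what it would log.
    With login.protocol=https, a plain-text request arriving via a trusted proxy
    is redirected (302); via an untrusted proxy nothing is detected or redirected."""
    info = resolve_request(remote_addr, headers, trusted)
    if login_protocol == "https" and info["proxy_trusted"] and not info["secure"]:
        return {"status": 302, **info}
    return {"status": 200, **info}


if __name__ == "__main__":
    # Constructed sample: a client at 203.0.113.7 reaches the login server
    # over plain HTTP through a router whose address varies by deployment.
    hdrs = {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "http"}
    for router in ("10.0.0.5", "172.16.0.5"):
        print(router, login_response(router, hdrs))
```

Running it prints a 302 with client_ip 203.0.113.7 for the 10.0.0.5 router and a 200 with client_ip 172.16.0.5 for the 172.16.0.5 router, which is exactly the logging side effect described in the workaround.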