Pivotal Knowledge Base


How to Trust Public IP Ranges as Trusted Proxies in Elastic Runtime


Pivotal Cloud Foundry Elastic Runtime 1.8.x and 1.9.x


User cannot login to apps manager via login <system-domain>


Pivotal Account Apps are not set up to trust the Public IP Ranges as trusted proxies. Currently, it only honors the Internal IP Ranges. This issue includes attempting to log into any Pivotal Account org/space.


1. Browse to <console.YOUR-SYSTEM-DOMAIN>

2. Navigate to the elastic runtime tile and click on the Credentials Tab

3. Navigate to the UAA Section and copy the password for the Admin User (Please note: Admin User, not Admin Client) 

4. Launch Apps Manager at https://apps.{system-domain}

5. Select the System ORG and pivotal-account-space

6. Navigate to pivotal-account APP

7. Click on the Env Variables Tab

8. Add the following ENV Variable - server.tomcat.internal-proxies The value is .*

9. Restart the APP


You may also use the CF CLI by issuing the below commands to set the env-var:

  • cf login
  • cf target -o system -s pivotal-account-space
  • cf set-env pivotal-account server.tomcat.internal-proxies .*

Additional Information

This issue will be fixed to work out of the box starting with the v1.10 release. As of now, there is currently no ETA.


Affected version numbers are current as at the time this KB has been written.


  • Avatar
    Scott Gai

    Good article!
    used same solution (command: cf set-env pivotal-account server.tomcat.internal-proxies .*) and solved the similar issue with healthwatch on PCF 2.0

Powered by Zendesk