
How to configure a Load balancer/Proxy

If a load balancer or proxy sits between the clients and the application's Tomcat, additional configuration is needed for Toolbox version >= 7.0.5.

This applies especially when the front end uses HTTPS and the back end uses plain HTTP. Without this configuration, the CSRF security filter will not work.

Configuration

Both the load balancer (or proxy) and the application's Tomcat need configuration.

Load balancer

The following headers need to be set:

| header | value |
| --- | --- |
| X-Forwarded-By | address of lb/proxy with port |
| X-Forwarded-For | address of client |
| X-Forwarded-Proto | scheme of incoming request |

Example for Nginx:

### proxy headers
proxy_set_header        X-Forwarded-By          $server_addr:$server_port;
proxy_set_header        X-Forwarded-For         $remote_addr;
proxy_set_header        X-Forwarded-Proto       $scheme;

Tomcat

Add a RemoteIpValve block to server.xml under Server -> Service -> Engine -> Host.
This is supported by Tomcat 6 and onwards.

Specify the possible IP addresses of the load balancer(s) in the internalProxies field if they reside in private IP space. Use trustedProxies instead if they are routed from public IP space, but use that with caution.

<Valve
    className="org.apache.catalina.valves.RemoteIpValve"
    internalProxies="10\.0\.0\.70|10\.0\.0\.71|10\.0\.0\.72"
    remoteIpHeader="x-forwarded-for"
    proxiesHeader="x-forwarded-by"
    protocolHeader="x-forwarded-proto"
   />

To find out which IP address the load balancer uses to access Tomcat, take a look at the Tomcat logging. Without the valve in place, all authentication attempts will come from a single IP address, which is the one you need to know.
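
A simplified Python model of how the valve above evaluates the forwarded headers, added here as an illustration; it is not Toolbox or Tomcat code. The function name resolve_request, the sample requests and their addresses are constructed, and the back end connector is assumed to be plain HTTP.

```python
import re

# internalProxies from the article's server.xml. Tomcat treats the value as a
# regular expression that must match the whole address, hence the escaped dots.
INTERNAL_PROXIES = re.compile(r"10\.0\.0\.70|10\.0\.0\.71|10\.0\.0\.72")


def _known(pattern, addr):
    return pattern is not None and pattern.fullmatch(addr) is not None


def resolve_request(peer_addr, headers, internal=INTERNAL_PROXIES, trusted=None):
    """Simplified model of the valve: return (remote_ip, scheme) as seen by the app.

    peer_addr is the address of the TCP connection to Tomcat; headers uses
    lower-case names. The back end connector is assumed to be plain HTTP.
    """
    # Forwarded headers are honoured only when the peer itself is a known proxy.
    if not (_known(internal, peer_addr) or _known(trusted, peer_addr)):
        return peer_addr, "http"

    remote_ip = peer_addr
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    # Walk right to left: skip known proxies, stop at the first unknown address.
    for hop in reversed([h for h in hops if h]):
        remote_ip = hop
        if not (_known(internal, hop) or _known(trusted, hop)):
            break

    proto = headers.get("x-forwarded-proto")
    scheme = "https" if proto is not None and proto.lower() == "https" else "http"
    return remote_ip, scheme


# Constructed sample requests using documentation address ranges.
SAMPLES = {
    "via load balancer": ("10.0.0.70", {"x-forwarded-for": "203.0.113.9",
                                        "x-forwarded-proto": "https"}),
    "direct, headers forged": ("198.51.100.7", {"x-forwarded-for": "10.0.0.5",
                                                "x-forwarded-proto": "https"}),
    "extra left-most entry": ("10.0.0.71", {"x-forwarded-for": "192.0.2.1, 203.0.113.9",
                                            "x-forwarded-proto": "https"}),
}

if __name__ == "__main__":
    for name, (peer, hdrs) in SAMPLES.items():
        print(f"{name}: {resolve_request(peer, hdrs)}")
```

The second sample shows why the proxy list should contain only the load balancer addresses: any peer that matches it decides which client address and scheme the application sees.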
