If a load balancer or proxy sits between the clients and the application Tomcat, additional configuration is needed for Toolbox version 7.0.5 or later, especially when the front end uses HTTPS and the back end plain HTTP. Without it the CSRF security filter will not work, because Tomcat sees the request as plain HTTP coming from the proxy rather than from the client.
Configuration
Both the load balancer or proxy and the application's Tomcat need configuration.
Load balancer
The following headers need to be set:
header | value |
---|---|
X-Forwarded-By | address of lb/proxy with port |
X-Forwarded-For | address of client |
X-Forwarded-Proto | scheme of incoming request |
Example for Nginx:
### proxy headers
Tomcat
Add a RemoteIpValve element (className org.apache.catalina.valves.RemoteIpValve) to server.xml under Server -> Service -> Engine -> Host.
This valve is available in Tomcat 6 and later.
Specify the possible IP addresses of the load balancer(s) in the internalProxies attribute if they reside in private IP space. Use trustedProxies instead if they are routed from public IP space, but use that with caution: forwarding headers are only honoured when the request arrives from an address matching one of these attributes, so listing more addresses than necessary widens who can set the client address and scheme. Both attributes are regular expressions, so escape the dots in literal addresses.
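A server.xml fragment showing the valve in place, added here as an example and not taken from the Toolbox documentation; 10.0.0.5 and 10.0.0.6 stand in for your load balancer addresses, and the header names are the ones from the load balancer table above.

```xml
<!-- server.xml: Server -> Service -> Engine -> Host -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <!-- Honour X-Forwarded-* headers only when the request comes from one of
       these load balancer addresses (placeholders). internalProxies is a
       regular expression, so the dots are escaped. Leaving the attribute out
       keeps Tomcat's default, which matches the RFC 1918 private ranges and
       loopback; for a load balancer on a public address use trustedProxies
       with the same regex syntax instead. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="10\.0\.0\.5|10\.0\.0\.6"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https"
         httpsServerPort="443" />

  <!-- Keep the access log after RemoteIpValve so %h records the real client
       address rather than the load balancer. -->
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         prefix="localhost_access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
```

With protocolHeader set, a request carrying X-Forwarded-Proto: https from a listed proxy is treated by Tomcat as secure, which is what the CSRF filter needs when the front end terminates TLS.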
To find out which IP address the load balancer uses to reach Tomcat, look at the Tomcat access log. Without the valve in place all authentication attempts appear to come from a single IP address; that is the address you need to list.