70.7 Use behind a front-end proxy server

Your application might need to send 302 redirects or render content with absolute links back to itself. When running behind a proxy, the caller wants a link to the proxy, and not to the physical address of the machine hosting your app. Typically such situations are handled via a contract with the proxy, which will add headers to tell the back end how to construct links to itself.

If the proxy adds the conventional X-Forwarded-For and X-Forwarded-Proto headers (most do this out of the box), the absolute links should be rendered correctly as long as server.use-forward-headers is set to true in your application.properties.

Note: If your application is running in Cloud Foundry or Heroku, the server.use-forward-headers property will default to true if not specified. In all other instances it defaults to false.

70.7.1 Customize Tomcat’s proxy configuration

If you are using Tomcat you can additionally configure the names of the headers used to carry “forwarded” information:


Tomcat is also configured with a default regular expression that matches internal proxies that are to be trusted. By default, IP addresses in 10/8, 192.168/16, 169.254/16 and 127/8 are trusted. You can customize the valve’s configuration by adding an entry to application.properties, e.g.

Note: The double backslashes are only required when you’re using a properties file for configuration. If you are using YAML, single backslashes are sufficient and a value that’s equivalent to the one shown above would be 192\.168\.\d{1,3}\.\d{1,3}.

Note: You can trust all proxies by setting the internal-proxies to empty (but don’t do this in production, because the forwarded headers would then be accepted from any client that can reach the application).

You can take complete control of the configuration of Tomcat’s RemoteIpValve by switching the automatic one off (i.e. set server.use-forward-headers=false) and adding a new valve instance in a TomcatEmbeddedServletContainerFactory bean.
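One way to wire up such a valve, as an added example that is not taken from the Spring Boot documentation: the class name and the proxy address 10.0.0.5 are constructed placeholders, and the sketch assumes server.use-forward-headers=false is set so that the automatic valve is not also registered.

```java
import org.apache.catalina.valves.RemoteIpValve;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical configuration class (name chosen for this example).
@Configuration
public class ProxyValveConfiguration {

    // Constructed placeholder: the single address of the front-end proxy.
    // The valve matches the whole address against this regular expression,
    // so only requests arriving from this peer have their forwarded headers honoured.
    private static final String TRUSTED_PROXY_REGEX = "10\\.0\\.0\\.5";

    @Bean
    public TomcatEmbeddedServletContainerFactory tomcatFactory() {
        RemoteIpValve valve = new RemoteIpValve();

        // Header that carries the original client address.
        valve.setRemoteIpHeader("X-Forwarded-For");

        // Header that carries the original scheme; the valve does not look at
        // a protocol header unless one is named here.
        valve.setProtocolHeader("X-Forwarded-Proto");
        valve.setProtocolHeaderHttpsValue("https");

        // Replace the broad default (10/8, 192.168/16, 169.254/16, 127/8)
        // with the one proxy that is actually in front of the application.
        valve.setInternalProxies(TRUSTED_PROXY_REGEX);

        TomcatEmbeddedServletContainerFactory factory =
                new TomcatEmbeddedServletContainerFactory();
        factory.addContextValves(valve);
        return factory;
    }
}
```

Narrowing the pattern to the real proxy address means a host elsewhere on the private network cannot present its own X-Forwarded-For or X-Forwarded-Proto values and have them believed.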
