70.7 Use behind a front-end proxy server
Your application might need to send 302 redirects or render content with absolute links back to itself. When running behind a proxy, the caller wants a link to the proxy, and not to the physical address of the machine hosting your app. Typically such situations are handled via a contract with the proxy, which will add headers to tell the back end how to construct links to itself.
If the proxy adds conventional X-Forwarded-For and X-Forwarded-Proto headers (most do this out of the box) the absolute links should be rendered correctly as long as server.use-forward-headers is set to true in your application.properties.
Note: If your application is running in Cloud Foundry or Heroku the server.use-forward-headers property will default to true if not specified. In all other instances it defaults to false.
70.7.1 Customize Tomcat’s proxy configuration
If you are using Tomcat you can additionally configure the names of the headers used to carry “forwarded” information:
server.tomcat.remote-ip-header=x-your-remote-ip-header
server.tomcat.protocol-header=x-your-protocol-header
Tomcat is also configured with a default regular expression that matches internal proxies that are to be trusted. By default, IP addresses in 10/8, 192.168/16, 169.254/16 and 127/8 are trusted. You can customize the valve’s configuration by adding an entry to application.properties, e.g.
server.tomcat.internal-proxies=192\\.168\\.\\d{1,3}\\.\\d{1,3}
Note: The double backslashes are only required when you’re using a properties file for configuration. If you are using YAML, single backslashes are sufficient and a value that’s equivalent to the one shown above would be 192\.168\.\d{1,3}\.\d{1,3}.
Note: You can trust all proxies by setting the internal-proxies to empty (but don’t do this in production).
You can take complete control of the configuration of Tomcat’s RemoteIpValve by switching the automatic one off (i.e. set server.use-forward-headers=false) and adding a new valve instance in a TomcatEmbeddedServletContainerFactory bean.
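One way to register such a valve, shown as an added example that is not part of the original reference text. The class name ProxyValveConfiguration is hypothetical, the trusted range reuses the 192.168 pattern shown above, and server.use-forward-headers=false is assumed so that the automatic valve is not registered as well.

```java
import org.apache.catalina.valves.RemoteIpValve;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical configuration class (added example, not Spring Boot's own code).
@Configuration
public class ProxyValveConfiguration {

    @Bean
    public TomcatEmbeddedServletContainerFactory tomcatFactory() {
        TomcatEmbeddedServletContainerFactory factory =
                new TomcatEmbeddedServletContainerFactory();

        RemoteIpValve valve = new RemoteIpValve();

        // Header names agreed with the front-end proxy.
        valve.setRemoteIpHeader("X-Forwarded-For");
        valve.setProtocolHeader("X-Forwarded-Proto");

        // The valve only honours the forwarded headers when the connecting
        // peer's address matches this pattern, so keep it as narrow as the
        // proxy tier allows. Java string literal: backslashes are doubled,
        // as in a properties file.
        valve.setInternalProxies("192\\.168\\.\\d{1,3}\\.\\d{1,3}");

        // Register the valve on the embedded Tomcat engine.
        factory.addEngineValves(valve);
        return factory;
    }
}
```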