Question

There may be a significant IBM Bluemix infrastructure configuration issue on the load balancing side for Cloud Foundry Java Community Buildpacks. IBM Bluemix support team, I would greatly appreciate some feedback.

I am using IBM Bluemix with the Java Community Buildpack (not Liberty), which by default uses Tomcat. I am trying to enable all redirects from http to https, but keep getting a "Too Many Redirects" error message when visiting the webapp in a browser.

Here is the relevant web.xml portion

 <security-constraint>
     <web-resource-collection>
         <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
         <url-pattern>/*</url-pattern>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
     </web-resource-collection>

     <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
 </security-constraint>

The Java Community Buildpack server.xml, https://github.com/cloudfoundry/java-buildpack/blob/master/resources/tomcat/conf/server.xml, already references:

 <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="x-forwarded-proto"/>

The best IBM BLuemix link I could find on this is: https://developer.ibm.com/answers/questions/16016/how-do-i-enforce-ssl-for-my-bluemix-application.html, but this does not address Java Community Buildpacks. Furthermore, you'll see that this post mentioned that the proper header is indeed set, "X-Forwarded-Proto"

Any help would be appreciated. Very time sensitive requirement.

Here is a github with the sample app being tested, https://github.com/codeconjecture/bluemix-tomcat-ssl-redirect-fail

Here is the same app failing on Bluemix: http://tomcatredirect.mybluemix.net/hello.jsp (too many redirects error) https://tomcatredirect.mybluemix.net/hello.jsp (too many redirects error)

Here is the same app working on Pivotal CF: http://tomcatredirect.cfapps.io/hello.jsp (redirect to https) https://tomcatredirect.cfapps.io/hello.jsp (works on https)

After checking out, you can push the code with cf push <testappname> -p test.war -b https://github.com/cloudfoundry/java-buildpack

Answer 1

Answer by jmarrero (16) | Oct 18, 2016 at 02:59 PM

The issue is that the proxy addresses that Bluemix uses are not trusted by tomcat. To accomplish this, just add the internalProxies='.*' configuration option to the RemoteIpValve.

This should look like this in the server.xml:

         <Valve className='org.apache.catalina.valves.RemoteIpValve' protocolHeader='x-forwarded-proto' internalProxies='.*' />

The current default one in the buildpack does not have the internalProxies setting but includes the protocolHeader='x-forwarded-proto'.

         <Valve className='org.apache.catalina.valves.RemoteIpValve' protocolHeader='x-forwarded-proto' />

Documentation about the Valve can be found here: https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html

This details the usage of the RemoteIpValve and gives the option of trusting proxies.

1 Share

Criteria	Usage
Questions with keyword1 or keyword2	keyword1 keyword2
Questions with a mandatory word, e.g. keyword2	keyword1 +keyword2
Questions excluding a word, e.g. keyword2	keyword1 -keyword2
Questions with keyword(s) and a specific tag	keyword1 [tag1]
Questions with keyword(s) and either of two or more specific tags	keyword1 [tag1] [tag2]
To search for all posts by a user or all posts with a specific tag, start typing and choose from the suggestion list. Do not use a plus or minus sign with a tag, e.g., +[tag1].

Simple Java HelloWorld webapp redirect http/https fails on IBM Bluemix but works on Pivotal CF

1 reply

Follow this question

Simple Java HelloWorld webapp redirect http/https fails on IBM Bluemix but works on Pivotal CF

1 reply

Follow this question

Related questions