Bamboo remote agents require re-approval when using a multiple instance load balancer
Remote agents require re-approval in Bamboo if the traffic between the remote agent and Bamboo Server could pass through any one of multiple load balancers.
Bamboo utilizes the full IP chain (Remote Address of the source connection and the values in the
X-Forwarded-For HTTP header) when authenticating agents. When traffic can pass through any one of multiple load balancers, the source IP address of the request changes depending on which instance traffic passes through. The traffic then originates from a source which is different to the previous approval entry and will then require re-approval in Bamboo. Once approving this new source, the old authentication entry is replaced and if traffic passes back through that load balancer the next time, the same problem will occur.
Authentication entry for the remote agents can be edited to use IP address wildcards:
- Bamboo Administration > Overview > Agents > on the Agent authentication tab, choose a remote agent and click on Edit IP address. For example,
The load balancer should send a HTTP header with the IP address of the original request, most load balancers use the HTTP header
X-Forwarded-For. You can configure tomcat to replace RemoteIp with
X-Forwarded-For by completing the following steps:
- Shutdown Bamboo
Valveelement to your
server.xmlthat is configured for the header that the load balancer is sending, E.g.
<Engine name="Catalina" defaultHost="localhost"> <Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="127\.0\.0\.1" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" />
- Restart Bamboo
internalProxies attribute needs to be set to the IP Address of your load balancers.
Read more about the RemoteIpValve here:
Read more about X-Forwarded-For on Amazon elastic load balancers here:
Read more about X-Forwarded-For with HAProxy here: