Bamboo remote agents require re-approval when using a multiple instance load balancer
Problem
Remote agents require re-approval in Bamboo if the traffic between the remote agent and Bamboo Server could pass through any one of multiple load balancers.
Cause
Bamboo utilizes the full IP chain (Remote Address of the source connection and the values in the X-Forwarded-For HTTP header) when authenticating agents. When traffic can pass through any one of multiple load balancers, the source IP address of the request changes depending on which instance the traffic passes through. The traffic then originates from a source that differs from the previous approval entry, so it requires re-approval in Bamboo. Once the new source is approved, the old authentication entry is replaced, and if traffic later passes back through the earlier load balancer, the same problem occurs.
Workaround
The authentication entry for a remote agent can be edited to use IP address wildcards:
- Go to Bamboo Administration > Overview > Agents. On the Agent authentication tab, choose a remote agent and click Edit IP address. For example:
  192.168.5.*
Resolution
The load balancer should send an HTTP header carrying the IP address of the original request; most load balancers use the X-Forwarded-For header for this.
You can configure Tomcat to replace RemoteIp with X-Forwarded-For by completing the following steps:
- Shut down Bamboo
- Edit <bamboo-install>/conf/server.xml and add a Valve element that is configured for the header that the load balancer is sending, e.g.:
  <Engine name="Catalina" defaultHost="localhost">
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="127\.0\.0\.1"
             remoteIpHeader="x-forwarded-for"
             proxiesHeader="x-forwarded-by"
             protocolHeader="x-forwarded-proto" />
- Restart Bamboo
The internalProxies attribute needs to be set to the IP address of your load balancers.
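Why internalProxies has to cover every load balancer instance, shown with an added example: a simplified Python model of how RemoteIpValve picks the client address. It is not Tomcat's or Bamboo's code; it models internalProxies only (a regular expression that must match the whole address), and all addresses are constructed samples.

```python
import re

def resolve_remote_ip(remote_addr, xff_header, internal_proxies):
    """Simplified model of RemoteIpValve (internalProxies only, no trustedProxies).

    Returns (remote_addr, x_forwarded_for) as the application would see them.
    """
    proxy_re = re.compile(internal_proxies)
    # The header is only honoured when the TCP peer itself is a listed proxy.
    if not proxy_re.fullmatch(remote_addr):
        return remote_addr, xff_header
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    client = None
    # Walk right to left: skip listed proxies, stop at the first other address.
    while hops:
        client = hops.pop()
        if not proxy_re.fullmatch(client):
            break
    if client is None:
        return remote_addr, xff_header
    return client, (", ".join(hops) or None)

# Constructed sample addresses: one agent, two load balancer instances.
AGENT = "192.168.5.20"
LB_A, LB_B = "10.0.1.10", "10.0.1.11"

PAGE_EXAMPLE = r"127\.0\.0\.1"           # value shown in the Valve example above
BOTH_LBS = r"10\.0\.1\.10|10\.0\.1\.11"  # assumed pattern covering both instances

def chains(internal_proxies):
    """Distinct IP chains seen when the agent arrives via either balancer."""
    return {resolve_remote_ip(lb, AGENT, internal_proxies) for lb in (LB_A, LB_B)}

if __name__ == "__main__":
    print(chains(PAGE_EXAMPLE))  # one chain per balancer: approval keeps flipping
    print(chains(BOTH_LBS))      # a single chain carrying the agent's own address
    # A peer that is not a listed proxy cannot set its address via the header.
    print(resolve_remote_ip("203.0.113.9", AGENT, BOTH_LBS))
```

Keep the pattern limited to the load balancers' own addresses: the header is trusted from any peer the pattern matches.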
Read more about the RemoteIpValve here:
Read more about X-Forwarded-For on Amazon elastic load balancers here:
Read more about X-Forwarded-For with HAProxy here: