How to remove load balancer IP address from Bamboo agent authentication and approval
This article shows how to remove the load balancer's IP address from Bamboo's view of the incoming connection. This can be desirable in a clustered load balancer setup, where the load balancer address changes frequently depending on which node proxies the connection, and each change requires re-approval.
Bamboo's agent authentication process involves a manual approval of a combination of:
- IP Address
- Agent UUID (unique identifier allocated to the agent by the Bamboo master)
The IP address that is examined is a combination of both the REMOTE_ADDR (the source IP address on the connection) and X-Forwarded-For (an HTTP header that load balancers and reverse proxies commonly set to the true client IP address when they forward a connection), if present.
When your agents connect to Bamboo via a load balancer or reverse proxy, you might see the following IP Address format in the Bamboo agent approval screen
In this example:
- 52.123.345.2 is the REMOTE_ADDR which would be the address of the incoming connection (the Load Balancer)
- 10.1.1.15 is the X-Forwarded-For value which the load balancer set to the real IP of the client (Bamboo remote agent) when it proxied the connection.
- Your load balancer or reverse proxy must already be correctly setting the value of the X-Forwarded-For HTTP header for proxied HTTP connections.
- You will need access to modify configuration files on your Bamboo server's filesystem.
We can use Tomcat's RemoteIpValve to force the value of the REMOTE_ADDR to the value of X-Forwarded-For when the connection is sourced from a trusted address.
- Modify your
Below the line
<Engine name="Catalina" defaultHost="localhost">, add a RemoteIP Valve. Example:
<Valve className="org.apache.catalina.valves.RemoteIpValve" trustedProxies="52\.123\.345\.2|52\.123\.345\.3" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" />
Modify the value of trustedProxies to the IP address of your load balancer(s).
The trustedProxies attribute must be set to the IP address of your load balancer(s). If the incoming connection comes from any other address, the value of the header will not be used.
- In the above examples, two load balancer addresses are trusted:
internalProxies supports regular expressions, which can be used to cover IP ranges.
When using trustedProxies, each trusted proxy is added to the HTTP header referenced in the attribute proxiesHeader. If you want the IP address to be swallowed and not added to the header, you may use the attribute
- Read more about each attribute here:
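
The trustedProxies check described above can be modelled in a few lines to test a pattern before putting it into the Valve. This is an added example, not Tomcat's or Atlassian's code: the function name `effective_remote_addr` is hypothetical, the 203.0.113.x and 198.51.100.x addresses are constructed samples, and internalProxies and proxiesHeader are not modelled.

```python
import re

# trustedProxies value copied from the Valve example on this page.
TRUSTED_PROXIES = r"52\.123\.345\.2|52\.123\.345\.3"


def effective_remote_addr(remote_addr, x_forwarded_for, trusted=TRUSTED_PROXIES):
    """Simplified model: which address the application sees as REMOTE_ADDR.

    Assumption: only trustedProxies is configured (no internalProxies).
    """
    pattern = re.compile(trusted)
    # The pattern must match the WHOLE address, so 52.123.345.20 does not
    # pass just because it starts with a trusted address.
    if not x_forwarded_for or not pattern.fullmatch(remote_addr):
        # Connection did not come from a trusted proxy: ignore the header,
        # otherwise any client could forge an already approved IP address.
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    client = remote_addr
    # Walk the header right to left: the right-most entries were appended by
    # our own proxies; the first untrusted entry is the real client. Anything
    # further left was supplied by the client and is not believed.
    for hop in reversed(hops):
        client = hop
        if not pattern.fullmatch(hop):
            break
    return client


if __name__ == "__main__":
    # Constructed sample connections: (REMOTE_ADDR, X-Forwarded-For)
    samples = [
        ("52.123.345.2", "10.1.1.15"),                # via trusted load balancer
        ("203.0.113.50", "10.1.1.15"),                # direct, forged header
        ("52.123.345.3", "198.51.100.7, 10.1.1.15"),  # client pre-filled header
        ("52.123.345.3", "10.1.1.15, 52.123.345.2"),  # two balancers in a chain
        ("52.123.345.20", "10.1.1.15"),               # look-alike, not trusted
    ]
    for addr, xff in samples:
        print(f"{addr:15} XFF={xff!r:28} -> {effective_remote_addr(addr, xff)}")
```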