How to remove load balancer IP address from Bamboo agent authentication and approval

Purpose

This article will show you how to effectively remove the load balancer's IP address from Bamboo's view of the incoming connection. This could be desired in a clustered load balancer situation where the load balancer address changes frequently depending on which node proxies the connection, requiring re-approval.

Context

Bamboo's agent authentication process involves a manual approval of a combination of:

  • IP Address
  • Agent UUID (unique identifier allocated to the agent by the Bamboo master)

The IP address that is examined is a combination of both the REMOTE_ADDR (the source IP address of the connection) and, if present, X-Forwarded-For (an HTTP header that load balancers and reverse proxies commonly set to the true client IP address when they forward a connection).

When your agents connect to Bamboo via a load balancer or reverse proxy, you might see the following IP address format in the Bamboo agent approval screen: 52.123.345.2, 10.1.1.15.

In this example:

  • 52.123.345.2 is the REMOTE_ADDR which would be the address of the incoming connection (the Load Balancer)
  • 10.1.1.15 is the X-Forwarded-For value which the load balancer set to the real IP of the client (Bamboo remote agent) when it proxied the connection.

Solution

Prerequisites

  1. Your load balancer or reverse proxy must already be correctly setting the value of the X-Forwarded-For HTTP header for proxied HTTP connections.
  2. You will need access to modify configuration files on your Bamboo server's filesystem.

We can use Tomcat's RemoteIpValve to force the value of the REMOTE_ADDR to the value of X-Forwarded-For when the connection is sourced from a trusted address.

  1. Modify your $BAMBOO_INSTALL/conf/server.xml
  2. Below the line <Engine name="Catalina" defaultHost="localhost">, add a RemoteIP Valve. Example:

        <Valve className="org.apache.catalina.valves.RemoteIpValve"
            trustedProxies="52\.123\.345\.2|52\.123\.345\.3"
            remoteIpHeader="x-forwarded-for"
            proxiesHeader="x-forwarded-by"
            protocolHeader="x-forwarded-proto" />

     Modify the value of trustedProxies to the IP address of your load balancer(s).

  3. Restart Bamboo

  • The trustedProxies attribute must be set to the IP Address of your load balancer(s). If the incoming connection comes from any other address, the value of the header will not be used.
  • In the above example, two load balancer addresses are trusted: 52.123.345.2, 52.123.345.3
  • trustedProxies and internalProxies accept regular expressions, which can be used to cover IP ranges.
  • When using trustedProxies, each trusted proxy is added to the HTTP header referenced in the attribute proxiesHeader. If you want the IP address to be swallowed and not added to the header, you may use the attribute internalProxies instead.
  • Read more about each attribute here: Apache Tomcat 8.5 Documentation - RemoteIpValve
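
The trust decision described in the notes above, as a simplified Python model (an added example, not Tomcat's or Atlassian's code). The function name resolve_remote_addr and the addresses 203.0.113.9 and 198.51.100.7 are constructed for illustration; the model assumes each address must match the whole regular expression and that X-Forwarded-For is read from right to left.

```python
import re

# Value of trustedProxies from the article's example Valve.
TRUSTED = r"52\.123\.345\.2|52\.123\.345\.3"

def resolve_remote_addr(remote_addr, xff, trusted_proxies=None, internal_proxies=None):
    """Return (address the application sees, entries recorded in proxiesHeader)."""
    trusted = re.compile(trusted_proxies) if trusted_proxies else None
    internal = re.compile(internal_proxies) if internal_proxies else None

    def is_internal(ip):
        return bool(internal and internal.fullmatch(ip))

    def is_trusted(ip):
        return bool(trusted and trusted.fullmatch(ip))

    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # The header is honoured only when the TCP peer itself is a known proxy.
    if not hops or not (is_internal(remote_addr) or is_trusted(remote_addr)):
        return remote_addr, []

    # Trusted proxies are recorded; internal proxies are swallowed.
    proxies = [] if is_internal(remote_addr) else [remote_addr]
    client = remote_addr
    # Walk right to left: the first hop that is not a known proxy is the client.
    # Anything further left was supplied by that client and is not trusted.
    for hop in reversed(hops):
        client = hop
        if is_internal(hop):
            continue
        if is_trusted(hop):
            proxies.insert(0, hop)
            continue
        break
    return client, proxies

if __name__ == "__main__":
    cases = [  # constructed sample connections: (REMOTE_ADDR, X-Forwarded-For)
        ("52.123.345.2", "10.1.1.15"),                # via the load balancer
        ("203.0.113.9", "10.1.1.15"),                 # direct, header ignored
        ("52.123.345.2", "198.51.100.7, 10.1.1.15"),  # client-supplied prefix
        ("52.123.345.20", "10.1.1.15"),               # not a full match
    ]
    for remote, xff in cases:
        print(remote, "|", xff, "->", resolve_remote_addr(remote, xff, TRUSTED))
```

With this behaviour, the address shown for approval is the agent's only when the connection arrives from a listed proxy; a connection from any other source keeps its own REMOTE_ADDR regardless of the header it sends.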

Product: Bamboo

Last updated: September 4, 2019
