How to remove the Load Balancer IP address from the Bamboo Agent authentication and approval
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
This article will show you how to effectively remove the load balancers' IP addresses from Bamboo's view of the incoming connection. This could be desired in a clustered load balancer situation where the load balancer address changes frequently depending on which node proxies the connection, requiring re-approval.
Context
Bamboo's agent authentication process involves a manual approval of a combination of:
- IP Address
- Agent UUID (unique identifier allocated to the agent by the Bamboo master)
The IP address that is examined is a combination of both the REMOTE_ADDR (the source IP address of the connection) and, if present, X-Forwarded-For (an HTTP header that load balancers and reverse proxies commonly set to the true client IP address when they forward a connection).
Example
When your agents connect to Bamboo via a load balancer or reverse proxy, you might see the following IP Address format in the Bamboo agent approval screen: 52.123.345.2, 10.1.1.15
In this example:
- 52.123.345.2 is the REMOTE_ADDR which would be the address of the incoming connection (the Load Balancer)
- 10.1.1.15 is the X-Forwarded-For value which the load balancer set to the real IP of the client (Bamboo remote agent) when it proxied the connection.
Environment
- All Bamboo releases
- A Load Balancer
Solution
Prerequisites
- Your load balancer or reverse proxy must already be correctly setting the value of the X-Forwarded-For HTTP header for proxied HTTP connections.
- You will need access to modify configuration files on your Bamboo server's filesystem.
We can use Tomcat's RemoteIpValve to force the value of the REMOTE_ADDR to the value of X-Forwarded-For when the connection is sourced from a trusted address.
- Modify your <bamboo-install>/conf/server.xml. Within the <Engine name="Catalina" defaultHost="localhost"> configuration, add a RemoteIpValve valve and modify the value of the trustedProxies property to match the IP addresses of your Load Balancer(s). For example:

      <Engine name="Catalina" defaultHost="localhost">
        <!-- To hide the Load Balancer IP, use internalProxies="52\.123\.345\.2|52\.123\.345\.3" instead of trustedProxies -->
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               trustedProxies="52\.123\.345\.2|52\.123\.345\.3"
               remoteIpHeader="x-forwarded-for"
               proxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto"/>
        ...

- If you would like the Tomcat Access logs to show the IP address of the remote host instead of the Load Balancer's, add the requestAttributesEnabled="true" property to the org.apache.catalina.valves.AccessLogValve Valve:

      <Engine name="Catalina" defaultHost="localhost">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               requestAttributesEnabled="true"
               ...

- Restart Bamboo
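The valve's handling of REMOTE_ADDR and X-Forwarded-For, as an added example (not Atlassian or Tomcat code): a simplified Python model of the right-to-left header walk described in Tomcat's RemoteIpValve documentation, run over constructed connections that reuse this article's sample addresses. The function and variable names are hypothetical, and internalProxies is treated as unset unless passed in.

```python
import re

# Value taken from the article's server.xml example.
LB_PATTERN = r"52\.123\.345\.2|52\.123\.345\.3"

def resolve_remote_ip(remote_addr, xff, trusted=None, internal=None):
    """Return (remote address the application sees, proxies-header entries).

    Simplified model: `internal` is treated as unset unless passed in.
    """
    def matches(pattern, ip):
        # The valve applies the pattern to the whole address, not a substring.
        return bool(pattern) and re.fullmatch(pattern, ip) is not None

    peer_internal = matches(internal, remote_addr)
    # The header is only honoured when the TCP peer is a configured proxy.
    if not (peer_internal or matches(trusted, remote_addr)):
        return remote_addr, []

    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    if not hops:
        return remote_addr, []

    proxies = [] if peer_internal else [remote_addr]
    remote_ip = remote_addr
    for hop in reversed(hops):          # processed right to left
        remote_ip = hop
        if matches(internal, hop):
            continue                    # swallowed, not recorded
        if matches(trusted, hop):
            proxies.insert(0, hop)      # recorded in proxiesHeader
            continue
        break                           # first non-proxy hop is the client
    return remote_ip, proxies

def demo():
    """Constructed sample connections using the article's addresses."""
    return {
        "trusted_lb": resolve_remote_ip("52.123.345.2", "10.1.1.15", trusted=LB_PATTERN),
        "internal_lb": resolve_remote_ip("52.123.345.2", "10.1.1.15", internal=LB_PATTERN),
        "not_a_proxy": resolve_remote_ip("203.0.113.9", "10.1.1.15", trusted=LB_PATTERN),
        "extra_left_entry": resolve_remote_ip(
            "52.123.345.2", "198.51.100.7, 10.1.1.15", trusted=LB_PATTERN),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A connection whose source address matches neither pattern keeps its original REMOTE_ADDR, so the pattern should match your load balancers and nothing else.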
- The trustedProxies attribute must be set to the IP Address of your load balancer(s). If the incoming connection comes from any other address, the value of the header will not be used.
- In the above examples, two load balancer addresses are trusted: 52.123.345.2, 52.123.345.3
- trustedProxies and internalProxies support Regular Expression which can be used to cover IP ranges.
- When using trustedProxies, each trusted proxy is added to the HTTP header referenced in the attribute proxiesHeader. If you want the IP address to be swallowed and not added to the header, you may use the attribute internalProxies instead.
- Read more about each attribute here: