Bamboo remote agents require re-approval when using a multiple instance load balancer

Problem

Remote agents require re-approval in Bamboo if the traffic between the remote agent and Bamboo Server could pass through any one of multiple load balancers.

Cause

Bamboo utilizes the full IP chain (Remote Address of the source connection and the values in the X-Forwarded-For HTTP header) when authenticating agents. When traffic can pass through any one of multiple load balancers, the source IP address of the request changes depending on which instance traffic passes through. The traffic then originates from a source which is different to the previous approval entry and will then require re-approval in Bamboo. Once approving this new source, the old authentication entry is replaced and if traffic passes back through that load balancer the next time, the same problem will occur.

Workaround

Authentication entry for the remote agents can be edited to use IP address wildcards:

• Bamboo Administration > Overview > Agents > on the Agent authentication tab, choose a remote agent and click on Edit IP address. For example, 192.168.5.*

Resolution

The load balancer should send a HTTP header with the IP address of the original request, most load balancers use the HTTP header X-Forwarded-For. You can configure tomcat to replace RemoteIp with X-Forwarded-For by completing the following steps:

1. Shutdown Bamboo

2. Edit <bamboo-install>/conf/server.xml

3. Add a Valve element to your server.xml that is configured for the header that the load balancer is sending, E.g.

   <Engine name="Catalina" defaultHost="localhost"> <Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="127\.0\.0\.1" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" />

4. Restart Bamboo