Posted on 02-07-2016 03:43 AM
Anyone out there familiar with using HA Proxy for a load balancer? We recently began using a load balancer with a public IP routing to our internal JSS servers with an internal IP. The problem we have is the internal IP is now showing for just about every iOS and OS X device. We have followed just about every suggestion on the boards.
Ensured Apache Tomcat settings in the JSS was set to Enable Remote IP Valve,
Modified the Server.xml to contain
<Valve
className="org.apache.catalina.valves.RemoteIpValve"
internalProxies="x.x.x.x"
trustedProxies="x.x.x.x"
remoteIpHeader="x-forwarded-for"
remoteIpProxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"/>
setting the "x.x.x.x" to both the internal IP and the external IP.
We have done a hybrid of all of the above.
Any assistance would be greatly appreciated.
Posted on 02-07-2016 06:54 AM
We found it quite helpful to include the forwardfor and httpclose options for our jss backend in our haproxy configuration:
backend jss-cluster
balance source
option forwardfor
option httpclose
option httpchk
server jss-node-0 jss-node-0.acme.http:443 ssl ca-file /etc/ssl/certs/ACMErootCA.pem verify required check
server jss-node-1 [...]
[...]
Our Tomcat server.xml only requires
<Valve
className="org.apache.catalina.valves.RemoteIpValve"
internalProxies="1.2.3.4"
/>
to make the magic happen.
Posted on 02-08-2016 04:10 AM
@localhorst Thanks for the insight,
Do you have Enable Proxy Port enabled? If so, what port are you using? What scheme?
Thanks, load balancing is new to us and we need to get this issue resolved.
Posted on 02-09-2016 02:11 PM
Hi @mradams,
Server.xml should at least contain the following options:
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
proxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto" />
And do not forget to add the jvmRoute:
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jss1">
We have used port 8080 (directly from HAProxy) and now use 8009 (via HAProxy and Apache Proxy).
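As an added example (not code from any poster or from Tomcat itself), the following Python sketch models how RemoteIpValve decides whether to believe X-Forwarded-For, which is why the internalProxies pattern has to match the address HAProxy connects from. The addresses and function names are constructed for illustration, and the logic is a simplified reading of the valve's behaviour.

```python
import re

def resolve_remote_ip(peer, xff, internal_proxies, trusted_proxies=None):
    """Simplified model of RemoteIpValve's right-to-left X-Forwarded-For walk.

    Both patterns are regexes that must match the whole address.
    Returns (remote_addr_seen_by_app, trusted_proxy_chain).
    """
    internal = re.compile(internal_proxies)
    trusted = re.compile(trusted_proxies) if trusted_proxies else None

    def is_internal(ip):
        return internal.fullmatch(ip) is not None

    def is_trusted(ip):
        return trusted is not None and trusted.fullmatch(ip) is not None

    # The header is honoured only when the TCP peer itself is a known proxy.
    if not (is_internal(peer) or is_trusted(peer)):
        return peer, []

    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    remote_ip, chain = None, []
    for hop in reversed(hops):
        remote_ip = hop
        if is_internal(hop):
            continue              # internal proxies are skipped silently
        if is_trusted(hop):
            chain.insert(0, hop)  # trusted proxies are recorded in the chain
            continue
        break                     # first hop no known proxy vouches for
    return (remote_ip or peer), chain

# Constructed sample values (not from the thread).
LB = "10.0.0.5"           # HAProxy address as Tomcat sees it
CLIENT = "203.0.113.7"    # real device address appended by "option forwardfor"
FORGED = "198.51.100.99"  # value a client placed in its own X-Forwarded-For

def demo():
    return {
        "lb_listed": resolve_remote_ip(LB, CLIENT, r"10\.0\.0\.5"),
        "lb_not_listed": resolve_remote_ip(LB, CLIENT, r"192\.168\.1\.1"),
        "no_header": resolve_remote_ip(LB, None, r"10\.0\.0\.5"),
        "forged_prefix": resolve_remote_ip(LB, f"{FORGED}, {CLIENT}", r"10\.0\.0\.5"),
        "pattern_too_broad": resolve_remote_ip(LB, f"{FORGED}, {CLIENT}", r".*"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} -> {result}")
```

The lb_not_listed and no_header cases both report the load balancer's address for every device, which is the symptom described in the first post. The pattern_too_broad case shows why the pattern should match only the proxy's own address: the recorded IP becomes whatever the client put in the header.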