The purpose of this article is to help the reader troubleshoot load balancer issues when configuring SSL/TLS on Firewalls for Pivotal Cloud Foundry (PCF).
If you are using an external load balancer, you need to ensure that you are passing the following header information to PCF.
You need to enable forwarding of the following headers.
X-Forwarded-For
X-Forwarded-Proto
The lack of x-forwarded-* headers can manifest in a few different ways. It can break redirects, cause the application to get an incorrect remote IP address, or cause the app to think that incoming traffic is not coming from a secure channel (i.e. not over HTTPS).
You can check that x-forwarded-* is working by viewing your logs. Look for a Router line like the following, in which x_forwarded_for and x_forwarded_proto are being passed by your Router.
e.g.
cf logs your-app-name
2016-11-07T09:43:53.42+0000 [RTR/0] OUT test.pivotal.io - [07/11/2016:09:43:53.059 +0000] "GET /webjars/bootstrap/3.1.1/fonts/glyphicons-halflings-regular.woff HTTP/1.1" 200 0 23320 "http://test.pivotal.io/webjars/bootstrap/3.1.1/css/bootstrap.css" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/20.0.0.71 Safari/537.36" 10.1.0.32:46019 x_forwarded_for:"10.10.18.114, 10.10.16.32" x_forwarded_proto:"http" vcap_request_id:afffe1d2-c5c5-4f9d-432f-b06031cf45b1 response_time:0.015773898 app_id:7e975e8f-dd96-4d29-9350-6cad342cf833
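The same check can be scripted. The following is an added example, not part of the original article: it reads cf logs output and flags Router lines whose x_forwarded_for or x_forwarded_proto values are missing or do not match the scheme clients are expected to use. The function names, the expected_proto parameter and the sample lines are constructed for illustration.

```python
import re

# Matches the two quoted fields, e.g. x_forwarded_for:"10.10.18.114, 10.10.16.32"
QUOTED_FIELD = re.compile(r'(x_forwarded_for|x_forwarded_proto):"([^"]*)"')


def parse_forwarded(line):
    """Return the forwarded-header fields of one [RTR/n] log line, or None."""
    if "[RTR/" not in line:
        return None  # not a Router access log entry
    fields = dict(QUOTED_FIELD.findall(line))
    raw = fields.get("x_forwarded_for", "")
    # Assumption: "-" is treated as an empty placeholder value.
    hops = [h.strip() for h in raw.split(",") if h.strip() not in ("", "-")]
    return {
        "client_ip": hops[0] if hops else None,  # left-most entry: reported client
        "proxies": hops[1:],                     # later entries: intermediate hops
        "proto": fields.get("x_forwarded_proto") or None,
    }


def check_line(line, expected_proto="https"):
    """List problems in one Router line; an empty list means nothing was flagged."""
    parsed = parse_forwarded(line)
    if parsed is None:
        return []
    problems = []
    if parsed["client_ip"] is None:
        problems.append("x_forwarded_for missing or empty")
    if parsed["proto"] in (None, "-"):
        problems.append("x_forwarded_proto missing or empty")
    elif parsed["proto"].lower() != expected_proto:
        problems.append("x_forwarded_proto is %r, expected %r"
                        % (parsed["proto"], expected_proto))
    return problems


# Constructed sample lines, shortened from the Router log format shown above.
SAMPLE_OK = ('2016-11-07T09:43:53.42+0000 [RTR/0] OUT test.pivotal.io - '
             '"GET / HTTP/1.1" 200 0 23320 10.1.0.32:46019 '
             'x_forwarded_for:"10.10.18.114, 10.10.16.32" x_forwarded_proto:"https"')
SAMPLE_HTTP = SAMPLE_OK.replace('proto:"https"', 'proto:"http"')
SAMPLE_APP = '2016-11-07T09:43:53.50+0000 [APP/0] OUT request handled'

if __name__ == "__main__":
    import sys
    for raw_line in sys.stdin:  # e.g. piped from: cf logs your-app-name
        for problem in check_line(raw_line):
            print(problem, "->", raw_line.strip())
```

A line that reports "http" while clients are connecting over HTTPS indicates that the load balancer terminating TLS is not forwarding X-Forwarded-Proto.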
Amazon Web Services (AWS)
If you are using an AWS Elastic Load Balancer, these headers are enabled by default for HTTP/S.
For more information please click here [1].