Using Public IP Addresses with Cloud Foundry components

Article ID: 297656

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Symptom

Scenario 1: In a PCF environment whose components have public IP addresses, a deployed Spring Boot app answers a login POST with a redirect whose Location header uses HTTP rather than HTTPS.

Scenario 2: SCS installation fails with the following error:

Issue: Spring cloud broker app is failing to start.
Error: services 1.0.0. Server error, status code: 502, error code: 10001 The service broker returned an invalid response


Environment


Cause

This happens because Tomcat cannot see that the request was made over HTTPS and so redirects to HTTP. The underlying cause is that one or more Gorouters are on a public IP address. Gorouters SHOULD NOT be on a public IP; this can compromise the security of the platform. Tomcat trusts the X-Forwarded-Proto header (which carries the scheme, HTTP or HTTPS, of the original client request) only when the request arrives from a private IP address.

Resolution

For Scenario 1:

To work around this issue, determine the Gorouter address range and make all Spring Boot apps treat those addresses as trusted proxies. First, check whether the running environment variable group already contains values:

$ cf revg

If it does, merge those existing values into the JSON you pass to the $ cf srevg command, because that command replaces the whole group. The rest of the examples assume that no running environment variables are defined.

More about that here: https://docs.run.pivotal.io/devguide/deploy-apps/environment-variable.html#evgroups

The following will trust ALL IP addresses and is for illustrative / debugging purposes only. Don’t use this in production! The regex means “match a string with 1-3 digits, then a dot, then 1-3 digits, then a dot, then 1-3 digits, then a dot, then 1-3 digits,” i.e. anything that looks like an IPv4 address.

$ cf srevg '{"SERVER_TOMCAT_INTERNAL_PROXIES":"\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"}'

Example: The following will trust 1.2.3.4 and 5.6.7.8 as trusted proxies. The regex means “match ‘1.2.3.4’ or ‘5.6.7.8’.”

$ cf srevg '{"SERVER_TOMCAT_INTERNAL_PROXIES":"1\\.2\\.3\\.4|5\\.6\\.7\\.8"}'


Any regex you set should be verified with cf revg:

$ cf revg
Retrieving the contents of the running environment variable group as admin...
OK
Variable Name                    Assigned Value   
SERVER_TOMCAT_INTERNAL_PROXIES   1\.2\.3\.4|5\.6\.7\.8

The value should be a valid regex, which you can copy and paste into your favorite regex tester (e.g. http://regexr.com/).
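As an added illustration of the cause described above (example code written for this article, not code from the article, from Tomcat or from Spring), the following Python decodes the cf srevg JSON into the regex the app actually sees and then applies it the way Tomcat does, as a full match against the connecting address, to decide whether X-Forwarded-Proto is honoured. The RemoteIpValve model is a simplification and the host name app.example.test is an assumption.

```python
import json
import re

# Constructed sample values: the two JSON payloads passed to `cf srevg` above.
TRUST_TWO_ROUTERS = r'{"SERVER_TOMCAT_INTERNAL_PROXIES":"1\\.2\\.3\\.4|5\\.6\\.7\\.8"}'
TRUST_ANY_IPV4 = r'{"SERVER_TOMCAT_INTERNAL_PROXIES":"\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"}'


def load_internal_proxies(srevg_json):
    r"""Decode the `cf srevg` JSON and compile the regex the app will see.

    JSON unescaping turns every `\\.` into `\.`, so the stored value is
    `1\.2\.3\.4|5\.6\.7\.8`, exactly what `cf revg` prints. An invalid
    regex raises re.error here rather than at application start-up.
    """
    value = json.loads(srevg_json)["SERVER_TOMCAT_INTERNAL_PROXIES"]
    return re.compile(value)


def effective_scheme(remote_addr, internal_proxies, headers):
    """Simplified model of Tomcat's RemoteIpValve (an approximation, not Tomcat's code).

    TLS terminates at the Gorouter, so the app only ever receives plain HTTP.
    Tomcat honours X-Forwarded-Proto only when the peer address matches the
    internal-proxies regex in full (Java Matcher.matches(), hence fullmatch);
    from any other address the header is ignored and the scheme stays http.
    """
    forwarded = headers.get("X-Forwarded-Proto", "").lower()
    if internal_proxies.fullmatch(remote_addr) and forwarded in ("http", "https"):
        return forwarded
    return "http"


def login_redirect(remote_addr, internal_proxies, headers, host="app.example.test"):
    """Location header a Spring Security login POST would redirect to (host assumed)."""
    return f"{effective_scheme(remote_addr, internal_proxies, headers)}://{host}/"


if __name__ == "__main__":
    proxies = load_internal_proxies(TRUST_TWO_ROUTERS)
    hdrs = {"X-Forwarded-Proto": "https"}
    # Gorouter on a listed address: the redirect keeps https.
    print(login_redirect("5.6.7.8", proxies, hdrs))       # https://app.example.test/
    # Gorouter on an unlisted public address: the Scenario 1 symptom.
    print(login_redirect("203.0.113.9", proxies, hdrs))   # http://app.example.test/
```

Because the match is a full match, a Gorouter at 1.2.3.45 is not trusted by the pattern 1\.2\.3\.4, so each router address must be covered exactly by the regex you set.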


For Scenario 2:

Run the following commands for SCS:

$ cf set-env spring-cloud-broker JAVA_OPTS "-Dlogging.level.org.springframework.web=DEBUG -Dlogging.level.org.apache.catalina=DEBUG -Dserver.tomcat.remote_ip_header=x-forwarded-for -Dserver.tomcat.protocol_header=x-forwarded-proto -Dserver.tomcat.internal_proxies=10.134.175.[1-9]{1,3}"
$ cf restage spring-cloud-broker

Impact/Risk

Pivotal doesn't recommend using public IP addresses for the internal components of your PCF installation.