Hi everyone,
We deployed Camunda using its Helm chart in a Kubernetes cluster, and while SSL redirection is working, the application appears to be ignoring X-Forwarded-* headers. Here’s our setup:
- Load Balancer: AWS Network Load Balancer (NLB)
- SSL Termination: Managed with AWS ACM
- Ingress Controller: NGINX ingress
- Kubernetes Cluster: EKS 1.30
- Helm Chart Version: camunda-platform 8.6
The NGINX ingress is configured to redirect HTTP traffic to HTTPS, and requests reach the application via HTTPS as expected. However, we suspect Camunda isn’t correctly handling X-Forwarded-Proto, X-Forwarded-For, or similar headers, which results in issues such as incorrect redirects or URLs being generated with HTTP instead of HTTPS.
Here’s a snippet of our Values.yaml configuration:
```yaml
---
identityKeycloak:
  postgresql:
    enabled: true
  auth:
    existingSecret: identity-secret-for-components
global:
  elasticsearch:
    enabled: true
  opensearch:
    enabled: false
  ingress:
    enabled: true
    host: camunda.development.eiwa.ag
    className: nginx-public
    annotations:
      nginx.ingress.kubernetes.io/proxy-buffer-size: '128k'
      nginx.ingress.kubernetes.io/proxy-buffering: 'on'
  identity:
    auth:
      publicIssuerUrl: https://camunda.development.eiwa.ag/auth/realms/camunda-platform
      zeebe:
        existingSecret:
          name: identity-secret-for-components
      connectors:
        existingSecret:
          name: identity-secret-for-components
      operate:
        redirectUrl: https://camunda.development.eiwa.ag/operate
        existingSecret:
          name: identity-secret-for-components
      tasklist:
        redirectUrl: https://camunda.development.eiwa.ag/tasklist
        existingSecret:
          name: identity-secret-for-components
      optimize:
        redirectUrl: https://camunda.development.eiwa.ag/optimize
        existingSecret:
          name: identity-secret-for-components
      webModeler:
        redirectUrl: https://camunda.development.eiwa.ag/modeler
      console:
        redirectUrl: https://camunda.development.eiwa.ag/console
        existingSecret:
          name: identity-secret-for-components
webModeler:
  enabled: false
  contextPath: /modeler
  restapi:
    mail:
      existingSecret: identity-secret-for-components # reference the smtp password
      fromAddress: changeme@example.com # change this required value
identity:
  contextPath: /identity
  fullURL: https://camunda.development.eiwa.ag/identity
operate:
  contextPath: /operate
tasklist:
  contextPath: /tasklist
optimize:
  contextPath: /optimize
  migration:
    enabled: false
zeebeGateway:
  ingress:
    grpc:
      enabled: true
      className: nginx-public
      host: zeebe.camunda.development.eiwa.ag
  contextPath: /zeebe
console:
  enabled: false # by default, console is not enabled
  contextPath: /console
elasticsearch:
  enabled: true
```
We’ve ensured that:
- The use-forwarded-headers annotation is enabled.
- AWS NLB is correctly passing headers.
Has anyone else encountered this issue with Camunda or similar apps? Is there a specific configuration required in Camunda to respect X-Forwarded-* headers that could be added in values.yaml?
Would really appreciate any ideas or tips. Thx a lot!
Thank you!
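
An added illustration, not part of the original post and not Camunda's code: a Python sketch of how a backend behind a TLS-terminating proxy derives its redirect URLs from X-Forwarded-* headers, and why it should honor them only when the direct peer is a trusted proxy. The `TRUSTED_PROXIES` CIDR, the IP addresses and the function names are assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import urlunsplit

# Assumption: pod CIDR of the ingress controller (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]

def _first(value):
    """First element of a comma-separated header value, or None."""
    return value.split(",")[0].strip() if value else None

def external_origin(headers, peer_ip, local_scheme="http", trusted=TRUSTED_PROXIES):
    """Return (scheme, host, client_ip) as seen by the external client.

    X-Forwarded-* is honored only when the direct peer is a trusted proxy;
    otherwise any client could spoof the scheme, host or source address.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host, client = local_scheme, h.get("host", "localhost"), peer_ip
    if not any(ipaddress.ip_address(peer_ip) in net for net in trusted):
        return scheme, host, client
    proto = _first(h.get("x-forwarded-proto"))
    if proto in ("http", "https"):
        scheme = proto
    host = _first(h.get("x-forwarded-host")) or host
    # Walk X-Forwarded-For right to left; the first untrusted hop is the client.
    for hop in reversed([p.strip() for p in h.get("x-forwarded-for", "").split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # empty or malformed entry: keep the last valid address
        client = hop
        if not any(addr in net for net in trusted):
            break
    return scheme, host, client

def redirect_url(headers, peer_ip, path, **kwargs):
    """Absolute redirect target built from the derived external origin."""
    scheme, host, _ = external_origin(headers, peer_ip, **kwargs)
    return urlunsplit((scheme, host, path, "", ""))

# Constructed request as the backend would receive it from the ingress.
SAMPLE = {
    "Host": "camunda.development.eiwa.ag",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-For": "203.0.113.7, 10.0.12.34",
}

if __name__ == "__main__":
    print(redirect_url(SAMPLE, "10.0.3.9", "/operate"))              # headers honored
    print(redirect_url(SAMPLE, "10.0.3.9", "/operate", trusted=[]))  # headers ignored
```

With an empty trusted list the same request yields an `http://` redirect, which is the symptom described in the post.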