Camunda on Kubernetes (Helm) Ignores X-Forwarded-* Headers Behind AWS NLB with SSL

Hi everyone,

We deployed Camunda using its Helm chart in a Kubernetes cluster, and while SSL redirection is working, the application appears to be ignoring X-Forwarded-* headers. Here’s our setup:

  1. Load Balancer: AWS Network Load Balancer (NLB)
  2. SSL Termination: Managed with AWS ACM
  3. Ingress Controller: NGINX ingress
  4. Kubernetes Cluster: EKS 1.30
  5. Helm Chart Version: camunda-platform 8.6

The NGINX ingress is configured to redirect HTTP traffic to HTTPS, and requests reach the application via HTTPS as expected. However, we suspect Camunda isn’t correctly handling X-Forwarded-Proto, X-Forwarded-For, or similar headers, which results in issues such as incorrect redirects or URLs being generated with HTTP instead of HTTPS.

Here’s a snippet of our Values.yaml configuration:

---
identityKeycloak:

  postgresql:
    enabled: true

  auth:
    existingSecret: identity-secret-for-components

global:
  elasticsearch:
    enabled: true
  opensearch:
    enabled: false

  ingress:
    enabled: true
    host: camunda.development.eiwa.ag
    className: nginx-public
    annotations:
      nginx.ingress.kubernetes.io/proxy-buffer-size: '128k'
      nginx.ingress.kubernetes.io/proxy-buffering: 'on'
  identity:
    auth:
      publicIssuerUrl: https://camunda.development.eiwa.ag/auth/realms/camunda-platform
      zeebe:
        existingSecret:
          name: identity-secret-for-components
      connectors:
        existingSecret:
          name: identity-secret-for-components
      operate:
        redirectUrl: https://camunda.development.eiwa.ag/operate
        existingSecret:
          name: identity-secret-for-components
      tasklist:
        redirectUrl: https://camunda.development.eiwa.ag/tasklist
        existingSecret:
          name: identity-secret-for-components
      optimize:
        redirectUrl: https://camunda.development.eiwa.ag/optimize
        existingSecret:
          name: identity-secret-for-components
      webModeler:
        redirectUrl: https://camunda.development.eiwa.ag/modeler
      console:
        redirectUrl: https://camunda.development.eiwa.ag/console
        existingSecret:
          name: identity-secret-for-components



webModeler:
  enabled: false
  contextPath: /modeler


  restapi:
    mail:
      existingSecret: identity-secret-for-components # reference the smtp password
      fromAddress: changeme@example.com   # change this required value

identity:
  contextPath: /identity
  fullURL: https://camunda.development.eiwa.ag/identity


operate:
  contextPath: /operate


tasklist:
  contextPath: /tasklist

optimize:
  contextPath: /optimize

  migration:
    enabled: false

zeebeGateway:
  ingress:
    grpc:
      enabled: true
      className: nginx-public
      host: zeebe.camunda.development.eiwa.ag
  contextPath: /zeebe

console:
  enabled: false # by default, console is not enabled
  contextPath: /console

elasticsearch:
  enabled: true

We’ve ensured that:

  • The use-forwarded-headers annotation is enabled.
  • AWS NLB is correctly passing headers.

Has anyone else encountered this issue with Camunda or similar apps? Is there a specific configuration required in Camunda to respect X-Forwarded-* headers that could be added in values.yaml?

Would really appreciate any ideas or tips. Thx a lot!

Thank you!

Hey everyone, I managed to solve the issue!!! Unfortunately, I can’t share the exact solution as it involves proprietary code that’s part of our company’s infrastructure and is protected by copyright :frowning:. However, I can provide a general outline of what worked for us, which might help if you’re dealing with a similar setup.

  • Enable Proxy Protocol in the NGINX Service:
    Modify the NGINX ingress controller service to enable Proxy Protocol:
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
spec:
  type: LoadBalancer
  # ...
  • Configure Proxy Protocol in the NGINX ConfigMap:
    Update the NGINX ingress ConfigMap to recognize and handle Proxy Protocol:
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
data:
  use-proxy-protocol: "true"
  # ...
  • Confirm that Proxy Protocol is enabled by checking the NGINX logs for any related errors.
  • Ensure Camunda is generating the correct URLs (with HTTPS) and handling client IPs properly via X-Forwarded-For.
  • Check the NLB target groups; in the attributes section, proxy protocol v2 should be enabled.

While I can’t share the exact code or implementation details, the solution should look similar to what I outlined above. If you need more specifics about enabling Proxy Protocol with an NLB or configuring NGINX ingress, let me know, and I’ll try to guide you further!

Feel free to reach out to me if you experience similar issues; I’m always happy to help.

Best!!!

:warning: NOTE :warning: both configurations are needed. AWS shows the following message in the target group configuration:

Before you enable proxy protocol v2, make sure that your application targets can process proxy protocol headers otherwise your application might break.
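To make the two halves of this fix (and the AWS warning above) concrete, here is an added example that is not from the thread, from Camunda or from ingress-nginx: a small Python model of the NLB -> ingress -> upstream hop. It builds the PROXY protocol v2 header an NLB prepends to each TCP stream when `proxy_protocol_v2` is enabled on the target group, parses it the way `use-proxy-protocol: "true"` lets the ingress do, and shows what the upstream sees for client-IP attribution in four configurations: proxy protocol on both sides (correct client IP), off on both sides (only the NLB address is visible), on at the NLB but not at the ingress (the binary header lands where the HTTP request line should be and parsing fails, which is the breakage AWS warns about), and with `use-forwarded-headers` enabled behind a layer-4 balancer (the client-supplied X-Forwarded-For is trusted). The IP addresses, ports and requests are constructed, the nginx header logic is deliberately simplified, and X-Forwarded-Proto handling is left out.

```python
"""Model of client-IP attribution across NLB -> ingress-nginx -> upstream.
Added example: not code from the forum thread, Camunda or ingress-nginx.
The header-trust logic is a simplified stand-in for nginx's realip behaviour."""
import ipaddress
import struct

# PROXY protocol v2 constants (HAProxy PROXY protocol specification)
PP2_SIGNATURE = b"\x0d\x0a\x0d\x0a\x00\x0d\x0a\x51\x55\x49\x54\x0a"
PP2_VERSION, PP2_CMD_PROXY, PP2_STREAM = 0x2, 0x1, 0x1
PP2_AF_INET, PP2_AF_INET6 = 0x1, 0x2

# Constructed addresses (TEST-NET / RFC 1918), not from the thread
CLIENT_IP, SPOOFED_IP = "203.0.113.7", "198.51.100.9"
NLB_IP, INGRESS_IP = "10.0.1.25", "10.0.2.40"

HONEST_REQUEST = b"GET /operate HTTP/1.1\r\nHost: camunda.example.test\r\n\r\n"
SPOOFED_REQUEST = (b"GET /operate HTTP/1.1\r\nHost: camunda.example.test\r\n"
                   b"X-Forwarded-For: " + SPOOFED_IP.encode() + b"\r\n\r\n")


def build_pp2_header(src_ip, src_port, dst_ip, dst_port):
    """Build the PROXY v2 header an NLB prepends to a TCP stream (IPv4 or IPv6)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("address families differ")
    family = PP2_AF_INET if src.version == 4 else PP2_AF_INET6
    body = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    head = bytes([(PP2_VERSION << 4) | PP2_CMD_PROXY, (family << 4) | PP2_STREAM])
    return PP2_SIGNATURE + head + struct.pack("!H", len(body)) + body


def parse_pp2_header(data):
    """Return (original_client_ip, remaining_bytes); raise ValueError if the
    stream does not start with a valid PROXY v2 header."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("no PROXY protocol v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != PP2_VERSION:
        raise ValueError("unsupported PROXY protocol version")
    end = 16 + length
    if len(data) < end:
        raise ValueError("truncated PROXY protocol header")
    body = data[16:end]
    if ver_cmd & 0x0F != PP2_CMD_PROXY:
        return None, data[end:]  # LOCAL command (e.g. health check): no client address
    addr_len = {PP2_AF_INET: 4, PP2_AF_INET6: 16}.get(fam_proto >> 4)
    if addr_len is None or len(body) < 2 * addr_len + 4:
        raise ValueError("unsupported address family or short address block")
    # TLVs (such as the AWS 0xEA VPC endpoint TLV) may follow the address block; ignored here.
    return str(ipaddress.ip_address(body[:addr_len])), data[end:]


def parse_http_request(raw):
    """Return request headers as a dict; raise ValueError if the bytes are not HTTP."""
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = head[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("malformed request line: %r" % head[0][:20])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    return headers


def ingress_forward(stream, peer_ip, use_proxy_protocol, use_forwarded_headers):
    """Return the X-Real-IP / X-Forwarded-For values the upstream would receive.
    peer_ip is the TCP peer the ingress sees (the NLB when TLS ends there);
    the two flags mirror the ingress-nginx ConfigMap keys of the same names."""
    if use_proxy_protocol:
        client_ip, http = parse_pp2_header(stream)
        client_ip = client_ip or peer_ip
    else:
        client_ip, http = peer_ip, stream  # a PP2 header left in place breaks HTTP parsing below
    headers = parse_http_request(http)
    incoming_xff = headers.get("x-forwarded-for")
    if use_forwarded_headers and incoming_xff:
        # Trusting client-supplied headers: the leftmost hop is whatever the client wrote.
        return {"X-Real-IP": incoming_xff.split(",")[0].strip(),
                "X-Forwarded-For": incoming_xff + ", " + client_ip}
    return {"X-Real-IP": client_ip, "X-Forwarded-For": client_ip}


def with_pp2(http):
    """Wrap an HTTP request the way an NLB with proxy protocol v2 delivers it."""
    return build_pp2_header(CLIENT_IP, 51234, INGRESS_IP, 80) + http


if __name__ == "__main__":
    print("both enabled:      ", ingress_forward(with_pp2(HONEST_REQUEST), NLB_IP, True, False))
    print("both disabled:     ", ingress_forward(HONEST_REQUEST, NLB_IP, False, False))
    print("trusting headers:  ", ingress_forward(with_pp2(SPOOFED_REQUEST), NLB_IP, True, True))
    try:
        ingress_forward(with_pp2(HONEST_REQUEST), NLB_IP, False, False)
    except ValueError as exc:
        print("NLB only (broken): ", exc)
```

The second half of the output is the point for a defender: with the NLB sending proxy protocol v2 but the ConfigMap not set, every request fails at the ingress; with neither set, Camunda's logs and any IP-based controls see only the NLB address; and with `use-forwarded-headers` on behind a layer-4 balancer, the attributed client IP is whatever the client put in its own header, which is why the ingress-nginx documentation reserves that setting for deployments behind a layer-7 proxy that sets those headers itself.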

