Camunda webapps behind proxy

Hi, I am testing deploying Camunda behind a proxy (Spring Cloud Netflix Zuul in my case), and the redirects on login in the Camunda webapps seem to be ignoring the x-forwarded HTTP header, which they should use to send the redirect correctly.

Is there any setting with which I should correct it, or do I have to rewrite the Camunda authentication filter?

Hi @tomorrow,

Which header? X-Forwarded-For, I assume. What do you expect to happen when the authentication filter receives a request with that header?

Cheers,
Askar

Hi yes, I meant exactly this header. I would expect the redirects would work.

Zuul should be filling this header. I have configured Spring Boot with server.use-forward-headers: true, but when I attempt to access e.g. tasklist through the proxy on http://proxy:port/app/tasklist/index.html I get redirected to http://application:applicationport/app/tasklist/default/ instead of http://proxy:port/app/tasklist/default/

Just to be more precise, from the trace of the request and response, there are headers:

Request:
x-forwarded-host localhost:10810
x-forwarded-port 10810
x-forwarded-proto http

Response:
Location http://omnichannelpoc1:10810/app/tasklist/default/
status 302

Hi, so I’ve been doing a little bit of digging. The problem is, the x-forwarded-* headers seem to be handled differently in every application. Some use an absolute path in the redirect, where the absolute path is built using the x-forwarded-* headers; some alter the Tomcat server name to the value from x-forwarded-host themselves; also, the Tomcat embedded container will have a “fix” that will provide the ability to set the host header, which will be set to the server name.

For now, I am going with manually customizing the embedded servlet container with the following code:

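// copied from spring-cloud/spring-cloud-netflix#1108

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.tomcat.util.buf.MessageBytes;
import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;

// Goes inside a @Configuration class.
@Bean
public EmbeddedServletContainerCustomizer customizer() {
    return (final ConfigurableEmbeddedServletContainer container) -> {
        ((TomcatEmbeddedServletContainerFactory) container).addContextValves(new ValveBase() {

            @Override
            public void invoke(final Request request, final Response response) throws IOException, ServletException {

                final MessageBytes serverNameMB = request.getCoyoteRequest().serverName();
                String originalServerName = null;
                // The header is missing on requests that bypass the proxy, so check
                // for null before stripping the port that Zuul appends.
                final String forwardedHostHeader = request.getHeader("X-Forwarded-Host");
                final String forwardedHost =
                        forwardedHostHeader == null ? null : forwardedHostHeader.split(":")[0];

                // Swap in the forwarded host as the server name for this request only.
                if (forwardedHost != null) {
                    originalServerName = serverNameMB.getString();
                    serverNameMB.setString(forwardedHost);
                }

                try {
                    getNext().invoke(request, response);
                } finally {
                    // Restore the original server name once the request has been handled.
                    if (forwardedHost != null) {
                        serverNameMB.setString(originalServerName);
                    }
                }
            }
        });
    };
}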

For some proxies, splitting the x-forwarded-host might not be needed; Zuul sends a port in this header too, so I need to strip it.

Maybe it would be better to use an absolute path in the Camunda webapps ProcessEnginesFilter, where the server name and port would be created from the HTTP headers. As x-forwarded-host might sometimes come with or without a port, the absolute URL should be created with some robust logic, where common x-forwarded-* usages would be considered.

1 Like
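A sketch of the "robust logic" the last post asks for, added here as an example; it is not code from the thread, from Camunda or from Spring. It builds the redirect base URL from the x-forwarded-* headers whether or not x-forwarded-host carries a port, and only accepts hosts on an allow-list so that a client-supplied header is never reflected into `Location`. Assumptions: the class and method names, the lower-cased header map standing in for `HttpServletRequest`, the trusted-host set, the fallback URL, and Java 9 or later.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class ForwardedBaseUrl {
    // headers: lower-cased names to raw values; trustedHosts and fallback are deployment assumptions.
    static String resolve(Map<String, String> headers, Set<String> trustedHosts, String fallback) {
        String rawHost = first(headers.get("x-forwarded-host"));
        if (rawHost == null) return fallback;
        String scheme = "https".equalsIgnoreCase(first(headers.get("x-forwarded-proto"))) ? "https" : "http";
        try {
            // URI parsing copes with "host", "host:port" and "[v6]:port" alike.
            URI parsed = new URI(scheme + "://" + rawHost);
            String host = parsed.getHost();
            if (host == null || !trustedHosts.contains(host.toLowerCase(Locale.ROOT))) return fallback;
            int port = parsed.getPort() != -1 ? parsed.getPort() : parsePort(first(headers.get("x-forwarded-port")));
            if (port != -1 && (port < 1 || port > 65535)) return fallback;
            boolean isDefault = port == -1 || port == ("https".equals(scheme) ? 443 : 80);
            return scheme + "://" + host.toLowerCase(Locale.ROOT) + (isDefault ? "" : ":" + port);
        } catch (URISyntaxException e) {
            return fallback; // malformed header: never echo it into Location
        }
    }
    // Chained proxies may send comma-separated values; assumption: the first entry is the one to use.
    static String first(String value) {
        if (value == null) return null;
        int comma = value.indexOf(',');
        String v = (comma < 0 ? value : value.substring(0, comma)).trim();
        return v.isEmpty() ? null : v;
    }
    static int parsePort(String value) {
        try {
            return value == null ? -1 : Integer.parseInt(value);
        } catch (NumberFormatException e) {
            return -1; // unparsable port is treated as absent
        }
    }
    public static void main(String[] args) {
        String fallback = "http://omnichannelpoc1:10810";
        // Header values taken from the request trace quoted in the thread.
        Map<String, String> zuul = Map.of("x-forwarded-host", "localhost:10810",
                "x-forwarded-port", "10810", "x-forwarded-proto", "http");
        System.out.println(resolve(zuul, Set.of("localhost"), fallback) + "/app/tasklist/default/");
        // Constructed input: a host outside the allow-list falls back instead of being reflected.
        Map<String, String> untrusted = Map.of("x-forwarded-host", "example.invalid");
        System.out.println(resolve(untrusted, Set.of("localhost"), fallback) + "/app/tasklist/default/");
    }
}
```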