
Configure Atlassian Crowd Server Forbidden(403)

Samuel Tinapp February 20, 2018

Hey,

I'm trying to set up the Atlassian Crowd server for Confluence. I'm running Jira/Confluence in a Docker container and a reverse proxy with nginx in a Docker container as well.

When I click "test connection" I get the following error:

Connection test failed. Response from the server:
com.atlassian.crowd.exception.ApplicationPermissionException: Forbidden (403) Beim Laden dieser Seite ist der Fehler "403 - Forbidden" aufgetreten. client.forbidden.exception Zur JIRA Startseite

 

Docker-configuration:

Jira exposes port 8080 and is connected to a docker network a

Confluence exposes port 8090 and is connected to a docker network a

nginx exposes ports 80 and 443 and is connected to a docker network a

nginx-config-file:

upstream docker-jira {
    server jira:8080;
}
upstream docker-conf {
    server conf:8090;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name domain.de;
    return 301 https://newdomain.de;
}

server {
    # SSL configuration
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name newdomain.de;
    include snippets/ssl-domain.de;
    include snippets/ssl-params.conf;

    location /jira {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://docker-jira/jira;
        client_max_body_size 100M;
        add_header X-Frame-Options ALLOW;
    }

    location /confluence {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://docker-conf/confluence;
        proxy_redirect http://docker-conf/confluence https://domain.de;
        client_max_body_size 100M;
        add_header X-Frame-Options SAMEORIGIN;
    }
}

 

curl from confluence-container to the jira base url:

*   Trying 43.3.98.179...
* TCP_NODELAY set
* Connected to domain.de (43.3.98.179) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=domain.de
*  start date: Feb 19 10:00:47 2018 GMT
*  expire date: May 20 10:00:47 2018 GMT
*  subjectAltName: host "domain.de" matched cert's "domain.de"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55f6ce344da0)
> GET /jira HTTP/1.1
> Host: domain.de
> User-Agent: curl/7.52.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 302
< server: nginx/1.13.8
< date: Tue, 20 Feb 2018 16:14:35 GMT
< location: https://newdomain.de/jira/
< x-frame-options: ALLOW
<
* Curl_http_done: called premature == 0
* Connection #0 to host domain.de left intact

  1. I copied the Jira/Confluence home directory from an old server to a new one. In addition, I made an SQL dump from the old database and replaced the old domain with the new domain and the old IP with the new IP.
  2. Then I restored this in the new database on the new server and started Jira/Confluence.

Jira is working fine. Everything is restored. But I couldn't log in to Confluence. So I created a local recovery_admin and logged in. The configuration of the Atlassian Crowd server looks fine.

Name:  Remote Jira Directory

server url: https://newDomain.de/jira

Application name:Confluence -newDomain.de - cf0d611b-fd1e-345a-8370-cdbeb2ae2651

Application Password: is set as well (************************)

The setup on the old server was the same but no docker containers.

 

 

I also set the setenv.sh properties in confluence and jira:

-Dhttp.nonProxyHosts=newdomain.de

 

Hope someone can help me!

 

Kindly Regards!

-Sam

2 answers

0 votes
AnnWorley
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 22, 2018

Follow-up after support request:

Adding the IP address of the NGINX proxy to the application in Jira User Server allowed Sam to connect Confluence to Jira for user management.

The cause was that, since the traffic had to pass through the reverse proxy to reach Jira from Confluence, Jira "saw" the requests as coming from the proxy and returned a forbidden client error.

0 votes
AnnWorley
Atlassian Team
February 20, 2018

Hi Sam,

ApplicationPermissionException returned from Jira User Server usually means the IP for Confluence is either not on the whitelist in Jira or, also in Jira (Jira User Server), not on the application definition for Confluence. Please see "Unable to create JIRA User Directory in Confluence due to ApplicationPermissionException - Forbidden (403)".

I look forward to hearing whether you can connect to the Jira User Server after verifying the IP for Confluence is allowed by Jira.

Thanks,

Ann

Samuel Tinapp February 21, 2018

Hey Ann,

In Jira, https://newdomain.de/confluence is whitelisted. I disabled the whitelist and I still get the same error.

AnnWorley
Atlassian Team
February 21, 2018

Hi Samuel,

I understand you eliminated the Jira whitelist as being the issue.

Please make sure the IP address of the Confluence server is added in Jira User Server as described in Connecting Confluence to Jira applications for User Management:

  1. In your Jira application go to the admin cog wheel > User Management > Jira User Server.
  2. Enter the IP address or addresses of your Confluence server. Valid values are:
    A full IP address, e.g. 192.168.10.12.
    A wildcard IP range, using CIDR notation, e.g. 192.168.10.1/16.

Thanks,

Ann

Samuel Tinapp February 21, 2018

Hey Ann,

I already did this. Still not working.

 

Kindly Regards,

Sam

AnnWorley
Atlassian Team
February 21, 2018

Hi Sam,

I created a support ticket on your behalf so we can investigate more. You should see an email from the portal shortly.

Cheers,

Ann

Rolf Lader
Community Champion
October 18, 2021

Hello Sam,

We have the identical infrastructure as you and ran into the same problems. During the error analysis we noticed that the IP address of the subnet gateway was entered as the sender in the access_log for the "403" error message.
Therefore we entered this IP or the entire IP range of the subnet configuration for the "Jira User Server" settings and thus solved the problem.

Many greetings, Rolf
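
The access-log check described in the answers above, as an added example that is not part of the original thread: it counts 403 responses per client address as Jira logged them and reports the addresses that no Jira User Server allowlist entry covers. The common-log-format layout, the request paths and every address in the sample are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in common log format (not taken from the thread).
# 172.18.0.1 stands in for the Docker subnet gateway, 172.18.0.5 for nginx.
SAMPLE_LOG = """\
172.18.0.1 - - [20/Feb/2018:16:14:35 +0000] "POST /jira/rest/usermanagement/1/search HTTP/1.1" 403 512
172.18.0.1 - - [20/Feb/2018:16:14:36 +0000] "GET /jira/rest/usermanagement/1/user HTTP/1.1" 403 512
172.18.0.5 - - [20/Feb/2018:16:14:40 +0000] "GET /jira/secure/Dashboard.jspa HTTP/1.1" 200 9341
192.168.10.12 - - [20/Feb/2018:16:15:02 +0000] "GET /jira/rest/usermanagement/1/user HTTP/1.1" 403 512
"""

# client address, ident, user, [timestamp], "request", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

def parse_allowlist(entries):
    """Turn full IPs and CIDR ranges into network objects.

    strict=False accepts ranges written with host bits set, such as
    192.168.10.1/16, and normalises them to 192.168.0.0/16.
    """
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def forbidden_sources(log_text):
    """Count 403 responses per client address as logged by the server."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "403":
            hits[m.group(1)] += 1
    return hits

def missing_from_allowlist(log_text, entries):
    """Return {address: count} for 403 sources no allowlist entry covers.

    A 403 from an address that is already covered points at another cause.
    """
    nets = parse_allowlist(entries)
    missing = {}
    for addr, count in forbidden_sources(log_text).items():
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            missing[addr] = count
    return missing

if __name__ == "__main__":
    allowlist = ["192.168.10.1/16"]  # constructed: only the Confluence host range
    for addr, count in missing_from_allowlist(SAMPLE_LOG, allowlist).items():
        print(f"{addr}: {count} x 403, not covered by the Jira User Server entries")
```

The address to add is the one Jira actually logs for the 403, which behind a reverse proxy or Docker bridge is the proxy or gateway address rather than the Confluence host.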
