Problems with dockerized Jira behind NGINX

thevideobrewer
I'm New Here
April 16, 2018

Hello,

I'm trying to configure Jira v7.9.0 from the cptactionhank/atlassian-jira-software docker behind an Nginx reverse proxy configuration and it keeps blocking all the requests with the following error:

[c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request

I'm looking for a way to manually disable the Whitelist from a config file or something but can't seem to find any resources on that.

1. My settings.xml file has the correct "HTTPS - Proxying Jira via Apache or Nginx over HTTPS" block enabled, with the proxyName and proxyPort configured correctly

2. My Nginx configuration has the proxy_pass_request_headers on; enabled correctly for the jira proxy_pass block

 

1 answer

0 votes
Andy Heinzer
Atlassian Team
April 17, 2018

It sounds like you are encountering the problem described in the KB Cross Site Request Forgery (CSRF) protection changes in Atlassian REST. I would recommend reviewing that document to better understand why this error can be thrown in Jira. The KB notes that:

This usually happens due to Tomcat proxy configuration issues.

and it goes on to offer next steps to follow in regards to configuring proxyName, proxyPort, and scheme within the $JIRAINSTALL/conf/server.xml file.

I would also recommend checking out Integrating JIRA with Nginx.  It does provide specific configurations for both Jira and nginx to make sure they can play together nicely.

If these two resources do not help, could you let us know the rest of the details for the error:

[c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request

I am expecting this to contain more information about the origin and referral URLs.  The first KB has an example such as

2015-09-01 17:25:46.530585500 2015-09-01 07:25:46,530 ajp-nio-127.0.0.104-8009-exec-23 WARN anonymous 1045x1465x1 sibktb 127.0.0.1 /rest/auth/latest/session [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request:https://example.domain/rest/auth/latest/session , origin:https://another-origin.domain , referrer: null , credentials in request: true , allowed via CORS: false}}

I would also like to know what address you are accessing Jira on, and what values you have set for <connector> tags in Jira's server.xml file.

Steve Gredell
I'm New Here
April 26, 2018

Hello Andrew,

 

I'm having a similar issue, trying to use nginx for HTTPS/SSL reasons.  The error I'm getting is:

2018-04-26 20:11:56,518 http-nio-8080-exec-18 WARN <username> 1211x59x1 1x5wz0b <my_ip>,10.0.1.4 /rest/analytics/1.0/publish/bulk [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: http://<url>/jira/rest/analytics/1.0/publish/bulk , origin: https://<url> , referrer: https://<url>/jira/secure/WelcomeToJIRA.jspa , credentials in request: true , allowed via CORS: false

 

I have also followed the steps in both 'Integrating JIRA with Nginx' as well as the CSRF KB you posted, but I'm still having issues with CSRF.  It's actually preventing me from creating a new project and otherwise setting up my instance.

 

My server.xml connectors are as follows:

<Connector port="8080"

maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"

enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
proxyName="<url>"
proxyPort="80"
secure="false"
bindOnInit="false"/>

<!-- <Connector port="8081"

maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"

enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
proxyName="<url>"
proxyPort="443"
scheme="https"
bindOnInit="false"/>
-->
<!-- <Connector port="8082"

maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"

enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
bindOnInit="false"/>

-->

I've been commenting/uncommenting them out at times to try to get it to work, but no luck so far.
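
An added example, not part of the original thread and not Atlassian code: a small Python check that parses an XsrfResourceFilter warning in the format quoted above and reports which of the connector attributes named in the answer (scheme, proxyName, proxyPort) disagrees with what the browser sent. The sample line is constructed to resemble the one in this thread; the hostname jira.example.test, the IP address and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Matches the XsrfResourceFilter warning format quoted in this thread.
XSRF_RE = re.compile(
    r"Additional XSRF checks failed for request:\s*(?P<request>\S+)\s*,"
    r"\s*origin:\s*(?P<origin>\S+)\s*,\s*referrer:\s*(?P<referrer>\S+)"
)
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: Jira rebuilt the request URL as http://, the browser used https://.
SAMPLE = (
    "2018-04-26 20:11:56,518 http-nio-8080-exec-18 WARN admin 1211x59x1 1x5wz0b "
    "203.0.113.7,10.0.1.4 /rest/analytics/1.0/publish/bulk "
    "[c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed "
    "for request: http://jira.example.test/jira/rest/analytics/1.0/publish/bulk , "
    "origin: https://jira.example.test , "
    "referrer: https://jira.example.test/jira/secure/WelcomeToJIRA.jspa , "
    "credentials in request: true , allowed via CORS: false"
)


def _parts(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    u = urlsplit(url)
    return u.scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme)


def diagnose(log_line):
    """Return the <Connector> attributes that disagree with the browser's view.

    Compares the URL Jira believes it served (request) with the Origin header,
    falling back to the referrer when the origin is null. Returns None when the
    line is not an XSRF warning or carries neither origin nor referrer.
    """
    m = XSRF_RE.search(log_line)
    if not m:
        return None
    seen = m["origin"] if m["origin"] != "null" else m["referrer"]
    if seen == "null":
        return None
    names = ("scheme", "proxyName", "proxyPort")
    return [n for n, a, b in zip(names, _parts(m["request"]), _parts(seen)) if a != b]


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A result naming scheme or proxyPort points at the connector in server.xml; a result naming only proxyName can also be a genuine cross-origin request, so check the origin before changing the configuration.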
