Application links behind reverse proxy with Basic Authentication

Jonathan Taylor January 21, 2018

I am hosting Jira v.7.6.3 and Bitbucket v.5.6.2 on my own server (CentOS 7).  I have them running behind an Apache reverse proxy over https.  The "natural" Tomcat ports are behind a firewall.   They are additionally running on their own contents paths. 

Everything was humming along, and they were talking to each other via Application Links.  Now I added basic authentication on the Apache front end and broke the system. 

My goal is to have a "back-end" on the domain that this entirely walled off by authentication.  That would include Jira, Bitbucket, other proxied servers, and basic Apache directories.  So, access to the back end is reached via https://mydomain/staff.  Everything on that context path is walled off.  Jira and Bitbucket are found at https://mydomain/staff/jira and https://mydomain/staff/bitbucket.

At first, I could not use these proxied apps at all when I added the Apache authentication, but I fixed that with the Apache configuration for my proxies "RequestHeader unset Authorization".  Problem solved.

The major trouble that remains, however, is the Application Links no longer work.  How do I get my basic authentication parameters integrated into the links?  I seems that legacy versions of the software e.g. Jira 6 provided a basic authentication option in the app links, but that was eliminated?

I've tried several approaches without luck so far.

As secondary problem I can see errors in my Apache log that behind the scenes Jira and Bitbucket are now failing to be able to check for updates, etc.  That makes sense if the remote end can't get through this authentication wall now.  I can live with that, and maybe just disable the authentication requirement temporarily when I periodically want to check for updates.  In an ideal world though, that also would be fixed.

Btw, I'm totally fine with solutions that involve manually twiddling the database or configuration files as needed.

1 answer

0 votes
Ana Retamal
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 6, 2018

 

Hi Jonathan, we're not sure of the impact of authentication on the Proxy level but Applinks will not be able to provide such data. Most likely you'll need to set up a separate connector and have Bitbucket and Jira communicate directly and bypass the proxy altogether. This would be beneficial if you're on the same physical server anyway.

Also, keep in mind that app links won't work with 'RequestHeader unset Authorization', the only way around that is to bypass the proxy, which
requires the deletion of the existing App Links and the creation of new ones, with different Display and actual URL's for the App link. You can check How to create an unproxied application link for more information (the concept is the same for JIRA and Bitbucket).

They key for this will be to disallow any communication from any outside location on the ports you set up as unproxied.

If Jira and Bitbucket are on different servers then you'd have to make sure that BB -> Jira is allowed and that Jira -> BB is allowed too by configuring your firewall correctly to allow traffic (via iptables or whatever you're using).

Hope that helps!

Ana

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events