Get product advice from experts

Ask a question →

Join a community group

Find a group →

Advance your career with learning paths

Take a free class →

Earn badges and rewards

Connect and share ideas at events

See the calendar →

Community
Products
Confluence
Questions
Problems with Crowd token validation when Confluence is sitting behind an Apache proxy.

Problems with Crowd token validation when Confluence is sitting behind an Apache proxy.

We have Confluence sitting behind an Apache proxy running on the same host:

&lt;Location / &gt;
        ProxyPass          http://127.0.0.1:8080/
        ProxyPassReverse   http://127.0.0.1:8080/
&lt;/Location&gt;

When Confluence attempts to validate a Crowd SSO token, it sets the remote-address validation-factor to "127.0.0.1", like this:

&lt;validation-factors&gt;
    &lt;validation-factor&gt;
        &lt;name&gt;remote_address&lt;/name&gt;
        &lt;value&gt;127.0.0.1&lt;/value&gt;
    &lt;/validation-factor&gt;
    &lt;validation-factor&gt;
        &lt;name&gt;X-Forwarded-For&lt;/name&gt;
        &lt;value&gt;96.1.2.3, 96.1.2.3&lt;/value&gt;
    &lt;/validation-factor&gt;
&lt;/validation-factors&gt;

Here, the actual remote client is 96.1.2.3. The client connects to Crowd and to Confluence through a front-end proxy; the request arriving at Crowd has these headers:

X-Forwarded-For: 10.243.22.47, 10.243.21.54

Where 10.243.22.47 is the address of the Confluence host. The requests received by Apache on the Confluence host look like this:

X-Forwarded-For: 96.1.2.3

And when the request gets received by Tomcat, it looks like this:

X-Forwarded-For: 96.1.2.3, 96.1.2.3

Is there any way to get this to work? If I understand how things are working (and I may not!), Crowd and Confluence can only do SSO successfully if Confluence is receiving requests directly from clients -- i.e., with no intervening proxies. Is there any way to get Confluence to use the correct remote-address?

3 answers

0 votes

Hi, what list of ips do you have on Crowd's listed of authentication interfaces for the application Confluence? Have you added 127.0.0.1 and the other localhost options?

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Reply

0 votes

Did you ever figure out a solution to this issue? We are facing a similar problem to you and have reached a standstill in solving it.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Reply

0 votes

Have you looked at configuring trusted proxies?

http://confluence.atlassian.com/display/CROWD/Configuring+Trusted+Proxy+Servers

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

I have. You'll note that Confluence is able to authenticate to Crowd despite talking through a proxy; the problem here is that Confluence is providing bad information to Crowd, so no amount of trust is going to solve it. If there were something in Confluence analagous to "trusted proxies" so that Confluence would get the remote-address value from the X-Forwarded-For header that would solve our problem.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

To elaborated a bit: we have configured trusted proxies in Crowd, and the validation request is being passwd to the Crowd server by Confluence via one of our trusted proxies.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

This page has hepled me in the past: http://confluence.atlassian.com/display/CROWD/Debugging+SSO+in+environments+with+Proxy+Servers

You can find the remote ips using this method.Ignore if you have tried this as well ;)

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Reply

Suggest an answer

Log in or Sign up to answer

Was this helpful?

Thanks!

TAGS