We have Confluence sitting behind an Apache proxy running on the same host:
<Location / >
    ProxyPass http://127.0.0.1:8080/
    ProxyPassReverse http://127.0.0.1:8080/
</Location>
When Confluence attempts to validate a Crowd SSO token, it sets the remote-address validation-factor to "127.0.0.1", like this:
<validation-factors>
    <validation-factor>
        <name>remote_address</name>
        <value>127.0.0.1</value>
    </validation-factor>
    <validation-factor>
        <name>X-Forwarded-For</name>
        <value>184.108.40.206, 220.127.116.11</value>
    </validation-factor>
</validation-factors>
Here, the actual remote client is 18.104.22.168. The client connects to Crowd and to Confluence through a front-end proxy; the request arriving at Crowd has these headers:
X-Forwarded-For: 10.243.22.47, 10.243.21.54
Where 10.243.22.47 is the address of the Confluence host. The requests received by Apache on the Confluence host look like this:
And when the request gets received by Tomcat, it looks like this:
X-Forwarded-For: 22.214.171.124, 126.96.36.199
Is there any way to get this to work? If I understand how things are working (and I may not!), Crowd and Confluence can only do SSO successfully if Confluence is receiving requests directly from clients -- i.e., with no intervening proxies. Is there any way to get Confluence to use the correct remote-address?
I have. You'll note that Confluence is able to authenticate to Crowd despite talking through a proxy; the problem here is that Confluence is providing bad information to Crowd, so no amount of trust is going to solve it. If there were something in Confluence analogous to "trusted proxies" so that Confluence would get the remote-address value from the X-Forwarded-For header, that would solve our problem.
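The "trusted proxies" idea described above, as an added example that is not part of the original thread and is not Confluence, Crowd or Tomcat code: the client address is taken from X-Forwarded-For only after stripping hops known to be proxies, walking from the nearest hop outward. The function name and all addresses are assumptions (constructed documentation-range values).

```python
import ipaddress


def resolve_client_address(peer_addr, xff_header, trusted_proxies):
    """Pick the client address from the TCP peer plus X-Forwarded-For.

    Hops are checked nearest-first (right to left). The first hop that is
    not a trusted proxy is the client; anything further left was supplied
    by that client and is ignored.
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
    # The TCP peer is the only hop that does not come from a header.
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    hops.append(peer_addr)

    nearest_valid = None
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop, trust nothing at or left of it
        nearest_valid = str(addr)
        if not any(addr in net for net in trusted):
            return nearest_valid  # first untrusted hop is the client
    return nearest_valid  # every parsed hop was a trusted proxy


# Constructed sample values (documentation address ranges, not from the thread).
TRUSTED = ["127.0.0.1", "198.51.100.10"]  # local Apache, front-end proxy
HEADER = "203.0.113.7, 198.51.100.10"     # X-Forwarded-For as seen by Tomcat

if __name__ == "__main__":
    # No trusted proxies configured: the loopback peer is reported.
    print(resolve_client_address("127.0.0.1", HEADER, []))
    # Both proxies trusted: the real client is reported.
    print(resolve_client_address("127.0.0.1", HEADER, TRUSTED))
    # A client-supplied leading entry does not change the result.
    print(resolve_client_address("127.0.0.1", "10.0.0.1, " + HEADER, TRUSTED))
```

With an empty trusted list the result is the loopback peer, which is the same remote_address value the question shows being sent for validation.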
This page has helped me in the past: http://confluence.atlassian.com/display/CROWD/Debugging+SSO+in+environments+with+Proxy+Servers
You can find the remote IPs using this method. Ignore if you have tried this as well ;)