Can't get crowd to work with nginx proxy (non-ssl)

I've been struggling for the better part of a week troubleshooting this error:

Caused by: org.codehaus.xfire.fault.XFireFault: The application.name or application.password in the crowd.properties file does not match the password in Crowd.

After much testing and ruling out with Atlassian support, I've determined that the problem is due to the proxy config between nginx and crowd.

First off, this URL is just plain broken:

https://confluence.atlassian.com/display/CROWDKB/How+to+use+NGINX+to+proxy+requests+for+Crowd

Here's what my config looks like after following the instructions:

#nginx

server {
        listen crowd.torix.ca:80;
        server_name crowd.torix.ca;

        access_log yes;

        location / {
                proxy_pass http://localhost:8095/;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-for $remote_addr;
                port_in_redirect off;
                proxy_redirect http://crowd.torix.ca/crowd /;
        }
}

#server.xml

<Connector port="8095" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" proxyName="crowd.torix.ca" proxyPort="80" />
<Engine defaultHost="localhost" name="Catalina">
        <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true"/>
</Engine>
<!-- To connect to an external web server (typically Apache) -->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

#crowd.properties

#Thu Jul 31 19:05:08 EDT 2014
session.lastvalidation=session.lastvalidation
session.tokenkey=session.tokenkey
#crowd.server.url=http\://192.168.100.56\:8095/crowd/services/
crowd.server.url=http\://crowd.torix.ca/crowd/services/
application.name=crowd
http.timeout=30000
session.isauthenticated=session.isauthenticated
#application.login.url=http\://192.168.100.56\:8095/crowd
application.login.url=http\://crowd.torix.ca/crowd
session.validationinterval=0
application.password=YZbQLETu4sejH0JqEMW5xO

What results from this is a mangled URL rewrite in my browser and a tomcat 404 after trying to open http://crowd.torix.ca/crowd

http://crowd.torix.ca//console/login.action

HTTP Status 404 - /console/login.action

So I take a step back and adjust my nginx config to try and fix that munged URL:

#nginx

server {
        listen crowd.torix.ca:80;
        server_name crowd.torix.ca;

        access_log yes;

        location / {
                proxy_pass http://localhost:8095/;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-for $remote_addr;
                port_in_redirect off;
                proxy_redirect http://crowd.torix.ca/ /;
        }
}

And that leads me to a connection error in my browser:

Connection to authentication server failed. Please review the logs for more information.

And a log message like so:

Caused by: org.codehaus.xfire.fault.XFireFault: The application.name or application.password in the crowd.properties file does not match the password in Crowd.

So I remove my proxy stuff completely...

#nginx

#server {
#        listen crowd.torix.ca:80;
#        server_name crowd.torix.ca;
#
#        access_log yes;
#
#        location / {
#                proxy_pass http://localhost:8095/;
#                proxy_set_header Host $host;
#                proxy_set_header X-Real-IP $remote_addr;
#                proxy_set_header X-Forwarded-for $remote_addr;
#                port_in_redirect off;
#                proxy_redirect http://crowd.torix.ca/ /;
#        }
#}

#server.xml

<Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8095" redirectPort="8443" useBodyEncodingForURI="true" URIEncoding="UTF-8"/>
<!--<Connector port="8095" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" proxyName="crowd.torix.ca" proxyPort="80" />-->
<Engine defaultHost="localhost" name="Catalina">
        <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true"/>
</Engine>
<!-- To connect to an external web server (typically Apache) -->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
-->

#crowd.properties

#Thu Jul 31 19:05:08 EDT 2014
session.lastvalidation=session.lastvalidation
session.tokenkey=session.tokenkey
crowd.server.url=http\://192.168.100.56\:8095/crowd/services/
#crowd.server.url=http\://crowd.torix.ca/crowd/services/
application.name=crowd
http.timeout=30000
session.isauthenticated=session.isauthenticated
application.login.url=http\://192.168.100.56\:8095/crowd
#application.login.url=http\://crowd.torix.ca/crowd
session.validationinterval=0
application.password=YZbQLETu4sejH0JqEMW5xO

... and upon a subsequent restart of nginx and crowd, I'm able to authenticate without any issues to http://192.168.100.56:8095/crowd

So the issue is clearly with the redirect stuff, but I'm not seeing it (because I really don't understand this all that much so I'm at a complete loss as to how to fix it. I'm not a server guy or an application guy).

Does anyone see what I'm doing wrong here? I'm completely at a loss and ready to tear my hair out! :(
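Added example, not part of the original post: a small Python model of how the two `proxy_redirect` rules in the question rewrite Tomcat's redirect, showing where the `//console/login.action` URL and the 404 come from. The upstream `Location` value is constructed from the `proxyName`/`proxyPort` connector settings, and the model assumes nginx fills in its own server name when the replacement has none, as the address-bar URL in the post suggests.

```python
import re
from urllib.parse import urlsplit

# Constructed input (not a capture): the redirect Tomcat would issue for /crowd
# with proxyName="crowd.torix.ca" proxyPort="80" set on the connector.
UPSTREAM_LOCATION = "http://crowd.torix.ca/crowd/console/login.action"
SERVER_NAME = "crowd.torix.ca"


def proxy_redirect(location, redirect, replacement):
    """Plain-string form of `proxy_redirect redirect replacement;`:
    a Location header starting with `redirect` has that prefix swapped."""
    if location.startswith(redirect):
        return replacement + location[len(redirect):]
    return location  # no prefix match: header is passed through unchanged


def browser_url(location, redirect, replacement):
    """URL the browser ends up on after following the rewritten redirect."""
    rewritten = proxy_redirect(location, redirect, replacement)
    # Assumption: nginx prepends its server name to a replacement without one.
    if rewritten.startswith("/"):
        return "http://" + SERVER_NAME + rewritten
    return rewritten


def tomcat_path(url):
    """Path Tomcat receives: `location /` + `proxy_pass http://localhost:8095/`
    forwards the URI as-is, after nginx's default merge_slashes collapses '//'."""
    return re.sub(r"/{2,}", "/", urlsplit(url).path)


def trace(redirect, replacement):
    url = browser_url(UPSTREAM_LOCATION, redirect, replacement)
    return url, tomcat_path(url)


if __name__ == "__main__":
    rules = [("first config", "http://crowd.torix.ca/crowd", "/"),
             ("second config", "http://crowd.torix.ca/", "/")]
    for label, redirect, replacement in rules:
        url, path = trace(redirect, replacement)
        print(f"{label}: browser -> {url} | tomcat sees {path}")
```

The first rule strips the `/crowd` context path along with the host, so Tomcat is asked for a path no webapp serves; the second rule keeps `/crowd` intact.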

3 answers


Really sucks that crowd can't work with nginx from otb.

I have the same problem, but I'm installing crowd under ssl, and have the same:
"Caused by: org.codehaus.xfire.fault.XFireFault: The application.name or application.password in the crowd.properties file does not match the password in Crowd."


I found the problem.

Now my nginx location looks like this:

location / {
        proxy_pass http://127.0.0.1:8095/;
        proxy_set_header    Host            $host;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-for $remote_addr;
        port_in_redirect off;
        proxy_redirect   https://crowd.example.com/ /;     
}


What did you change to make it work?
