Hello, I am new to Crowd, I recently installed it and began preparations for establishing SSO on JIRA. When I was adding the application it mentioned needing to have the application's IP address.
The server JIRA and Crowd run on is the same (they run on a single server with reverse proxy through Nginx using SSL).
The IP address for the server is dynamic; additionally, it is proxied a second time by Cloudflare.
Is there anything in place for handling when a connected application's IP address can be dynamic and the client's IP can be dynamic each time a person connects?
Hi,
I see that you are setting up Crowd and have some concerns in regards to making sure that other applications such as Jira or Confluence will always be able to reach the Crowd application in a situation where the server address could be changing.
The additions of using SSL and what appears to be more than one reverse proxy will complicate this, but I will try to explain a scenario to make this work. Since we know that your environment has both Jira and Crowd installed to the same server, we can leverage that fact to use a static address that won't change: 127.0.0.1. This is the equivalent of the localhost address that Linux/Unix machines have as a means to refer to the local address. We can use this address when we are linking Jira to Crowd as a way to make sure each application can always communicate with each other.
In order to make this work though, you might have to create an additional connector for the Tomcat web server in both Crowd and Jira that is specifically listening to a different port. Since we know you're using a proxy and using SSL, you can still have those connectors, but setting up an additional connector in the Tomcat $install/conf/server.xml file will allow each application to serve requests on both ports.
We have an application generic guide for this in How to bypass a reverse proxy or SSL in Application Links. You can follow this guide to make some changes, specifically to the server.xml file for each application.
Let's say that Jira and Crowd are already set up and using the default ports of 8080 (Jira) and 8095 (Crowd). You can follow that guide above to add an additional connector here for each product, say 8081 for Jira, and 8096 for Crowd.
Once you add that connector to each server.xml, you need to restart each application for the settings to take effect. Then when you create the link between them, within Crowd you can just use the 127.0.0.1 for the Remote IP Address. And within Jira, for the Server settings, you can use the Server URL value of http://127.0.0.1:8096/crowd/ when integrating these. This way, Jira will bypass your SSL and proxy setting when communicating with Crowd, and vice versa. This configuration allows the applications to be able to still communicate to each other regardless of what the external IP address or even the fully qualified domain name might change to be.
As for that IP address clients might have, that actually doesn't matter here. They will all probably just be reaching your Jira site directly through the proxied address anyways. Just keep in mind that while the applications could use that same address, they are not required to.
I hope this helps, let me know if you have any questions or concerns about this suggested configuration.
Cheers,
Andy
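The extra connector described in the answer above serves plain HTTP and skips Nginx and SSL, and a Tomcat connector listens on all interfaces unless its `address` attribute is set. The following added example (not part of the original answer or of Atlassian's guide) audits a server.xml for direct connectors that are not bound to loopback; the sample XML, the proxyName value and the function names are constructed for illustration, and only ports 8095/8096 come from the answer.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of Crowd's connectors (not from the original post).
# Ports 8095/8096 follow the answer; proxyName and address are assumptions.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <!-- Existing connector, reached through Nginx over SSL -->
    <Connector port="8095" protocol="HTTP/1.1" scheme="https" secure="true"
               proxyName="crowd.example.com" proxyPort="443"/>
    <!-- Added connector for local app-to-app traffic, bound to loopback only -->
    <Connector port="8096" protocol="HTTP/1.1" address="127.0.0.1"/>
  </Service>
</Server>
"""

def is_loopback(address):
    """True if a connector's address attribute names a loopback address."""
    if address is None:
        return False  # unset address: Tomcat listens on all interfaces
    if address == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # hostname or malformed value: treat as not loopback

def audit_connectors(server_xml):
    """Return (port, finding) for each direct connector not bound to loopback."""
    findings = []
    for conn in ET.fromstring(server_xml.strip()).iter("Connector"):
        if conn.get("proxyName") is not None:
            continue  # this connector is the one fronted by the reverse proxy
        if not is_loopback(conn.get("address")):
            findings.append((conn.get("port"),
                             "direct HTTP connector is not bound to loopback"))
    return findings

if __name__ == "__main__":
    results = audit_connectors(SAMPLE_SERVER_XML)
    for port, finding in results:
        print(f"port {port}: {finding}")
    if not results:
        print("all direct connectors are loopback-only")
```

Run the same check against Jira's server.xml for the 8081 connector; the Remote IP Address of 127.0.0.1 entered in Crowd only restricts which callers Crowd accepts as the application, it does not close the port.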