When using a reverse proxy (F5 LTM + APM Portal Access resource), there are consistent post from the client via rest and each response from the Jira server is a 403 resulting in a failed XSRF check. Looking at all of the GET and POST, I see a jsessionid and csrf token but for some reason the XSRF check still fails based on the Wireshark captures on the server side.
I have attempted the no-check header option with no success and not sure what else to do. Any insight is greatly appreciated.
Issue resolved based on the article (REST API calls and User-Agent headers) below but a little more info for anyone that may run into this in the future. If using LTM only for load balancing purposes, I am able to successfully able to access and authenticate to the Jira webpage and the functionality is great.
Once I introduced LTM + APM I began to see 403s (XSRF check failed) when the client sent a POST. This occurred whether I was just using APM to authenticate to a pool member or using a portal access resource. Due to these errors, images would not load when viewing projects and other items within Jira.
After reviewing the article regarding User-Agent headers for API calls, I created a local traffic policy to remove the User-Agent header from all POST HTTP methods. (Note, this can be done via iRule or local traffic policy)
Then reviewing a capture on the Jira server, you will see all POST's, no longer have the User-Agent header included and this does not include any other HTTP method.
As a result, loading the same page that resulted in the XSRF check failed error, now load.