Apache2 reverse proxy. Gadgets error. CSP blocked frame-ancestors

Ascania IT December 13, 2021

Hi, I am trying to set up an Apache2 reverse proxy.

After enabling the proxy, when a local user tries to access the local site https://sd.corp.ascania.ua, some gadgets show an error: "can't access to site https://sd.ascania.ua" by CSP "https://sd.ascania.ua/ blocked frame-ancestors".

So my scheme is:

InetUsers -> https://sd.ascania.ua (Apache2) -> https://sd.corp.ascania.ua (local site)

My settings of Apache2 (proxy server):

<VirtualHost *:443>
   # ServerName sd.ascania.ua
    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost Off
    <Proxy *>
      Order deny,allow
      Allow from all
    </Proxy>
    SSLProxyEngine on
    ProxyPass / https://sd.corp.ascania.ua/
    ProxyPassReverse / https://sd.corp.ascania.ua/
    SSLEngine on
    SSLCertificateFile ssl/asc.cer
    SSLCertificateKeyFile ssl/asc.key
</VirtualHost>

<VirtualHost *:80>
    ServerName sd.ascania.ua
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

 

My setting of server.xml (Jira server):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
  maxHttpHeaderSize="8192" SSLEnabled="true"
  maxThreads="150" minSpareThreads="25" connectionTimeout="20000"
  enableLookups="false" disableUploadTimeout="true"
  acceptCount="100" scheme="https" secure="true"
  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
  clientAuth="false" useBodyEncodingForURI="true"
  keyAlias="tomcat" keystoreFile="/var/atlassian/application-data/jira/tomcat.jks"
  keystorePass="Password" keystoreType="JKS"
proxyName="sd.ascania.ua" proxyPort="443"/>

The Jira server redirects port 443 to 8443 via iptables rules.

 

 

1 answer

0 votes
Artur Moura
Atlassian Team
December 23, 2021

Hi @Ascania IT 

The reason you are facing the gadget issue is the fact you are using a different Jira URL.

There is an open feature request for this https://jira.atlassian.com/browse/JRASERVER-69185, also this https://confluence.atlassian.com/jirakb/jira-server-base-url-health-check-fails-859447384.html KB, which explains the reason and the resolution steps.

Overall, you must have the same URL for both internal and external users.
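
Why the browser refuses the gadget frame when the dashboard is opened at the internal URL, shown as an added example that is not part of the original thread or Atlassian's code: a simplified `frame-ancestors` matcher (origins only). The policy value `frame-ancestors 'self'` is an assumption, since the thread does not quote the header, and all function names are illustrative.

```javascript
// Added example: simplified CSP frame-ancestors check (origins only, no paths).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };
const portOf = (u) => u.port || DEFAULT_PORT[u.protocol] || "";

// Return the source list of the frame-ancestors directive, or null if absent.
function parseFrameAncestors(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Does one source expression match the ancestor, given the framed document (self)?
function sourceMatches(source, ancestor, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestor.origin === self.origin;
  if (s === "*") return ["http:", "https:"].includes(ancestor.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false; // unsupported or malformed source: treat as no match
  const [, scheme, wildcard, host, port] = m;
  // Without an explicit scheme, require the framed document's scheme (simplified).
  if (ancestor.protocol !== (scheme ? scheme + ":" : self.protocol)) return false;
  const hostOk = wildcard
    ? ancestor.hostname.endsWith("." + host) // *.example.com excludes example.com
    : ancestor.hostname === host;
  const portOk = port === "*" || portOf(ancestor) === (port || DEFAULT_PORT[ancestor.protocol]);
  return hostOk && portOk;
}

// Framing is allowed only if every ancestor matches at least one source.
function framingAllowed(policy, framedUrl, ancestorUrls) {
  const sources = parseFrameAncestors(policy);
  if (sources === null) return true; // no directive: CSP does not restrict framing
  const self = new URL(framedUrl);
  return ancestorUrls.every((a) =>
    sources.some((src) => sourceMatches(src, new URL(a), self)));
}

// Constructed scenario from the thread; the header value is an assumption.
const POLICY = "frame-ancestors 'self'";
const GADGET = "https://sd.ascania.ua/"; // origin the gadget frame is served from
function demo() {
  return {
    internalUrl: framingAllowed(POLICY, GADGET, ["https://sd.corp.ascania.ua/"]),
    sameUrl: framingAllowed(POLICY, GADGET, ["https://sd.ascania.ua/"]),
  };
}
console.log(demo()); // { internalUrl: false, sameUrl: true }
```

To see the real policy, inspect the `Content-Security-Policy` response header of the blocked frame request in the browser's network tab.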

Deployment type: Server
Version: 8.20.2