JIRA web page not hidden in web search page results - HELP

bolino December 8, 2017

Hello,

A few months ago, we have installed JIRA (and Java, therefore) on our own web server, which is a classical LAMP hosting several websites through Apache vhosts.

We then set up the DNS zone file of our domain, in order to have the address jira.ourdomain.com pointing to the JIRA application we just install, while www.ourdomain.com would stays as the address for our corporate website. It worked fine (after hours of reading documentations and headaches, though, since we absolutely don't know anything about Java).

But recently we noticed that this strange webpage : http://www.ourdomain.com/plugins/servlet/Wallboard/?dashboardId=10000

appears in Google search results when searching for our company.

What is this page and how to hide it or completely disable it from being visible and accessible to the public ? I've been looking at /opt/atlassian/jira/atlassian-jira/robots.txt file and added "Disallow *", but I don't see the link with this strange page.

Please help, this is a very important matter to us, we are thinking about uninstalling JIRA because of that.

Adrien Carpentier

2 answers

0 votes
Sherif Abdelfattah
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 8, 2017

I guess this is a wallboard view of an empty dash board on your JIRA.

It seems that the boards is public which would allow any one to see the board if they are not logged in.

You would need to limit the permissions on the board to have it only viewable for logged in users.

If you limit the permission the wall board wouldn't be visible to any one.

Check this for more info on how to customize board permissions and sharing: https://confluence.atlassian.com/adminjiraserver/managing-shared-dashboards-938847879.html

bolino December 8, 2017

Hi Sherif,

Thanks for your answer.

I've been looking at Shared Dashboard settings, there's no shared dashboard to display. I guess it's more something to do with the servlets, but I might be wrong.

0 votes
Eduard M
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 8, 2017

Hello Adrien,

First please check your webhosting parameters for the domain, because you are serving Jira on the www domain and not (just) on the jira subdomain. Maybe you have some proxying going on or something's not configured properly. Ensure that requests going to www domain cannot reach jira.

Afterwards to block indexing on the jira subdomain:

Please edit the robots.txt and ensure it has these contents to disable all search engine access:

User-agent: *
Disallow: /

Ensure that when you browse to jira.domain.com/robots.txt the content above appears (you may need to restart Jira).

Further you can request Google to remove the page from indexing:

https://support.google.com/webmasters/answer/1663419?hl=en

bolino December 8, 2017

Hello Eduard,

Thanks for your answer. I've been changing "Disallow: *" to "Disallow: /" in the robots.txt file. Could it be that the JIRA Servlet Plugin Module, or one of our JIRA modules using this plugin, is serving this webpage and that the /opt/atlassian/jira/atlassian-jira/robots.txt file is not controlling the plugins but only core JIRA?

Anyway, I really would prefer to ensure that all JIRA pages are completely and technically not accessible from the public web, through a .htaccess or a Java web server equivalent config, since robots.txt files are only a common practice by search indexing robots but not a technical protection.

How can we configure the JIRA/Java web server to really forbid access to all pages?

 

Thanks

Adrien

Eduard M
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 8, 2017

Hello Adrien,

About robots.txt, yes this is only to tell search engines not to index, it's not used by Jira in any way.

It seems to me you have Jira on the same IP address as the www domain and your front end server is proxying the request to Jira. You should edit the front end server configuration to only proxy requests to jira.domain.com and have another IP address for the subdomain, it will make it easier to manage access rules like firewalling. All main domain requests should be handled by other services (like you main website) and never by Jira.

Further you should probably firewall the jira service from the public internet and only allow internal network requests. 

Finally, you should ensure that Jira configuration does not allow Public access (only Private). When you set it up it asks you for either option. 

Also what Sherif said below, but I saw you already verified that.

Suggest an answer

Log in or Sign up to answer