Hi,
I have a problem with opening some pages, i.e.:
- activity stream - /plugins/servlet/gadgets/ifr
- applications - /plugins/servlet/applications/versions-licenses
- UPM - /plugins/servlet/upm/manage/user-installed
I received the following message:
You don't have permission to access /plugins/servlet/... on this server.
My infrastructure:
Client <--HTTPS--> Reverse Proxy (DMZ) <--HTTPS--> Jira Server (LAN) <--> Database server (LAN)
When the Reverse Proxy is in the LAN zone, together with the Jira Server, everything works. But when I move the Reverse Proxy to the DMZ, some links are forbidden.
I have a very similar problem with the Confluence server.
Jira and Confluence are at the latest versions - 7.8.0 and 6.7.1.
What are the requirements for the above locations to work?
That might require more investigation. Maybe you also have an IPS or other firewall in the infrastructure that is blocking specific requests from "outside" of the organization. However, Forbidden points more to an Apache configuration issue. I suggest checking the reverse proxy logs first and comparing them with the browser requests; maybe you can find a clue.
Thanks for the suggestions.
Sample from Reverse Proxy's (Apache) log:
[Tue Mar 06 14:29:43.815802 2018] [authz_core:error] [pid 4018] [client x.x.x.x:62510] AH01630: client denied by server configuration: proxy:https://jira_server.domain.com:8443/plugins/servlet/troubleshooting/view/, referer: https://reverse_proxy.domain.com/admin/viewgeneralconfig.action
Part of the Reverse Proxy configuration, without the SSL cert/key file paths:
ServerName reverse_proxy.domain.com
<Proxy *>
Require all granted
</Proxy>
ProxyRequests Off
ProxyVia Off
ProxyPass / https://jira_server.domain.com:8443/
ProxyPassReverse / https://jira_server.domain.com:8443/
RemoteIPHeader X-Forwarded-For
SSLProxyEngine on
SSLEngine on
The above configuration works great when the Reverse Proxy is in the LAN zone. I do not block any content on the firewall between the DMZ and the LAN. Only TCP/8443 is open.
Hmm.. I have not played around with a proxy for a while.. not sure what version you are using, but..
First try changing the configuration to put " around the wildcard and all other parameters:
<Proxy "*">
Require all granted
</Proxy>
ProxyPass "/" "https://jira_server.domain.com:8443/"
ProxyPassReverse "/" "https://jira_server.domain.com:8443/"
This will clean up your configuration.. then try to get the requests to redirect instead of proxying..
Move some of your configuration responsible for SSL to /etc/httpd/conf.d/ssl.conf
Define a Virtual Host that will redirect, for example:
<VirtualHost *:80>
ServerName sample
RewriteEngine On
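# In virtual-host context the matched path starts with "/"; strip it to avoid "//" in the target
RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,L]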
</VirtualHost>
You can do this in a new file under /etc/httpd/conf.d
name it with .conf at the end..
You might also need
<Directory />
AllowOverride none
Require all denied
</Directory>
something like that inside it ..
Mirek,
thank you for the tips, but they did not help.
I am using Apache version 2.4.29.
The resolution is to replace the block:
<Proxy *>
Require all granted
</Proxy>
by
<Location "/">
Require all granted
</Location>
I have updated the drawing of my infrastructure:
Client <--HTTPS--> Reverse Proxy (DMZ) <--HTTPS--> Jira Server (LAN) <---> Database server (LAN)