Problem with opening some pages when the reverse proxy is placed in DMZ

Michal Sarna March 6, 2018

Hi,

I have a problem with opening some pages, i.e.:

- activity stream - /plugins/servlet/gadgets/ifr

- applications - /plugins/servlet/applications/versions-licenses

- UPM - /plugins/servlet/upm/manage/user-installed

 

I received this message:

Forbidden

You don't have permission to access /plugins/servlet/... on this server.

 

 

My infrastructure:

Client <--HTTPS--> Reverse Proxy (DMZ) <--HTTPS--> Jira Server (LAN) <--> Database server (LAN)

 

When the Reverse Proxy is in the LAN zone, together with the Jira Server, everything works. But when I move the Reverse Proxy to the DMZ, some links are forbidden.

I have a very similar problem with the Confluence server.

Jira and Confluence are at the latest versions - 7.8.0 and 6.7.1.

 

What are the requirements for the above locations to work?

 

2 answers

0 votes
Mirek
Community Leader
March 6, 2018

That might require more investigation. Maybe you also have an IPS or other firewall in the infrastructure that is blocking specific requests from "outside" of the organization. However, Forbidden points more to an Apache configuration issue. I suggest checking the reverse proxy logs first and comparing them with the browser requests; maybe you can find a clue.

Michal Sarna March 6, 2018

Thanks for the suggestions.

 

Sample from Reverse Proxy's (Apache) log:

[Tue Mar 06 14:29:43.815802 2018] [authz_core:error] [pid 4018] [client x.x.x.x:62510] AH01630: client denied by server configuration: proxy:https://jira_server.domain.com:8443/plugins/servlet/troubleshooting/view/, referer: https://reverse_proxy.domain.com/admin/viewgeneralconfig.action

A part of Reverse Proxy configuration without SSL cert/key files paths:

    ServerName reverse_proxy.domain.com

    <Proxy *>
        Require all granted
    </Proxy>

    ProxyRequests Off
    ProxyVia Off

    ProxyPass / https://jira_server.domain.com:8443/
    ProxyPassReverse / https://jira_server.domain.com:8443/

    RemoteIPHeader X-Forwarded-For

    SSLProxyEngine on
    SSLEngine on

Above configuration works great when Reverse Proxy is in the LAN zone. I do not block any content on the firewall between DMZ and LAN. There is only an open TCP/8443.

Mirek
Community Leader
March 6, 2018

Hmm.. I have not played around with proxies for a while.. not sure what version you are using, but..

First, try changing the configuration to put " around the wildcard and all other parameters:

    <Proxy "*">
        Require all granted
    </Proxy>
    ProxyPass "/" "https://jira_server.domain.com:8443/"
    ProxyPassReverse "/" "https://jira_server.domain.com:8443/"

This will clean up your configuration..  then try to get the requests to redirect instead of proxying..

Move some of your configuration responsible for SSL to /etc/httpd/conf.d/ssl.conf

Define a Virtual Host that will redirect, example

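    <VirtualHost *:80>
      ServerName sample
      RewriteEngine On
      # In virtual-host context the matched path starts with "/"; strip it to avoid "//" in the target
      RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,L]
    </VirtualHost>

You can do this in a new file under /etc/httpd/conf.d; name it with .conf at the end..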

You might also need

    <Directory />
        AllowOverride none
        Require all denied
    </Directory>

something like that inside it .. 

Michal Sarna March 7, 2018

Mirek,

thank you for the tips but they did not help.

I am using Apache in version 2.4.29.

Michal Sarna March 15, 2018

The resolution is to replace the block:

    <Proxy *>
        Require all granted
    </Proxy>

by

    <Location "/">
        Require all granted
    </Location>

0 votes
Michal Sarna March 6, 2018

I have updated the drawing of my infrastructure:

Client <--HTTPS--> Reverse Proxy (DMZ) <--HTTPS--> Jira Server (LAN) <---> Database server (LAN)
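
An added example, not written by anyone in the thread: a small Python parser for the `AH01630` denial quoted above. It lists which proxied path prefixes `authz_core` is rejecting, so they can be compared with the failing browser requests. The first sample line is the one from the thread; the other lines, the function names and the `depth` parameter are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache 2.4 error log: [time] [module:level] [pid N] [client ip:port] AHnnnnn: message
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<module>[\w.]+):(?P<level>\w+)\] "
    r"\[pid \d+(?::tid \d+)?\] (?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<code>AH\d{5}): (?P<msg>.*)$")
DENIED_RE = re.compile(
    r"^client denied by server configuration: (?P<target>.*?)"
    r"(?:, referer: (?P<referer>\S+))?$")

def parse_denial(line):
    """Return a dict for an AH01630 authorization denial, or None for other lines."""
    m = LINE_RE.match(line.strip())
    d = DENIED_RE.match(m["msg"]) if m and m["code"] == "AH01630" else None
    if not d:
        return None
    target = d["target"]
    proxied = target.startswith("proxy:")
    # Proxied requests log "proxy:" + backend URL; local ones log a filesystem path.
    path = urlsplit(target[len("proxy:"):]).path if proxied else target
    return {"time": m["time"], "client": m["client"], "proxied": proxied,
            "path": path, "referer": d["referer"]}

def denied_prefixes(lines, depth=3):
    """Count proxied denials by their first `depth` path segments."""
    counts = Counter()
    for rec in filter(None, map(parse_denial, lines)):
        if rec["proxied"]:
            segs = [s for s in rec["path"].split("/") if s]
            counts["/" + "/".join(segs[:depth])] += 1
    return counts

# First line is the one quoted in the thread; the others are constructed samples.
SAMPLE = [
    "[Tue Mar 06 14:29:43.815802 2018] [authz_core:error] [pid 4018] [client x.x.x.x:62510] AH01630: client denied by server configuration: proxy:https://jira_server.domain.com:8443/plugins/servlet/troubleshooting/view/, referer: https://reverse_proxy.domain.com/admin/viewgeneralconfig.action",
    "[Tue Mar 06 14:30:02.104511 2018] [authz_core:error] [pid 4018] [client 192.0.2.10:62511] AH01630: client denied by server configuration: proxy:https://jira_server.domain.com:8443/plugins/servlet/upm/manage/user-installed",
    "[Tue Mar 06 14:30:05.220193 2018] [authz_core:error] [pid 4021:tid 140213] [client 192.0.2.10:62514] AH01630: client denied by server configuration: proxy:https://jira_server.domain.com:8443/plugins/servlet/gadgets/ifr, referer: https://reverse_proxy.domain.com/secure/Dashboard.jspa",
    "[Tue Mar 06 14:31:00.000001 2018] [authz_core:error] [pid 4018] [client 192.0.2.10:62520] AH01630: client denied by server configuration: /var/www/html/",
    "[Tue Mar 06 14:00:00.000001 2018] [mpm_prefork:notice] [pid 4000] AH00163: Apache/2.4.29 (Unix) configured -- resuming normal operations",
]

if __name__ == "__main__":
    for prefix, n in denied_prefixes(SAMPLE).most_common():
        print(n, prefix)
```

A `proxy:` prefix on the denied target shows the request was refused by the proxy host's own authorization rules before it was forwarded to the backend.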
