Apache reverse proxy 403 on POST

I am trying to get Jira and Stash to talk to each other via a Trusted Application link. The setup, currently, looks like this:

Jira -> http -> Jira Proxy -https-> stash proxy -http-> stash.

Jira and the Jira proxy are on the same machine.

The Jira Proxy is showing 403 Forbidden for POST requests from the stash server. It works (or seems to ) for everything else. I contend that since we're seeing 403 forbiddens in the access log for apache, Jira is never seeing the request.

Why is apache forbidding posts,and how do I fix it?

Note that the IPs for both Stash and the Stash Proxy are in the "trusted host" section.

My config:

ErrorLog "|/usr/sbin/rotatelogs /var/log/apache2/error.log 86400"

LogLevel info
CustomLog "|/usr/sbin/rotatelogs /var/log/apache2/access.log 86400" common 

ServerSignature off
ServerTokens prod

Listen 8443

<VirtualHost *:443>

	ServerName jira.company.com

	SSLEngine on
	SSLOptions +StrictRequire
	SSLCertificateFile /etc/ssl/certs/server.cer
	SSLCertificateKeyFile /etc/ssl/private/server.key
	SSLProtocol +SSLv3 +TLSv1
	SSLCipherSuite DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA

	# If context path is not "/wiki", then send to /jira.
	RedirectMatch 301 ^/$ https://jira.company.com/jira
	RedirectMatch 301 ^/gsd(.*)$ https://jira.company.com/jira$1
	
	ProxyRequests On
        ProxyPreserveHost On
        ProxyVia On
	ProxyPass /jira http://localhost:8080/jira
	ProxyPassReverse /jira http://localhost:8080/jira

	<Proxy *>
		Order deny,allow
		Allow from all
	</Proxy>

	RewriteEngine on
        RewriteLog "/var/log/apache2/rewrite.log"
        RewriteLogLevel 2
	# Disable TRACE/TRACK requests, per security.
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]

	DocumentRoot /var/www
        DirectoryIndex index.html
	<Directory /var/www>
		Options FollowSymLinks
		AllowOverride None
		Order deny,allow
		Allow from all
	</Directory>

	<LocationMatch "/">
               Order deny,allow
               Deny from all
    		allow from x.x.71.8
    		allow from x.x.8.123
    		allow from x.x.120.179
    		allow from x.x.120.73
    		allow from x.x.120.45
    		satisfy any
    		SetEnvif Remote_Addr "x.x.71.8" TRUSTED_HOST
    		SetEnvif Remote_Addr "x.x.8.123" TRUSTED_HOST
    		SetEnvif Remote_Addr "x.x.120.179" TRUSTED_HOST
    		SetEnvif Remote_Addr "x.x.120.73" TRUSTED_HOST
    		SetEnvif Remote_Addr "x.x.120.45" TRUSTED_HOST
	</LocationMatch>

	<LocationMatch ^>
                SSLRequireSSL
                AuthType CompanyNet
                PubcookieInactiveExpire -1
                PubcookieAppID jira.company.com
                require valid-user
                RequestHeader set userid %{REMOTE_USER}s
        </LocationMatch>
</VirtualHost>

# Port open for SSL, non-pubcookie access.  Used to access APIs with Basic Auth.
<VirtualHost *:8443>

        SSLEngine on
        SSLOptions +StrictRequire
        SSLCertificateFile /etc/ssl/certs/server.cer
        SSLCertificateKeyFile /etc/ssl/private/server.key
        SSLProtocol +SSLv3 +TLSv1
        SSLCipherSuite DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA

        ProxyRequests On
        ProxyPreserveHost On
        ProxyVia On
        ProxyPass /jira http://localhost:8080/jira
        ProxyPassReverse /jira http://localhost:8080/jira

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        RewriteEngine on
        RewriteLog "/var/log/apache2/rewrite.log"
        RewriteLogLevel 2
        # Disable TRACE/TRACK requests, per security.
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]

        DocumentRoot /var/www
        DirectoryIndex index.html
        <Directory /var/www>
                Options FollowSymLinks
                AllowOverride None
                Order deny,allow
                Allow from all
        </Directory>
</VirtualHost>

<VirtualHost jira.company.com:80>
        ServerName jira.company.com
        RedirectMatch 301 /(.*)$ https://jira.company.com/$1
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
</VirtualHost>

<VirtualHost *:80>
        ServerName go.company.com
        RedirectMatch 301 /(.*)$ https://jira.company.com/$1
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
</VirtualHost>

1 answer

This widget could not be displayed.

Hi Sean,

In case both applications are on the same network I usually set the application to the direct address and just edit the application link configuration and modify the Display URL to use the proxied URL.

This way the cross-application communication is done bypassing the proxy and the URL that is displayed to the end user is the proxied URL, this usually avoid problems and the final result is the same.

Cheers

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted 9 hours ago in Jira

Atlassian Research Workshop opportunity on Sep. 28th in Austin, TX

We're looking for participants for a workshop at Atlassian! We need Jira admins who have interesting custom workflows, issue views, or boards. Think you have a story to sha...

29 views 1 2
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you