Although (deliberately) provocative, this is a real question. I want to know why, in 2015, in the age of ever rising hacking sophistication, Atlassian chooses to treat security concerns as a second class citizen (if even that.)
Two specific examples illustrate the question.
Which is prefaced with:
"Atlassian applications allow the use of SSL within our products, however Atlassian Support does not provide assistance for configuring it. Consequently, Atlassian cannot guarantee providing any support for it."
Well, isn't that special? And exactly what besides SSL would anybody be using to help secure sensitive data such as usernames and passwords (which is basically what Crowd does)? Some magical alternative protocol, unspecified?
The other is the now, as I understand, two year old request, amplified by hundreds of concerned individuals, to add two factor authentication to Bitbucket. A feature now routinely supported by other competitors.
While this is a very serious question, and it would be nice to get a serious response, this is part of what I think Atlassian should be doing to make both security, and customer satisfaction, a first class concern:
I would like to answer why SSL configuration is out of the scope of Atlassian support. There are many ways to set a SSL connection which often involve third party applications (apache, nginx, IIS,...) and also different certificate formats. This makes impossible to have a support team which is familiar with all elements involved. Never the less, the support team always tries the best to help customers even with unsupported issues. This does not mean support will always be able to help you with unsupported issues but I can assure you we'll try our best.
In addition to that, there is also extensive documentation on how to set up SSL in different ways. For example, in Conflunece:
Other products also include settings for nginx which should be easily extrapolate to other products since this documentation is not product specific. I addition to that, there are also lot's of threads here in Atlassian Answers discussing other options.
SSL settings may not be supported but I think there are enough resources there to successfully run Atlassian products over SSL.
So a multi-billion dollar company is incapable of creating an installer which works with the most common configurations of Apache/Nginx/IIS? Why is that? The permutations are hardly infinite. There have been Linux installers for more complex software for years.
I disagree that the documentation is "extensive". It's piecemeal at best.
This would be more useful if it specifically dealt with an SSL configuration on the Nginx side (and why wouldn't that be documented unless Atlassian assumes that nobody installs internet-facing applications, unless the idea is that an SSL connection is a luxury when entering passwords? This is my point.)
I have Nginx successfully SSL proxying for Confluence and JIRA. The issue I'm having now is specifically with Crowd, which has many more (poorly documented) configurable parameters all over the place. It would be an immediate help for me (and likely others), and I would be grateful, if you could point me somewhere to that "extensive documentation" on how to do that, or describe how specifically NGinx and Crowd would need to be configured to properly use SSL. I actually do have Nginx SSL proxying for Crowd, up to the login (https://MYSITE/crowd) page, but then it's failing with:
The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
It isn't clear how CROWD_HOME/crowd.properties needs to be configured for crowd.server.url and application.login.url - a "localhost" reference, or an external-context reference? And what about the other property files associated with Crowd? (This is exactly what I mean about a hack-fest. Somehow other companies have managed to figure out how to make installers for their software that deal with this stuff.)
Hello Phil. This seem to be a problem with nginx rather than Crowd. Have you tried contacting nginx support? In addition to that, you should create a question with what you describe here to see if someone has faced a similar problem and they are willing to share their knowledge. I also think you should include the server block(s) from your nginx, as I believe it will be useful to troubleshot this problem.
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG