18Jul/137

Running JIRA and Confluence behind Apache with basic authentication

Since I'm a big fan of the Atlassian products like JIRA, Fisheye and Confluence, I bought my own private Starter Licenses over a year ago. Installed as separate Tomcat deployments on my root server, I put them behind an Apache server that forwards requests via mod_jk to the Tomcats, which listen on localhost only.

Now, more than 12 months later, support has expired, so no updates or security patches will be available for my installations without a license renewal. Fair enough. So I thought it was time to restrict public access to my Atlassian products completely (not even the start page) by just adding basic authentication to the Apache configuration. Oh, silly me :).

First I wondered how to add basic authentication to a JkMount. After some googling I found the right snippet:

JkMount /jira* ajp13_worker
<Location /jira>
    JkMount ajp13_worker
    AuthUserFile /etc/apache2/atlassian.passwd
    AuthName "Atlassian Authentication"
    AuthType Basic
    require valid-user
    satisfy any
    deny from all
    allow from 127.0.0.1
</Location>

After adding this to my Apache configuration, the basic authentication prompt popped up as expected, but afterwards JIRA ended up with a 401 error.

It turned out that JIRA and Confluence pick up the basic authentication credentials collected by Apache and try to validate them against their own user base. But since I'm using separate credentials for the Apache authentication, both products answered with a 401 error (Unauthorized, AUTHENTICATED_FAILED) when calling their start pages. The login page doesn't even show up.

A quick search showed that basic authentication currently can't be disabled on the JIRA side. So I took a look at the Apache side to get around this somehow. Luckily the Apache configuration is very powerful and I found a way to simply drop the "Authorization" request header before the request is forwarded to the Tomcat server, so Apache still checks the credentials but JIRA never sees them. Adding the following to the Location configuration did the trick for me:

    RequestHeader unset Authorization
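
The complete Location block with the header stripped, as an added example rather than the post's own configuration, written in Apache 2.4 access-control syntax (the `satisfy`/`deny`/`allow` directives above are the 2.2 form, which 2.4 only accepts via mod_access_compat). It assumes mod_jk and mod_headers are enabled and reuses the worker name and password file from the snippet above:

```apache
# Keep the wildcard mount so every sub-path under /jira reaches the worker;
# the <Location> then layers Apache's own authentication on top of it.
JkMount /jira* ajp13_worker

<Location /jira>
    JkMount ajp13_worker

    # Apache's own credential store (htpasswd file). These credentials are
    # independent of the JIRA/Confluence user base.
    AuthType Basic
    AuthName "Atlassian Authentication"
    AuthUserFile /etc/apache2/atlassian.passwd

    # Apache 2.4 equivalent of "satisfy any / deny from all / allow from 127.0.0.1":
    # a request is admitted if it comes from the loopback interface OR carries
    # a valid Basic Auth credential. ::1 is the IPv6 loopback address.
    <RequireAny>
        Require ip 127.0.0.1 ::1
        Require valid-user
    </RequireAny>

    # Drop the Authorization header after Apache has checked it (mod_headers).
    # RequestHeader runs in the fixup phase by default, i.e. after authentication,
    # so Apache still validates the credentials but Tomcat/JIRA never receives
    # them and cannot fail them against its own user base with a 401.
    # Do NOT add the "early" keyword here: that would strip the header before
    # Apache's own authentication could read it.
    RequestHeader unset Authorization
</Location>
```

After reloading Apache, a request with valid Apache credentials should now reach the JIRA login page instead of a 401; a request without credentials from a non-local address should get Apache's own 401 prompt.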

Now my Atlassian products are only accessible after a successful basic authentication via Apache, so they are no longer exposed to the public while they run without security patches.

Did you find another solution to this problem? Maybe configured Apache to use JIRA for authentication? Please let me know.

Posted by Veit Guna

Tagged as: Apache, Confluence, JIRA

  • Sam Hall

    Does the PDF export work for you when using Basic Auth on Confluence?

    • nightprogrammer

      Yes, just tried it. Works for me.

  • Martin

    Thank you very much! It works fine

  • randum

    thank you. That did the trick!

  • http://mviera.io/ Manuel Viera

    Thank you very much, it worked for me too. I wasted a couple of hours until I found your post. Thanks again, you’ve just made my day.

  • Ádám Varga

    Hi, I’m using the following configuration in my Apache site (my Jira instance is running on port 10080):

    ProxyPreserveHost On
    ProxyRequests Off
    ServerName jira
    ServerAlias jira
    ProxyPass / http://localhost:10080/
    ProxyPassReverse / http://localhost:10080/
    RequestHeader unset Authorization

    Order deny,allow
    Allow from all

    After signing in with the Apache credentials, the Jira login page loads, but basically within Jira, on every page I have to supply the Apache credentials again and again. Any idea why this might happen?

    • nightprogrammer

      Maybe mod_proxy works differently than mod_jk – hence the re-authentication requests. Sorry that I can’t help you with that.