Since I’m a big fan of the Atlassian products like JIRA, Fisheye and Confluence, I bought my own private Starter Licenses over a year ago. Installed as separate Tomcat deployments on my root-server, I put them behind an Apache server and forwarded requests to the localhost-only listening Tomcats using mod_jk.
Now, >12 months later, support expired and so no updates or security-patches will be available for my installations without license renewal. Fair enough. So I thought, it’s time to restrict public access to my Atlassian products completely (even no start page) by just adding a basic auth to the Apache configuration. Oh, silly me :).
First I wondered, how to add basic authentication to a JkMount. But after some googling I found the right snippet:
JkMount /jira* ajp13_worker <Location /jira> JkMount ajp13_worker AuthUserFile /etc/apache2/atlassian.passwd AuthName "Atlassian Authentication" AuthType Basic require valid-user satisfy any deny from all allow from 127.0.0.1 </Location>
After adding this to my Apache configuration, the basic authentication window popped up as expected, but afterwards JIRA ended up with a 401 error.
It turned out, that JIRA and Confluence pick up the basic authentication information collected by Apache and trying to validate these against their user-base. But since I’m using separate credentials for the Apache authentication, both products ended up with a 401 error (Unauthorized, AUHENTICATED_FAILED) calling their start pages. The login page doesn’t even show up.
A quick research showed, that currently basic authentication can’t be disabled on JIRA side. So I took a look at the Apache side to get around this somehow. Luckily the Apache configuration is very powerful and I found a way to simply drop the basic “Authorization” request header before forwarding it to the Tomcat server. So adding the following to the Location configuration did the trick for me:
RequestHeader unset Authorization
Now my Atlassian products are only accessible after a successful basic authorization via Apache and can’t be exploited by public access due to missing security patches.
Did you find another solution to this problem? Maybe configured Apache to use JIRA for authentication? Please let me know.