Running JIRA and Confluence behind Apache with basic authentication

Since I’m a big fan of the Atlassian products like JIRA, Fisheye and Confluence, I bought my own private Starter Licenses over a year ago. Installed as separate Tomcat deployments on my root-server, I put them behind an Apache server and forwarded requests to the localhost-only listening Tomcats using mod_jk.

Now, >12 months later, support has expired, so no updates or security patches will be available for my installations without a license renewal. Fair enough. So I thought it was time to restrict public access to my Atlassian products completely (not even the start page) by just adding basic auth to the Apache configuration. Oh, silly me :).

First I wondered how to add basic authentication to a JkMount. But after some googling I found the right snippet:

JkMount /jira* ajp13_worker
<Location /jira>
    JkMount ajp13_worker
    AuthUserFile /etc/apache2/atlassian.passwd
    AuthName "Atlassian Authentication"
    AuthType Basic
    require valid-user
    satisfy any
    deny from all
    allow from
</Location>

After adding this to my Apache configuration, the basic authentication window popped up as expected, but afterwards JIRA ended up with a 401 error.

It turned out that JIRA and Confluence pick up the basic authentication information collected by Apache and try to validate it against their own user base. But since I’m using separate credentials for the Apache authentication, both products ended up with a 401 error (Unauthorized, AUTHENTICATED_FAILED) when calling their start pages. The login page doesn’t even show up.

Some quick research showed that basic authentication currently can’t be disabled on the JIRA side. So I took a look at the Apache side to get around this somehow. Luckily the Apache configuration is very powerful, and I found a way to simply drop the basic “Authorization” request header before the request is forwarded to the Tomcat server. Adding the following to the Location configuration did the trick for me:

    RequestHeader unset Authorization

Now my Atlassian products are only accessible after a successful basic authorization via Apache and can’t be exploited by public access due to missing security patches.
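The two snippets above combined into one block, as an added example in Apache 2.4 syntax (not the original configuration from this post). It assumes mod_headers and mod_jk are loaded and leaves out the `satisfy any` / `allow from` address exception, so every client has to authenticate.

```apache
# Added example: Apache 2.4 form of the setup described in this post.
# Needs mod_jk, mod_headers, mod_auth_basic, mod_authn_file, mod_authz_user.

JkMount /jira* ajp13_worker

<Location /jira>
    JkMount ajp13_worker

    # Apache-level gate: credentials live in Apache's own password file
    # and are independent of the JIRA user base.
    AuthType Basic
    AuthName "Atlassian Authentication"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/atlassian.passwd
    Require valid-user

    # Apache validates the credentials during its authentication phase.
    # mod_headers applies this directive later, in the fixup phase, so the
    # header is already checked by Apache and is removed before the request
    # is handed to Tomcat. JIRA then sees an anonymous request and shows
    # its own login page instead of answering 401.
    RequestHeader unset Authorization
</Location>
```

Running `apachectl configtest` after the change reports a missing mod_headers as an unknown `RequestHeader` directive before the server is reloaded.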

Did you find another solution to this problem? Maybe you configured Apache to use JIRA for authentication? Please let me know.