Jira Data Center / JRASERVER-14843

Trusted authentication doesn't correctly determine remote IP address with mod_proxy


Details

    Description

      Currently, we have a trusted app connection between EAC and JAC. It doesn't work any more because JAC now has mod_proxy in front of it. We get the following error:

      Errors were reported by the JIRA trusted connection.

      • BAD_REMOTE_IP; Request not allowed from IP address: {0}; ["127.0.0.101"]

      Steve tells me that JIRA should be looking at the X-Forwarded-For header to determine the correct remote IP for access control when there is a reverse proxy in front of JIRA.

      Adding this IP address (127.0.0.101) to the access control list is not a viable option, because all requests that hit JIRA have this IP address. Anyone would be able to send a trusted request if we added it.

      Edit. The above statement is not correct. The protocol checks both the remote IP and any X-Forwarded-For headers for IP matching and all IP addresses must be on the list of valid IPs. The documentation mentions this but does not make it clear.
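
The matching rule stated in the edit above, sketched as an added example (not Jira's code and not part of the original report). The function name, the allow-list and every address other than 127.0.0.101 are constructed assumptions.

```python
import ipaddress

def check_trusted_request(remote_addr, xff_headers, allowed):
    """Return (ok, offending_address) for one incoming request.

    Per the issue text: the socket peer address AND every address in any
    X-Forwarded-For header must be on the list of valid IPs.
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]

    # Gather every address the request claims: the peer first, then each
    # comma-separated entry of each X-Forwarded-For header, in order.
    candidates = [remote_addr]
    for header in xff_headers:
        candidates += [p.strip() for p in header.split(",") if p.strip()]

    for cand in candidates:
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:
            # "unknown", host:port and other non-address tokens fail closed.
            return False, cand
        if not any(ip in net for net in nets):
            return False, cand
    return True, None

# Constructed sample data: 127.0.0.101 is the proxy address from the error
# above; 192.0.2.10 stands in for the trusted application, 198.51.100.7 for
# an unrelated client (both are documentation-range addresses).
PROXY = "127.0.0.101"
TRUSTED_APP = "192.0.2.10"
OTHER_CLIENT = "198.51.100.7"

if __name__ == "__main__":
    both = [PROXY, TRUSTED_APP]
    # Proxy not listed: every proxied request fails, as in the report.
    print(check_trusted_request(PROXY, [TRUSTED_APP], [TRUSTED_APP]))
    # Proxy and trusted app listed: the trusted app's requests pass.
    print(check_trusted_request(PROXY, [TRUSTED_APP], both))
    # Listing the proxy does not open access: the forwarded client address
    # is checked as well, so an unlisted client is still rejected.
    print(check_trusted_request(PROXY, [OTHER_CLIENT], both))
```

The third case depends on the reverse proxy writing the real client address into X-Forwarded-For, which mod_proxy does for the requests it forwards.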

            People

              Unassigned Unassigned
              matt@atlassian.com Matt Ryall