Details
- Bug
- Resolution: Not a bug
- High
- None
- 3.12.2
- 3.12
Description
Currently, we have a trusted app connection between EAC and JAC. It doesn't work any more because JAC now has mod_proxy in front of it. We get the following error:
Errors were reported by the JIRA trusted connection.
- BAD_REMOTE_IP; Request not allowed from IP address: {0}; ["127.0.0.101"]
Steve tells me that JIRA should be looking at the X-Forwarded-For header to determine the correct remote IP for access control when there is a reverse proxy in front of JIRA.
Adding this IP address (127.0.0.101) to the access control list is not a viable option, because all requests that hit JIRA have this IP address. Anyone would be able to send a trusted request if we added it.
Edit: The above statement is not correct. The protocol checks both the remote IP and any X-Forwarded-For headers for IP matching, and all IP addresses must be on the list of valid IPs. The documentation mentions this but does not make it clear.
Issue Links
- relates to JRASERVER-13727 Trusted Applications: Support Authentication Context Passing from Confluence or another Application to JIRA (Closed)
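The rule stated in the edit to the description (the remote IP and every X-Forwarded-For entry must be on the list of valid IPs), as an added Python example that is not JIRA's own code. The function names, the address/CIDR allowlist format and the addresses 192.0.2.10 and 198.51.100.7 are assumptions constructed for illustration; 127.0.0.101 is the proxy address from the ticket.

```python
import ipaddress

# Constructed sample values (assumptions), except PROXY, which is the address in the ticket.
PROXY = "127.0.0.101"        # mod_proxy address seen by JIRA as the remote IP
CALLING_APP = "192.0.2.10"   # hypothetical address of the trusted calling application
OTHER_CLIENT = "198.51.100.7"  # hypothetical address of any other client


def parse_allowlist(entries):
    """Turn strings such as '192.0.2.10' or '192.0.2.0/24' into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def rejected_addresses(remote_addr, x_forwarded_for, allowlist):
    """Return every address on the request path that is not on the allowlist.

    The socket peer AND each X-Forwarded-For entry must match; an empty
    result means the IP check passes.
    """
    candidates = [remote_addr]
    if x_forwarded_for:
        candidates += [p.strip() for p in x_forwarded_for.split(",") if p.strip()]
    rejected = []
    for raw in candidates:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            rejected.append(raw)  # unparseable entry: fail closed
            continue
        if not any(addr in net for net in allowlist):
            rejected.append(raw)
    return rejected


if __name__ == "__main__":
    proxy_only = parse_allowlist([PROXY])
    proxy_and_app = parse_allowlist([PROXY, CALLING_APP])
    # Listing only the proxy is not enough: the forwarded address is checked too.
    print(rejected_addresses(PROXY, CALLING_APP, proxy_only))
    # Listing both lets the calling application through and nobody else.
    print(rejected_addresses(PROXY, CALLING_APP, proxy_and_app))
    print(rejected_addresses(PROXY, OTHER_CLIENT, proxy_and_app))
```

The check depends on the reverse proxy setting X-Forwarded-For on every request it forwards; a request that reaches the application from the proxy address with no such header is judged on the proxy address alone.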