Medium Description
Summary
The embedded crowd library that comes with applications such as Confluence/JIRA/Stash does not respect the proxyHost parameter (used to connect to forwarding proxies), when trying to obtain users from another server (such as JIRA/Crowd/LDAP)
Environment
You have an environment that requires forwarding proxy to forward requests from Confluence/JIRA/Crowd to another server (where the users are stored, could be AD/Crowd/LDAP/JIRA)
Steps to Reproduce
- Setup Confluence
- Add the proxyHost parameter to Confluence's JVM parameters (example):
-Dhttp.proxyHost=proxy.test.com -Dhttp.proxyPort=3128
Modify it accordingly to fit your forwarding proxy configuration
- Make sure JIRA is contactable from Confluence, only via the forwarding proxy
- Start up Confluence, and setup JIRA user management. This will fail with this error:
2015-12-01 12:57:58,790 ERROR [TP-Processor10] [crowd.embedded.admin.ConfigurationController] onSubmit Configuration test failed for user directory: [ JIRA Server], type: [ CROWD ] -- referer: https://confluence.test:8090/plugins/servlet/embedded-crowd/configure/jira/?xsrfTokenName=atl_token&xsrfTokenValue=83233435434634b3b60c3d600bfa4ae2ba546 | url: /plugins/servlet/embedded-crowd/configure/jira/ | userName: test com.atlassian.crowd.exception.runtime.OperationFailedException: org.apache.http.conn.HttpHostConnectException: Connect to jira.test:8010 [jira.test/12.12.24.25] failed: Network is unreachable at com.atlassian.crowd.embedded.core.CrowdDirectoryServiceIm
- Setup Application Links with JIRA via the same URL. This will succeed (proof that only embedded Crowd is affected)
Workaround
No known workaround, except to make sure that JIRA/Crowd/LDAP is contactable without the forwarding proxy